03-11-2018 08:56 PM
Hi Team,
My customer has a large ISE deployment on 1.4 (6 instances) and is planning to upgrade to 2.3.
I understand if they want to upgrade from 1.4 to 2.3, each ISE instance should once be 2.1 and then can go to 2.1+.
Also in large deployment design, the best practice is:
1) to upgrade from Secondary PAN and MnT to Primary,
2) then PSNs join to the new cluster at upper version,
3) finally the previous primary MnT and PAN join the cluster as secondary.
If my understanding is right, could you please let me know which is the recommended (supported) set of instructions in this scenario?
a) Each instance goes 1.4->2.0->2.3 at the same time.
b) Each instance has to stay in 2.0 (to create a 2.0 cluster). Then, the customer does the same upgrade instructions again to go to 2.3.
03-11-2018 11:10 PM
Do you have hardware appliances or VMs?
If VMs, then you can build out 6 new ISE 2.3 VMs and leave them at the 'setup' prompt (assuming that you are also required to re-use the same IP addresses from the existing ISE deployment). But, if you are free to create 6 new ISE nodes with new IP addresses then it's even better - just build all 6 nodes and leave them in Standalone mode. This might be possible if you are using a load balancer. All of your NASs send RADIUS/WebAuth to a VIP and therefore the NAS does not have a hard coded ISE IP address.
Create another interim ISE VM with ISE 2.0 (or 2.1... whatever the interim version needs to be from 1.4 -> 2.x upgrade). In that new ISE 2.0/2.1 VM, restore the config backup from ISE 1.4. Check that the config looks sane.
Make a config backup of that 2.0/2.1 system. Import that backup into ISE 2.3 - now you have a new PAN node for your ISE 2.3 deployment! Register all the other node personas like MnT, PSN etc. Once your new deployment is built, you can start adding some PSNs into the load balancer pool (if you have a load balancer). If no load balancer, then change a NAS config to use the new ISE PSN.
Basically, if you have a VM deployment AND the IP address of the ISE nodes is not hard coded in your NASs, then you have the luxury of running the old and the new ISE deployments in parallel - and you can decide when to migrate to the new platform.
If you plan to upgrade ISE using the upgrade method (as opposed to restoring a config backup) then you really need to test this. And even if your tests pass, there is no guarantee that it will work on your production system. Having been burnt in the past, I would never upgrade a system ever again.
03-12-2018 02:12 AM
Arne,
Thank you for your reply and for sharing upgrade tips for virtual machines. At this time, the customer is using physical appliances. So we need to clarify how to successfully upgrade physical ISE.
Thank you,
Itaru
03-12-2018 03:11 AM
Hi Itaru,
Following are the steps that I've done in my environment.
Hope it will help you a bit with your case.
Regards,
Daniel Sai
03-13-2018 08:32 AM
kthiruve is working on a guide on this topic so you might want to check with him directly.
03-18-2018 09:30 PM
Hi Hsing-Tsu,
Thank you for the reply.
I've sent an email to him. I attached figures of pattern (a) and (b) as well.