Migrate Cisco ISE from Azure to on-prem servers

iran
Level 1

Hello,

I would like to have some opinions regarding the best practices to migrate Cisco ISE from Azure cloud to an on-prem setup.

Information regarding my setup:
- I have a distributed setup with 2 PAN, 2 MnT, 2 pxGrid and 5 PSN

I am aware that I need to create all new VMs on-prem, then configure the hostname, persona role, etc.

I would like to clarify the following points:

  1. Should I first register all new nodes on the primary PAN and then restore the backup configuration, or should I first import the backup and then register the nodes?
  2. Do I need to integrate again with Active Directory after importing the backup?
  3. Since the new VM will have a different IP address and hostname, can I still use the backup from ISE with a different IP and hostname? I saw that in this case I should not select the include-adeos option.
  4. How can I migrate/still use the same licenses from the previous VM?
  5. I can export and import the trusted certificates via
  6. I can keep both setups in parallel, correct?

Thank you in advance.

 


3 Replies

Arne Bier
VIP

Hello,

 

  • Should I first register all new nodes on the primary PAN and then restore the backup configuration, or should I first import the backup and then register the nodes?

First import the backup on a new standalone PAN. Make it Primary after the restore. Install the Admin cert and then register the other standalone nodes (those should have Admin certs too).

 

  • Do I need to integrate again with Active Directory after importing the backup?

Definitely. ISE does not automatically join the AD after a restore. I find one of the best methods is to create an AD Service Account just for ISE, with limited privileges, that the AD Team can provide to you. Then you can do this AD Join without their assistance.

 

  • Since the new VM will have a different IP address and hostname, can I still use the backup from ISE with a different IP and hostname? I saw that in this case I should not select the include-adeos option.

Yes. The IP address details in the ISE backup only relate to the PAN on which it was backed up. When restoring, don't select the include-adeos option.

 

  • How can I migrate/still use the same licenses from the previous VM?

Smart Licensing works as usual - point the new ISE deployment to Smart Licensing and register it. Don't worry if you don't have twice as many VM licenses - you will get a warning - ignore it. Once you are ready to destroy the Azure deployment, your license count will reduce and you'll only consume VM licenses for on-prem nodes.

 

  • I can export and import the trusted certificates via

If the FQDNs of the new on-prem nodes are the same as the FQDNs of the Azure nodes, then yes - export them somewhere safe, and then import them into the on-prem nodes one by one. But I doubt this will be viable if you want to run things in parallel - I don't know how you will achieve the same FQDN for two different IP addresses.

  • I can keep both setups in parallel, correct?

Yes, you can, but you will have to deploy the on-prem nodes with different IP addresses from the Azure nodes, unless you have some clever tricks to allow the IP addresses of the Azure ISE nodes to also work on-prem, all at the same time. I am not too clued up on how public cloud works, but something tells me this would be ugly, if not impossible. Unless you're using IPv6 in the cloud. I doubt it though...

Changing your PAN and MnT IP addresses to new addresses is no big deal. The impact is when you have new PSN IP addresses. This means you must change the NAS/NAD configs to point to the new PSN IPs. Perhaps not a bad idea, because it could be your smooth migration strategy. Move one or a few NAD devices at a time to the new deployment.

Yes. Think about your migration strategy too.

Hello,

Thank you so much for your detailed explanation.

One more question, please.
On the new Cisco ISE installation, is it possible to restore the backup from the GUI? If yes, should I manually configure the repository where my backup is, and will the backup available in the repository then be available in the DNAC GUI to restore?

Note: I checked that it is possible to restore via CLI using:

restore backupfilename.tar.gpg repository repositoryname encryption-key plain/hash <key> include-adeos

In my case, since I plan to use different IP addresses, I will not select include-adeos.

I have to admit, I have never used a public cloud ISE version. I don't know what types of repositories it allows, but I don't see any reason why you can't configure a repo in the ISE GUI, and then as long as you can access/view the repo contents afterwards, you're good to go. The challenge with an SFTP repo has always been that you MUST create the crypto host keys on the CLI - you cannot add the crypto host keys from the GUI (at least, not in any on-prem ISE version I know of).
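The thread's advice put together as one worked CLI sequence on the new on-prem standalone PAN (an added illustration, not commands posted in the thread): define the SFTP repository, add the SFTP server's host key from the CLI as the answer above requires, confirm the backup is visible, then restore it without include-adeos. The repository name onprem-sftp, the SFTP address 192.0.2.10, the account isebackup, the backup file name and both secrets are placeholders.

```text
! Constructed example: ISE CLI on the new on-prem standalone PAN.
! Host, user, file and key values are placeholders.

! 1. Define the repository that holds the exported configuration backup.
ise-pan1/admin# configure terminal
ise-pan1/admin(config)# repository onprem-sftp
ise-pan1/admin(config-Repository)# url sftp://192.0.2.10/ise-backups
ise-pan1/admin(config-Repository)# user isebackup password plain <sftp-password>
ise-pan1/admin(config-Repository)# exit
ise-pan1/admin(config)# exit

! 2. Trust the SFTP server's host key. This is the CLI-only step the answer
!    refers to. Compare the key ISE records with the value the SFTP
!    administrator gives you out of band before relying on it, so the
!    restore cannot be served from an impostor host.
ise-pan1/admin# crypto host_key add host 192.0.2.10
ise-pan1/admin# show crypto host_keys

! 3. Confirm the backup file is visible through the repository.
ise-pan1/admin# show repository onprem-sftp

! 4. Restore the configuration backup. include-adeos is deliberately left out
!    because this node has a new IP address and hostname.
ise-pan1/admin# restore CFG-backup-placeholder.tar.gpg repository onprem-sftp encryption-key plain <backup-key>
ise-pan1/admin# show restore status

! 5. After the restore completes, in the order given above: promote this node
!    to Primary PAN, install the admin certificate, register the remaining
!    standalone nodes, and re-join Active Directory (not done automatically).
```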