
Migrate ISE for Version Upgrade and Cleanup

Chris Terry
Level 1

Hello all

I recently took over ISE for my company. We're running version 2.7 and we're looking to upgrade to 3.X. It looks like 3.1.0 is the current recommended.

 

It's been decided that we want to deploy a new environment for the upgrade rather than upgrade the current environment. The reason being it wasn't exactly set up right from the start and it's kind of been frankensteined together since.

A few questions about taking this path.

1. As far as licensing would the new environment just use trial license while we set up and test the new environment and then move the existing licenses over from the old environment?

2. Would it be recommended to migrate existing devices, policies, static profiles, etc and then clean up from there, or start from scratch? In other words, restore or start from scratch? We've had to manually profile a lot of devices due to old/outdated profiling policies that would need to be modified to correctly profile new devices.

 

Accepted Solutions

Hi @Chris Terry,

ISE 3.1 is the Suggested Release since Feb/2022, the last Patch is P5 released on 07-Dec-2022.

ISE 3.2 last Patch is P1 released on 19-Jan-2023.

A good action plan:

  • Back up your ISE 2.7
  • Restore the backup to a New ISE 3.x
  • Sanitize this New ISE 3.x ... it's time to "remove your Frankenstein" : )
  • Test the New ISE 3.x ... make sure that everything is OK, no "new bug" : )

Note 1: please take a look at ISE Software Download.

Note 2: please take a look at ISE 3.1 Release Notes and ISE 3.2 Release Notes, special attention to What is New in Cisco ISE !!!

Note 3: you MUST migrate from the classic VM licenses to the VM Common license before you upgrade to ISE 3.1+.

Note 4: if you own Traditional Cisco ISE Licenses, you MUST convert them to Smart Licenses to enable License Consumption in ISE 3.0+.

Note 5: the SNS 3515 is NOT supported in ISE 3.1+.

Hope this helps !!!


balaji.bandi
Hall of Fame

Are these virtuals? So you need proper planning and future use.

Sure, ISE 3.1.0 is a long-term plan (3.2 is on the way to deploy).

Yes, you can build new servers and start with a trial, and once you are ready, move the license using the Smart License portal.

Depends on how big the setup is; it's just days' work. I would create a brand new one from scratch; this way you get the opportunity to clean up any organic profiles that you don't need and are not sure can go off.

Also, testing is a major part after deployment, so test... test... Monitoring plays a key role.

One last note: before you put them live, make sure you have all the patches in place.

 

 

BB


For 1) it depends how your actual setup is licensed. ISE 3.1 runs with smart licensing. If you are using PAC based licenses you have to migrate them and can install the new deployment fully licensed and phase the old deployment out. If your actual deployment already runs on Smart-Licensing, I would run the new as evaluation and then switch over.

For 2) it depends on what kind of monster you created. If devices, policies and so on are mainly ok, you could migrate them first and then clean up. But I am always a friend of first cleaning up and then migrating. If it is a whole mess, doing a complete new setup is likely the better approach.

Marvin Rhoads
Hall of Fame

For my customers, I generally prefer to back up the old system and restore onto newly built VM(s) that have the latest patch installed.

2.7 backups can be restored onto 3.1. Certificates need to be manually migrated and AD rejoined from the new deployment. Licensing needs to be updated to Smart type (if it's not already in use) and any old VM-Small/Medium/Large needs to be converted to VM-Common type. (TAC case may be required for that.)
