
Migrate to new ISE Server

DAVID
Level 3

Forgive me if this seems a bit unorthodox, but I am forced to migrate to a new ISE server while still maintaining the production ISE. The explanation is too long for this post. Anyway, what I want to do is simply take those devices and policies that have no user impact, such as our printers that are being profiled, and have those devices now be profiled by a new ISE server. Once I have all the printers profiled by the new ISE server, I can continue with the other low-impact devices and then finally move those policies that deal with users.

Is this even possible? To control which ISE server a device is profiled on? I have discovered that I am seeing some VMware machines being profiled that I did not expect to. Essentially, I want to be able to see that my own workstation and IP phone show up as profiled devices on the new ISE server. The port that my workstation is connected to is configured as open access to allow the device access to the network without any restrictions, as we are just monitoring the devices first. Once all the devices are profiled on the new server, we can worry about posturing and remediation.

25 Replies

Hi @MaheshPandey60919 ,

 try this:

1st install one Node on the new infra as a Secondary PAN of the current Cluster

2nd de-register this SPAN from the Cluster (it will become a Standalone Node)

3rd start registering the new infra into this Node - created in steps 1 & 2 (this Node will be the PPAN and will synch all the config with the other Nodes)

 

Hope this helps !!!

Hi Marc, many thanks for picking it up. The issue is that the existing environment is on version 2.2, hardware-hosted services. The newly proposed infra will be on version 3.1 on VM.

Current Architecture is a distributed environment with PAN, MNT and 2 PSNs (SNS-3495 boxes) in location X. SAN, secondary MNT and 2 PSNs are currently in location Y. Location Z has only 2 PSNs. Hence the cluster has a total of 2 Admin nodes, 2 MNT nodes and 6 PSNs. Now the issue is that we cannot include location Y in the new infra due to the unavailability of a virtual environment; instead, we planned to create Location X as the new PAN, MNT & PSN. Location Z is to be installed with Secondary Admin, MNT and PSN, along with other PSNs in different geographical locations, which will be controlled by the PAN and MNT in locations X & Z.

Now the query is: is it possible to take a backup of the existing setup -> create a new virtual environment in ISE version 2.7 -> restore the config to get all the existing setup data -> deregister the nodes and sync data -> migrate to version 3.1?

Please advise if there is any issue with this approach, or whether it is possible to reach version 3.1 while keeping all the data of the existing setup (2.2) in the new virtual setup (3.1). The new virtual infra will be built in parallel with new hostnames and IP addresses. DNS and NTP will be the same. Once the new virtual environment is built and tested, the plan is to decommission the existing infra. Please guide accordingly on what would be the best practice to follow in such a scenario. Thanks again.

Hi @MaheshPandey60919 ,

 1st:

 . ISE 2.7 supports restore from backups obtained from Release 2.2 and later.

 . ISE 3.1 supports restore from backups obtained from Release 2.6 and later.

 2nd:

  . ISE 3.1.0 parity with ISE 2.6 P9, 2.7 P4 and 3.0 P2.

 3rd:

  . ISE 2.7 latest Patch is Patch 6 (03-Nov-2021)

  . ISE 3.1 latest Patch is Patch 1 (07-Dec-2021)

 4th:

 . installing one Node with ISE 2.7 (from scratch), restoring the ISE 2.2 backup and then upgrading to ISE 3.1 is a good action plan.

  5th:

 . after the 1st ISE 3.1 Node is up, then you only need to install the new Nodes from scratch (with same version and patch) and register to the new Cluster.

 

Hope this helps !!!

Thank you Marcelo for the valuable advice.

So the understanding is that only an Admin node has to be built from scratch in 2.7, with the 2.2 config restored on it. Once the restore is successful, only the Standalone PAN is to be upgraded to 3.1, and then the other nodes, including guest PSNs, PSN and MNT nodes, are added to the cluster (3.1) with new IPs and hostnames. Is this correct?

2. Does the restore have any dependency on IP or hostname (must the same IP and hostname be used, or can different ones also be used) for the node built from scratch in 2.7, so that the restore can happen successfully? The target is to restore the ISE 2.2 backup successfully.

3. Last, just to know your thoughts: if the backup has all the current node information, how do we get rid of that, as the new nodes have to be built in the new VM infra, and just to be sure that the existing node information is not needed? Thanks again for guiding throughout.

Hi @MaheshPandey60919 ,

 1. yes, the Standalone Node will become the PPAN of the ISE Cube, when a Secondary Node register to this ISE Cube, the PPAN will synch all the info with the Secondary Node.

 2. when you restore the backup, do NOT include the ADE-OS option (ADE-OS would include ALL of the OS Configuration data that is configured when setting up the ISE Node - like hostname, IP Addr, ...)

 3. remember that we are talking about the Config Backup ... the Operational Backup is the RADIUS and TACACS logs, contains the MnT data !!!

 

Hope this helps !!!

Thanks a lot Marcelo, much appreciated and helpful! Will reach out if stuck in any technicalities. 

Hi Marcelo,

During the process of Cisco ISE deployment in version 3.1, we are having one issue related to the hardware appliance OS version. The SNS appliances which need to be added to the ISE 3.1 cluster are on the ISE 3.0 pre-installed OS. How do we re-image those hardware devices from 3.0 to 3.1 and then add them to the cluster with the help of the Primary PAN?

PS - All the other nodes in the cluster are VMs and will be built to version 3.1 with OVA.

Total Nodes- 8

PAN-2

MNT-2

PSN-4 (2 VM's-3.1, 2 Hardware appliances- will be delivered with pre-installed OS 3.0)

Please help us understand how the hardware appliances can best be configured in the cluster. Thanks for the help.

Hi @MaheshPandey60919 ,

 if my understanding is correct, you have 2x Standalone SNS 3695 - version 3.0 Px, am I correct?

 If the answer is Yes, then:

 1st upgrade each Standalone SNS 3695 from 3.0 to 3.1P1

 2nd upgrade the VMs Cluster from 3.0 to 3.1P1

 3rd register the SNS 3695 to the VM Cluster.

Note: take a look at ise-patchbundle-3.1.0.518-Patch1-21120304.SPA.x86_64.tar.gz

 

Hope this helps !!!

Hi Marc,

Thanks for the reply. The standalone nodes are new hardware appliances delivered by Cisco with the pre-installed 3.0 OS. The cluster to which they need to be added is already on 3.1. Now, the challenge is that we can't add these hardware appliances to the cluster without upgrading them to 3.1.

The query is how best these appliances can be re-installed with the ISE 3.1 image so that they can be added to the cluster.

My understanding is that connecting a KVM console to the devices is the only way to upgrade the OS, or is there any other, better way to do it?

No, you should not restore ADE-OS configuration if you don’t want the start-up and running configuration to change to the one from where this backup was collected.

Ok that is what is changing the IP then. Thanks.