Migration from 2-Node ISE Deployment to Hybrid Distributed

georgip
Level 1

Running version 2.7.0.356, ISE Basic 2-node redundant deployment.
Is there a guide or procedure to scale out the deployment and run up to 6 PSNs in a distributed environment, keeping the PAN and MnT on the existing nodes? Admin + MnT on Same Appliance; Policy Service on Dedicated Appliance (VMs).

Thank you

7 Replies

balaji.bandi
Hall of Fame

ISE 2.7 is going end of life soon; if you are looking to upgrade or migrate, look at ISE 3.X (for long-term support).

Look at the distributed deployment guide:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/install_guide/b_ise_InstallationGuide30/b_ise_InstallationGuide30_chapter_1.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello balaji.bandi,

Thank you for replying, but my question is related to the migration and not to an upgrade to a different version.

I mentioned 2.7 because this is the version we are running, and once I successfully scale out the deployment and have PSNs running, I can move to a higher version of ISE.

In the link that you shared - we are running a Split deployment and would like to move to a Medium-Sized ISE deployment.

"but my question is related to the migration"

Migration to what? - the document provides how you can deploy hybrid with different roles - is that missing?

"we are running a Split deployment and would like to move to a Medium-Sized ISE deployment"

Is this your requirement?

BB


georgip
Level 1

*migration from split deployment to medium-sized deployment with PSNs

I am deploying PSNs now and would like to know the next step in associating them with the PANs and the procedure for that in a live production environment.

Thank you.

Hi @georgip, once the new PSN nodes are configured within your environment, they need to be configured as standalone; then you need to associate them through a registration process that you do in the PAN GUI. Please refer to the following documentation: https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_deployment.html#ID177

When registering from the PAN dashboard in the menu Administration > System > Deployment, you need to add the FQDN of the newest nodes (this does not impact the previous nodes' operation unless the new node that you are associating replaces some of the functionalities, MnT or Admin, that your older nodes have).

Kindly also review this other documentation that may serve your purposes: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-BRKSEC-3432-reference.pdf

Rate and comment if that helped you. 

thomas
Cisco Employee

This is not a detailed, step-by-step guide, but it covers an overview of the process:

ISE Deployment Architectures: Nodes, Services and Scale 20220113

04:19 ISE Nodes: Appliances, VMs, Cloud
07:50 Free, 90-day ISE Evaluation Licenses with every installation
08:56 ISE Personas: PAN, MNT, PSN, PXG
14:06 ISE Personas Example Flow
16:44 ISE Deployment: Standalone ISE Node
17:59 ISE Deployment: Small
19:01 ISE Deployment: Small 3 Node
20:33 ISE Deployment: Medium and Multiple Regions
22:43 ISE Deployment: Medium to Large

georgip
Level 1

Thank you, Thomas. Your basic video series are great and really helpful for beginners.