Move from small (2 node) ISE deployment to medium / large deployment

JON SHORTEN
Level 1

I'm looking for guidance on the best way to move from a small deployment to a medium / large deployment with minimal disruption.

Background is that the customer has an existing small deployment, but has acquired sites in other countries & needs local PSNs.

The existing deployment is integrated with DNA; due to limitations on the DNA side (max 2 ISE pxGrid nodes), a single ISE deployment will be needed for all sites.

Where I've done this before we've built a separate medium deployment & restored a backup from the small deployment once built, but if there's a way to make the changes "live" it would be preferable in this instance.

tia

Accepted Solutions

Milos_Jovanovic
VIP Alumni

Hi @JON SHORTEN,

I would install a new deployment, with only the initial configuration of ISE, still running as Standalone nodes (ideally with PKI-issued certificates). From the existing deployment, I would remove the secondary admin and MnT roles completely, leaving only 1 PAN, 1 MnT and 2 PSN nodes. I would register one of the new servers (pay attention to which one, and of which size, as there are different requirements and role distributions for a Medium or Large Distributed Deployment) as secondary PAN (and MnT, depending on the deployment). After this, I would proceed with other integration tasks (like AD join). Once all of this is done, I would promote the new server to be primary PAN.

I would continue with this process of adding new servers, and assigning them PAN and MnT roles, until the existing 2-node deployment becomes only PSN (this would be most convenient, because all of your NADs are already configured with these IPs, while no one knows nor cares about the new PAN and MnT apart from admins). Later on, you can simply start adding new PSN servers. Also, in a Large deployment, each server must have only one role, meaning you'll have to move either the PSN or pxGrid role from the 2-node deployment.

Finally, you can reimage the 2-node deployment, one by one, and change their VM size, if needed.

BR,

Milos


3 Replies

balaji.bandi
Hall of Fame

As far as I know, backup and restore is the best method I know, since the medium / large OVA changes and the requirements change.

BB


Thanks @Milos_Jovanovic; that makes a lot of sense; I may tweak it slightly to end up with the PSNs on the same addresses, but the deregister / add / promote method you suggest should do exactly what I was hoping for.