
Need your inputs on ISE Hardware to VM migration and pre-requisite

eahmed.ext
Level 1

Hi All,

We have 8 nodes in our ISE deployment. We are planning to migrate 3 ISE nodes, which are running on SNS-3515-K9 hardware with version 2.4, to VMs. As a prerequisite, we need your input on the best practices and other consequences of migrating these hardware nodes to VMs.

Please can you tell me whether we need to register these 3 VM nodes separately as part of this migration? Do we need to deregister the existing nodes and register them again, as we are planning to use the same IP addresses for management?

For your information, one of the 3 nodes is using SAN with PSN, and another node is a PSN and secondary monitoring node.

In addition, we would like your input on this plan and on other concerns and impacts of this migration activity.

With regards,

Erfan

6 Replies

Hi @ahollifield,

Thanks for your reply.

We are planning to migrate the hardware to VMs and then go for a version upgrade to 3.1 or later. But I will do it phase by phase, considering the impact on the existing infrastructure.

As a migration plan, I would like to know the best practices and other considerations before migrating from hardware to VM. For your information, I am planning to install the existing version 2.4 on 3 VMs using different management IP addresses. During the maintenance window, I will deregister the ISE hardware nodes from the existing deployment and shut them down, and then I will reconfigure the 3 VM nodes with the existing management IP addresses using "reset-config" and register them with the deployment with the same FQDNs and roles.

For your information, the existing 3 hardware nodes have self-signed certificates for Admin, Portal, EAP Authentication, and RADIUS DTLS. Do you think I need to upload the existing self-signed certificates, or can I create new self-signed certificates as soon as I register the 3 ISE VM nodes with the same FQDNs?

Please can you share your input on my plan above so that I can proceed with this migration?

With regards,

Erfan

 

Why not deploy 3.0 and import the 2.4 backup instead? https://community.cisco.com/t5/security-knowledge-base/ise-version-upgrade-matrix/ta-p/3653501

Then upgrade from 3.0 to 3.1, 3.2, or 3.3.

Why is a self-signed certificate being used? What is this ISE deployment actually doing?

Hi @ahollifield,

As an alternative migration approach, I am thinking of migrating those 3 hardware nodes to VMs using the Cisco ISE recommended version 3.1, then creating a new deployment cluster with version 3.1 and uploading the configuration backup to the newly created cluster. However, the backup and restore method from version 2.4 doesn't support version 3.1. So do you think I need to upgrade first from 2.4 to 2.7 and then to 3.1?

On the other hand, if I migrate these 3 nodes to ISE version 3.1, then I will put all those nodes on an evaluation license, and then I can upgrade the other nodes from the existing cluster and join them to the new deployment cluster.

Please can you provide your input on whether this migration approach is suitable or not?

With regards,

Erfan

@eahmed.ext The backup taken from ISE 2.4 cannot be restored to ISE 3.1, because ISE 2.4 cannot upgrade directly to 3.1. Take a look at Cisco Identity Services Engine Upgrade Journey, Release 3.1.

BTW, ISE 3.2 is the current recommended release.

I can see why you're not changing straight to 3, as the licensing needs to be changed, etc. I just moved from 3595s to 3765s on Saturday, but we are already on 3.1 and smart licensing.

 

My suggestion would be to bring up, patch, and wait to register for the switchover. I'm not sure what registering and deregistering would get you other than a longer maint period.

What you want to verify:

Licensing: the appliance is licensed; the VM has its own license that would be needed. I don't remember if 2.4 is smart licensed, but if not, Cisco will not move the licensing from the appliance to the VM. If smart licensed, you should be fine except for needing the VM licenses.