01-31-2019 09:56 PM
Do we have any step-by-step procedure or migration guide for changing ISE deployment mode from hybrid (PAN/MNT on same node) to dedicated distributed mode? Just wanted to make sure operational logs are retained on MNT. AFAIK, we can do this by following the procedure below. Or is there any other approach we need to follow? Please guide me.
Step 1: Disable the secondary MNT role on secondary PAN
Step 2: Assign the secondary MNT role to a dedicated node (new node-1) in the deployment
Step 3: Promote the dedicated secondary MNT (new) node to Primary MNT, wait for sync to happen.
Step 4: Disable secondary MNT role on Primary PAN
Step 5: Turn on the role of secondary MNT on a dedicated node (new node-2)
01-31-2019 10:11 PM
I actually covered this same question just the other day with nearly identical steps as you wrote, maybe a couple extra details for timing. It works quite well.
https://community.cisco.com/t5/identity-services-engine-ise/procedure-to-migrate-from-an-in-production-pan-mnt-ha-node-pair/m-p/3790764#M23159
Previous reply:
I haven't seen a document/guide covering breaking out a hybrid deployment into a distributed one, but one way that it can be done with relatively little downtime would be as follows.
1. Deploy, patch, install certs, on the two new future MNT nodes.
2. From the GUI, disable the MNT persona on the secondary admin node, hit save, and the node will restart and be back up within about 10-15 minutes.
3. Register one of the two new nodes you previously prepped as Secondary MNT.
4. From the GUI, disable the MNT persona on the PAN, hit save, and the node will restart and be back up within 10-15 minutes.
5. Register the other new node, this time selecting primary MNT as the role.
You can run without both MNT nodes, you just won't have any visibility into the environment/authentication. The PAN node plays different roles in different deployments, but in a hybrid deployment, it's likely that the existing user authentication remains relatively unscathed with the PSNs handling this directly. This section in the admin guide covers what features will be temporarily unavailable while the PAN reloads. If the PAN also handles PSN functions then NAD HA would have to be considered.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.html#ID59
Because you are moving the monitoring roles, this will also mean you have no historical logs. This data is not synced between monitoring nodes, but it can be restored if needed. I wouldn't bother restoring the MNT logs, the default only goes back 30 days anyway, and new logs will begin filling the disk as soon as the new MNTs are online. If it's important, the operational data (MNT logs) can be backed up and restored.
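Added example, not part of the original thread and not Cisco's own tooling or API: a small Python model of the five-step persona migration in the reply above. It tracks which node holds each persona after every step and flags the point at which the historical MNT data is lost (when the MNT persona is removed from the node that held it) unless an operational-data backup was taken first. Node names (pan1, pan2, mnt1, mnt2), persona labels, and the reload timings in the event log are constructed for the example.

```python
"""Constructed model of the hybrid -> distributed ISE MNT migration.

This does not talk to ISE; it only simulates persona moves so the
operator can see the resulting deployment and the log-retention impact
of each step before doing it for real in the GUI.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    personas: set = field(default_factory=set)  # e.g. {"PAN-primary", "MNT-primary"}


@dataclass
class Deployment:
    nodes: dict
    historical_mnt_data: bool = True  # operational logs available on the active MNT
    backup_taken: bool = False        # operational-data backup exists off-box
    events: list = field(default_factory=list)

    def mnt_nodes(self):
        """Names of nodes currently carrying any MNT persona."""
        return sorted(n.name for n in self.nodes.values()
                      if any(p.startswith("MNT") for p in n.personas))

    def disable_persona(self, node, persona):
        """Model 'disable persona in GUI, save, node reloads'."""
        self.nodes[node].personas.discard(persona)
        self.events.append(f"{node}: disabled {persona}, node reloads (~10-15 min)")
        if persona == "MNT-primary":
            # MNT data is not synced between monitoring nodes, so once the
            # primary MNT persona leaves this node the history is only
            # available if it was backed up beforehand.
            self.historical_mnt_data = self.backup_taken
            if not self.backup_taken:
                self.events.append("WARNING: historical MNT logs are gone (no backup)")

    def register(self, node, persona):
        """Model registering a prepped node with the given persona."""
        self.nodes.setdefault(node, Node(node)).personas.add(persona)
        self.events.append(f"{node}: registered as {persona}")


def run_migration(backup_first: bool) -> Deployment:
    """Apply the reply's steps 2-5 to a hybrid PAN/MNT pair and return the result."""
    d = Deployment(nodes={
        "pan1": Node("pan1", {"PAN-primary", "MNT-primary"}),
        "pan2": Node("pan2", {"PAN-secondary", "MNT-secondary"}),
    })
    if backup_first:
        d.backup_taken = True
        d.events.append("operational data (MNT) backup taken")
    d.disable_persona("pan2", "MNT-secondary")  # step 2: secondary admin drops MNT
    d.register("mnt1", "MNT-secondary")         # step 3: first new node as secondary MNT
    d.disable_persona("pan1", "MNT-primary")    # step 4: PAN drops MNT
    d.register("mnt2", "MNT-primary")           # step 5: second new node as primary MNT
    return d


if __name__ == "__main__":
    for backup in (False, True):
        result = run_migration(backup_first=backup)
        print(f"backup first: {backup}")
        for e in result.events:
            print("  ", e)
        print("   MNT nodes now:", result.mnt_nodes(),
              "| historical logs available:", result.historical_mnt_data)
```

Running it with and without `backup_first` shows the same end state (MNT personas only on the two new nodes, PAN nodes reduced to their admin personas) but a different answer to the original question about whether operational logs survive, which is the decision the reply leaves to you.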
01-31-2019 10:24 PM
Thank you Damien :)