Procedure for changing ISE deployment mode from Hybrid to dedicated distributed mode

Mohaninj
Cisco Employee

Do we have any step-by-step procedure or migration guide for changing ISE deployment mode from hybrid (PAN/MNT on same node) to dedicated distributed mode? Just wanted to make sure operational logs are retained on MNT. AFAIK, we can do this by following the procedure below. Or is there any other approach we need to follow? Please guide me.


Step 1: Disable the secondary MNT role on the secondary PAN

Step 2: Assign the secondary MNT role to a dedicated node (new node-1) in the deployment

Step 3: Promote the dedicated secondary MNT (new) node to Primary MNT, wait for sync to happen.

Step 4: Disable the secondary MNT role on the Primary PAN

Step 5: Turn on the role of secondary MNT on a dedicated node (new node-2)

Accepted Solution

Damien Miller
VIP Alumni

I actually covered this same question just the other day with nearly identical steps as you wrote, maybe a couple extra details for timing. It works quite well.
https://community.cisco.com/t5/identity-services-engine-ise/procedure-to-migrate-from-an-in-production-pan-mnt-ha-node-pair/m-p/3790764#M23159


Previous reply: 

I haven't seen a document/guide covering breaking out a hybrid deployment into a distributed one, but one way that it can be done with relatively little downtime would be as follows.

1. Deploy, patch, and install certs on the two new future MNT nodes.
2. From the GUI, disable the MNT persona on the secondary admin node, hit save, and the node will restart and be back up within about 10-15 minutes.
3. Register one of the two new nodes you previously prepped as Secondary MNT.
4. From the GUI, disable the MNT persona on the PAN, hit save, and the node will restart and be back up within 10-15 minutes.
5. Register the other new node, this time selecting Primary MNT as the role.

You can run without both MNT nodes; you just won't have any visibility into the environment/authentication. The PAN node plays different roles in different deployments, but in a hybrid deployment, it's likely that the existing user authentication remains relatively unscathed, with the PSNs handling this directly. This section in the admin guide covers what features will be temporarily unavailable while the PAN reloads. If the PAN also handles PSN functions, then NAD HA would have to be considered.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.html#ID59

Because you are moving the monitoring roles, this will also mean you have no historical logs. This data is not synced between monitoring nodes, but it can be restored if needed. I wouldn't bother restoring the MNT logs; the default only goes back 30 days anyway, and new logs will begin filling the disk as soon as the new MNTs are online. If it's important, the operational data (MNT logs) can be backed up and restored.
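To confirm where the MNT personas actually sit before starting and after the last step above, here is an added example (not from the thread or from Cisco) that reads the deployment's node records and classifies the layout as hybrid, dedicated, or the no-MNT window mentioned in the reply. It assumes the ISE ERS `node` resource at `https://<pan>:9060/ers/config/node` with an ERS admin account, and assumes the boolean persona fields `primaryPapNode`, `secondaryPapNode`, `primaryMntNode` and `secondaryMntNode`; check those names against the ERS SDK page of your ISE version before relying on them. The node names in the sample data are constructed.

```python
import base64
import json
import urllib.request

def fetch_nodes(base_url, user, password):
    """Pull every node's detail record from the ERS 'node' resource (TLS verified by default)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Accept": "application/json", "Authorization": f"Basic {token}"}

    def get(url):
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            return json.load(resp)

    summary = get(f"{base_url}/ers/config/node")["SearchResult"]["resources"]
    return [get(f"{base_url}/ers/config/node/{res['id']}")["Node"] for res in summary]

def mnt_role(node):
    """'primary', 'secondary' or None, read from the assumed boolean persona fields."""
    if node.get("primaryMntNode"):
        return "primary"
    return "secondary" if node.get("secondaryMntNode") else None

def deployment_mode(nodes):
    """'hybrid' if an admin node also holds an MNT persona, 'no-mnt' while no node
    holds one (the blind window described in the reply), otherwise 'dedicated'."""
    admins = [n for n in nodes if n.get("primaryPapNode") or n.get("secondaryPapNode")]
    if any(mnt_role(n) for n in admins):
        return "hybrid"
    return "dedicated" if any(mnt_role(n) for n in nodes) else "no-mnt"

def persona_problems(nodes):
    """List what keeps the deployment from a clean dedicated state (empty when done)."""
    problems = []
    for role in ("primary", "secondary"):
        holders = [n["name"] for n in nodes if mnt_role(n) == role]
        if len(holders) != 1:
            problems.append(f"{role} MNT held by {len(holders)} nodes: {holders}")
    mode = deployment_mode(nodes)
    if mode != "dedicated":
        problems.append(f"deployment mode is {mode}, not dedicated")
    return problems

def node(name, pan=None, mnt=None):
    """Constructed Node record carrying only the persona fields the checks use."""
    return {"name": name, "primaryPapNode": pan == "primary", "secondaryPapNode": pan == "secondary",
            "primaryMntNode": mnt == "primary", "secondaryMntNode": mnt == "secondary"}

# Constructed states: the thread's starting hybrid pair and its target dedicated layout.
HYBRID = [node("pan1", "primary", "primary"), node("pan2", "secondary", "secondary")]
DEDICATED = [node("pan1", "primary"), node("pan2", "secondary"), node("mnt1", mnt="primary"), node("mnt2", mnt="secondary")]
```

Run `persona_problems(fetch_nodes("https://<pan>:9060", user, password))` after step 5; an empty list means both MNT personas now live on the dedicated nodes only.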

Thank you Damien :)