09-06-2019 06:15 AM
I have an ISE version 2.6 patch 2 running on SNS-3615. When I first installed it, I assigned the appliance the host name ise1.companyx.com with an IP address of 192.168.1.2. Both the forward and reverse DNS are working fine.
This ISE appliance is used only for TACACS and RADIUS authentication to manage Cisco devices such as routers, switches and firewalls.
Today, I have a requirement to re-IP address from 192.168.1.2 to 192.168.1.100 but the name will stay the same. I will update DNS to reflect the new IP. Do I just go into the ISE CLI and change the IP address to 192.168.1.100 and restart the ISE application? Is it that easy?
Are there any "gotchas" that I need to know about?
TIA
09-06-2019 06:57 AM
It would need to be in standalone mode. So if it is joined with another ISE node, you would need to remove it from the deployment first. Once in standalone mode, you go to the CLI and stop the services using "application stop ise". Then change the IP address from the CLI and restart the services using "application start ise". Rejoin back to the deployment. You may have to reissue the certificates on the node if they were issued using the IP address in any of the fields such as the Subject Alternative Name (SAN).
Personally, I never like to change the IP once it is running. I don't trust that it is a clean operation. So if the configuration isn't too crazy, I would just reset the configuration and start over.
09-06-2019 11:10 AM
@Colby LeMaire wrote: It would need to be in standalone mode. So if it is joined with another ISE node, you would need to remove it from the deployment first. Once in standalone mode, you go to the CLI and stop the services using "application stop ise". Then change the IP address from the CLI and restart the services using "application start ise". Rejoin back to the deployment. You may have to reissue the certificates on the node if they were issued using the IP address in any of the fields such as the Subject Alternative Name (SAN).
Personally, I never like to change the IP once it is running. I don't trust that it is a clean operation. So if the configuration isn't too crazy, I would just reset the configuration and start over.
Unfortunately, your answer didn't help me. I was looking for any potential side effects and hidden issues from re-IPing the appliance.
09-06-2019 11:49 AM
The documentation states that you can re-IP the nodes as long as they are in standalone mode! So it is supported and the documentation doesn't mention any side effects or anything.
However, my recommendation would be to reset the configuration and start over to avoid any potential side effects. If there were known issues with changing the IP of a node, then Cisco would not have the instructions in the documentation to do it. Or there would be a caveat in the documentation with a warning.
But anyone who has worked with Cisco appliances such as ACS, NAC, MARS, etc, would not feel comfortable with changing the IP even if they say it is ok. I wouldn't want to take the chance that there are some remnants that could cause weird issues in the future.
02-19-2020 05:15 PM
Hello Colby,
Do you have evidence of issues per a re-address of an ISE server from previous installs?
04-06-2023 04:25 AM
Thank you for providing extra insight on this topic. I do have a follow-up question on your post... When re-IPing in a clustered environment, is there a preferred order the nodes must be re-IPed in? Meaning, should the Primary admin node be re-IPed first and then the secondary admin node followed by the PSN? Or is it that the order doesn't matter?
Do you have to issue the "reset config" command via CLI?
Do you need to issue a new cert to the node again? Or can you re-use the previous cert from before you re-IPed?
04-06-2023 05:02 AM
04-06-2023 07:57 AM
Resurrecting a 2-year old + thread that has an accepted solution limits the number of people that will take a look at it. The best thing to do is to start a new thread.
09-06-2019 11:57 AM
02-19-2020 05:13 PM
Hello Damien,
Do you have details of the result when changing the IP address - what was the requirement or system requirement to do so? Can you elaborate on what went wrong?
02-21-2020 02:59 PM
If you are really worried, you may open a proactive TAC case and also have a backup plan. Each ISE deployment is different so what happened to Damien may or may not apply to yours.
Colby already mentioned that the main requirement is for the ISE node to be in standalone mode. Besides, we need to ensure proper DNS resolution before and after the re-IP.
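The two checks raised in this thread (an IP address baked into a certificate field, and forward/reverse DNS before and after the change) can be scripted. The following is an added example, not part of any post above and not Cisco tooling; it assumes the certificate has already been decoded into the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, and the function name `reip_findings` and the sample certificate are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "ise1.companyx.com"),),),
    "subjectAltName": (("DNS", "ise1.companyx.com"), ("IP Address", "192.168.1.2")),
}

def _same_ip(a, b):
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:  # value is a hostname, not an address
        return False

def reip_findings(fqdn, old_ip, new_ip, cert, forward=None, reverse=None):
    """List what still ties the node to old_ip; an empty list means clean."""
    # Default to the system resolver; callers may pass their own lookups.
    forward = forward or (lambda name: socket.gethostbyname_ex(name)[2])
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    findings = []
    # Certificate fields that carry the old address force a reissue.
    names = [("SAN", v) for k, v in cert.get("subjectAltName", ()) if k == "IP Address"]
    names += [("CN", v) for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for field, value in names:
        if _same_ip(value, old_ip):
            findings.append(f"certificate {field} contains {old_ip}: reissue")
    # Forward record must return the new address and no longer the old one.
    try:
        addrs = forward(fqdn)
    except OSError:
        addrs = []
    if not any(_same_ip(a, new_ip) for a in addrs):
        findings.append(f"A record for {fqdn} does not return {new_ip}")
    if any(_same_ip(a, old_ip) for a in addrs):
        findings.append(f"A record for {fqdn} still returns {old_ip}")
    # Reverse records: new address maps to the name, old address does not.
    for ip, is_new in ((new_ip, True), (old_ip, False)):
        try:
            name = reverse(ip).rstrip(".").lower()
        except OSError:
            name = None
        if is_new and name != fqdn.lower():
            findings.append(f"PTR for {ip} is {name}, expected {fqdn}")
        elif not is_new and name == fqdn.lower():
            findings.append(f"stale PTR: {ip} still maps to {fqdn}")
    return findings
```

Run it once before the change to see what has to be updated, and again afterwards; the second run should return an empty list.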