SNS 3315 to 3695 migration

raulantoniorz91
Level 1

Hi,

We have an end customer that wants to migrate from ISE 1.4 on SNS 3355 to ISE 2.6 on SNS 3695. He wants the most transparent transition possible. We checked and the NADs (switches, WLC, etc.) are compatible with version 2.6, and the new configuration is checked and will be reconfigured to use the new ISE. All users' PCs have AnyConnect 4.5 installed, but the compatibility matrix shows that only 4.6 and older can be used with ISE 2.6.

My questions are:

Is there a way or tool that could help with configuration and policy migration from 1.4 to 2.6?

Is there a way to enable AnyConnect version 4.5 to be compatible with ISE 2.6?

Our end customer cannot change all their users' versions at once; there are more than 500 users registered in this ISE, and replacing the old ISE with the new ISE would be disruptive to users with AnyConnect version 4.5. This customer wants the transition to be as quick as possible, as the old ISE and appliances are EoL.

Accepted Solutions

Damien Miller
VIP Alumni

My recommendation here would be to stand up a parallel ISE 2.6 deployment, and manually rebuild the ISE 1.4 config on the SNS 36x5 appliances. This will allow you to test everything and migrate at the customer's pace with very minimal disruption. I would like to point out, though, that the 3695 is a massive appliance; it supports 50,000 active endpoints in a 1 or 2 node deployment. If you are looking at less than 10,000 active endpoints, then two 3615s would probably be a better choice.

There is no migration tool for ISE versions, but you can upgrade or restore backups to newer versions, which act in a very similar way to what you might want. There is, however, no direct path to upgrade ISE 1.4 to ISE 2.6, and because of this I think it would be ideal to manually migrate by rebuilding the config on a new parallel 2.6 deployment. You can only upgrade to ISE 2.6 from v2.1+, so if you were to go down the path of the "upgrade" migration, then you would have to upgrade ISE 1.4 to 2.2, then 2.2 to 2.6.

There is no direct way to restore a backup from the 1.4 deployment to the SNS 36x5 appliances. Their minimum version is ISE 2.4 and you can't upgrade 1.4 to 2.4, only up to 2.2. It would be possible to leverage temporary VMs as an interim jump appliance, but as you can see, you have to jump through some hoops to get there. So most will recommend rebuilding, which also gives you a test environment prior to migrating.

There is a very good chance that AnyConnect 4.5 works with ISE 2.6; it's just not what the BU might have tested with. Assuming you are referring to the NAM module of AC, then at the end of the day this is an 802.1x supplicant, and it can be configured to work with any RADIUS server.


Thank you Damien for your elaborate response.

Here is a quick pointer to the ISE upgrade best practices guide, which discusses the upgrade path, how you have to migrate, best practices, etc.

https://community.cisco.com/t5/security-documents/ise-upgrades-best-practices/ta-p/3656934

-Krishnan
