09-19-2017 01:02 AM
Hi Team,
Could you please let me know whether there is any migration guide that explains how to transition from a two-node design to a large design?
Especially, I'd like to know the procedure and the service impact.
I understand that when an ISE node changes its persona, the application restarts and it could take about 15-30 min.
When adding dedicated PSN nodes to an ISE Minimum HA deployment (=> A, M and P nodes should finally change to A and M nodes):
- which node's role should I change first?
- is there any other user impact?
Customer is using RADIUS and Guest Service features.
Thank you,
Itaru
09-20-2017 05:46 AM
That is fine whichever path you choose. Note that the original nodes likely have more disk assigned to them (600GB+) since they are running the MnT role. The PSNs typically do not require more than 200GB, so if the operational cost of changing NAD configs is significant, then you can live with the over-allocation of disk to the PSNs. The only way to free up that space on a VM is to reinstall.
09-19-2017 08:39 AM
Well not knowing your certificate setup, I would tackle it this way:
Done and Done. Now you can break out Admin and M&T onto nodes 5 and 6 whenever you want without restarting any of the PSNs.
09-19-2017 09:01 AM
Paul, in general I would make the same node active for the PAN and MnT functions. However, the question was to build out a large deployment where all nodes are running dedicated personas. By keeping the original PAN nodes the same, you reduce the number of service restarts and do not impact the cert trust store for the root CA and trust.
Yes, new PSNs will need to be joined to AD.
/Craig
09-19-2017 09:09 AM
Craig,
If you are doing my cert steps right, there is no issue moving the PAN functions to the new nodes. I agree on the service restarts. I guess it comes down to touching NADs or living with the service restarts. You could definitely go from 2 to 6 using the same methodology I laid out and leave the PSNs the same.
On your same note, active for PAN and MnT: if the nodes are at the same site on the same subnet, would you always recommend that? Don't split the processing load between the nodes?
Thanks for the feedback.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
09-19-2017 10:30 AM
Both MnT nodes are always processing all logs, so the load on the primary and secondary MnT is essentially the same. The Admin UI retrieves the log and reporting info from the Primary MnT, so balance the local fetch load against network latency/load. The secondary PAN/MnT is often at a different location for HA reasons, so you need to take the network factor into consideration for retrieval of remote server data. If the nodes are in the same DC, then there may be some benefit to splitting, but we don't have any QA testing that has measured the impact.
/Craig
09-20-2017 01:03 AM
Thank you so much, Paul.
I'd like to do it the way Paul taught, because the difficult point is to keep all the NADs' configuration the same after adding two dedicated PSN nodes.
They have 1,000+ NADs in real traffic and are not willing to change their configuration.
Craig,
Thank you for your comment.
Sorry for my insufficient explanation.
Actually, the customer is planning to add two dedicated PSN nodes to the minimum design.
No dedicated MnT nodes are required currently.
That's why I focused on "( => A,M and P nodes finally should change to A and M nodes)".
I understood that in theory ISE can transition its design from minimum HA to a distributed deployment.
Thank you,
Itaru
09-19-2017 08:57 AM
If you have a window where you can allow for a temporary service outage, I would recommend starting with the registration of the dedicated MnT nodes, and then proceeding with the registration of the dedicated PSN nodes. This would allow all changes to be applied in less than an hour, but you will need to configure the NADs to point to the new PSN(s). If you configure them beforehand, then the NADs can fail over to the new PSNs if the original IPs no longer respond to RADIUS requests or health probes.
If you are unable to have a service maintenance window to make these changes, then the shortest disruption would be to pick a time of lowest activity, then register the new dedicated PSN(s). You will then point the NADs to the new PSN IP addresses. This will not impact existing sessions, but new sessions will be authenticated by the new RADIUS targets.
Once the existing NADs are pointing to the new PSNs, you can remove the PSN persona from the PAN/MnT nodes. You can then proceed to register the dedicated MnT nodes. First register the new Primary MnT node, which will remove the Primary MnT persona from the existing Primary PAN. Finally, register the new Secondary MnT node, which will remove the persona from the existing Secondary PAN.
Craig