Re: Upgrade from SNS-3595-K9 to SNS-3795-K9

Anthony O'Reilly · ‎03-26-2024

Hello,

I have two ISE 3595 (3.2 Patch 3) physical appliances, one in each Data Centre. They will be end-of-life in a few months. They are currently used for Wired NAC with Posturing, Wireless NAC (corporate, BYOD and Guest and Hotspot). It is also used for TACACS+.

They are being replaced with two SNS-3795 physical appliances.

My aim is to build both of these in a lab by backing up the config and operation databases on the 3595 and restoring on the 3795. The new appliance will have the same IP address, same hostname, same OS version and same patch level.

On the night of migration, I will move the current network cables from the current 3595 to the new 3795 in the hope of completing this in one clean swoop. I can roll back to the 3595s easily if necessary.

Is there anything I need to be aware of:

join to AD domain
certificate migration
licensing
anything else.

Thanks Anthony.

davidgfriedman · ‎03-26-2024

I thought SNS-3595 was more than upgraded by going to an SNS-3655 or SNS-3755 level device For a 2-node deployment, I'd think going to a pair of SNS-3795's was overkill. Does anyone from Cisco want to chime in?

ahollifield · ‎03-26-2024

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

You will need to re-join to AD. You will need to export/import the certificates. Keep an eye on DNS changes needed as well.

Anthony O'Reilly · ‎03-27-2024

Thanks for this.

I was thinking of this method, it is probably not recommended.

Could you do this?

Build both new ISE 3795 appliances with the same OS and Patch (3.2 Patch 3) in the lab.
Move the Admin and MnT mode to the ISE01
Remove the old secondary ISE appliance. (ISE02)
Join the new ISE appliance, let them sync. With this the primary will be 3595 and the secondary will be 3795
Failover admin and MnT to the secondary. (New-ISE02)
Remove the old primary, join the new ISE and let them sync, now both appliance will be 3795
Then at the end the following will be running:

ISE01 - Primary Admin, Secondary MnT

ISE02 - Secondary Admin, Primary MnT

Is this lazy way possible?

Thanks

Anthony

ahollifield · ‎03-27-2024

Yeah this should work. As long as you are ok with the redundancy concerns.

Anthony O'Reilly · ‎03-27-2024

Hi,

When you say redundancy concerns, are you referring to the time when both ISE appliance are not in sync and the Admin and MnT personas running on the same node?

Thanks

Anthony.

ahollifield · ‎03-27-2024

No when you only have a single ISE node online at a time. This is a small deployment with only two nodes correct?

Anthony O'Reilly · ‎03-28-2024

Yes, it is only a two-mode deployment.

Can you have a two node deployment where two node have different physical hardware. e.g 3595 and a 3795?

ahollifield · ‎03-28-2024

It should be fine for the purposes of the migration. Its nothing you want to leave for very long though as you will have mismatched scale.

Anthony O'Reilly · ‎03-28-2024

Hi,

I had a typo, the new ISE appliance will be a SNS-3755-K9 not a SNS-3795-K9. Does this impact my plan above?

ahollifield · ‎03-28-2024

Nope