
Upgrade ISE3.0 to ISE3.1 when used in SD Access network

REJR77
Level 1

Dear community,

We are running an ISE deployment with 4 SNS nodes (2 PAN/MNT and 2 PSN) running v3.0 patch 4.

This ISE deployment is integrated with DNAC servers within an SD Access fabric. The features used are mostly endpoint authentication (MAB, 802.1x) and also SGTs created/managed by DNAC.

We plan to upgrade the setup to ISE 3.1 (with regard to DNAC compatibility).

In this situation, are there specific things to take into account for the upgrade (since there is the integration with DNAC) or can we just run the upgrade as a "traditional" ISE deployment?

Our idea is to use the Backup/Restore method:

  1. URT to check upgrade
  2. Take Certificates backup / CLI config / ISE backup for each node
  3. Deregister Secondary PAN
    1. Reimage the appliance to 3.1 + Patching
    2. Adding CLI config
    3. Importing ISE backup
  4. Deregister a PSN
    1. Reimage the appliance to ISE 3.1 + patch
    2. Reload the CLI config
    3. Register to the deployment as PSN
    4. Reconnect AD join points (do we need first to delete ISE object in AD?)
  5. Testing
  6. Deregister the other PSN
    1. Reimage the appliance to ISE 3.1 + patch
    2. Reload the CLI config
    3. Register to the deployment
    4. Reconnect AD join points
  7. Check that the network looks fine
  8. Primary PAN
    1. Reimage the appliance to ISE 3.1 + patch
    2. Reload the CLI config
    3. Register to the deployment as Secondary Admin
    4. Reconnect AD join points
  9. Switching Primary and Secondary PAN/MNT
  10. Testing and validating DNAC connectivity
  11. Reconnect SmartLicensing

Any other things to take care of?

Any recommendations and feedback from experience are welcome.

Thanks

 

2 Replies

Tariq Mahmoud
Level 1

Hello, 

In my opinion, the above method would be the safest approach; however, you will need to put in extra effort compared to the traditional upgrade. Also, please keep in mind that if you do the regular upgrade, then the secondary ISE admin node would be upgraded first, and then you can upgrade one of the PSNs to test further.

Check these:
https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/upgrade_guide/HTML/b_upgrade_method_3_1.html

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/upgrade_guide/Upgrade_Journey/PDF/b_ise_upgrade_guide_3_1_pdf/m_upgradeoverview.html

You will need steps 1 and 2 regardless of the upgrade method. 

REJR77
Level 1

Any feedback regarding the upgrade and the fact that ISE is integrated with DNAC?