09-19-2016 02:21 AM - edited 02-21-2020 05:55 AM
Hello all,
I am planning to upgrade an ISE distributed deployment from release 1.4 to 2.1 and I have a few doubts I'd like to dispel with you.
Here is the architecture:
- 1 PAN
- 2 PSNs
- 2 MNTs
According to the upgrade procedure, distributed deployments need a secondary Administration Node to be created before starting the upgrade, so I'm planning to make one of the two PSNs act as the secondary admin node.
Can you first confirm that both functions (admin and policy service) can be handled by the same node during the upgrade? If so, any idea how much time I have to plan for this modification (is there any reboot required)?
Then, all nodes have to be upgraded following this specific order:
- Secondary Administration Node
- Primary Monitoring Node
- Policy Service Nodes
- Secondary Monitoring Node
- Primary Administration Node
The upgrade procedure indicates that before going further, network tests should be performed once all PSNs are upgraded. Does it mean that at this point, all requests are already processed by the "2.1 part"?
In other terms: as there is no service interruption, when exactly and how does the switchover occur?
Thank you for your help
09-20-2016 06:35 PM
When the secondary admin node is upgraded, it becomes the first node in a new deployment containing all the configuration and policies from the original deployment. As the PSNs are upgraded, they join this new deployment.
So when a given PSN is upgraded, any requests received by it will be fulfilled by the new deployment. Depending on how your NADs (switches, WLCs, ASAs, etc.) are configured, this can start when the first PSN is upgraded or the last one or some mix in between. Definitely once all PSNs are upgraded they are all part of the new 2.1 deployment and all AAA services will be provided by the 2.1 deployment. Thus the recommendation to test things out at this point.
Once the original primary PAN is upgraded, it will become secondary in the 2.1 deployment. If you wish to revert it to the primary role, you would do a standard "promote to primary" action.
09-23-2016 02:20 AM
Thank you Marvin, this is very clear.
One last question: as my plan is to have one node handling both Secondary PAN and PSN functions (seems to be possible according to the web interface), will both parts be upgraded simultaneously? If so, will the upgrade time increase?
09-23-2016 02:05 PM
Yes, you can do both roles although that means your deployment isn't fully distributed and thus your overall scale is limited (number of max endpoints).
The time may change a bit but not significantly so.
03-09-2017 01:19 PM
When the secondary admin node is upgraded, it becomes the first node in a new deployment containing all the configuration and policies from the original deployment. As the PSNs are upgraded, they join this new deployment. Vice versa is a manual process; use the "promote to primary" action.