ISE 1.4 Upgrade

vtribut01
Level 1

Hello all,

I am planning to upgrade an ISE distributed deployment from release 1.4 to 2.1 and I have a few doubts I'd like to dispel with you.
Here is the architecture:
  - 1 PAN
  - 2 PSNs
  - 2 MNTs

According to the upgrade procedure, distributed deployments need a secondary Administration Node to be created before starting the upgrade, so I'm planning to make one of the two PSNs act as the secondary admin node.
Can you first confirm that both functions (admin and policy service) can be handled by the same node during the upgrade? If so, any idea how much time I have to plan for this modification (is there any reboot required)?

Then, all nodes have to be upgraded following this specific order:
  - Secondary Administration Node
  - Primary Monitoring Node
  - Policy Service Nodes
  - Secondary Monitoring Node
  - Primary Administration Node

The upgrade procedure indicates that before going further, network tests should be performed once all PSNs are upgraded. Does it mean that at this point, all requests are already processed by the "2.1 part"?

In other terms: as there is no service interruption, when exactly and how does the switchover occur?

Thank you for your help

4 Replies

Marvin Rhoads
Hall of Fame

When the secondary admin node is upgraded, it becomes the first node in a new deployment containing all the configuration and policies from the original deployment. As the PSNs are upgraded, they join this new deployment.

So when a given PSN is upgraded, any requests received by it will be fulfilled by the new deployment. Depending on how your NADs (switches, WLCs, ASAs, etc.) are configured, this can start when the first PSN is upgraded or the last one or some mix in between. Definitely once all PSNs are upgraded they are all part of the new 2.1 deployment and all AAA services will be provided by the 2.1 deployment. Thus the recommendation to test things out at this point.

Once the original primary PAN is upgraded, it will become secondary in the 2.1 deployment. If you wish to revert it to the primary role, you would do a standard "promote to primary" action.

Thank you Marvin, this is very clear.

One last question: as my plan is to have one node handling both Secondary PAN and PSN functions (seems to be possible according to the web interface), will both parts be upgraded simultaneously? If so, will the upgrade time increase?

Yes, you can do both roles although that means your deployment isn't fully distributed and thus your overall scale is limited (number of max endpoints).

The time may change a bit but not significantly so.

Farhan Mohamed
Cisco Employee

When the secondary admin node is upgraded, it becomes the first node in a new deployment containing all the configuration and policies from the original deployment. As the PSNs are upgraded, they join this new deployment. Vice versa is a manual process: use the "promote to primary" action.
