cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
487
Views
0
Helpful
6
Replies

ISE 2.7 to 3.2 migration

stephenstown20
Level 1
Level 1

hello 

I am working on an ISE v2.7 to v3.2 upgrade /migration 

I have staged a VM with a v3.2 build 

 

I am trying to understand the timing of the handover

for example if I restore the production configuration & install the certs  from v2.7 to the v3.2 

at this point can both VM be on the network together or how is the changeover timed ?

6 Replies 6

Hi @stephenstown20 ,

 how many Nodes do you have in your Deployment ?

 

thank you for your reply
there is currently one node in production — a VM running v2.7

Hi @stephenstown20 ,

 beyond what @Aref Alsouqi said ...

 Since you only have 1x Node in Production (2.7) and another Node in 3.2:

1st make sure you are using 2.7 Patch 10 

2nd make sure you are going to 3.2 Patch 7 (please take a look at Cisco ISE Software Download)

3rd remember the Types of Cisco ISE Deployment (Table 2 at Performance and Scalability Guide for Cisco Identity Services Engine) .. at least a Small Deployment is recommended !!!

4th test the 3.2 Patch 7 first

  • Install an ISE 3.2 from scratch
  • Update to Patch 7
  • Restore the Config Backup of 2.7 Patch 10 to 3.2 Patch 7 (do NOT restore the ADE-OS)
  • Point some NADs to your new Test Environment ... I highly recommend that  : )

5th please take a look at Cisco ISE Licensing Guide, special attention to:

2.2. Cisco ISE licensing

"Smart Accounts are mandatory for any Subscription"

7. Cisco ISE license migration

Take a look at Figure 6. Mapping of 2.x and 3.x licensing model features

7.2 Migrate to VM Common licenses

"... open a Case with the Cisco Global License Operations Team to have your old or classic VM licenses converted to the new VM Common licenses in Smart Account ..."

 

Note 1: remember that Cisco ISE 3.3 Patch 3 is the Suggested Release (please take a look at Cisco ISE Software Download)

Note 2: remember that Cisco ISE 2.7 reach the End of Support on Sep 22th, 2024 (please take a look at Cisco ISE 2.7 EoL)

 

Hope this helps !!!

many thanks

Q is there any impact to production when I export certificates ?

No, exporting certificates doesn't cause any downtime or impact on ISE.

It depends on if you want to use the same IP address on the new VM or not, but usually we use the same IP address on the new deployment to avoid having to reconfigure the RADIUS/TACACS servers on the network devices. In that case, once you have the new VM ready you can shutdown or disconnect the old node from the network and change the IP address of the new one to be the same as the old one to complete the cutover.

Please note that with ISE 3.2 you have to have the licenses in your smart account, so you have to provision them into your smart account prior to use the new deployment in production. Also, the licenses for 3.2 have changed, so you have to work with Cisco licensing team to convert your old licenses to the new format and move them into your smart account.

Cisco ISE Licensing Guide - Cisco

Review Cisco Networking for a $25 gift card