Migrate ISE from 2.0 to 2.4

parau
Level 1

Hello,

 


We are planning to change the release of ISE from 2.0 to 2.4 and there are some license issues that we need to clarify.

 

The deployment has Wired, Wireless, VPN and Device Admin licenses.

 

The goals of the change are to be able to use the same features allowed by the current licenses and also change the characteristics of the VM nodes (from SNS-3495 to SNS-3595).

 

The scenarios to move to 2.4 are the following ones:

1. Upgrade the existing setup. 

 

2. Build a new setup with 2.4, then point the NADs to the new deployment, and then decommission the old deployment.

 

* Scenario 1: What kind of licenses will the current licenses from 2.0 be converted to (DA will stay DA, but what about the rest of them)? Do we need to contact Cisco to convert the licenses or will they be converted automatically during the upgrade?

 

The current deployment is using VMs based on SNS-3495 (SMALL_UCS). Is it possible, after the upgrade, to bring the deployment to use the equivalent of SNS-3595 without losing the licenses?

 

I was thinking something like:

- while the current two nodes are SNS-3495, add a new (third) SNS-3595 node
- deconfigure current secondary PAN/MnT node as PAN/MnT and make the third node secondary PAN/MnT
- add the fourth node with SNS-3595 characteristics
- wait for sync to finish and then make the third node primary PAN/MnT
- deconfigure the remaining SNS-3495 PAN/MnT and make the fourth node the secondary PAN/MnT
- remove from deployment the SNS-3495 nodes

 

However, I am concerned that licenses will be lost along the way because the UDIs will not correspond anymore with what was used for licenses.

 

* Scenario 2: Is there any way to convert the current licenses offline from 2.0 to the 2.4 equivalent and install them on the new deployment while keeping the old deployment in production (for a limited amount of time) until we migrate all the devices to the new deployment?

 

Is there a better way to achieve the goals?

 


Thanks,
Paris

6 Replies

Hi,

I suggest building a separate environment with a demo license of 60 days using
3595 VMs and migrating the NADs. This is the cleanest approach but might take
more effort. Upgrading 2.0 to 2.4 will involve other changes in behavior
which you need to analyze later, such as moving from authentication and
authorization policies to policy sets, license changes, etc. Also, I have
seen bugs related to endpoint purge policies and some custom profiling
rules not being migrated correctly in the upgrade, and I had to reapply
them manually after discovering the error.

Once this is done, you can rehost the license using the UDIs.

Thank you Mohammed for your answer.

For scenario 2, the demo license allows up to 100 endpoints, which will not work for us because we plan to migrate step by step (I do not want to risk moving everything onto a misconfigured deployment), not all devices at once, and also we have a lot more than 100 concurrent sessions.

I am aware of the changes between 2.0 and 2.4 in terms of policies and licenses, but I am still looking for the license clarifications mentioned in the initial post.

By using scenario 1, we are preserving the licenses, it's just the matter of upgrading the VM and what will happen with the licenses afterwards.

Any idea about these points?

 

 

Thanks,

Paris

I would agree with @Mohammed al Baqari's method - the consensus here in the Community (and outside too) is to rebuild, rather than upgrade. Seeing is believing ... esp when the upgrade fails spectacularly.

You can exceed your license limit of 100 and nothing bad will happen - except license violation warnings.  You have plenty of time to get your licenses converted and applied.  I think it's at least 30 days or more. 

Thanks @Arne Bier  for providing your feedback.

It's not just the number of users, but also the resources.

We are planning to deploy the equivalent of SNS-3595 (medium).

I know that you cannot fully modify the resources when deploying ISE from .ova, but you should be able to do it when .iso is used.

I was thinking of deploying eval ISE from .iso after I provide the SNS-3595 resources.

Make sure the deployment is functional by migrating a few users and then rehost the license from the old deployment to the new one.

Would something like this work?

 

Thanks,

Paris

That is exactly what I am doing, creating a parallel deployment to migrate from 2.2 to 2.4 because 3495 cannot run 2.4, so I need all my nodes as 3595 VMs/Appliances (I have successfully tested both environments in the lab, Hyper-V VMs and VMware VMs, using the ISO and manually customizing the 3595 VM configuration for a medium and large deployment).

 

I have a large deployment with the PRIMARY MNT Node unable to handle the load even with a 3595 appliance, so we are migrating to the SUPER MNT VM running 2.4 to solve this performance issue. Even though you have a medium size deployment, I would suggest you have a look at your PRIMARY MNT performance.

 

Another important detail: you need RAID 10 when configuring those VMs. A 3595 is capable of handling ISE version 2.6, so you could eventually migrate to that version in the future. BUT, check that you have enough HW resources for expansion in the future so you can eventually build your 3655 VMs for a mid-size deployment.

 

We are purchasing HW to create the 3595 VMs running 2.4 but with the capacity to deploy 3695 VMs in the future (expansion).

 

 

 

 

 

Thank you @ajc

Trying the same, you mean that you downloaded the .iso eval and built the VM with the resources you wanted so you can later migrate the services on this/these new VMs?

 

Thanks,

Paris