
ISE Migration from ESXI to HyperV

haroungh
Level 1

Dears,

We are running 2 ISE VMs on one ESXi server and we are looking to migrate both of them, one by one, to two UCS servers running Microsoft Windows Server Standard 2022.

The ISE is integrated with Firepower and DNAC; we are looking for a way to migrate ISE without downtime.

Is it possible to export the vmx files for both ISE VMs from ESXi and convert them to Hyper-V?

5 Replies

haroungh
Level 1

You mean backup and restore? We don't want to change the ISE node IP addresses or certificates. The current ISE is integrated with FMC and DNAC with certificates. Our goal is to find a way to do that without any impact in SDA Network

Yes, backup & restore.
U don't need to change IP addressing, just plan moving one half of the ISE-cube to a new deployment by isolating it from everything except internal & mgmt communications in the new deployment, & then switch prod to the new deployment with shutdown of the previously active half & unisolation of the migrated one. I did it 1M times w/o any issues. For sure u'll need some short maintenance window for the 2nd part.

UPD: "Our goal is to find a way to do that without any impact in SDA Network" this is the most interesting part. We have an issue even with promotion of secondary PAN to primary with DNAC to ISE integration. Did u promote sPAN to pPAN role already w/o issues?

haroungh
Level 1

Thanks. Yes, the ISE is configured well; the sPAN node can be promoted to pPAN.

As per my understanding, these are the steps I will follow:

1. Take a backup from the pPAN node
2. De-register the sPAN and shut it down
2. Install a new ISE node in Hyper-V with the same version, patch, IP address (the node will have the same sPAN initial config)
3. Restore the backup configuration
4. Register the new ISE node as sPAN
5. Promote the sPAN to pPAN
6. De-register the sPAN
7. Create a new ISE node and restore the backup
8. Register the newly created node as sPAN

Before doing "install a new ISE node in Hyper-V with the same version, patch, IP address (the node will have the same sPAN initial config)" ensure that your NADs & DNAC are not able to communicate with the IP of the new ISE. Remember, with redundant DNAC-to-ISE integration u'll have the sPAN IP alerting on DNAC. It will be like this (& even worse bc at some point DNAC will lose communications with all configured ISE IPs until u unisolate the new ISE-cube from DNAC & get all the IPs fully functioning as it was before the ISE migration). In the past I had no DNAC-to-ISE integration & I did it with an ACL for NADs only on the SVI terminating L3 for any new reimaged ISE node.

"4. Register the new ISE node as sPAN" - no. After step 3 u'll have a new ISE-cube with a standalone ISE deployment that u'll extend with new nodes one by one.

NOTE: with DNAC-to-ISE integration consider opening a proactive SR in Cisco TAC, as I expect surprises there with the backup & restore approach, bc f.e. we have in our account weak integration between DNAC & a large distributed ISE-cube (every time we promote sPAN to the primary role we have ERS integration fully destroyed until we revert ex-pPAN to its primary role - & it's only part of the impact we have). So getting back to this topic, carefully verify that your DNAC-to-ISE integration doesn't suffer from disabling redundant PANs & pxGrids (meaning that DNAC only experiences loss of connectivity to nodes being under maintenance). I'd plan for an extra maintenance window to check this with introduction of test downtime on your pPAN & one of the pxGrids.

