ISE 2.7 Upgrade Best Practices Guide


Accelerator
Upgrade Planning & Best Practices: ISE
Toronto District School Board
Partner: Bell Canada
Gautam Bhagwandas, Partner Customer Success Specialist
18 February 2024
Welcome
Before we begin…

1 Prerequisites
• ISE is deployed

2 Accelerator Scope
• Learn about different ways to upgrade ISE
• Evaluate which is the best method to upgrade your ISE deployment
• Know the checklist for pre-upgrade tasks
• Understand upgrade best practices
• Have a checklist for Post-Upgrade tasks

3 Engagement Review
• Discovery: 30 minutes
• Plan and prepare for ISE upgrade: 1.5 hours
• Perform upgrade and Post-Upgrade tasks: 2 hours
• Follow-up: 30 minutes

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
The last time we talked…
…this is what we learned

• ISE 2.7 deployment with 11 nodes including 9 PSNs
• User Base: 250K students, 40K staff, 450 guest accounts
• ISE Use cases: Wired / Wireless dot1x/mab, Guest Wireless
• Goal: Want to ensure a smooth upgrade unlike the previous 2.2 to 2.7 upgrade
• Smart Account: smart account [Link]
• ISE Licensing: Essentials License, ISE VM Licenses
Today’s discussion
1 Why upgrade?
2 Plan and prepare
3 Perform the upgrade
4 Post-upgrade tasks
Why upgrade?
ISE 3.0 - 3.2 release highlights
• Agentless Posture
• SAML SSO with Azure AD
• 802.1x with Azure AD using ROPC/EAP-TLS
• Random & Changing MAC Address
• Endpoint Visibility with Custom Scripts
• ISE on Amazon Web Services
• OpenAPI service
• Posture Script Condition and Remediation
• Posture support for Linux
• Streamlined Upgrade experience
• Zero Touch Provisioning
• Handle Random and Changing MAC Address
• Specific License Reservation
• ISE on Microsoft Azure Cloud
• ISE on Oracle Cloud
• Data Connect
• Cisco pxGrid Direct
• Log Analytics

[Link]/ise-videos
ISE 3.3 release highlights
• UI Navigation Improvement
• New Split Upgrade Process
• Controlled Restart after Admin Cert Renewal
• ISE Ciphers Control
• API Support for LDAP
• pxGrid Direct Visibility Enhancements
• pxGrid Context-In Enhancement
• Posture for ARM64-based Endpoints
• Use Wi-Fi Edge Analytics Data for ISE Profiling
• IPv6 Support (Guest Portal, Posture, Profiling)
• IPv6 Support for Agentless Posture
• Machine Learning based Profiling
• Multi-Factor Classification (MFC) on ISE
• Custom Attribute Re-profiling Trigger

[Link]/ise-webinars
EOL/EOS announcements
(Timeline figure) Releases shown: 3.3, 3.2, 3.1, 3.0, 2.7, 2.6, with markers for Latest Release and Suggested Release.
Milestone dates on the timeline: 31st December 2021, 22nd September 2022, 31st January 2023, 13th July 2023, 22nd September 2023, 31st January 2024, 13th July 2024, 22nd September 2024, 13th July 2025
Legend: § Software Maintenance § End of Software Maintenance § End of Support
[Link]/ise-software
ISE deploys natively on Public Clouds
• 3.1: [Link]/free
• 3.2: [Link]/en-us/free
• 3.2: [Link]/cloud/free

Default username change
Starting in 3.2, all cloud deployments will use iseadmin as the default username

Security change for the ZTP Process
Password changes will be mandatory on first login to the GUI

Secure console connection
SSH key-based authentication is mandatory for ssh console access to all cloud platforms
Major upgrade considerations
• Target version and Platform readiness
• License migration
• Upgrade path and Upgrade method
• Upgrade Tools: URT + Health Check
• Upgrade and Patching maintenance windows


ISE 3.x supported platforms

Appliance  Standalone  PSN       Processor                        Cores  Memory              Disk        RAID  Network Interfaces
           Sessions    Sessions
SNS-3615   10,000      10,000    1 - Intel Xeon 2.10 GHz 4110     8      32 GB (2 x 16 GB)   1 (600 GB)  No    2x10Gbase-T, 4x1GBase-T
SNS-3655   25,000      50,000    1 - Intel Xeon 2.10 GHz 4116     12     96 GB (6 x 16 GB)   4 (600 GB)  10    2x10Gbase-T, 4x1GBase-T
SNS-3695   50,000      100,000   1 - Intel Xeon 2.10 GHz 4116     12     256 GB (8 x 32 GB)  8 (600 GB)  10    2x10Gbase-T, 4x1GBase-T
SNS-3515*  7,500       7,500     1 - Intel Xeon 2.40 GHz E5-2620  6      16 GB (2 x 8 GB)    1 (600 GB)  No    6x1GBase-T              (EOL)
SNS-3595   20,000      40,000    1 - Intel Xeon 2.60 GHz E5-2640  8      64 GB (4 x 16 GB)   4 (600 GB)  10    6x1GBase-T              (EOL)
SNS-3715   25,000      50,000    1 - Intel Xeon 2.10 GHz 4310     12     32 GB (2 x 16 GB)   1 (600 GB)  0     2x10Gbase-T, 4x10GE SFP
SNS-3755   50,000      100,000   1 - Intel Xeon 2.30 GHz 4316     20     96 GB (6 x 16 GB)   4 (600 GB)  10    2x10Gbase-T, 4x10GE SFP
SNS-3795   50,000      100,000   1 - Intel Xeon 2.30 GHz 4316     20     256 GB (8 x 32 GB)  8 (600 GB)  10    2x10Gbase-T, 4x10GE SFP

* SNS-3515 no longer supported with ISE 3.1
* VMWare version 6.5+ required
ISE licensing model
• Starting with the ISE 3.0 release, ISE licenses are Smart Licenses only
• Cisco ISE release 2.6 and later support the use of SSM on-prem servers for smart licensing
• SLR is supported in Cisco ISE release 3.1 and later
• PLR is supported in Cisco ISE release 3.0 patch 2 and above

2.x Model
Apex (Compliance)
• Posture
• MDM Compliance
• TC-NAC
Plus (Context)
• Profiling
• BYOD (+CA, +MDP)
• Context Sharing (pxGrid Out/In)
• Rapid Threat Containment (using Adaptive Network Control)
Base (Network Onboarding)
• AAA & 802.1X
• Guest (Hotspot, Self-Reg, Sponsored)
• TrustSec (Group-Based Policy)
• Easy Connect (PassiveID)

3.x Model
Premier (Compliance & Cloud with Advantage)
• Posture
• Mobile Device Management Compliance
• Threat-Centric NAC (TC-NAC)
Advantage (Context with Essentials)
• Profiling
• BYOD (+CA, +MDP)
• Context Sharing (pxGrid Out/In)
• User Defined Network (Cloud)
• Location Service
• TrustSec (Group-Based Policy)
• Endpoint Analytics Visibility and Enforcement
• Rapid Threat Containment (Adaptive Network Control)
Essentials (User Visibility & Enforcement)
• AAA & 802.1X
• Guest (Hotspot, Self-Reg, Sponsored)
• Easy Connect (PassiveID)


Migrate licenses
ISE 2.X → ISE 3.X
• 1 Base + 1 Plus + 1 Apex → 1 Premier
• 1 Base + 1 Plus → 1 Advantage
• 1 Base → 1 Essential


ISE Device Admin license
• DA license enables TACACS on PSN node
• Applied on per PSN node basis
• Must be migrated to Smart Account


New VM Common license

Upgrade from                                Upgrade to      Ratio
R-ISE-VMS-K9=, R-ISE-VMM-K9=, R-ISE-VML-K9=  R-ISE-VMC-K9=   1:1

* Every old VM license, if present in the Smart Account, has already been automatically migrated by Cisco for seamless customer experience.
Upgrade Path to ISE 3.2
• ISE <2.7 → Two-step Upgrade (via 2.7/3.0/3.1) → ISE 3.2
• ISE 2.7/3.0/3.1 → Single-step Upgrade → ISE 3.2


Upgrade Methods
• Backup & Restore: Restore ISE config backup to freshly installed version of ISE
• GUI: Easier with health checks (Full Upgrade / Split Upgrade)
• CLI: Individual nodes are upgraded manually


Upgrade Best Practices
Pre-upgrade validations (to-do list)
Prior to this list, make sure you’ve performed all software compatibility checks from the ISE compatibility matrix and network devices documentation.

Backup
• Configuration, Operational, Endpoints .csv
• Load balancers
• Export certificates and private keys
• Export internal CA certificates from CLI

Clean
• Delete expired certificates
• Purge excess operational data, inactive endpoints and guest accounts

Take notes
• AD credentials – token credentials (RSA)
• MDM credentials
• Profiler configuration for each PSN

Do not forget
• Disable automatic PAN failover
• Disable scheduled backups
• Configure a repository and download the latest URT and upgrade bundle


Upgrade Readiness Tool
Download and run the URT

Flow of checks:
1. Supported version of ISE? (2.7 – 3.1)
2. Running on Standalone or Secondary PAN?
3. Age of URT bundle (45 days)?
4. Pre checks met (disk, NTP, RAM, certs)?
5. Clone configuration DB
6. Schema and Data upgrade on the cloned DB
Success: Time Estimate for Upgrade
Failure: Log bundle → TAC

While running the URT, do not simultaneously
• perform backup or restore data
• make persona changes


On-demand ISE Health Check *
Validating ISE deployment against critical errors

The following are validated:
• Platform support
• Deployment validation
• DNS resolvability
• Trust store cert validation
• System cert validation
• Disk space
• NTP reachability
• Load average
• MDM validation
• License validation

The result of the check can be downloaded, and critical errors (if any) can be fixed before upgrade.
This is an optional step and NOT an alternative for URT. Rather, it serves as an additional check.

* Available on latest patches of 2.6 and 2.7 for 2.x versions
Schedule maintenance window
• Use maintenance windows for updates and upgrades
• Communicate about possible downtime
• Minimize downtime: upgrade your PSNs in batches to reduce downtime
• Schedule extra time, you might need it


Preparing to upgrade

Plan and prepare
• Compatibility checks and upgrade path
• Pre-upgrade activities
• Upgrade Readiness Tool and Health Check
• Maintenance window
ISE licensing model - Structure

2.x Model
• Apex – Compliance
• Plus – Context
• Base – User Visibility and Enforcement
• Hybrid - support either PAK or Smart
• Lego model – licenses are not overlapped each other
• Base is Perpetual, Plus and Apex are Term
• Device Admin needs 100 Base licenses

3.x Model
• Premier – Compliance and Cloud – Full Stack
• Advantage – Context
• Essentials – User Visibility and Enforcement
• Support Smart licensing only
• Nested doll model – higher tier license covers lower tier license
• All Endpoint licenses are term-based
• Device Admin does not need any tier licenses
Upgrade path to ISE 3.1

Single-step upgrade
You can upgrade directly to 3.1 if you have the following ISE versions:
• Cisco ISE, Release 2.6
• Cisco ISE, Release 2.7
• Cisco ISE, Release 3.0

Two-step upgrade
• If you are currently using a version earlier than Cisco ISE, Release 2.6, you must first upgrade to one of the releases that are listed above and then upgrade to Release 3.1
Upgrade path to ISE 3.0

Single-step upgrade
You can upgrade directly to 3.0 if you have the following ISE versions:
• Cisco ISE, Release 2.4
• Cisco ISE, Release 2.6
• Cisco ISE, Release 2.7

Two-step upgrade
• If you are currently using a version earlier than Cisco ISE, Release 2.4, you must first upgrade to one of the releases that are listed above and then upgrade to Release 3.0
Backup
Back up:
1. Config & Operational
2. Certificates
3. System Logs
Review and download software
• CCO Repository
• Download Upgrade Bundle
• Review Upgrade Guide and Release Notes
Upgrade Readiness Tool
Download and run the URT

Flow of checks (2.4 – 2.7 source versions):
1. Supported version of ISE? (2.4 – 2.7)
2. Running on Standalone or Secondary PAN?
3. Age of URT bundle (45 days)?
4. Pre checks met (disk, NTP, RAM, certs)?
5. Clone configuration DB
6. Schema and Data upgrade on the cloned DB
Success: Time Estimate for Upgrade
Failure: Log bundle → TAC

While running the URT, do not simultaneously:
• Perform backup or restore data
• Make persona changes
URT time estimates for Demo upgrade
• Secondary PAN, 1MNT, PSN – 74 Mins
• PSN (each or in tandem) – 57 Mins
• Primary PAN, 2MNT, PSN – 67 Mins

URT Estimate: 198 Mins
GUI Estimate: 660 Mins
On-demand ISE Health Check *

* Available on later patches of 2.6 and 2.7 for 2.x versions

Color key:
Red indicates critical error, orange denotes warning and green means it is safe to proceed
Demo: Upgrade Readiness Tool and Health Check
Schedule maintenance window
• Use maintenance windows for updates and upgrades
• Communicate about possible downtime
• Minimize downtime: do not upgrade all of your PSNs at once
• Schedule extra time, you might need it

Factors that affect upgrade time
• Number of endpoints
• Number of users and guest users
• Number of logs in a monitoring or standalone node
• Profiling service, if enabled

How to estimate
Type of Deployment  Node Persona                                Time Estimate
Standalone          Administration, Policy Service, Monitoring  240 mins + 60 mins for every 15 GB of data
Distributed         Secondary Admin Node                        240 mins
Distributed         Policy Service Node                         180 mins
Distributed         Monitoring                                  240 mins + 60 mins for every 15 GB of data
Choosing upgrade options
ISE deployment types
Node types: Policy Administration Node (PAN), Monitoring & Troubleshooting Node (MnT), Policy Services Node (PSN), pxGrid Controller

• Lab and Evaluation
• Small HA Deployment: 2 x (PAN+MNT+PSN)
• Medium Multi-node Deployment: 2 x (PAN+MNT+PXG), <= 6 PSN
• Large Deployment: 2 PAN, 2 MNT, <=50 PSNs + <= 4 PXGs
Upgrade types
Split upgrade compared to Full upgrade

Split
• Multi-step sequential process to upgrade your deployment while the services are available.
• Takes longer time than full upgrade.

Full
• Two-step process to upgrade all nodes in parallel with service outage
• Takes less time than split upgrade
Upgrade supported paths
Split Upgrade to ISE 3.1: from 3.0 any/no patch, 2.7 any/no patch, 2.6 any/no patch
Full Upgrade to ISE 3.1: from 3.0 Patch 3 and above, 2.7 Patch 4 and above, 2.6 Patch 10 and above

Split compared to Full upgrade
Aspect                   Split                           Full
Sequential               Yes                             No
Highly Available         Yes                             No
Time taken for upgrade   ~240 mins per node              ~480 mins
Recommended              High Availability is required   Faster upgrade and downtime is not a concern
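To turn the per-persona estimates from the maintenance-window slide (PSN 180 mins; Secondary Admin 240 mins; Monitoring and Standalone 240 mins + 60 mins per 15 GB of data) and the split-versus-full comparison above into a window plan, here is an added example in Python; it is not part of the deck or of Cisco's tooling. The node inventory, the per-site PSN batching, the 25% buffer and the rule that a batch upgraded in tandem costs as much as its slowest node are this example's own assumptions.

```python
"""Maintenance-window estimate for an ISE split or full upgrade (added example).

Per-persona figures are the deck's: PSN 180 min, Secondary Admin 240 min,
Monitoring or Standalone 240 min + 60 min per 15 GB of data; a full upgrade
is the primary PAN first, then every other node in parallel. The inventory,
the site batching and the 25% buffer are constructed assumptions.
"""
from __future__ import annotations
import math
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    persona: str          # "PAN", "MNT", "PSN" or "STANDALONE"
    role: str = ""        # "primary" / "secondary" for PAN and MNT
    site: str = ""        # PSNs are batched per site so other sites keep serving
    data_gb: float = 0.0  # operational data; only matters for MNT / STANDALONE


def persona_minutes(node: Node) -> int:
    """Time estimate for one node, from the deck's estimate table."""
    if node.persona == "PSN":
        return 180
    if node.persona == "PAN":
        return 240
    if node.persona in ("MNT", "STANDALONE"):
        # 240 min plus 60 min for every started 15 GB of data
        return 240 + 60 * math.ceil(node.data_gb / 15)
    raise ValueError(f"unknown persona {node.persona!r}")


def split_upgrade_plan(nodes: list[Node]) -> list[list[Node]]:
    """Ordered batches of the deck's split upgrade:
    SPAN -> PMnT -> PSNs one site at a time -> SMnT -> PPAN.
    Nodes inside a batch are upgraded in tandem."""
    def pick(persona: str, role: str) -> list[Node]:
        return [n for n in nodes if n.persona == persona and n.role == role]

    sites: dict[str, list[Node]] = {}
    for n in nodes:
        if n.persona == "PSN":
            sites.setdefault(n.site, []).append(n)

    batches = [pick("PAN", "secondary"), pick("MNT", "primary")]
    batches += [sites[s] for s in sorted(sites)]
    batches += [pick("MNT", "secondary"), pick("PAN", "primary")]
    return [b for b in batches if b]


def split_upgrade_minutes(nodes: list[Node]) -> int:
    """Batches run back to back; a batch costs as much as its slowest node."""
    return sum(max(persona_minutes(n) for n in b) for b in split_upgrade_plan(nodes))


def full_upgrade_minutes(nodes: list[Node]) -> int:
    """Primary PAN first, then all remaining nodes in parallel."""
    ppan = [n for n in nodes if n.persona == "PAN" and n.role == "primary"]
    rest = [n for n in nodes if n not in ppan]
    return max(persona_minutes(n) for n in ppan) + max(persona_minutes(n) for n in rest)


def window_hours(minutes: int, buffer: float = 0.25) -> int:
    """Whole hours to request, with extra time on top ("schedule extra time")."""
    return math.ceil(minutes * (1 + buffer) / 60)


# Constructed inventory: 2 PAN, 2 MnT and 6 PSNs spread over three sites.
DEMO_NODES = [
    Node("ppan", "PAN", "primary"),
    Node("span", "PAN", "secondary"),
    Node("pmnt", "MNT", "primary", data_gb=30),
    Node("smnt", "MNT", "secondary", data_gb=45),
    Node("psn-a1", "PSN", site="Site A"), Node("psn-a2", "PSN", site="Site A"),
    Node("psn-b1", "PSN", site="Site B"), Node("psn-b2", "PSN", site="Site B"),
    Node("psn-c1", "PSN", site="Site C"), Node("psn-c2", "PSN", site="Site C"),
]

if __name__ == "__main__":
    for i, batch in enumerate(split_upgrade_plan(DEMO_NODES), 1):
        print(f"batch {i}: {[n.name for n in batch]}")
    s, f = split_upgrade_minutes(DEMO_NODES), full_upgrade_minutes(DEMO_NODES)
    print(f"split: {s} min (~{window_hours(s)} h), full: {f} min (~{window_hours(f)} h)")
```

With the constructed inventory the split path adds up to 1800 minutes across seven batches while the full upgrade needs 660 minutes, which is the trade-off the comparison table states: the split keeps sites serving, the full upgrade is faster but takes everything down.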
Performing the upgrade

Upgrade Flow
1. Health Checks
2. Choose Upgrade method
3. Prepare for Upgrade
4. GUI-Full/Split Upgrade
5. Post-Upgrade Tasks
Split upgrade
Split upgrade
• Sequential: allows the administrator to choose PSNs in sequence based on location/sites, so there is no downtime to endpoint services
• Run the URT tool to identify any data upgrade issues prior to upgrade

Distributed Deployment Upgrade process
Medium and large deployments with split upgrade
Pre-upgrade deployment: PPAN, SPAN, PMnT, SMnT, PSN, PSN
Post-Upgrade deployment: PPAN, SPAN, PMnT, SMnT, PSN, PSN

Steps – all automatic
1. SPAN: Deregister, config data upgrade, promote to PPAN
2. PMnT: Deregister, register in new deployment, download and import data; Operational data upgrade
3. PSN1: Deregister, register in new deployment, download and import data
4. PSN2: Deregister, register in new deployment, download and import data
5. SMnT: Deregister, register in new deployment, download and import data; Operational Data upgrade
6. PPAN: Register, download and import data
Upgrade Readiness Tool (URT)
Split Upgrade

URT runs on 2.X/3.X and checks:
• Persona
• Version
• Disk Space
• NTP
• System/trusted Certificates Status
• Memory

Then it:
• Clones the configuration DB
• Performs the Schema and DB upgrade
• Estimates the time for upgrade
Minimize downtime during upgrades
Split Upgrade

Site/Location A → Seq A
Site/Location B → Seq B
Site/Location C → Seq C

• Do not upgrade all PSNs at once
• Strategically upgrade your PSNs in clusters
• While upgrading a cluster, configure NADs with secondary/tertiary RADIUS servers so that endpoints are not affected during upgrade
Upgrade options: Split Upgrade
CLI / GUI / Backup-Restore

CLI-based
• First upgrade all secondary nodes, only then PAN*
• Need to upload upgrade bundle to all nodes manually

GUI-based
• ISE will push upgrade bundle to all nodes automatically
• Single click upgrade

Backup-Restore
• Backup old version, restore on new version
• Minimizes downtime and works best for virtual deployments

*Check upgrade guides for better understanding
Upgrade options
GUI – Split Upgrade
Step 1: Single click upgrade
Step 2: Customizable options for PSN order
Step 3: Upgrade PSNs in tandem or groups
Step 4: Once finished, promote original PAN and MNT
Step 5: Install latest patch
Upgrade options
CLI – Split Upgrade
Warning: Recommended for troubleshooting only
Step 1: Manual Process
Step 2: Upgrade each node individually
Step 3: Copy upgrade image to each node (9GB)
Step 4: Prepare and execute the upgrade
Step 5: Monitor each node individually
Step 6: Install the latest patch
Upgrade options
Backup, reimage (create new), restore – Split Upgrade

Overview of the steps
Step 1: Back up configuration database
Step 2: Install ISE 3.x (new VM or HW) or reimage existing node(s)
Step 3: Restore your backup
Step 4: Join nodes to the new deployment
Step 5: Install the latest patch

Discussed in detail in the next section
Backup and Restore Method
Detailed Steps
Backup and Restore
Split Upgrade
Backup and Restore is recommended in the following scenarios:
• ISE nodes are deployed on VMs and, to upgrade to 3.x, the VM resources need to be increased (ISE 3.x needs increased resources compared to 2.x)
• ISE nodes are deployed on hardware (SNS) and need to upgrade to 3.x by moving from hardware to VMs
• ISE nodes are deployed on VMs or hardware and need to upgrade to 3.x by moving to ISE nodes which are cloud native
• Any other kind of migration with different underlying infrastructure between versions
Backup and Restore
Detailed steps
Prepare
• Retrieve backup from original ISE Primary admin (make a note of key used)
• Export internal CA store from PAN CLI (application configure ise -> internal CA store)
• Export the system certificates with their keys
• Export trusted certs for the chains of the certs in use
• Get a copy of ‘show run’ from all ISE node CLIs
Backup and Restore
Execute during maintenance window
• De-register the node from the deployment and properly power off the VM
• Re-image the node to the new ISE version and install using the OVA (preferred) or ISO
• Assign the same hostname and IP address as before (use the ‘show run’ retrieved earlier)
• Install latest patch
• Promote node from standalone to Primary PAN
• Restore config backup but do not include the ADE-OS when restoring the config (after this is done, if the node is also serving as a PSN, it will start processing RADIUS traffic from the NADs since it will now contain the NAD configuration)
• After the restore is completed, clear the browser cache, close the browser, and open a new browser session before accessing the ISE GUI
Backup and Restore
Execute during maintenance window (contd.)
• Import trusted certs
• Import system certs and private keys
• Import the CA store if missing (application configure ise -> import CA store)
• Re-join node to Active Directory
• Verify reverse DNS lookup and that the config has been restored properly
• Register to Smart Licensing Portal
• De-register, re-image, patch and join the remaining nodes in the order specified on the next slide
Backup and Restore
Order  Pre-upgrade  Post-Upgrade
1      PPAN         PPAN
2      SMnT         PMnT
       PSN          PSN
       PSN          PSN
4      PMnT         SMnT
5      SPAN         SPAN
Backup and Restore
Detailed steps
Verify
• All nodes are in sync and are joined to AD
• Smart licensing is enabled and registered
• Test your use cases or features
• Live logs and reports work fine for the tests
Backup and Restore
Consistency between old and new deployments (optional)
• If you would like to keep the hostname and IPs of the primary and secondary nodes consistent between old and new deployments, there are additional steps for the maintenance window
• All these steps involve service restarts and can prolong the maintenance window
• Shut down the PAN using the command “application stop ise” on its CLI, press Enter to save ADE-OS and press y to continue stopping all ISE services on this node
• Then type “halt” and press Enter
• Log in to the secondary admin GUI and click on “Make Primary” on the deployment page
• Power on the node that was primary and was shut down. It will set itself as secondary
• Again, make sure all nodes are in sync. Test your use cases.
Upgrade options
Hybrid Approach – Split Upgrade
Step 1: Deregister Secondary PAN from GUI
Step 2: Reimage all other nodes in the deployment
Step 3: Manually join all nodes to PAN and sync
Step 4: Promote original Primary PAN
Step 5: Reimage the single upgraded node
Step 6: Join the reimaged node to the deployment
Step 7: Install the latest patch
What works best for you?
Split Upgrade

Aspect                    Backup/Restore                   GUI                              CLI                               Hybrid
Complexity                Medium                           Easy                             Complex / Manual Process          Easy
Access to Appliance / VM  Required                         Minimal/Mainly for URT           Required                          Required
Parallel Ability          Yes                              PSNs Only                        Yes, in a specific order          Only need to upgrade one node
Rollback                  Not possible, requires reimage   Limited                          Yes                               Limited
                          to previous version
Previous Artifacts        No, clean image                  Maintained (disk issues from     Maintained                        No, clean image
                                                           previous defects)
Time                      Medium                           Longer Time                      Medium, requires active           Longer Time
                                                                                            monitoring per node
Resources                 Large number of staff,           Small number of staff            Small number of staff             Large number of staff,
                          additional VM resource                                                                              temporal VM resource
Errors                    Minimal                          Possible if not using            Possible if not skilled in CLI    Minimal
                                                           best practice
Demo: GUI-Split Upgrade
Full Upgrade
Full upgrade process
Pre-upgrade deployment: PPAN, SPAN, PMnT, SMnT, PSN, PSN → 3.1 release: PPAN, SPAN, PMnT, SMnT, PSN, PSN
1. PPAN gets upgraded (240 mins)
2. Rest of the nodes upgraded in parallel (240 mins)

Benefits:
• No persona changes
• Quicker upgrade
• Reliable

Cons:
• No High Availability
Pre checks: Full Upgrade
URT, in the Full Upgrade:
• Checks if repository is configured for all nodes
• Downloads upgrade bundle and helps to prepare upgrade DB for all nodes
• Checks if 25% free memory space on PAN or standalone and 1GB for other nodes
• Checks if PAN-HA is enabled
• Checks whether scheduled backup is enabled
• Checks for recent (in recent week) backup taken

• Enhanced Pre checks
• No URT required
Pre checks
Full Upgrade
1. Repository Validation
2. Bundle Download
3. Memory Check
4. PAN Failover Validation
5. Schedule Backup Check
6. Config Backup Check
7. Configuration Data Upgrade
8. Platform Support Check
9. Deployment Validation
10. DNS Reachability
11. Trust Store Certificate Validation
12. System Certificate Validation
13. Disk Space Check
14. NTP Reachability and Time Source Check
15. Load Average Check
16. License Validation
17. Services or Process Failures
Pre-checks (1/2)
• Repository is configured for all nodes
• Downloads upgrade bundle
• 25% free RAM on PAN or standalone and 1GB for other nodes
• PAN-HA enabled status
• Scheduled backup is configured
• Recent backup taken (1 week)
• Schema, data upgrade and prepares upgrade DB dump
• Platform support: minimum 300GB HDD, 12 Core CPU, 16GB RAM; Eval node is not supported; 3515 is not supported
• Nodes’ sync status
Pre-checks (2/2)
• Forward and Reverse DNS Lookup
• Trust Store certificates’ expiry
• System certificates expiry
• 40GB free space
• NTP configured in the system and source time validation
• System load on an interval of 5, 10 or 15 minutes
• MDM configured reachability
• Smart license configuration and validity
• Service or Application status
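The pre-check lists above can be turned into a small evaluator run against node status collected before the window; this is an added example in Python, not Cisco's pre-check implementation. The thresholds are the ones on the slides; the severity assigned to each finding (red/orange/green as in the health-check colour key), the 30-day certificate warning and the node records are this example's assumptions.

```python
"""Evaluator for the full-upgrade pre-checks listed above (added example).

Thresholds are the deck's: repository configured on every node, 25% free RAM
on a PAN/standalone and 1 GB elsewhere, minimum 300 GB disk / 12 cores /
16 GB RAM, SNS-3515 and eval nodes unsupported, 40 GB free disk, NTP
configured, no expired system or trust-store certificate, a config backup
within the last week, nodes in sync. The severities, the 30-day certificate
warning and the node records are this example's assumptions.
"""
from __future__ import annotations
from datetime import date

CRITICAL, WARNING, OK = "red", "orange", "green"
TODAY = date(2024, 2, 18)  # constructed reference date (the workshop date)


def check_node(n: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one node's status record."""
    f: list[tuple[str, str]] = []
    pan_like = n["persona"] in ("PAN", "STANDALONE")

    if not n["repository_configured"]:
        f.append((CRITICAL, "no repository configured for the upgrade bundle"))

    free_pct = 100 * n["ram_free_gb"] / n["ram_total_gb"]
    if pan_like and free_pct < 25:
        f.append((CRITICAL, f"{free_pct:.0f}% RAM free, PAN/standalone needs 25%"))
    elif not pan_like and n["ram_free_gb"] < 1:
        f.append((CRITICAL, f"{n['ram_free_gb']} GB RAM free, need 1 GB"))

    if n["model"] == "SNS-3515" or n["eval"]:
        f.append((CRITICAL, f"{n['model']}{' eval' if n['eval'] else ''} node is not supported"))
    if n["disk_total_gb"] < 300 or n["cores"] < 12 or n["ram_total_gb"] < 16:
        f.append((CRITICAL, "below the 300 GB disk / 12 core / 16 GB RAM minimum"))
    if n["disk_free_gb"] < 40:
        f.append((CRITICAL, f"{n['disk_free_gb']} GB free disk, need 40 GB"))
    if not n["ntp_configured"]:
        f.append((CRITICAL, "NTP is not configured"))

    for cert, expiry in n["certs"].items():  # system and trust-store certificates
        days = (expiry - TODAY).days
        if days < 0:
            f.append((CRITICAL, f"certificate {cert} expired {-days} days ago"))
        elif days <= 30:
            f.append((WARNING, f"certificate {cert} expires in {days} days"))

    if pan_like:
        # The deck's to-do list: disable PAN failover and scheduled backups first
        if n["pan_ha_enabled"]:
            f.append((WARNING, "automatic PAN failover is still enabled"))
        if n["scheduled_backup_enabled"]:
            f.append((WARNING, "scheduled backup is still enabled"))
        last = n["last_backup"]
        if last is None or (TODAY - last).days > 7:
            f.append((CRITICAL, "no configuration backup within the last 7 days"))

    if not n["in_sync"]:
        f.append((CRITICAL, "node is out of sync with the primary PAN"))
    return f


def overall(findings: list[tuple[str, str]]) -> str:
    """Worst severity wins: red > orange > green."""
    sev = {s for s, _ in findings}
    return CRITICAL if CRITICAL in sev else WARNING if WARNING in sev else OK


def run_precheck(nodes: list[dict]) -> dict[str, str]:
    return {n["name"]: overall(check_node(n)) for n in nodes}


def _node(name, persona, model, **over):
    """Constructed healthy record; keyword overrides create the failing cases."""
    rec = dict(name=name, persona=persona, model=model, eval=False,
               repository_configured=True, ram_total_gb=96, ram_free_gb=40,
               disk_total_gb=600, disk_free_gb=120, cores=12, ntp_configured=True,
               certs={"admin": date(2025, 1, 1), "eap": date(2025, 1, 1)},
               pan_ha_enabled=False, scheduled_backup_enabled=False,
               last_backup=date(2024, 2, 15), in_sync=True)
    rec.update(over)
    return rec


DEMO_NODES = [
    _node("ppan", "PAN", "SNS-3655", certs={"admin": date(2024, 3, 9), "eap": date(2025, 1, 1)}),
    _node("psn-old", "PSN", "SNS-3515", ram_total_gb=16, ram_free_gb=0.5, cores=6, disk_free_gb=30),
    _node("psn-new", "PSN", "SNS-3655"),
]

if __name__ == "__main__":
    for node in DEMO_NODES:
        findings = check_node(node)
        print(f"{node['name']}: {overall(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```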
Demo: Full Upgrade
Install Latest Patch
Installing Patch
Pointers and Best Practices
• It is suggested to install the latest patch post-upgrade
• Patches contain bug fixes and vulnerability fixes for the upgraded version
• The same maintenance window can be used for patch installation as well
• Patch can be installed from GUI or from CLI
• With the GUI option, once initiated, the patch gets installed on the PAN first and then on the rest of the nodes one by one, automatically
• With CLI, you get to decide the sequence of nodes, and the patch can be installed in parallel on multiple nodes at the same time. Be sure to be on the same patch level for all nodes in the deployment
• The Full upgrade method offers patch installation along with the upgrade as an option
• Cisco ISE patches are cumulative. For example, installing patch 11 will include all the fixes from patch 1 to patch 10
• Patch installation performs a reboot of the ISE server
Post-Upgrade tasks
Post-Upgrade tasks
• Verify Licenses
• Verify virtual machine settings
• Rejoin AD
• Restore Certificates
• Regenerate Root CA if necessary
• Update Profiling, posture and CP
• Restore MnT backup
• Refresh TrustSec Policies
• Update CP resources
• Restart TC-NAC adaptors

Upgrading
Post-Upgrade tasks
Best Practices
• Run an on-demand health check, which ensures basic sanity checks are run
• Cleanup from previous upgrades: application upgrade cleanup from CLI (for split upgrade only)
• Test and verify your use cases and authentications
• Reconfigure scheduled backups – Run a manual backup
• Enable automatic PAN Failover (if configured) and heartbeat for PANs
ISE Upgrade Program
Old 2.x Model → New 3.x Model (Migrate) → Upgrade with one-time incentive (CCW)
• 1,000 Base + 1,000 Plus + 1,000 Apex → 1,000 Premier → 1,000 Premier
• 1,000 Base + 1,000 Plus → 1,000 Advantage → 1,000 Advantage
• 1,000 Base → 1,000 Essentials → 1,000 Advantage or 1,000 Premier

Migrate: Migrate from ISE 2.x to 3.x following the existing process and note the remaining Base licenses which would get converted to Essentials.
Upgrade with discounts: Upgrade Base to Advantage or Premier licenses for a 3-5 year term instead of keeping them as Essentials, and receive a lucrative one-time incentive.
Receive upgraded licenses: Upgrades will be deposited in Smart Accounts with Subscription IDs for easy renewals. Customers can now continue to use TrustSec and explore new use cases.
Key points to remember
• Choose your upgrade path as well as upgrade type (split in contrast to full)
• Prepare your system for upgrade
• Download upgrade and patch bundles on repository beforehand, and verify their MD5
• Install latest patch of your current release after upgrade
• Perform Post-Upgrade tasks
Scheduling the Follow-up Meeting
Continuing your journey
(Lifecycle figure) Stages: Need, Evaluate, Select, Purchase, Onboard, Implement, Use, Engage, Adopt, Optimize, Recommend, Advocate, Renew, Align, Accelerate
Resources for your ISE journey
Related Ask the Experts sessions:
• Upgrade Planning & Best Practices: Upgrading ISE
• Deployment Best Practices: Best Practices in User Deployments

Related Accelerators:
• Getting Started: ISE

Continue the conversation in the communities: ISE

Related information: [Link]
• Upgrade Webinar by ISE TME
• Upgrade ISE with Full Upgrade Method
• ISE Upgrade Journey

Learn more about our available services.