I wanted to share with you a template I made for an ISE upgrade. In this case I did a backup/restore from 2.1 to 2.6.
Restoring the ISE config is recommended for major version upgrades like this. It’s a better method than using the URT or doing an upgrade because with this method you can test everything before the maintenance.
- Back up the old ISE config (operational data not needed)
- Back up the old ISE certs (they should be in the backup, but go ahead and take manual exports just in case)
- (Note: all the steps below are done on the new 2.6 VMs)
- Deploy 2x 2.6 OVAs (12 vCPU, 600 GB) (ISE-22.214.171.124-virtual-SNS3615-SNS3655-600.ova)
- Put them in their own VLAN, along with a Windows VM (server or workstation), so they don’t interfere with your network
- Configure their hostnames, DNS, NTP, and all of that to match the real nodes
- Restore the config backup on one new ISE VM
- If after the restore the VM shows it’s NOT standalone in deployment settings, deregister node 2.
- If the deployment settings show it’s a standalone, convert it to primary.
- Add ISE 1’s and ISE 2’s admin certs as trusted to each other (or else they can’t join a deployment)
- Register node 2 (may need static DNS via the CLI command “ip host x.x.x.x ise2.domain.com”)
- Rehost the licenses from the Cisco portal to transfer them to the new 2.6 VMs, or email Cisco licensing (if emailing licensing, do this well beforehand)
  a. Note that you will have a 90-day trial if you don’t get the licensing transferred over
  b. Now we disconnect the NICs of the old ISE nodes or shut them down. This is the intrusive step that will take down the environment.
- Change the port-group of the new ISE nodes to be the real data VLAN
- Reload both new nodes
- Verify NTP and DNS are working
- Join AD for both PSNs
- Test connectivity and verify RADIUS + TACACS
Note that after ISE 2.4, licensing and policy sets change, so I recommend doing the restore well before the cutover date to allow remediation time for errors.
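The last two checks in the list (DNS resolution of the nodes, and a RADIUS test against the new PSN) can be scripted so the same test runs in the isolated VLAN before the cutover and again on the real data VLAN afterwards. The following is an added example, not code from the original post or from Cisco: it uses only the Python standard library, builds a RADIUS Access-Request with a PAP User-Password (RFC 2865) and checks the Response Authenticator of whatever comes back, so a wrong shared secret shows up as an invalid response rather than a silent reject. The node hostnames, shared secret, test account and NAS-IP are placeholders to replace with your own.

```python
"""Post-cutover checks: resolve node hostnames and run one RADIUS PAP test.

Added example (not from the original post). All hostnames, the shared
secret and the test credentials below are placeholders.
"""
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes (RFC 2865) and fixed header size
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER_LEN = 20


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide User-Password per RFC 2865 5.2: pad to a multiple of 16 bytes,
    then XOR each block with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt (what the server does); padding is stripped,
    so a password that itself ends in NUL bytes would lose them."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute-value pair: Type, Length (incl. 2 header bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Access-Request carrying User-Name(1), User-Password(2), NAS-IP-Address(4)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(1, username.encode())
             + avp(2, pap_encrypt(password.encode(), secret, authenticator))
             + avp(4, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side, used here to show the authenticator rule:
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(response, request_authenticator, secret) -> bool:
    """True only if the reply was produced with our shared secret for our request."""
    if len(response) < HEADER_LEN:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length < HEADER_LEN or length > len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator
                           + response[HEADER_LEN:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def resolve_nodes(hostnames):
    """Map each node hostname to its A record, or None if DNS does not resolve it."""
    result = {}
    for host in hostnames:
        try:
            result[host] = socket.gethostbyname(host)
        except socket.gaierror:
            result[host] = None
    return result


def radius_check(psn, secret, username, password, nas_ip="127.0.0.1", port=1812, timeout=3.0):
    """Send one Access-Request; return 'accept', 'reject', 'other', 'invalid-response' or 'timeout'."""
    ident, auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, secret, username, password, nas_ip, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (psn, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    # Wrong ID or a bad Response Authenticator usually means a shared-secret mismatch
    if data[1] != ident or not response_is_authentic(data, auth, secret):
        return "invalid-response"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(data[0], "other")


if __name__ == "__main__":
    NODES = ["ise1.example.com", "ise2.example.com"]  # placeholder hostnames
    print(resolve_nodes(NODES))
    print(radius_check(NODES[0], b"placeholder-shared-secret", "testuser", "testpass"))
```

Run it once from the Windows or Linux test VM in the isolated VLAN (the PSN must have that VM's address defined as a network device with the same shared secret) and once more after the port-group change; an "accept" or "reject" proves the PSN is reachable and the secret matches, while "invalid-response" points at the secret and "timeout" at connectivity or the network device definition.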