Cisco Identity Services Engine Upgrade Guide, Release 1.1.x
Upgrading a Distributed Deployment

Upgrading Distributed Deployment


This chapter contains the following topics:

Performing a Split Deployment Upgrade

Replacing Appliances Running Cisco ISE Release 1.1 with Appliances Running Release 1.1.x in a Distributed Deployment

Performing a Split Deployment Upgrade

To upgrade the Cisco ISE nodes in a distributed deployment to Release 1.1.x, you must use the split deployment upgrade method.

The configuration changes that are made to the Primary Administration ISE node database are applied to the secondary Administration ISE node, the Inline Posture node, and all the secondary nodes in your deployment. This allows you to replicate the database on all the nodes from the Primary Administration ISE node so that each node has a local copy of the configuration. Replication of configuration data across all nodes may introduce complications in terms of functionality changes that are implemented within the latest version and the required configuration.

For more information on centralized configuration and management of Cisco ISE nodes in a distributed deployment, see Cisco Identity Services Engine User Guide, Release 1.1.x, Chapter 10, "Setting Up ISE in a Distributed Environment".


Note When you upgrade a complete Cisco ISE deployment, Domain Name System (DNS) server resolution is mandatory; otherwise the upgrade will fail.



Note During the split deployment upgrade, before you register the nodes to the new primary Administration node, you must do the following:

If you use self-signed certificates, you must import the self-signed certificates of all nodes to your new primary Administration node.

If you use different CA certificates for the nodes, you must import all the CA certificates into the new primary Administration node.

If you use the same CA certificate for the nodes, you must import that CA certificate into the new primary Administration node.
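The three certificate cases in this note reduce to one rule: the new primary Administration node must hold every distinct trust anchor used by the nodes that will register to it. The following pre-registration check is an added example, not part of the Cisco guide or any Cisco tool; the host names, CA names, and function names are hypothetical, and the DNS check covers forward resolution only.

```python
import socket
from collections import defaultdict

# Constructed inventory of the nodes that will register to the new primary.
# Host names and DNs are hypothetical; subject/issuer are as printed by
# `openssl x509 -noout -subject -issuer` for each node's certificate.
NODES = [
    {"fqdn": "ise-a.example.com", "subject": "CN=ise-a.example.com", "issuer": "CN=Example Issuing CA 1"},
    {"fqdn": "ise-c.example.com", "subject": "CN=ise-c.example.com", "issuer": "CN=ise-c.example.com"},
    {"fqdn": "ise-d.example.com", "subject": "CN=ise-d.example.com", "issuer": "CN=Example Issuing CA 1"},
    {"fqdn": "ise-e.example.com", "subject": "CN=ise-e.example.com", "issuer": "cn=example issuing ca 2"},
]

def _dn(dn):
    """Normalize a DN string for comparison (whitespace and case only)."""
    return " ".join(dn.split()).casefold()

def trust_anchors_to_import(nodes):
    """Group nodes by the certificate the new primary must trust for them.

    A certificate whose subject equals its issuer is treated as self-signed,
    so the node certificate itself is the anchor; otherwise the issuing CA
    certificate is, and it is listed once however many nodes share it.
    """
    self_signed, by_ca = [], defaultdict(list)
    for n in nodes:
        if _dn(n["subject"]) == _dn(n["issuer"]):
            self_signed.append(n["fqdn"])
        else:
            by_ca[_dn(n["issuer"])].append(n["fqdn"])
    return {"self_signed": sorted(self_signed),
            "ca": {ca: sorted(hosts) for ca, hosts in by_ca.items()}}

def unresolvable(nodes, resolve=socket.gethostbyname):
    """Return FQDNs that fail forward DNS resolution (assumed check for the DNS note)."""
    failed = []
    for n in nodes:
        try:
            resolve(n["fqdn"])
        except OSError:  # socket.gaierror is a subclass of OSError
            failed.append(n["fqdn"])
    return failed

if __name__ == "__main__":
    plan = trust_anchors_to_import(NODES)
    print("import node certificates of:", plan["self_signed"])
    for ca, hosts in plan["ca"].items():
        print("import CA certificate", ca, "for", hosts)
    print("fix DNS before upgrading:", unresolvable(NODES))
```

Comparing subject and issuer strings only identifies self-issued certificates by name; confirming a certificate is truly self-signed requires verifying its signature against its own public key.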


When upgrading a complete Cisco ISE deployment to the next release, you create a new deployment that is based on the version to which you want the Cisco ISE to be upgraded, and you migrate all the nodes to the new deployment.

Split deployment upgrade happens in two phases:

1. Upgrade the Cisco ISE Administration nodes in the distributed deployment

2. Upgrade and register the Policy Service nodes and Inline Posture nodes to the new deployment

Upgrading Cisco ISE Nodes in a Distributed Deployment

When upgrading to a higher release, you should initially upgrade only the secondary Administration ISE node to the higher version.

For example, if you have a deployment set up as shown in Figure 4-1, with one primary Administration node (Node A), one secondary Administration node (Node B), one Inline Posture node (IPN) (Node C), and four Policy Service nodes (PSNs) (Node D, Node E, Node F, and Node G), you can proceed with the following upgrade procedure.

Figure 4-1 Cisco ISE, Release 1.1 Administrative Deployment

Cisco ISE supports only a split domain upgrade from a previous release to Cisco ISE, Release 1.1.x, and so the secondary ISE nodes and Inline Posture nodes have to be deregistered individually from the deployment before upgrade.


Warning This warning is not applicable if you are upgrading from Cisco ISE, Release 1.1 patch 3.

If your secondary Admin node has been operational for more than 90 days, its license will be lost after it has been deregistered. In this case, you must obtain a valid license for the secondary Cisco ISE Administration node (ISE Node B) based on its UDI: Serial Number, Version ID, and Product ID. See the "Obtaining a Valid License" section for more information.

Prerequisite:

Make sure you have the license file for your Primary Administration ISE node before beginning the upgrade process. If you do not have the file on hand (if your license was installed by a Cisco partner vendor, for example) contact Cisco TAC for assistance.

Ensure that you have a copy of the license that you installed initially. You need to reinstall the license while completing the upgrade.


Step 1 Perform an on-demand backup (manually) of the Primary Administration ISE node from the admin user interface or CLI and an on-demand backup of the Monitoring node from the admin user interface before upgrading the Cisco ISE.

For more information on how to perform an on-demand backup, see the "Performing an On-Demand Backup" section.

Step 2 Record the Inline Posture Node (IPN) configuration before the upgrade, so that you can reconfigure the IPN node after the upgrade.

Step 3 Deregister the secondary node (Node B) from the deployment setup. After deregistration, this node becomes a standalone node. Upgrade this standalone node to Cisco ISE, Release 1.1.x. See Figure 4-2.

Figure 4-2 Cisco ISE Secondary Node Upgraded

When you log in to Node B after the upgrade, if the system prompts you for a license, you must install a valid license for the secondary node based on its UDI. See Obtaining a Valid License for more information.

Step 4 Record the Profiling configuration applied on each node before the upgrade, so that you can reconfigure the nodes after the upgrade. You can find the Profiling configuration for a specific node by navigating to Administration > System > Deployment > node-name > Profiling Configuration.

Step 5 Deregister the PSN node (Node D) from the deployment setup. After deregistration, this node becomes a standalone node. Upgrade this standalone node to Cisco ISE, Release 1.1.x.

Step 6 Make Node B the primary node in the new deployment, and register Node D as the PSN node. If the node does not have its own license, then it will revert to the default grace period license, which is valid only for 100 endpoints. If the deployment is being used by more than 100 endpoints, then the functionality of the node will be impacted until the upgrade is complete.

Step 7 Deregister the IPN node (Node C) from the deployment setup, and make it a standalone node. Upgrade this IPN node to Cisco ISE, Release 1.1.x.

The upgrade process removes the configuration of the IPN. You must reconfigure the IPN after the upgrade.


Note If your IPN node runs version 1.1.0.665 or above, you can deregister and upgrade the node as described in step 6. If your IPN node runs an earlier version (for example, 1.0.0.473), then you have to reimage your IPN appliance and install Cisco ISE 1.1.x on it.


Step 8 Deregister the second PSN node (Node E) from the deployment, and upgrade it to Cisco ISE, Release 1.1.x. Register this node to Node B as the PSN node. Repeat this step for the other PSN nodes (Node F and Node G).

Step 9 Convert the primary node of the previous deployment (Node A) to a standalone node. Upgrade Node A to Cisco ISE, Release 1.1.x and register it to Node B in the Cisco ISE, Release 1.1.x deployment setup as the secondary node.

Step 10 Exchange the IPN certificates with the new primary Administration node (Node B) certificates. Similarly, exchange the IPN certificates with the new secondary Administration node (Node A) certificates.


Note Certificates from both the primary and secondary Administration nodes should be installed on each IPN node to trust the management interface certificate. For more details on certificate provisioning, see the "Deploying an Inline Posture Node" section in the Cisco Identity Services Engine User Guide, Release 1.1.x.


Step 11 Register the IPN node (Node C) to the new deployment setup; that is, to Node B.

After you upgrade and register all the nodes to the new deployment, your Cisco ISE deployment upgrade is complete as shown in Figure 4-3.

Figure 4-3 All Nodes In the Deployment Now Have the New Cisco ISE Release

Step 12 Promote the secondary Administration ISE node (the original primary, Node A) to be the primary node in the deployment again. Node A lost its license when it was registered to Node B, so you need to reinstall the license for Node A.

Step 13 The upgrade process removes the Profiling configuration, if available. You need to reconfigure the Profiling for each PSN after the upgrade.


Replacing Appliances Running Cisco ISE Release 1.1 with Appliances Running Release 1.1.x in a Distributed Deployment

This section contains the following:

Replacing a Subset of Existing Cisco ISE 1.1 Nodes with Cisco ISE Appliances Running Release 1.1.x in a Distributed Deployment

Replacing All Cisco ISE Appliances Running Release 1.1 with Appliances Running Release 1.1.x in a Distributed Deployment

Replacing a Subset of Existing Cisco ISE 1.1 Nodes with Cisco ISE Appliances Running Release 1.1.x in a Distributed Deployment

The Cisco Secure Network Server is based on the Cisco UCS C220 Rack Server and is configured specifically to support the Cisco Identity Services Engine (ISE), Network Admission Control (NAC), and Access Control System (ACS) security applications. The Secure Network Server supports these applications in two versions. The Cisco Secure Network Server 3415 is designed for small and medium-sized deployments. The Secure Network Server 3495 has several redundant components such as processors, hard disks, and power supplies, making it suitable for large deployments that require highly reliable system configurations.


Note You can run the Cisco ISE version 1.1.4 on the SNS appliances and also on the platforms that are supported in the ISE version 1.1.3.


To replace a subset of the Cisco ISE 1.1 nodes with Cisco ISE appliances that run 1.1.x in a distributed deployment, complete the following steps:

Prerequisite:

Make sure you have the license file for your Primary Administration ISE node before beginning the upgrade process. If you do not have the file on hand (if your license was installed by a Cisco partner vendor, for example) contact Cisco TAC for assistance.


Step 1 Deregister an existing secondary Cisco ISE 1.1 appliance and upgrade it to Cisco ISE 1.1.x. Make this appliance the primary node in the new deployment.

Step 2 Deregister the other nodes in the old deployment that you want to move to the new deployment, upgrade them, and register them to the new deployment.

Step 3 Register the new Cisco ISE 1.1.x appliances to the new deployment.

In this case, the primary Administration ISE node remains on the original hardware.

Step 4 Promote one of the newer Cisco ISE 1.1.x appliances to be the new primary Administration ISE node.


Replacing All Cisco ISE Appliances Running Release 1.1 with Appliances Running Release 1.1.x in a Distributed Deployment

The Cisco Secure Network Server is based on the Cisco UCS C220 Rack Server and is configured specifically to support the Cisco Identity Services Engine (ISE), Network Admission Control (NAC), and Access Control System (ACS) security applications. The Secure Network Server supports these applications in two versions. The Cisco Secure Network Server 3415 is designed for small and medium-sized deployments. The Secure Network Server 3495 has several redundant components such as processors, hard disks, and power supplies, making it suitable for large deployments that require highly reliable system configurations.


Note You can run the Cisco ISE version 1.1.4 on the SNS appliances and also on the platforms that are supported in the ISE version 1.1.3.


To replace all Cisco ISE appliances that run Cisco ISE Maintenance Release 1.0.4 or the Cisco ISE, Release 1.1 software with Cisco ISE appliances that run Cisco ISE, Release 1.1.x in a distributed deployment, complete the following steps:

Prerequisite:

Make sure you have the license file for your Primary Administration ISE node before beginning the upgrade process. If you do not have the file on hand (if your license was installed by a Cisco partner vendor, for example) contact Cisco TAC for assistance.


Step 1 Deregister an existing secondary Cisco ISE 1.1 appliance and upgrade it to Cisco ISE 1.1.x. Make this appliance the primary node in the new deployment.

Step 2 Register the new Cisco ISE 1.1.x appliances to the new deployment.

Step 3 After all the new Cisco ISE 1.1.x appliances are registered to the new deployment, promote one of the new Cisco ISE 1.1.x appliances to be the primary node in the new deployment.

Step 4 Deregister the old appliance that was promoted to primary node in Step 1.