Choose your Upgrade Method
This release of Cisco ISE supports the following upgrade processes. Choose one based on your technical expertise and the time available for the upgrade.
- Upgrade Cisco ISE using the Backup and Restore Procedure (Recommended)
- Upgrade a Cisco ISE deployment from the GUI
- Upgrade a Cisco ISE deployment from the CLI
| Comparison Factors | Backup and Restore (Recommended) | Upgrade using the GUI | Upgrade using the CLI |
|---|---|---|---|
| Comparison Synopsis | Fast but more administration required | Long but less administration required | Longer and more administration required |
| Difficulty | Hard | Easy | Moderate |
| Minimum Version | Cisco ISE 2.2 and later | Cisco ISE 2.2 and later | Cisco ISE 2.2 and later |
| VMs | If you have enough capacity, you can pre-stage the new VMs and join them immediately to the new PAN | Each PSN is upgraded sequentially, which increases the total upgrade time linearly | Each PSN is upgraded, but they can be upgraded in parallel to decrease the total upgrade time |
| Time | Least upgrade downtime, because PSNs are imaged with the new version rather than upgraded | Each PSN is upgraded sequentially, which increases the total upgrade time linearly | PSNs can be upgraded in parallel to decrease the total upgrade time |
| Personnel | Involvement of multiple stakeholders across business units to transfer the configuration settings and operational logs | Automated upgrade process with fewer manual interventions | Technical expertise on Cisco ISE |
| Rollback | Requires re-imaging of the nodes | Easy rollback option | Easy rollback option |
A detailed comparison of the upgrade methods is as follows:
Upgrade Cisco ISE using Backup and Restore Method
Re-imaging a Cisco ISE node is normally done as part of the initial deployment and during troubleshooting, but you can also re-image nodes to upgrade a deployment: the nodes are installed with the new version, and the policy configuration is then restored onto the new deployment.
If resources are limited and you cannot spin up a parallel ISE node for the new deployment, the Secondary PAN and MnT are removed from the production deployment and upgraded before the other nodes. The nodes are moved into the new deployment, and a configuration backup and an operational backup taken from the previous deployment are restored on the respective nodes, creating a parallel deployment. This restores the policy sets, custom profiles, network access devices, and endpoints into the new deployment without manual re-entry.
The advantages of upgrading Cisco ISE using the Backup and Restore process are as follows:
- You can restore the configuration settings and the operational logs from the previous ISE deployment, so no data is lost.
- You can manually choose which nodes are reused for the new deployment.
- You can upgrade multiple PSNs in parallel, reducing the upgrade downtime.
- You can stage the nodes outside of maintenance windows, reducing the time the upgrade takes during production.
Resources Required: The backup and restore upgrade process requires additional resources, which can be reserved for the ISE deployment and released afterwards. If existing hardware is reused, the additional load must be balanced onto the nodes that remain online, so evaluate the current load and latency limits before the upgrade begins to ensure that the deployment can handle an increased number of users per node.
Personnel Required: You need involvement from multiple business units, including network administration, security administration, data centre, and virtualization teams, to perform the upgrade. In addition, you need to join each node to the new deployment, restore certificates, re-join Active Directory, and wait for policy synchronization. This can involve multiple reloads and requires a timeframe comparable to a net-new deployment.
Rollback Mechanism: Because the nodes are re-imaged, all information and configuration settings from the previous deployment are erased from them. Rolling back a backup and restore upgrade therefore means re-imaging the nodes a second time, back to the previous version.
Best Practices for the Backup and Restore Upgrade Process:
- Create a standalone environment, or dedicate load balancers that can switch the virtual IP address for RADIUS requests between the old and new deployments.
- You can start the deployment process well before the maintenance window and then point the user-facing load balancer to the new deployment.
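The backup and restore sequence described above, expressed as the Cisco ISE admin CLI commands involved. This is an added illustration and not part of the original page; the node prompts, the repository name `upgrade-repo`, the SFTP host, the backup names, the `<backup-key>`, `<sftp-password>` and `<timestamp>` placeholders are assumed values, and lines beginning with `#` are annotations rather than ISE commands.

```text
# On the existing (old-version) Primary PAN: define a repository for the backups.
# SFTP rather than FTP, because a configuration backup carries the system
# certificates and their private keys; the server host key is pinned first so the
# transfer cannot be redirected to an impostor.
ise-old-pan/admin# crypto host_key add host sftp.example.com
ise-old-pan/admin# configure terminal
ise-old-pan/admin(config)# repository upgrade-repo
ise-old-pan/admin(config-Repository)# url sftp://sftp.example.com/ise-backups
ise-old-pan/admin(config-Repository)# user backupsvc password plain <sftp-password>
ise-old-pan/admin(config-Repository)# exit
ise-old-pan/admin(config)# exit

# Take a configuration backup (policy sets, profiles, NADs, endpoints, certificates)
# and an operational backup (MnT logs). The encryption key must be stored outside
# ISE: without it the restore on the new deployment is impossible.
ise-old-pan/admin# backup pre-upgrade-cfg repository upgrade-repo ise-config encryption-key plain <backup-key>
ise-old-pan/admin# backup pre-upgrade-ops repository upgrade-repo ise-operational encryption-key plain <backup-key>
ise-old-pan/admin# show backup history

# On the freshly imaged new-version node that will become the new Primary PAN
# (still standalone): point it at the same repository and restore the
# configuration backup with the same key. Appending include-adeos would also
# restore the old node's ADE-OS settings (hostname, addressing, NTP, DNS); it is
# omitted here because the new node keeps its own addressing.
ise-new-pan/admin# crypto host_key add host sftp.example.com
ise-new-pan/admin# configure terminal
ise-new-pan/admin(config)# repository upgrade-repo
ise-new-pan/admin(config-Repository)# url sftp://sftp.example.com/ise-backups
ise-new-pan/admin(config-Repository)# user backupsvc password plain <sftp-password>
ise-new-pan/admin(config-Repository)# exit
ise-new-pan/admin(config)# exit
ise-new-pan/admin# show repository upgrade-repo
ise-new-pan/admin# restore pre-upgrade-cfg-CFG10-<timestamp>.tar.gpg repository upgrade-repo encryption-key plain <backup-key>
ise-new-pan/admin# show restore status
ise-new-pan/admin# show application status ise

# The operational backup is restored on the node that holds the MnT persona in
# the new deployment, once that node has been registered to the new PAN.
ise-new-mnt/admin# restore pre-upgrade-ops-OPS10-<timestamp>.tar.gpg repository upgrade-repo encryption-key plain <backup-key>
ise-new-mnt/admin# show restore status
```

The restore is run while the new node is still standalone; registering the remaining re-imaged nodes, re-joining Active Directory, and checking that the restored system certificates are the ones the network access devices trust are done from the new PAN afterwards, which is the manual work the Personnel Required paragraph refers to. Note that `password plain` and `encryption-key plain` echo the secrets into the session; ISE also accepts the `hash` form for both, which is preferable when the transcript is logged.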
Upgrade a Cisco ISE deployment from GUI
You can also upgrade Cisco ISE from the GUI in a single click, with some customizable options.
During the upgrade, the Secondary PAN is automatically moved into the upgraded deployment and is upgraded first, followed by the Primary MnT. If either of these upgrades fails, the node must be rolled back to the previous version and re-joined to the previous ISE deployment. The PSNs are then moved one by one to the new deployment and upgraded. Once all PSNs are upgraded, the Secondary MnT and the Primary PAN are upgraded and joined to the new Cisco ISE deployment.
Because this upgrade process requires limited technical expertise, a single administrator can start the upgrade and assign NOC or SOC engineers to monitor and report the upgrade status or open a TAC case.
The advantages of upgrading Cisco ISE from the GUI are as follows:
- The upgrade is automated, with minimal intervention.
- You can choose the upgrade order of the PSNs to ensure continuity wherever possible, especially when redundancy is available between data centres.
- A single administrator can execute the upgrade without additional personnel or changes to third-party hypervisors or network access devices.
Continuation in Failure Scenarios: If an upgrade fails, you can choose to continue or stop the upgrade. Stopping results in a dual-version Cisco ISE deployment, which allows troubleshooting before the upgrade continues. The Cisco Upgrade Readiness Tool should indicate any incompatibilities or misconfigurations beforehand; if the Proceed field is checked regardless, additional errors may be encountered where due diligence was not done before the upgrade.
Rollback Mechanism: If an upgrade fails on a PAN or MnT node, the node is automatically rolled back. If a PSN fails to upgrade, it remains on the previous Cisco ISE version and can be fixed, although redundancy is impaired while it is out of service. Cisco ISE remains operational during this time, so rollback options are limited without re-imaging.
Time Required: Each PSN takes around 90 to 120 minutes to upgrade, so a deployment with many PSNs takes a long time to upgrade completely.
Best Practice for the Upgrade from the GUI: If you have a large number of PSNs, group them into batches and upgrade one batch at a time.
Upgrade a Cisco ISE deployment from CLI
Upgrading Cisco ISE from the CLI is an elaborate process that requires the administrator to download the upgrade image to each node, execute the upgrade, and monitor each node individually throughout the process. While the upgrade sequence is similar to that of the GUI upgrade, this approach is operationally intensive in terms of monitoring and manual actions.
Upgrading from the CLI is recommended for troubleshooting purposes only, because of the level of effort required.
The advantages of upgrading Cisco ISE from the CLI are as follows:
- The CLI presents additional logging messages to the administrator while the upgrade is performed.
- You have finer control over which nodes are upgraded, and they can be upgraded in parallel. Nodes that are not being upgraded can absorb the additional load as endpoints are rebalanced across the deployment.
- Rolling back at the CLI is easier, because scripts can be instructed to undo previous changes.
- Because the image resides locally on the node, copy errors between the PAN and the PSNs are eliminated.
Upgrading Cisco ISE from the CLI requires technical expertise and more time.
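The per-node CLI upgrade described above, as an added illustration that is not part of the original page. The node prompt, the already-defined repository `upgrade-repo` and the `<version>` placeholders in the bundle file names are assumed values; lines beginning with `#` are annotations rather than ISE commands. The same commands are repeated on each node, in the same order the GUI upgrade uses (Secondary PAN, Primary MnT, PSNs, Secondary MnT, Primary PAN).

```text
# 1. Before any node is touched, run the Upgrade Readiness Tool bundle on the
#    Secondary PAN so incompatibilities and misconfigurations surface first.
ise-span/admin# application install ise-urtbundle-<version>.SPA.x86_64.tar.gz upgrade-repo

# 2. Record what the node runs today and confirm the upgrade bundle is present in
#    the repository. Compare the bundle's checksum with the value published on
#    the Cisco download page before it is placed in the repository; the node
#    applies whatever it is handed.
ise-span/admin# show version
ise-span/admin# show repository upgrade-repo

# 3. Stage the bundle locally. 'prepare' downloads and unpacks the image on this
#    node, so the upgrade itself no longer depends on the network; a failure
#    here stops before anything on the node is changed.
ise-span/admin# application upgrade prepare ise-upgradebundle-<version>.SPA.x86_64.tar.gz upgrade-repo

# 4. Run the staged upgrade. The node reloads; reconnect, then confirm the new
#    version and that all services are running before moving to the next node.
ise-span/admin# application upgrade proceed
ise-span/admin# show version
ise-span/admin# show application status ise

# 5. Remove the staged bundle once the node is confirmed healthy.
ise-span/admin# application upgrade cleanup
```

Splitting `prepare` from `proceed` is what makes the CLI route useful for troubleshooting: the download and unpack step can be retried on an individual node without affecting the rest of the deployment, and the local copy removes the PAN-to-PSN image transfer that the GUI upgrade depends on. Several PSNs can run step 4 at the same time, which is the parallelism the comparison table credits to this method, as long as enough PSNs stay online to carry the rebalanced endpoints.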