- ISE 2.1 to 2.3 upgrade procedure
- To take the backup, enable the certificate authority under admin -> certification -> CA -> internal CA setting, and
- take the configuration backup described in the upgrade procedure.
b. The ISE currently has no repository, so create a new one. Set it to Disk.
- Connect a PC to the management network and run an FTP server
- On ISE, create a repository that points to the FTP server
- Go to the Upgrade menu. ISE downloads the OS through the FTP server.
- In the upgrade sequence the secondary PAN goes first; after that, the nodes can be chosen in any order.
- The upgrade is not manual; when one node finishes, it moves on to the next automatically.
- About 4 hours per node
- Deployment configuration
- DNS registration
Configure the Domain Name System (DNS) server. Enter the IP addresses and fully qualified domain names (FQDNs) of all the Cisco ISE nodes that are part of your distributed deployment in the DNS server. Otherwise, node registration will fail.
Add the FQDN and IP address of each ISE node.
- Generate and export the CA certificate on the secondary ISE
- Import the CA certificate into the primary ISE and register the secondary ISE
- Ports required for replication and clustering in ISE 2.3
HTTPS (SOAP): TCP/443
Data Synchronization/Replication (JGroups): TCP/12001 (Global)
Clustering (Node Group): Node Groups/JGroups: TCP/7800
CA PKI: TCP/9090
Device Administration: TACACS+: TCP/49

| Cisco ISE Service | Ports on Gigabit Ethernet 0 or Bond 0 | Ports on other Ethernet Interfaces, or Bond 1 and Bond 2 |
|---|---|---|
| Administration | HTTP: TCP/80, HTTPS: TCP/443; SSH server: TCP/22; OCSP: TCP/2560 | Cisco ISE management is restricted to Gigabit Ethernet 0. |
| Replication and Synchronization | HTTPS (SOAP): TCP/443; Data Synchronization/Replication (JGroups): TCP/12001 (Global) | - |
| Clustering (Node Group) | Node Groups/JGroups: TCP/7800 | - |
| CA PKI | TCP/9090 | - |
| IPSec/ISAKMP | UDP/500 | - |
| Device Administration | TACACS+: TCP/49. Note: This port is configurable in Release 2.1 and later releases. | |

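
An added example (not from the original post): a pre-registration check for the DNS and inter-node port requirements listed above, meant to be run from a host on the same segment as the ISE nodes. The node names and addresses are constructed placeholders and the function names are hypothetical; UDP/500 and TACACS+ are not probed.

```python
import socket

# Inter-node TCP ports listed in this post for ISE 2.3.
# IPSec/ISAKMP (UDP/500) and TACACS+ (TCP/49) are left out of this check.
REQUIRED_TCP = {
    "HTTPS (SOAP)": 443,
    "Replication (JGroups)": 12001,
    "Node Groups/JGroups": 7800,
    "CA PKI": 9090,
}

def check_dns(fqdn, expected_ip, resolve=socket.gethostbyname):
    """Return None if fqdn resolves to expected_ip, else a problem description."""
    try:
        actual = resolve(fqdn)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return f"{fqdn}: no DNS record ({exc})"
    if actual != expected_ip:
        return f"{fqdn}: resolves to {actual}, expected {expected_ip}"
    return None

def probe(ip, port, timeout=3.0, connect=socket.create_connection):
    """'open', 'refused' (a reset came back: no listener or an active reject) or 'unreachable'."""
    try:
        connect((ip, port), timeout).close()
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, no route: typically a silent drop on the path
        return "unreachable"

def precheck(nodes, resolve=socket.gethostbyname, connect=socket.create_connection):
    """nodes: {fqdn: ip}. Returns a list of problems; an empty list means all checks passed."""
    problems = []
    for fqdn, ip in nodes.items():
        err = check_dns(fqdn, ip, resolve)
        if err:
            problems.append(err)
        for name, port in REQUIRED_TCP.items():
            state = probe(ip, port, connect=connect)
            if state != "open":
                problems.append(f"{fqdn} ({ip}): {name} TCP/{port} {state}")
    return problems

if __name__ == "__main__":
    # Constructed sample inventory; replace with the real node FQDNs and addresses.
    NODES = {"ise-pan1.example.com": "192.0.2.11", "ise-pan2.example.com": "192.0.2.12"}
    for line in precheck(NODES) or ["all checks passed"]:
        print(line)
```
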
- Time required for the deployment upgrade