Maintaining ISE Deployments
A distributed deployment and a load-balanced architecture are certainly critical to scaling the deployment and keeping it highly available, but there are also basic maintenance items that should always be considered to ensure the most uptime and stability. That means having a patching strategy and a backup and restore strategy.
Patching ISE
Cisco releases ISE patches on a semi-regular basis. These patches contain bug fixes and, when necessary, security fixes. Think about the Heartbleed and POODLE vulnerabilities that were discovered in SSL. To ensure that bug fixes are applied, security vulnerabilities are plugged, and the solution works as seamlessly as possible, always have a planned patching strategy.
Patches are downloaded from Cisco.com, under Downloads > Products > Security > Access Control and Policy > Identity Services Engine > Identity Services Engine Software, as shown at the top of Figure 18-23.
Figure 18-23 ISE Downloads Page
Search the list of software available for your specific version of ISE. Figure 18-24 illustrates the naming convention for ISE patches. Cisco ISE patches are normally cumulative, meaning that installing ISE 1.2 patch 12 also includes all the fixes in patches 1 through 11.
Figure 18-24 Anatomy of ISE Patch Nomenclature
After identifying the correct patch file, follow these steps:
Step 1. Download the required patch.
Step 2. From the ISE GUI, navigate to Administration > System > Maintenance > Patch Management.
Step 3. Click the Install button, as shown in Figure 18-25.
Figure 18-25 Patch Management Screen
Step 4. Click Browse, select the downloaded patch, and click Install, as shown in Figure 18-26.
Figure 18-26 Installing the Selected Patch
As the patch is installed on the PAN, you are logged out of the GUI and the patch is distributed from the PAN to all nodes in the ISE cube. After the patch is successfully installed on the PAN, it is applied to all nodes in the cube one at a time, in alphabetical order.
You can log back into the PAN after it has finished restarting its services or rebooting. Click the Show Node Status button shown previously in Figure 18-25 to verify the progress of the patching. Figure 18-27 shows the resulting status of each node’s progress for the patch installation.
Figure 18-27 Node Status
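Before uploading a patch bundle in Step 4, it is worth checking that the file you downloaded is the one Cisco published and that it targets the version your deployment actually runs. The following script is an added example and is not Cisco's code or part of ISE; it assumes the SHA-512 value is copied by hand from the Cisco.com download page, and it assumes a bundle file name of the form `ise-patchbundle-<ise-version>-<patch-number>-<build-id>.<arch>.tar.gz` (confirm the convention for your release against Figure 18-24). The `installed_patch` check uses the cumulative behaviour described above: a bundle at or below the patch level already installed adds nothing.

```python
"""Pre-installation checks for an ISE patch bundle.

Added example; not Cisco's code. Assumptions (not stated on the page):
  * The published SHA-512 is copied manually from the Cisco.com download page.
  * Bundle names look like ise-patchbundle-<version>-<patch>-<build>.<arch>.tar.gz
"""
import hashlib
import hmac
import os
import re
import tempfile

# Assumed naming pattern (see Figure 18-24); adjust if your release differs.
PATCH_NAME_RE = re.compile(
    r"^ise-patchbundle-(?P<version>\d+\.\d+\.\d+\.\d+)-(?P<patch>\d+)-\d+\."
)


def sha512_hex(data: bytes) -> str:
    """SHA-512 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha512(data).hexdigest()


def sha512_of_file(path: str) -> str:
    """SHA-512 of a file, read in 1 MiB chunks so large bundles fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksum_matches(actual_hex: str, published_hex: str) -> bool:
    """Compare hex digests ignoring case/whitespace, with a constant-time compare."""
    return hmac.compare_digest(actual_hex.strip().lower(), published_hex.strip().lower())


def parse_patch_name(filename: str):
    """Return (target_version, patch_number) from the bundle name, or None."""
    match = PATCH_NAME_RE.match(os.path.basename(filename))
    if not match:
        return None
    return match.group("version"), int(match.group("patch"))


def preinstall_check(path: str, published_sha512: str,
                     deployed_version: str, installed_patch: int = 0) -> list:
    """Return a list of problems; an empty list means the bundle is safe to upload."""
    problems = []
    parsed = parse_patch_name(path)
    if parsed is None:
        problems.append("file name does not look like an ISE patch bundle")
    else:
        version, patch = parsed
        if version != deployed_version:
            problems.append(f"bundle targets ISE {version}, deployment runs {deployed_version}")
        # Patches are cumulative: patch N already contains patches 1..N-1.
        if patch <= installed_patch:
            problems.append(f"patch {patch} is already covered by installed patch {installed_patch}")
    if not checksum_matches(sha512_of_file(path), published_sha512):
        problems.append("SHA-512 does not match the value published on Cisco.com")
    return problems


def demo() -> dict:
    """Run the checks against a constructed (fake) bundle in a temporary directory."""
    name = "ise-patchbundle-1.2.0.899-12-123456.i386.tar.gz"  # constructed name
    content = b"constructed placeholder, not a real ISE patch bundle\n"
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, name)
        with open(path, "wb") as handle:
            handle.write(content)
        good_hash = sha512_hex(content)
        return {
            "ok": preinstall_check(path, good_hash, "1.2.0.899", installed_patch=11),
            "wrong_version": preinstall_check(path, good_hash, "1.3.0.876"),
            "tampered": preinstall_check(path, "00" * 64, "1.2.0.899"),
            "already_installed": preinstall_check(path, good_hash, "1.2.0.899", installed_patch=12),
        }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {problems or 'no problems'}")
```

Run it against the real bundle by calling `preinstall_check` with the downloaded path, the published digest, and the version and patch level reported by your PAN; only an empty result should proceed to the Patch Management upload.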
Backup and Restore
Another key strategy for ensuring the availability of ISE in the environment is having a solid backup strategy. There are two types of ISE backups: configuration backup and operational backup. These two types correspond most closely to backing up the product databases (configuration) and backing up the MnT data (operational).
Figure 18-28 shows the backup screen in ISE, located at Administration > System > Backup & Restore.
Figure 18-28 Backup & Restore Screen
As shown in Figure 18-28, the backups are stored in a repository, and can be restored from the same repository. You can schedule backups to run automatically or you can run them manually on demand. You can view the status of a backup from either the GUI or the CLI, but you can view the status of a restore only from the CLI.
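A scheduled backup is only useful if it actually keeps landing in the repository, so a practitioner typically watches the repository itself rather than trusting the schedule. The script below is an added example, not Cisco's code or part of ISE. It assumes that a repository listing can be obtained from the repository host (for example, a directory listing on the SFTP or FTP server) and that backup files are named `<backup-name>-CFG10-<YYMMDD>-<HHMM>.tar.gpg` for configuration backups and `<backup-name>-OPS10-<YYMMDD>-<HHMM>.tar.gpg` for operational backups; the listing and clock below are constructed sample data.

```python
"""Freshness check for an ISE backup repository.

Added example; not Cisco's code. Assumed file-name convention (not on the page):
  <name>-CFG10-<YYMMDD>-<HHMM>.tar.gpg   configuration backup
  <name>-OPS10-<YYMMDD>-<HHMM>.tar.gpg   operational (MnT) backup
"""
import re
from datetime import datetime, timedelta

# Assumed naming pattern; adjust to what your repository actually contains.
BACKUP_RE = re.compile(
    r"-(?P<kind>CFG|OPS)10-(?P<date>\d{6})-(?P<time>\d{4})\.tar\.gpg$"
)

# Constructed sample listing, as a directory listing on the repository host might show.
SAMPLE_LISTING = [
    "nightly-CFG10-141010-0200.tar.gpg",
    "nightly-CFG10-141011-0200.tar.gpg",
    "weekly-OPS10-141001-0300.tar.gpg",
    "README.txt",
]
SAMPLE_NOW = datetime(2014, 10, 11, 9, 0)  # constructed "current time"
# How old each kind of backup may be before it is flagged (nightly config, weekly ops).
MAX_AGE = {"CFG": timedelta(hours=36), "OPS": timedelta(days=7)}


def backup_timestamp(filename: str):
    """Return (kind, datetime) parsed from a backup file name, or None if not a backup."""
    match = BACKUP_RE.search(filename)
    if not match:
        return None
    stamp = datetime.strptime(match.group("date") + match.group("time"), "%y%m%d%H%M")
    return match.group("kind"), stamp


def latest_backups(listing) -> dict:
    """Map backup kind ('CFG'/'OPS') to (file name, timestamp) of the newest file."""
    latest = {}
    for name in listing:
        parsed = backup_timestamp(name)
        if parsed is None:
            continue  # ignore unrelated files in the repository
        kind, stamp = parsed
        if kind not in latest or stamp > latest[kind][1]:
            latest[kind] = (name, stamp)
    return latest


def freshness_report(listing, now: datetime, max_age: dict) -> dict:
    """For each kind, return (age as timedelta or None, within_limit)."""
    latest = latest_backups(listing)
    report = {}
    for kind in ("CFG", "OPS"):
        if kind not in latest:
            report[kind] = (None, False)  # no backup of this kind at all
        else:
            age = now - latest[kind][1]
            report[kind] = (age, age <= max_age[kind])
    return report


if __name__ == "__main__":
    for kind, (age, ok) in freshness_report(SAMPLE_LISTING, SAMPLE_NOW, MAX_AGE).items():
        status = "OK" if ok else "STALE OR MISSING"
        print(f"{kind}: age={age} {status}")
```

In the constructed data the configuration backup is seven hours old and passes, while the newest operational backup is more than ten days old and is flagged; feeding the function a live listing and `datetime.now()` turns it into a check that can be run from a monitoring host.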