Cisco Employee

ISE 2.3 Network Devices and AAA clients IP subnet limitation

Hi Experts,

How many IP addresses/subnets/ranges can be configured in each network device object? ACS has some limitations, so we need to create multiple network device objects for a large number of IP entries, as in the screenshot below. How many of those entries can be added into the IP address field in ISE v2.3?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ISE 2.3 Network Devices and AAA clients IP subnet limitation

Please clarify why many IP addresses are needed here. ISE 2.3 also supports ranges on all octets.

For ISE, the limitation appears mainly on rendering. On ISE 2.3 standalone, I was able to import a NAD with as many as 100 addresses, but rendering did not work until I reduced it to ~35 entries.

6 REPLIES
Cisco Employee

Re: ISE 2.3 Network Devices and AAA clients IP subnet limitation

I asked the experts

Cisco Employee

Re: ISE 2.3 Network Devices and AAA clients IP subnet limitation

My customer runs a management network to provide management access to other major clients' major networks, and ACS is used to authenticate users and authorise their access to those major network components for management purposes.

Each one of the customers may have network presence in one or more metro hubs and exchanges in one or more states in Australia, and each such site would have a subnet or even multiple small subnets given to the customer.

Therefore when we define a network device (in some way it can be treated as a group with a collection of management IP subnets and addresses to represent their network infrastructure), it may have 10, 20, or even more IP subnets configured. In ACS, for some large network device IP collections, we may need to split the IP addresses into 3 or more network devices, named customerA_network1, customerA_network2, customerA_network3, and so on, because of the IP limitation in ACS for each network device.

It’s not such a problem that the customer will need to do this, but we would just like to know if a similar limitation also exists in ISE, so my customer is aware of it and does not treat it as a bug. Also, when we continue to add new IP addresses into an existing network device, the customer knows when to create a new network device because the current one can’t have any more IPs added in.

Hope this use case makes sense in an ISE deployment. Today the customer is still using ACS and hoping to migrate to ISE v2.3.
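The splitting scheme described in the post above can be planned offline before migration. The following is an added example, not part of the original thread and not Cisco code: it collapses overlapping or adjacent subnets to reduce the entry count, splits the result into numbered device objects, and checks which object a given NAD address would fall under. The cap of 35 entries is an assumption taken from the rendering observation in the accepted reply, not a documented ISE limit, and the function names and sample subnets are constructed for illustration.

```python
import ipaddress

# Assumption: per-object entry cap. 35 is the figure from the rendering
# observation in the accepted reply, not a documented ISE limit.
MAX_ENTRIES = 35

# Constructed sample of one customer's management subnets.
SAMPLE_SUBNETS = [
    "10.1.0.0/25", "10.1.0.128/25",   # adjacent halves, collapse to one /24
    "10.2.4.0/24", "10.2.4.16/28",    # the /28 is already covered by the /24
    "172.16.0.0/16",
    "192.168.10.8/32",
]

def plan_device_objects(prefix, subnets, max_entries=MAX_ENTRIES):
    """Collapse overlapping/adjacent subnets, then split them into numbered
    device objects of at most max_entries entries each."""
    # strict=True rejects entries with host bits set (e.g. 10.1.0.5/24),
    # which usually indicates a typo in the source list.
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    collapsed = list(ipaddress.collapse_addresses(nets))
    plan = {}
    for i in range(0, len(collapsed), max_entries):
        name = f"{prefix}_network{i // max_entries + 1}"
        plan[name] = collapsed[i:i + max_entries]
    return plan

def find_object(plan, nad_ip):
    """Return the name of the device object containing nad_ip, or None."""
    ip = ipaddress.ip_address(nad_ip)
    for name, nets in plan.items():
        if any(ip in net for net in nets):
            return name
    return None

if __name__ == "__main__":
    # A small cap is used here only to make the split visible.
    plan = plan_device_objects("customerA", SAMPLE_SUBNETS, max_entries=3)
    for name, nets in plan.items():
        print(name, [str(n) for n in nets])
    for ip in ("172.16.200.9", "192.168.10.9"):
        print(ip, "->", find_object(plan, ip))
```

An address that maps to no planned object is one to resolve before cutover, since requests from that device would not match the intended network device definition.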

Cisco Employee

Re: ISE 2.3 Network Devices and AAA clients IP subnet limitation

Hello,

Are there any limitations on the subnet mask that is supported?

My customer has been able to add a /24 range, and validated it successfully.

Adding a /16 range was accepted, but it did not work when validating with a NAD from that range.

Thanks.

Cisco Employee

Re: ISE 2.3 Network Devices and AAA clients IP subnet limitation

I suggest they go to TAC.

Cisco Employee

Re: ISE 2.3 Network Devices and AAA clients IP subnet limitation

I tried /16 in my own lab and it worked fine. We also have it in alpha working fine. FYI.