04-05-2021 02:12 PM
I am working with Cisco ISE and need to add different devices for TACACS monitoring.
The switches that I must add are all on the same segment.
For instance:
192.168.0.4/24
192.168.0.5/24
192.168.0.6/24
192.168.0.7/24
When I try to add them individually, ISE indicates the following error: "Failed to create network device - given IP subnet overlaps with existing network device"
Could you tell me how I should add the devices to avoid this error?
04-05-2021 02:58 PM
Hello
The ISE error message is correct. The /24 subnet of 192.168.0.0 is the same in each case.
Perhaps you meant to use
192.168.4.0 / 24
192.168.5.0 / 24
192.168.6.0 / 24
192.168.7.0 / 24
?
That would make sense. It all depends on what the real subnets of your actual devices are.
If you have 4 devices as such
192.168.0.4/32
192.168.0.5/32
192.168.0.6/32
192.168.0.7/32
then you would create an entry for each one - but notice that the subnet mask is /32.
04-05-2021 03:04 PM
I have all the devices on the same 192.168.0.x network.
According to what you indicate, I should add an entry for each switch, but with a /32 mask, right?
Is it normal that they should all be added with a /32 mask?
I don't have much experience with ISE.
04-05-2021 03:41 PM
When you add an individual network device then you indicate that by putting a /32 at the end - that is the correct IPv4 syntax to say "THIS HOST only" - or 255.255.255.255.
The /24 (255.255.255.0) in your example relates to the entire subnet of 192.168.0.0 and that is what you would configure on any device in that subnet. But as far as ISE is concerned, you want to single out those 4 devices individually.
An alternative configuration in ISE would be to specify a single Device entry for the entire subnet - this means you have one entry in ISE with the IP address of 192.168.0.0 / 24 - but that means any device in that entire subnet can talk to ISE - it's not a precise configuration and it is mostly used for things like AP subnets (e.g. imagine 100 Meraki APs on 192.168.0.0 / 24 subnet) - instead of adding 100 entries in ISE, you just add one entry into ISE to cater for the entire range of Meraki APs. But if you also happen to have a Cisco Router in that subnet, and you wish to have it talking to ISE, then ISE won't be able to distinguish between the 100 APs and the 1 router on that same subnet.
I hope that makes sense.
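As an added example (not part of the thread and not Cisco code), here is a Python pre-check for a device list before it is entered in ISE. It assumes ISE's overlap test behaves like ordinary CIDR overlap, which is consistent with the error quoted in the question; the device names sw1 to sw4 are made up.

```python
import ipaddress
from itertools import combinations

# Constructed sample entries: the four switches from the question, entered
# first with the /24 mask that triggered the error, then with /32.
AS_ENTERED = [("sw1", "192.168.0.4/24"), ("sw2", "192.168.0.5/24"),
              ("sw3", "192.168.0.6/24"), ("sw4", "192.168.0.7/24")]
AS_HOSTS = [(name, cidr.split("/")[0] + "/32") for name, cidr in AS_ENTERED]


def parse(entries):
    """Turn (name, 'ip/mask') pairs into (name, IPv4Network).

    strict=False drops the host bits, so 192.168.0.4/24 becomes 192.168.0.0/24.
    """
    return [(name, ipaddress.ip_network(cidr, strict=False)) for name, cidr in entries]


def find_overlaps(entries):
    """Return name pairs whose address ranges overlap (assumed ISE behaviour)."""
    nets = parse(entries)
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def wide_entries(entries):
    """Return {name: address count} for entries that cover more than one host."""
    return {name: net.num_addresses for name, net in parse(entries) if net.num_addresses > 1}


def entries_matching(source_ip, entries):
    """Return the names of every entry whose range contains source_ip."""
    ip = ipaddress.ip_address(source_ip)
    return [name for name, net in parse(entries) if ip in net]


if __name__ == "__main__":
    print("overlaps with /24:", find_overlaps(AS_ENTERED))
    print("overlaps with /32:", find_overlaps(AS_HOSTS))
    print("addresses admitted per /24 entry:", wide_entries(AS_ENTERED))
    # A host that is not one of the four switches still matches a /24 entry.
    print("192.168.0.200 matches:", entries_matching("192.168.0.200", AS_ENTERED[:1]))
```

Running `wide_entries` over an existing device list is a quick way to find subnet-wide entries that admit more hosts than intended.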
04-09-2021 11:59 AM
Thanks.