Solved: Re: Add Multiple Network Devices in Cisco ISE 3.0

Cconchap · ‎04-05-2021

I am working with Cisco ISE and need to add different devices for Tacas monitoring.

The switches that I must add are all on the same segment.

For instance:

192.168.0.4/24
192.168.0.5/24
192.168.0.6/24
192.168.0.7/24

When I try to add them individually ISE indicates the following error "Failed to create network device - given IP subnet overlaps with existing network device"

Could you tell me how I should add the devices to avoid this error?

Arne Bier · ‎04-05-2021

When you add an individual network device then you indicate that by putting a /32 at the end - that is the correct IPv4 syntax to say "THIS HOST only" - or 255.255.255.255.

The /24 (255.255.255.0) in your example relates to the entire subnet of 192.168.0.0 and that is what you would configure on any device in that subnet. But as far as ISE is concerned, you want to single out those 4 devices individually.

An alternative configuration in ISE would be to specify a single Device entry , for the entire subnet - this mean, you have one entry in ISE with the IP address of 192.168.0.0 / 24 - but that means, any device in that entire subnet can talk to ISE - it's not a precise configuration and it is mostly used for things like AP subnets (e.g. imagine 100 Meraki APs on 192.168.0.0 / 24 subnet) - instead of adding 100 entries in ISE, you just add one entry into ISE to cater for the entire range of Meraki APs. But if you also happen to have a Cisco Router in that subnet, and you wish to have it talking to ISE, then ISE won't be able to distinguish between the 100 APs and the 1 router on that same subnet.

I hope that makes sense.

View solution in original post

Arne Bier · ‎04-05-2021

Hello

The ISE error message is correct. The /24 subnet of 192.168.0.0 is the same in each case.

Perhaps you meant to use

192.168.4.0 / 24

192.168.5.0 / 24

192.168.6.0 / 24

192.168.7.0 / 24

?

That would make sense. It all depends on what the real subnets of your actual devices are.

If you have 4 devices as such

192.168.0.4/32

192.168.0.5/32

192.168.0.6/32

192.168.0.7/32

then you would create an entry for each one - but notice that the subnet mask is /32

Cconchap · ‎04-05-2021

I have all the devices on the same 192.1680.x network.
According to what you indicate, I should add an entry for each switch, but with a / 32 mask, right?

Is it normal that they should all be added with a / 32 mask?

I don't have much experience with ISE.

Arne Bier · ‎04-05-2021

When you add an individual network device then you indicate that by putting a /32 at the end - that is the correct IPv4 syntax to say "THIS HOST only" - or 255.255.255.255.

The /24 (255.255.255.0) in your example relates to the entire subnet of 192.168.0.0 and that is what you would configure on any device in that subnet. But as far as ISE is concerned, you want to single out those 4 devices individually.

An alternative configuration in ISE would be to specify a single Device entry , for the entire subnet - this mean, you have one entry in ISE with the IP address of 192.168.0.0 / 24 - but that means, any device in that entire subnet can talk to ISE - it's not a precise configuration and it is mostly used for things like AP subnets (e.g. imagine 100 Meraki APs on 192.168.0.0 / 24 subnet) - instead of adding 100 entries in ISE, you just add one entry into ISE to cater for the entire range of Meraki APs. But if you also happen to have a Cisco Router in that subnet, and you wish to have it talking to ISE, then ISE won't be able to distinguish between the 100 APs and the 1 router on that same subnet.

I hope that makes sense.

Cconchap · ‎04-09-2021

Thanks.