1046 Views, 15 Helpful, 2 Replies

Cisco ISE - Network Device Configuration - /32 vs /16 or /24

hanKass (Level 1)

Hi All,

I was wondering if there are any security concerns about creating a record under "Network Devices" in Cisco ISE for a network range instead of a specific /32 host IP address?

It would be beneficial to configure a /16 network range; this essentially means that you do not need to configure every single network device in Cisco ISE when you would like to add it to ISE.
But I was thinking, more from a security perspective, whether there are any security concerns in doing so.
What's the benefit of adding a /32 vs adding a network range (i.e., /24 or /16)?
Thank you.

2 Replies

Arne Bier (VIP)

I would recommend adding a /32 in all cases because it allows you to uniquely identify the device name in logs - if you used a /24 then you see one name and then have to click on the details to see the actual IP address of the device in question. You can also make bulk device creations using a template - use a spreadsheet to massage the data, and then import the .csv into ISE. ISE shouldn't be an inventory management system - but - if using /32 entries, and if you manage all network devices using ISE, then you can look at the Network Devices count in ISE and get an idea of how many devices you have in the network. It's a lot more useful than having one /16 entry.

As for security - all it means is that ISE will process requests from devices within that subnet - so it's not a risk to your network devices. All it means is that instead of 200+ entries in ISE, you add one. I have seen subnet ranges used on Meraki AP VLANs (where the VLAN only contains Meraki APs) - and since each AP needs to talk to ISE, it makes sense to add the subnet into ISE, especially when you have many branches with many Meraki APs.

 

thomas (Cisco Employee)

Individual entries give you more options/flexibility to match devices and apply policy based on their respective network device groups (device type, location, department, model, PIN, etc.).

You could take your /24 and /16 example to the extreme and just do a Default Network Device in ISE with a single RADIUS secret and not even bother with IP subnets/ranges. You will quickly see the limitations. But it sure is fast and convenient! 8-)