Cisco ISE: support for /31 subnet mask on ISE Interface ? (RFC3021)

ffischer · ‎10-10-2024

Hi,

one of our clients runs a 2 Node ISE Deployment in a lets call it "very specific" environment.
New reqirements should be be fulfilled by keeping the IP Address on one of the nodes but
move from /27 to a /31 subnet mask on the ISE Eth0 interfaces.

First experiments on a test machine look promising:
Configuring an IP with /31 as mask on interface eth1 is possibe
Setting the default gateway to the other address in this subnet as well.

I know /31 is intended to be used on P2P links only and it is neiter best practice
for hosts and nor may it be supported on all Operating Systems.
But fortunately ISE is based on Linux and I do not see another approach to fulfill the new requirements.

Anyone running an ISE node with 255.255.255.254 subnet mask here ?

Would this be TAC supported as well ?

Thanks & BR

Frank

Arne Bier · ‎10-10-2024

I don't see any issues with this. ISE only talking to the default gateway and nothing else - there is no requirement for ISE to have other stations on the same subnet.

ammahend · ‎10-10-2024

not running ISE with /31 mask, but I don't think there should be any issue with TAC supporting this provided you have active support contract.

other ISE node and network devices, just need to be able to reach this subnet via routing, that's all.

-hope this helps-

ffischer · ‎10-11-2024

Did some more tests on my lab VM... (ISE 3.2) on eth1:
results:

IP with /31 mask can be configured on ISE interface
ip default gateway can be set to the other IP address in this /31 net
gateway on the /31 net can be pinged successfully
an IP address in another network "behind" the new gateway can be pinged

while testing 2 restarts of ISE services observerd:
1) change of network mask
2) change of default gw

Thanks for your opinions.
Based on them and on my test results
we will give this try in the live environment.
Will come back with our final findings here....