
ISE 2.3 Network Devices and AAA clients IP subnet limitation

lingya
Cisco Employee

Hi Experts,

How many IP addresses/subnets/ranges can be configured in each network device object? ACS has some limitations, so we need to create multiple network device objects for a large number of IP entries, as in the screenshot below. How many of those entries can be added to the IP address field in ISE v2.3?

1 Accepted Solution


hslai
Cisco Employee

Please clarify why many IP addresses are needed here. ISE 2.3 also supports ranges on all octets.

For ISE, the limitation appears mainly on rendering. On ISE 2.3 standalone, I was able to import a NAD with as many as 100 addresses, but rendering did not work until I reduced it to ~35 entries.


6 Replies

Jason Kunst
Cisco Employee

I asked the experts


lingya
Cisco Employee

My customer runs a management network to provide management access to other major clients' major networks, and ACS is used to authenticate users and authorise their access to those major network components for management purposes.

Each one of the customers may have a network presence in one or more metro hubs and exchanges in one or more states in Australia, and each such site would have a subnet or even multiple small subnets given to the customer.

Therefore, when we define a network device (in some ways it can be treated as a group with a collection of management IP subnets and addresses to represent their network infrastructure), it may have 10, 20, or even more IP subnets configured. In ACS, for some large network device IP collections, we may need to split the IP addresses into 3 or more network devices, such as customerA_network1, customerA_network2, customerA_network3, and so on, because of the IP limitation in ACS for each network device.

It's not such a problem that the customer will need to do this, but we would just like to know if a similar limitation also exists in ISE, so my customer is aware of it and does not treat it as a bug. Also, when we continue to add new IP addresses to an existing network device, the customer knows when to create a new network device because the current one can't have any more IPs added.

Hope this use case makes sense in an ISE deployment. Today the customer is still using ACS and hoping to migrate to ISE v2.3.

Hello,

Are there any limitations on the subnet mask that is supported?

My customer has been able to add a /24 range, and validated it successfully.

Adding a /16 range was accepted, but it did not work when validating with a NAD from that range.

Thanks.

I suggest they go to TAC.

I tried /16 in my own lab and it worked fine. We also have it in alpha working fine. FYI.