Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
800
Views
5
Helpful
6
Replies

ISE3.1 network device groups hierarchy

Go to solution
EHNET
Level 1
Level 1

‎02-23-2023 03:23 PM

Hi, I am new to ISE and try to implement it. But I am confused by the hierarchy of NDGs

EHNET_0-1677194330587.png

For example, I created a parent group called Building A using All locations as root group.

And  then I created two child groups of Building A, called them floor 1 and 2, added one device to each child group.

But if I write a condition in policy set to match parent group, Building A, it wont match any devices included in its child group. Is it supposed to work like this way ? or I used it wrong ?

And as shown in the picture, the group numbers for Building A is 0. Why this number does not include all its children group devices ? 

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎02-23-2023 03:34 PM

That is working as designed. If you want to create a matching condition for all devices under the 'Building A' parent group, you would use 'DEVICE·Location STARTS WITH All Locations#Building A'

 

View solution in original post

6 Replies 6

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎02-23-2023 03:34 PM

That is working as designed. If you want to create a matching condition for all devices under the 'Building A' parent group, you would use 'DEVICE·Location STARTS WITH All Locations#Building A'

 

Go to solution
EHNET
Level 1
Level 1
In response to Greg Gibbs

‎02-23-2023 03:38 PM

Thanks for your prompt response, I will try that.

But as for the group member count, the parent group is not the sum of its child group ?

0 Helpful

Go to solution
Rodrigo Diaz
Cisco Employee
Cisco Employee
In response to EHNET

‎02-23-2023 04:09 PM

hello @EHNET in which version of ISE are you seeing that behavior ? what happen if you click on the 0 that is in front of Network  device group Building A ? 

0 Helpful

Go to solution
EHNET
Level 1
Level 1
In response to Rodrigo Diaz

‎02-24-2023 09:58 AM

I am on ADE-OS Version 3.1.0.135. Please see my screen capture in another reply

0 Helpful

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee
In response to EHNET

‎02-24-2023 05:16 AM

@EHNET , no the group member count is for devices, not subgroups.  Since there are no devices in the group All Locations#BuildingA, the count is 0.  All Locations#BuildingA#Floor1 contains 1 and All Locations#BuildingA#Floor2 contains 1.

@greg is right, choose the Starts with condition and select All Locations#BuildingA to select all floors within that building.

0 Helpful

Go to solution
EHNET
Level 1
Level 1
In response to Charlie Moreton

‎02-24-2023 09:57 AM - edited ‎02-24-2023 12:15 PM

Right, I know group member count is for devices not subgroups.

But ISE doesn't work in this way.  When I click that parent number, it shows 0 devices in the parent group. I think it should be the sum of all its child group and the count should be 8, right ?

EHNET_0-1677261369630.pngEHNET_1-1677261394523.png

 

I am on  ADE-OS Version 3.1.0.135

 

 

0 Helpful
Customers Also Viewed These Support Documents