Overlapping IP adresses for Network Devices in one ISE deployment

rmueller@cisco.com · ‎05-14-2018

Hi all,

my customer would like to place two PSNs - belonging to the same ISE deployment - into two different network segments:

Segment 1 - PSN 1

Segment 2 - PSN 2

Now the issue is that these two network segements have overlapping adress spaces, which is valid also for network device adresses. So one switch in segment 1 has the same ip address as another switch in segement 2. How can this be handled with ISE? To my knowledge, we cannot configure two different NADs with the same ip address. The only solution I came up is to place the PSNs now behind a NAT devices to make the NAD adresses unique towards the ISE.

Any other idea here?

Thanks in advance.

Roland

gbekmezi-DD · ‎05-14-2018

I know this is probably not possible, but I would find a way to place the network devices on a management network that does away with the overlapping address spaces.

George

kvenkata1 · ‎05-14-2018

ISE needs unique IPs to identify Network Devices. Please see the discussion - ISE VRF overlapping IP address awareness. NAT'ing the NAS IP is an option.

- Krish

hslai · ‎05-14-2018

I agree with George's.

If the NAD with the same IP address has the same shared secret, the RADIUS requests initiated by the NADs should work, but then it would be a problem with CoA. CoA can be a problem with NAT as well. It might work if they have unique loopback addresses and use them for RADIUS communications.