Configuring Network Device Groups

Our Cisco ISE deployment can have hundreds of network devices connected. Network device groups allow us to provide a structured, hierarchical grouping for our devices.

In this lesson, we’ll take a look what network device groups are, how they can be used and the benefits they provide.

Overview

Depending on the size of the enterprise, Cisco ISE can be used to manage hundreds of devices. These devices will consist of things like:

  • Firewalls.
  • Switches.
  • Routers.
  • Wireless LAN Controllers.

Our network devices may then be spread across multiple locations.

Imagine we have 10 locations. Each of our locations has 50 network devices connecting to Cisco ISE. That’s 500 network devices to manage within ISE. Surely there’s an easier way to manage this? Thankfully, this is where network device groups come into their own.

Network device groups provide us a structured, hierarchical grouping for our network devices. Let’s take a look at an example below.

˅ All Device Types
    ˅ Branch
        > Firewalls
        > Routers
        > Switches
    ˅ Datacentre
        > Firewalls
        > Routers
        > Switches
        > Wireless LAN Controllers

Here we’ve broken down our devices into two network device groups: Branch and Datacentre. Our network devices can then be assigned to these groups in order to provide some structure.

˅ All Locations
    ˅ UKI
        > BIR
        > LON
        > MAN
    ˅ America
        > SFR
        > TXS
        > WAS

Network device groups don’t just stop here. We also have the ability to structure locations in the same way as well. In fact, there’s no limit to how you use network device groups. You can create as many groups as you require, in the format that fits your needs.

You might be thinking, what else can we use network device groups for? They can be incredibly valuable for the following: 

  • Detailed contextual information.
  • Policy set rules.

Let’s break these down a little more so that we can understand the benefits.

We’ll start with the detailed contextual information. Below, I’ve exported a list of devices connected to Cisco ISE. You can see that each connected end user device shows the location at which it is connected to the network.

This information comes from assigning network devices to the relevant location group. The endpoint with IP address 10.10.10.43 is connected to a network device associated with the UKI / LON network device group.

Cisco ISE - Contextual Location Overview

Alternatively, they can be extremely powerful in policy set rules. Here we can match on the network device groups that our devices are assigned to. Using the groups we discussed earlier in the lesson, we can specify a rule that matches devices assigned as access switches.

Cisco ISE - Policy Set Overview

In turn, this allows us to assign specific command sets, policies or even permissions for each device type within our network.

Network Device Group Configuration

In this section, we’ll look at how to configure our network devices within Cisco ISE. As discussed already, this is required to allow 

Before we start adding devices to our deployment, the first thing we’ll do is create some Network Device Groups. This isn’t a mandatory step, however it provides a number of benefits including:

  • Granular control within Policy Sets.
  • Logically grouping devices together (location, device type, etc.).
  • In-depth contextual information (where users are connected within the network).

This can be achieved by navigating to:

Menu > Administration > Network Resources > Network Device Groups

Cisco ISE - Network Device Groups Nav

By default, there are a number of groups created for us.

  • All Device Types.
  • All Locations.
  • Is IPSEC Device.

We can utilise these pre-existing groups, or create our own.

Network Device Groups Overview

Sub-groups can be added by selecting Add. Here, we can provide the Name, Description and Parent Group.

I’ll create a group for Access Switches. This group will be placed under the All Device Types root group.

Network Device Groups Add Device Type

Now that the sub-group has been created, devices can be placed in the Access Switches group. You have the ability to be as granular as you like with the groups you create.

Network Device Groups Access Switches Group

Our new device type can then be used to provide granular access control in our policy set configuration. We’ll look more into this in our upcoming lesson.

Bulk Import Network Device Groups

Let’s imagine we have hundreds of groups to add to Cisco ISE. This would take far too long to complete using the method outlined above. Surely there must be an easier way?

Thankfully within Cisco ISE, we have the ability to import network device groups via a .CSV file.

Before we can import our network device groups, we need a template to use for the .csv file. We’ll start by navigating to our network device group configuration. This can be achieved by navigating to:

Menu > Administration > Network Device Groups

Cisco ISE - Network Device Groups Nav

Within here, you can see that we have the option to import or export network device groups. The ISE platform provides a template to use.

However, I find it beneficial to export your existing network device groups first. This provides you with examples of how to format the .csv file.

Cisco ISE - Import Export

Below, you can see that I’ve exported our existing network device groups to use as a template. I’ve then followed the same format for the new entries.

In our example, I’ve added Device Types#All Device Types#Core Switches. I’ve highlighted this line in orange. This will add a network device group called Core Switches under the All Device Types group.

Cisco ISE - Network Device Groups CSV

Once our new network device groups have been added to the .csv file, we can import it into Cisco ISE.

Cisco ISE - Network Device Group CSV Import
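Before importing a large file it is worth checking that every group's parent already exists and that the hierarchy is what you expect, because a row whose parent group is missing will fail on import. The following is an added example, not part of this lesson or of Cisco ISE itself: it reads a small constructed export in the Name / Description / Type column layout (an assumption about the template; adjust the column names to match your own export), validates the "#"-delimited parent paths, renders the resulting tree, and shows how a policy set rule on a parent group also covers the groups beneath it, which is the matching behaviour relied on in the policy set section above.

```python
import csv
import io

# Constructed sample: a small NDG export with one new row appended at the end
# ("Core Switches" under All Device Types). Column names are an assumption.
SAMPLE_CSV = """Name,Description,Type
All Device Types,,Device Type
All Device Types#Branch,,Device Type
All Device Types#Branch#Switches,,Device Type
All Device Types#Datacentre,,Device Type
All Locations,,Location
All Locations#UKI,,Location
All Locations#UKI#LON,,Location
All Device Types#Core Switches,Added for bulk import,Device Type
"""


def parse_groups(text):
    """Read the CSV text and return an ordered list of (name, description, type)."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["Name"], row["Description"], row["Type"]) for row in reader]


def validate_groups(groups):
    """Return a list of problems. A row is accepted only if its parent path
    (everything before the last '#') appears on an earlier row and shares
    the same Type; duplicate names are reported as well."""
    problems = []
    known = {}  # full group path -> Type
    for name, _desc, gtype in groups:
        if name in known:
            problems.append(f"{name}: duplicate group name")
            continue
        if "#" in name:
            parent = name.rsplit("#", 1)[0]
            if parent not in known:
                problems.append(
                    f"{name}: parent group '{parent}' not found (define it on an earlier row)"
                )
            elif known[parent] != gtype:
                problems.append(
                    f"{name}: Type '{gtype}' differs from parent Type '{known[parent]}'"
                )
        known[name] = gtype
    return problems


def build_tree(groups):
    """Turn the flat '#'-delimited names into nested dicts (name -> children)."""
    tree = {}
    for name, _desc, _gtype in groups:
        node = tree
        for part in name.split("#"):
            node = node.setdefault(part, {})
    return tree


def render_tree(tree, depth=0):
    """Render the nested dicts as indented lines, two spaces per level."""
    lines = []
    for name, children in tree.items():
        lines.append("  " * depth + name)
        lines.extend(render_tree(children, depth + 1))
    return lines


def in_group(device_group, rule_group):
    """True when the device's group equals the rule's group or sits beneath it,
    so a rule written against All Device Types#Branch also matches
    All Device Types#Branch#Switches."""
    return device_group == rule_group or device_group.startswith(rule_group + "#")


if __name__ == "__main__":
    rows = parse_groups(SAMPLE_CSV)
    for problem in validate_groups(rows):
        print("PROBLEM:", problem)
    print("\n".join(render_tree(build_tree(rows))))
```

Run the file as-is to see the tree and an empty problem list; append a row such as `All Locations#America#SFR` without first defining `All Locations#America` and the validator reports the missing parent before you waste an import attempt.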

Now that our import is completed, our new network device group is displayed within Cisco ISE.

Cisco ISE - Network Device Group Import Completed