https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-based-on-vlan-name-to-vlan-id-assignment/m-p/4786445#M580209 <P>Hi,</P><P>Is there a way for ISE to work similar to C9800 controller in terms of the VLAN assignment for specific sites? I'm trying to prepare the global policies as unified as possible and I wonder if it's doable to assign different VLAN ID's based on some "database" that includes vlan names and ID's, like "corp-vlan", "guest-vlan" and the ID's are different based on the site name for example (NAS-Identifier).</P> Fri, 03 Mar 2023 08:50:04 GMT pio.gra 2023-03-03T08:50:04Z https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-based-on-vlan-name-to-vlan-id-assignment/m-p/4786445#M580209 <P>Hi,</P><P>Is there a way for ISE to work similar to C9800 controller in terms of the VLAN assignment for specific sites? I'm trying to prepare the global policies as unified as possible and I wonder if it's doable to assign different VLAN ID's based on some "database" that includes vlan names and ID's, like "corp-vlan", "guest-vlan" and the ID's are different based on the site name for example (NAS-Identifier).</P> Fri, 03 Mar 2023 08:50:04 GMT https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-based-on-vlan-name-to-vlan-id-assignment/m-p/4786445#M580209 pio.gra 2023-03-03T08:50:04Z https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-based-on-vlan-name-to-vlan-id-assignment/m-p/4786719#M580218 <P>It is best practice not to change VLANs.&nbsp; What is your use-case?&nbsp; Why not use a different enforcement method such as dACL or TrustSec.</P> Fri, 03 Mar 2023 15:14:46 GMT https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-based-on-vlan-name-to-vlan-id-assignment/m-p/4786719#M580218 ahollifield 2023-03-03T15:14:46Z https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-based-on-vlan-name-to-vlan-id-assignment/m-p/4787483#M580239 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1254625">@pio.gra</a>&nbsp;- it sounds like you want ISE to return a VLAN Name (or VLAN ID) based on some logic/identifier about where there request came from. In my experience, that is better handled by the switch itself, based on local knowledge. If you need to return a VLAN to a switch interface, then ISE should not contain this logic - ISE should return a VLAN Name (and not a VLAN ID) and the switch has the mapping of VLAN Name -&gt; VLAN ID.&nbsp; e.g. in large buildings where each floor has its own Voice VLAN and Data VLAN, ISE&nbsp;should return a Name each time - and the switch on each Floor must have the appropriate VLAN ID. This works.</P> <P>And as&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/199513">@ahollifield</a>&nbsp;says, dynamic VLAN ID assignment can be tricky - for 802.1X the VLAN assignment happens BEFORE the DHCP - that's fine. But if you're doing dynamic VLAN&nbsp;assignment for endpoints AFTER&nbsp;the DHCP stage, then you can have issues, because the host won't know to do another DHCP after the VLAN has been changed. How would it know? Be careful.</P> Sun, 05 Mar 2023 20:29:55 GMT https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-based-on-vlan-name-to-vlan-id-assignment/m-p/4787483#M580239 Arne Bier 2023-03-05T20:29:55Z https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-based-on-vlan-name-to-vlan-id-assignment/m-p/4788994#M580306 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532">@Arne Bier</a>&nbsp;- that sounds like a great idea, I didn't knew that we can use vlan name instead of ID. Thanks for that, it will make my life easier <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 07 Mar 2023 22:11:04 GMT https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-based-on-vlan-name-to-vlan-id-assignment/m-p/4788994#M580306 pio.gra 2023-03-07T22:11:04Z