topic Re: Asking about Cisco ise network layout in Network Access Control

Asking about Cisco ise network layout

JuliusK — Thu, 02 Apr 2026 11:20:26 GMT

Hi, im having a problem. See picture above. Im building as my thesis work a Cisco ISE automated access control and what i have understood, the Edge-switches should be L2 Access switches but im having a difficult time with Edges. Im using ISIS between links currently and have tried using trunks also which causes loops. So im wondering, what is the real solution to this? Should i stick to trunks or what?

Good to mention also, i have succeeded on Dot1X and MAB authentication from Edge-1 switch but i cant get the DHCP addresses from the Router and also my probe isnt working properly cause ISE doesnt detect OS or OUI. The goal is that ISE is PDP and Edges are PEP, as zero trust architecture suggests.

Edges are 9200l
Borders 9300

Feel free to roast me.

Re: Asking about Cisco ise network layout

Htonieto — Thu, 02 Apr 2026 12:18:18 GMT

@JuliusK wrote:
Hi, im having a problem. See picture above. Im building as my thesis work a Cisco ISE automated access control and what i have understood, the Edge-switches should be L2 Access switches but im having a difficult time with Edges. Im using ISIS between links currently and have tried using trunks also which causes loops. So im wondering, what is the real solution to this? Should i stick to trunks or what?

I didn't get your first question, are you having any issues with IS-IS? There is no problem running it on the Edge devices, this architecture is called Routed Access, when you use L3 links in the access layer, generally to replace the trunks and spanning tree protocol. This architecture won't cause issues with the DHCP and the profiling in Cisco ISE.

For the DHCP issues you need to check if the switches have DHCP snooping enabled, are you using the DHCP relay? The gateway for the hosts VLAN is located in the Border or directly in the Router?

Re: Asking about Cisco ise network layout

JuliusK — Thu, 02 Apr 2026 13:37:57 GMT

Im just wondering, how can it carry multiple customer vlans (10-17) which i use for this lab.

I have following configuration at borders:

Int vlan10

Ip add <desired pools IP GW add>

Ip helper-address <router lo0 address>

Ip helper-address global <router lo0 address>

So GW's are located on borders.

I have every vlan isolated on vrf so customer trafic is seperated from infra.

Re: Asking about Cisco ise network layout

Htonieto — Thu, 02 Apr 2026 14:14:42 GMT

@JuliusK wrote:
Im just wondering, how can it carry multiple customer vlans (10-17) which i use for this lab.

Because that's what routed access does, the switch can handle multiple VLANs, but it uses the L3 routed link to forward the traffic.

So lets suppose a client in Edge01 needs to reach the Router, the path will be the following.

Client > Edge‑01 > (ISIS) > Border‑1 > (eBGP AS 65000) > Router

Please take this in consideration

Uplinks are L3, not trunks
No VLAN tagging across switches
Each access switch is a separate L2 environment
The distribution layer holds the only SVI (gateway)

And using VRFs makes the things more complex, you need to ensure each VRF has reachability to the DHCP server and Cisco ISE.

@JuliusK wrote:
So GW's are located on borders.
I have every vlan isolated on vrf so customer trafic is seperated from infra.

Re: Asking about Cisco ise network layout

pieterh — Thu, 02 Apr 2026 14:16:13 GMT

at first : a pure routed link does not carry any vlan's
the advantage of the routed link is to "isolate" the vlan , e.g. broadcasts does not travers the link
and no L2 problems like loops can occur without need for using spanning tree for loop-detection/prevention
for this pure routed link you can configure the interface as "no switchport"
but keep in mind you isolate the vlan with this command vlan10 on both access switches is a DIFFERENT vlan 10 local to the switch.

second "interface vlan 10....." means you are configuring a virtual interface (SVI),
the physical interface can still be configured as vlan trunk to carry multiple vlans (even vlan's without a SVI!)
and of course you need a feature to prevent loops like spnning-tree

Re: Asking about Cisco ise network layout

aleabrahao — Thu, 02 Apr 2026 14:30:34 GMT

Excuse the question, but why are you creating such a complex network design?

Wouldn't it be better to simplify the design? That would also make troubleshooting easier.

That's just my opinion.

Re: Asking about Cisco ise network layout

JuliusK — Thu, 02 Apr 2026 17:06:07 GMT

Thank you for your input.

Could you clarify what you mean by simplifing it? Its my thesis work and the company kinda expects bgp and all that stuff. Because they might implement this if its good

Re: Asking about Cisco ise network layout

JuliusK — Thu, 02 Apr 2026 17:13:46 GMT

So i should ditch vrf routing and just globally route vlans and use GW's on edges vlans and advertise that vlan with ISIS?

Re: Asking about Cisco ise network layout

aleabrahao — Thu, 02 Apr 2026 17:26:06 GMT

Some thing like this.

No DHCP address from router because:

Your edge is routing
The DHCP server is beyond routed hops
DHCP Snooping / Relay / Option 82 logic isn’t aligned
The client VLAN isn’t truly extended to the gateway SVI

ISE profiling not detecting OS or OUI, profiling relies on:

DHCP fingerprints
ARP
MAC OUI
HTTP probes

If the switch doesn’t see DHCP broadcasts, ISE has nothing to profile.

Re: Asking about Cisco ise network layout

aleabrahao — Thu, 02 Apr 2026 17:31:09 GMT

Design Zone - Campus LAN and Wireless LAN Solution Design Guide - Cisco

ISE Secure Wired Access Prescriptive Deployment Guide - Cisco Community

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/BRKENS-1501.pdf

Re: Asking about Cisco ise network layout

Htonieto — Thu, 02 Apr 2026 17:54:30 GMT

@aleabrahao wrote:
If the switch doesn’t see DHCP broadcasts, ISE has nothing to profile.

It's not related to the switch, to use DHCP information in Cisco ISE you must configure the DHCP Probe, this is configured under the L3/Gateway interface for the local clients.

Profiling Using the DHCP and DHCP SPAN Probes

@JuliusK Since you are using Cisco ISE and wants segmentation, my suggestion is to avoid VRFs and focus on Cisco TrustSEC.

Re: Asking about Cisco ise network layout

aleabrahao — Thu, 02 Apr 2026 18:47:10 GMT

This is partially true, Cisco ISE can learn DHCP information in multiple ways, and only one of them requires L3/gateway configuration.
Cisco explicitly documents that Device Sensor on Catalyst switches sends DHCP attributes to ISE via RADIUS accounting, and does not require ip helper-address toward ISE.

ISE Profiling Design Guide - Cisco Community