06-28-2020 12:12 PM - edited 06-28-2020 12:14 PM
Hi all, we're in the process of getting our SDA fabric deployment up and running using a fabric-in-a-box 9300 with multiple VNs and ISE policy management, but hit an issue where I can't seem to find any online guidance.
Basically we have 2 VNs pushed to a fabric with a very simple ISE policy whereby if an endpoint has 802.1x cert 'A' then it gets put into VN 'A', and vice versa for B (to simulate 2 different VRFs etc.). However, even though the ISE auth returns the correct result and the right SGTs are assigned to the auth request (which mirror those in the show cts environment-data command), the end port always stays in the critical VLAN (2047) and doesn't allocate the port to the correct VLAN (1031 etc.).
We can get everything working by getting ISE to assign a VLAN but that won't scale.
Am I missing something? In the host-onboarding stage we've not assigned any ports to VN's manually - we'd like all of the ports to be blank and let ISE dictate what VLAN/VRF to assign ports to.
Has anyone experienced this or have we missed a step out somewhere?
06-28-2020 01:21 PM
Hi Newbee,
could you have a look at this community post: https://community.cisco.com/t5/networking-documents/how-to-sda-host-onboarding-with-ise/ta-p/4012430
At the picture under "Your Authorization Profile should look like this."
The subnet IP Address Pool Name should also match with the Authentication Policy, as you can see in Point 3 'Navigate to Provision > Fabric and choose the Fabric you created, then choose "Host Onboarding"'
In other words: IP Address Pool Name (in Authorization Profile) = Authentication Policy (DNA-C) = VLAN Name (Switch)
06-28-2020 12:58 PM
Hi,
The approach you use is correct - there is no need to do any port-specific configuration in DNAC on host-onboarding (assuming you select proper template). Please provide the output of:
show auth session interface <...> details
for further investigation.
Regards,
Mariusz
06-30-2020 04:46 AM
Thanks for the post and I've made a tweak to our ISE authorization profile based on the link you've sent - when I can get back to site I will retest.
My thinking is that I shouldn't need to assign the ports manually under Host Onboarding/Port Assignment (as I would need to define which ports are VN-A and which are VN-B - not what we want). Also I shouldn't need to set the VLAN in the ISE authorization profile manually either as the SGT names should match DNA/ISE and the switch and that should be enough to assign the port to the correct VLAN?
03-19-2021 07:41 AM
Hi Mike,
I understand your explanations and this works fine. But in this case, we will need to create an Authorization Policy per fabric, and each time we add a new fabric we will need to add a new authorization policy on ISE, right?
So how can we simplify things?
Is it possible with a RADIUS parameter to just send the name of the VN to the switch, and then the switch will apply the proper VLAN based on its VN?
Example:
In my lab I have 3 VNs: Corporate_VN, IoT_VN and Guest_VN
These 3 VNs are present in 3 different Fabrics with 3 different Pools per VN.
All my ports are in Guest_VN by default and I want to assign the correct VN after authentication.
I just want 1 Authorization Policy: "if corporate users then push Corporate_VN".
If I need to specify the VLAN Name (based on IP pool) then I will need to have one Authorization Policy per Fabric.
So how can we do it with only one line, with only the VN name information?
Thank you very much for your help.
03-19-2021 11:59 AM
@LudovicDS wrote:
I understand your explanations and this works fine. But in this case, we will need to create an Authorization Policy per fabric, and each time we add a new fabric we will need to add a new authorization policy on ISE, right?
So how can we simplify things?
Hi, this is subtle but important Q. When you add an IP pool to a VN you have an opportunity to name the access VLAN. For ISE AuthZ policy simplicity and scalability please consider giving VLAN same name at each fabric site:
Fabric site 1 - VN1 - IP pool 10.10.1.1/24 - VLAN name = CORP
Fabric site 2 - VN1 - IP pool 10.10.2.1/24 - VLAN name = CORP
Fabric site 3 - VN1 - IP pool 10.10.3.1/24 - VLAN name = CORP
This way same ISE authorization policy applies to all sites.
NB we are considering removing the auto-generated VLAN names (e.g. 192_168_0_0-VN_TEST) for same reason.
Jerome
03-19-2021 12:02 PM
NB we are considering removing the auto-generated VLAN names (e.g. 192_168_0_0-VN_TEST) for same reason.
-Thanks for sharing. Great to know. What is the roadmap for this?
03-19-2021 12:12 PM - edited 03-19-2021 03:09 PM
Hi Mike. To be clear: It's largely a cosmetic change. We can already override the auto-generated VLAN name when we add an IP pool to an L3VN; that has been possible for 12 months or more. I won't commit to a roadmap on a public forum, I hope you'll forgive that. But, if I was to speculate, it shouldn't take too long to implement. Jerome
03-19-2021 01:12 PM
Ok, so simple :-)!
Really happy to read that.
Thanks Jedolphi, I now have my full answer.
Regards
03-19-2021 08:30 AM - edited 03-19-2021 08:30 AM
Answers in line:
I understand your explanations and this works fine. But in this case, we will need to create an Authorization Policy per fabric, and each time we add a new fabric we will need to add a new authorization policy on ISE, right?
So how can we simplify things?
-You will need to add/have separate Authz profiles for each respective IP pool deployed and used for user/host onboarding. So in your scenario your strings would look something like this:
authz1 profile: 10_10_10_0-VN1
authz2 profile: 10_10_11_0-VN2
authz3 profile: 10_10_12_0-VN3
Then in ISE assign the profiles as the result. You will need to identify unique authz conditions to ensure each respective client gets onboarded to their respective network.
Is it possible with a RADIUS parameter to just send the name of the VN to the switch, and then the switch will apply the proper VLAN based on its VN?
-These names are already provisioned and pushed by DNAC to the switches. ISE will push the string that is configured in the matching policy authz profile that contains the unique string identifier extracted from DNAC and configured in each respective authz profile. The string gets pushed in the RADIUS packet as a RADIUS attribute that the switch will use as the identifier. The attribute I am referencing looks like this in detailed ISE logs: Tunnel-Private-Group-ID (tag=1) 192_168_0_0-VN1. This attribute allows the switch to map either the name or VLAN ID to the proper VLAN. Once this happens your Anycast gateway comes up/up upon successful auth/mapping. Keep in mind that DNAC will automatically name the VLANs, which is why that string MUST match in each respective ISE authz profile in order for the process to work. Issue a '#show vlan' on an edge node and you will see what I am talking about.
See here for more:
How to SDA Host Onboarding with ISE - Cisco Community
Cisco SD-Access Resources - Cisco Community
HTH!
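As an added example (not code from the thread or from Cisco), the Python below encodes the RFC 2868 tagged attributes that carry the VLAN name Mike describes (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID), decodes them the way an edge node would, and checks the returned name against the VLAN names provisioned at each fabric site, which is exactly the mismatch Jerome's "same VLAN name at every site" advice avoids. It also shows that a cisco-av-pair VSA on its own yields no VLAN. The site names and per-site VLAN inventory are constructed sample data.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # RFC 2868 Tunnel-Type / Tunnel-Medium-Type values for 802.1Q

def vlan_assignment_attrs(vlan_name: str, tag: int = 1) -> bytes:
    """Encode the three tagged attributes an ISE authorization profile sends."""
    def tagged_int(atype, value):  # tag octet + 3-octet integer
        body = bytes([tag]) + value.to_bytes(3, "big")
        return bytes([atype, 2 + len(body)]) + body
    name = vlan_name.encode()
    tpgid = bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(name), tag]) + name
    return tagged_int(TUNNEL_TYPE, VLAN) + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802) + tpgid

def cisco_av_pair(text: str) -> bytes:
    """Cisco VSA (vendor 9, sub-type 1), e.g. 'cts:vn=Corporate_VN'."""
    s = text.encode()
    return bytes([26, 8 + len(s)]) + struct.pack(">IBB", 9, 1, 2 + len(s)) + s

def parse_attrs(data: bytes) -> dict:
    """Walk the type/length/value list and return {type: (tag, payload)}."""
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 3 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        tag, payload = data[i + 2], data[i + 3:i + alen]
        if tag > 0x1F:  # RFC 2868: not a tag but the first octet of the value
            tag, payload = 0, data[i + 2:i + alen]
        attrs[atype] = (tag, payload)
        i += alen
    return attrs

def requested_vlan(attrs: dict):
    """VLAN name an edge node would look up, or None if the tagged triple is absent or inconsistent."""
    try:
        (t_tag, t_val), (m_tag, m_val), (g_tag, name) = (attrs[a] for a in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    except KeyError:
        return None
    ok = t_tag == m_tag == g_tag and int.from_bytes(t_val, "big") == VLAN and int.from_bytes(m_val, "big") == IEEE_802
    return name.decode() if ok else None

def sites_missing_vlan(vlan_name: str, site_vlans: dict) -> list:
    """Sites whose edge nodes have no VLAN of that name: there the port stays in the critical VLAN."""
    return sorted(site for site, names in site_vlans.items() if vlan_name not in names)

# Constructed sample: VLAN names as 'show vlan' would list them on each site's edge node.
# Site 3 kept the auto-generated name instead of the common override, so one "CORP" profile fails there.
SITE_VLANS = {"site1": {"CORP"}, "site2": {"CORP"}, "site3": {"10_10_3_0-VN1"}}

if __name__ == "__main__":
    vlan = requested_vlan(parse_attrs(vlan_assignment_attrs("CORP")))
    print(vlan, sites_missing_vlan(vlan, SITE_VLANS))  # CORP ['site3']
    print(requested_vlan(parse_attrs(cisco_av_pair("cts:vn=Corporate_VN"))))  # None
```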
03-19-2021 09:03 AM
Hi Mike, thanks for your answer.
I know how to do it with several lines, but I really don't understand why we need to specify the network.
Example:
I have 3 Fabrics with 3 Pools and with 5 tags in my Corporate_VN.
But I only have one Corporate Pool in my Fabric.
That means that I will need 15 lines instead of 5, and also that I will need to identify the source Fabric of the RADIUS request.
Knowing that DNA doesn't sync NAD types and locations into ISE!
So my Authorization rules will look like:
"If my NAD source is in Fabric 1 and my user is a corporate user in Groupe1 then the result will be 10_10_10_0-VN1 Tag1"
"If my NAD source is in Fabric 1 and my user is a corporate user in Groupe2 then the result will be 10_10_10_0-VN1 Tag2"
"If my NAD source is in Fabric 1 and my user is a corporate user in Groupe3 then the result will be 10_10_10_0-VN1 Tag3"
"If my NAD source is in Fabric 1 and my user is a corporate user in Groupe4 then the result will be 10_10_10_0-VN1 Tag4"
"If my NAD source is in Fabric 1 and my user is a corporate user in Groupe5 then the result will be 10_10_10_0-VN1 Tag5"
"If my NAD source is in Fabric 2 and my user is a corporate user in Groupe1 then the result will be 10_10_11_0-VN2 Tag1"
"If my NAD source is in Fabric 2 and my user is a corporate user in Groupe2 then the result will be 10_10_11_0-VN2 Tag2"
"If my NAD source is in Fabric 2 and my user is a corporate user in Groupe3 then the result will be 10_10_11_0-VN2 Tag3"
"If my NAD source is in Fabric 2 and my user is a corporate user in Groupe4 then the result will be 10_10_11_0-VN2 Tag4"
"If my NAD source is in Fabric 2 and my user is a corporate user in Groupe5 then the result will be 10_10_11_0-VN2 Tag5"
"If my NAD source is in Fabric 3 and my user is a corporate user in Groupe1 then the result will be 10_10_12_0-VN3 Tag1"
"If my NAD source is in Fabric 3 and my user is a corporate user in Groupe2 then the result will be 10_10_12_0-VN3 Tag2"
"If my NAD source is in Fabric 3 and my user is a corporate user in Groupe3 then the result will be 10_10_12_0-VN3 Tag3"
"If my NAD source is in Fabric 3 and my user is a corporate user in Groupe4 then the result will be 10_10_12_0-VN3 Tag4"
"If my NAD source is in Fabric 3 and my user is a corporate user in Groupe5 then the result will be 10_10_12_0-VN3 Tag5"
This is the same use case as if the customer does not have the same Data VLAN on all Sites (with legacy infra).
Moreover, that also means that we can only create ISE rules once the Fabric is deployed, since we cannot manage the name or the VLAN ID.
Why is the RADIUS parameter cisco-av-pair = cts:vn=Corporate_VN not enough to give the switch the VN name information?
03-19-2021 09:59 AM - edited 03-19-2021 09:59 AM
I know how to do it with several lines, but I really don't understand why we need to specify the network.
-If your interfaces are not statically configured for a respective VN/pool/SGT, how will the switch know how to onboard clients? You are dynamically onboarding/assigning clients via ISE policy. If you wish to statically assign you have that option too, but you lose the mobility aspect IMO. I guess that decision comes down to requirements.
Moreover, that also means that we can only create ISE rules once the Fabric is deployed, since we cannot manage the name or the VLAN ID.
-I mean, sort of. Technically, if you know the ranges and names of the VNs you will use, you could pre-stage ISE authz profiles for corresponding future deployments, since we already know what the auth string looks like (depicted in other posts above).
I recommend looking into those links as they will cover other ways to onboard, and potentially answer items in more detail. Anyways, HTH!
03-19-2021 11:30 AM
Thanks for your Help Mike :-).
I thought that the switch could find this VLAN information through the cisco-av-pair = cts:vn=Corporate_VN RADIUS parameter.
Is it just for description?
Thanks.
03-19-2021 12:03 PM
This AV pair is NOT used in any way whatsoever for assigning endpoints to access VLANs. FYI, in case it was missed, I replied above on how to have a single ISE wired AuthZ policy for multiple fabric sites. Cheers, Jerome