Buy or Renew
Buy or Renew
Cisco DNA Center is now Catalyst Center. New name, same great product. Learn more about Catalyst Center here.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
377
Views
1
Helpful
3
Replies

ISE policies for SDA with FZ - Re-use pool names or vlan ids

s.van
Level 1
Level 1

‎05-19-2023 08:26 AM

Hi 

I have a new SDA brownfield deployment, which needs to retain the old ip pools. I was looking at FZs to accommodate this requirement.(vlan/ip pools per floor) however with this the ise policy lines are growing exponentially.

The authz policies look something like...

"If my NAD source is in Fabric Zone 1 and my user is a corporate user then the result will be 10_10_10_0-VN1"

"If my NAD source is in Fabric Zone 2 and my user is a corporate user then the result will be 10_10_11_0-VN1"

"If my NAD source is in Fabric Zone 3 and my user is a corporate user then the result will be 10_10_12_0-VN1"

"If my NAD source is in Fabric Zone 4 and my user is a corporate user then the result will be 10_10_13_0-VN1"

"If my NAD source is in Fabric Zone 5 and my user is a corporate user then the result will be 10_10_14_0-VN1"

 and the list grows exponentially if i add a new Fabric site and it becomes a nightmare to manage the policies.

The challenge is that i'm unable to reuse vlanIDs/Names across FZs in the same fabric.(or another feature from cisco which can do it )

Is there a better way to do this ?

Thanks

Labels:
0 Helpful
3 Replies 3

jedolphi
Cisco Employee
Cisco Employee

‎05-23-2023 02:32 AM - edited ‎05-23-2023 02:33 AM

Ability to assign same VLAN name to different IP range per-FZ has been written into the SD-Access code but unfortunately is not generally available yet. If you can wait a few months for the code change then please ask your Cisco sales representative to contact me and we can coordinate scheduling. In the short term you could manually deploy VLAN groups, please note this has the potential to be quite manual. https://community.cisco.com/t5/identity-services-engine-ise/best-practice-for-dynamic-vlan/td-p/3494603

s.van
Level 1
Level 1

‎05-23-2023 08:38 AM

Thankyou so much for the reply and the planned resolution.

Is there any timelines as to when this will be available as GA ?

0 Helpful

jedolphi
Cisco Employee
Cisco Employee
In response to s.van

‎05-24-2023 05:50 AM

No problems. Timelines are commercially sensitive and subject to change, so not appropriate to share in this forum unfortunately. The fix is not coming out for general consumption in the near term, but should be available later this year. If you need specific details please talk to your Cisco sales representative.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents