Asking about Cisco ise network layout

JuliusK
Visitor

[Image: JuliusK_0-1775128207512.png]

Hi, I'm having a problem. See picture above. I'm building, as my thesis work, a Cisco ISE automated access control, and from what I have understood the edge switches should be L2 access switches, but I'm having a difficult time with the edges. I'm using IS-IS between links currently and have also tried using trunks, which causes loops. So I'm wondering, what is the real solution to this? Should I stick to trunks, or what?

Good to mention also: I have succeeded with dot1x and MAB authentication from the Edge-1 switch, but I can't get DHCP addresses from the router, and my probe isn't working properly either, because ISE doesn't detect the OS or OUI. The goal is that ISE is the PDP and the edges are the PEP, as zero trust architecture suggests.

Edges are 9200L.
Borders are 9300.

Feel free to roast me. 

11 Replies

Htonieto
Level 6

@JuliusK wrote:

Hi, I'm having a problem. See picture above. I'm building, as my thesis work, a Cisco ISE automated access control, and from what I have understood the edge switches should be L2 access switches, but I'm having a difficult time with the edges. I'm using IS-IS between links currently and have also tried using trunks, which causes loops. So I'm wondering, what is the real solution to this? Should I stick to trunks, or what?


I didn't get your first question; are you having any issues with IS-IS? There is no problem running it on the edge devices. This architecture is called routed access: you use L3 links in the access layer, generally to replace the trunks and spanning tree protocol. This architecture won't cause issues with DHCP or profiling in Cisco ISE.

For the DHCP issues you need to check whether the switches have DHCP snooping enabled. Are you using DHCP relay? Is the gateway for the hosts' VLAN located on the border or directly on the router?

I'm just wondering how it can carry the multiple customer VLANs (10-17) which I use for this lab.

I have the following configuration on the borders:

interface Vlan10
 ip address <desired pool's gateway address>
 ip helper-address <router Lo0 address>
 ip helper-address global <router Lo0 address>

So the gateways are located on the borders.

I have every VLAN isolated in a VRF so customer traffic is separated from the infrastructure.

@JuliusK wrote:

I'm just wondering how it can carry the multiple customer VLANs (10-17) which I use for this lab.

Because that's what routed access does: the switch can handle multiple VLANs, but it uses the L3 routed link to forward the traffic.

So let's suppose a client on Edge-01 needs to reach the router; the path will be the following.

Client > Edge‑01 > (ISIS) > Border‑1 > (eBGP AS 65000) > Router

Please take this into consideration:

  • Uplinks are L3, not trunks
  • No VLAN tagging across switches
  • Each access switch is a separate L2 environment
  • The distribution layer holds the only SVI (gateway)

And using VRFs makes things more complex: you need to ensure each VRF has reachability to the DHCP server and to Cisco ISE.


@JuliusK wrote:
So the gateways are located on the borders.

I have every VLAN isolated in a VRF so customer traffic is separated from the infrastructure.

So should I ditch VRF routing and just globally route the VLANs, use gateways on the edges' VLANs, and advertise that VLAN with IS-IS?


pieterh
VIP

At first: a pure routed link does not carry any VLANs.
The advantage of the routed link is to "isolate" the VLAN, e.g. broadcasts do not traverse the link,
and no L2 problems like loops can occur, without the need to use spanning tree for loop detection/prevention.
For this pure routed link you can configure the interface as "no switchport",
but keep in mind you isolate the VLAN with this command: VLAN 10 on both access switches is a DIFFERENT VLAN 10, local to each switch.

Second, "interface vlan 10 ..." means you are configuring a virtual interface (SVI);
the physical interface can still be configured as a VLAN trunk to carry multiple VLANs (even VLANs without an SVI!),
and of course you then need a feature to prevent loops, like spanning tree.
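An added example, not the thread's or any poster's configuration, of what the routed uplink pieterh describes and the helper-address relay from the earlier replies look like together on a 9200L edge that holds the client gateway in the global routing table (no VRF). Addresses, the IS-IS NET, interface names, the DHCP server and the ISE PSN address are assumed placeholders, and AAA/RADIUS toward ISE is assumed to be configured already:

```ios
! Added example (not from the thread): 9200L edge in routed access, gateway on the edge.
! Assumed placeholders: uplink 10.255.0.2/30 to Border-1, client VLAN 10 = 10.10.10.0/24,
! DHCP server 10.0.0.1 (router Lo0), ISE PSN 10.0.0.10, IS-IS NET below.
!
dot1x system-auth-control
!
router isis LAB
 net 49.0001.0000.0000.0002.00
 is-type level-2-only
 ! advertise the client subnet without sending IS-IS hellos toward clients
 passive-interface Vlan10
!
! Uplink to Border-1: a pure routed link, no VLAN tags, no spanning tree across it
interface TenGigabitEthernet1/1/1
 description Uplink to Border-1 (routed)
 no switchport
 ip address 10.255.0.2 255.255.255.252
 ip router isis LAB
!
! VLAN 10 exists only on this switch; its gateway SVI is here, so client DHCP
! broadcasts are relayed from this hop instead of being extended to the border
vlan 10
 name CLIENTS
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.0.0.1
 ! second helper sends a copy of the DHCP exchange to the ISE PSN for the DHCP probe
 ip helper-address 10.0.0.10
!
! Access port: 802.1X with MAB fallback, placed into VLAN 10
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 mab
 spanning-tree portfast
!
! Checks:
!  show isis neighbors
!  show ip route isis
!  show authentication sessions interface GigabitEthernet1/0/1 details
```

With the border also running IS-IS on its side of the routed link, the 10.10.10.0/24 client subnet is learned by the border (and on to the router via BGP) without any VLAN 10 existing outside this switch.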

aleabrahao
Meraki Community All-Star

Excuse the question, but why are you creating such a complex network design?

Wouldn't it be better to simplify the design? That would also make troubleshooting easier.

That's just my opinion.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Thank you for your input.

Could you clarify what you mean by simplifying it? It's my thesis work, and the company kind of expects BGP and all that stuff, because they might implement this if it's good.

aleabrahao
Meraki Community All-Star

Something like this.

[Image: aleabrahao_0-1775150549512.png]

No DHCP address from the router because:

  • Your edge is routing
  • The DHCP server is beyond routed hops
  • DHCP Snooping / Relay / Option 82 logic isn’t aligned
  • The client VLAN isn’t truly extended to the gateway SVI

ISE profiling is not detecting the OS or OUI; profiling relies on:

  • DHCP fingerprints
  • ARP
  • MAC OUI
  • HTTP probes 

If the switch doesn’t see DHCP broadcasts, ISE has nothing to profile.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

aleabrahao
Meraki Community All-Star

Design Zone - Campus LAN and Wireless LAN Solution Design Guide - Cisco

ISE Secure Wired Access Prescriptive Deployment Guide - Cisco Community

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/BRKENS-1501.pdf


I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.


@aleabrahao wrote:

If the switch doesn’t see DHCP broadcasts, ISE has nothing to profile.


It's not related to the switch. To use DHCP information in Cisco ISE you must configure the DHCP probe; this is configured under the L3/gateway interface for the local clients.

Profiling Using the DHCP and DHCP SPAN Probes

@JuliusK Since you are using Cisco ISE and want segmentation, my suggestion is to avoid VRFs and focus on Cisco TrustSec.

aleabrahao
Meraki Community All-Star

This is partially true: Cisco ISE can learn DHCP information in multiple ways, and only one of them requires L3/gateway configuration.
Cisco explicitly documents that Device Sensor on Catalyst switches sends DHCP attributes to ISE via RADIUS accounting, and does not require ip helper-address toward ISE.

ISE Profiling Design Guide - Cisco Community

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
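An added example, not from the thread or from Cisco's guide, of the Device Sensor path aleabrahao describes: a Catalyst edge collecting DHCP and CDP attributes from the port's 802.1X/MAB session and forwarding them to ISE inside RADIUS accounting, with no helper-address toward ISE. The ISE PSN address, the shared secret and the interface are assumed placeholders, and an authenticated session on the port is assumed to exist:

```ios
! Added example (not from the thread): Device Sensor -> RADIUS accounting -> ISE.
! Assumed placeholders: ISE PSN 10.0.0.10, shared secret, existing dot1x/MAB port session.
!
aaa new-model
!
radius server ISE-PSN1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
!
aaa group server radius ISE
 server name ISE-PSN1
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
! interim updates carry newly learned attributes to ISE between start and stop
aaa accounting update newinfo periodic 2880
radius-server vsa send accounting
radius-server vsa send authentication
!
! Forward only the DHCP options ISE fingerprints actually use
device-sensor filter-list dhcp list DHCP-PROFILING
 option name host-name
 option name class-identifier
 option name client-identifier
 option name parameter-request-list
device-sensor filter-spec dhcp include list DHCP-PROFILING
!
! CDP TLVs are useful for IP phones and other Cisco endpoints
device-sensor filter-list cdp list CDP-PROFILING
 tlv name device-name
 tlv name platform-type
device-sensor filter-spec cdp include list CDP-PROFILING
!
! Put the collected attributes into accounting and send on every change
device-sensor accounting
device-sensor notify all-changes
!
! Checks: what the switch has cached per session before ISE receives it
!  show device-sensor cache all
!  show device-sensor cache interface GigabitEthernet1/0/1
```

In ISE, the RADIUS probe must be enabled on the PSN so that the attributes arriving in accounting are used for profiling; the DHCP helper-address toward ISE is only needed for the separate DHCP probe.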