If I understand your question correctly, you have lots of floors that require different VLANs to be dynamically assigned, to reduce the size of the broadcast domain, once authenticated and posture check is performed.

The way I implement this without a large complex policy is by using dynamic VLAN assignment by name and not ID and use a standard name across all floor switches that maps locally on each switch to a particular VLAN ID. So the policy for authenticated/checked users/computers is to assign to the VLAN EMPLOYEE (say) in the ISE result, however, on the switches on floor 1 this VLAN name maps to VLAN ID 101 and on floor 2 this VLAN name maps to VLAN ID 102 and so on for as many floors and buildings as you need. The policy remains very simple and the different broadcast domain mapping is done on the access switches where the VLANs must be configured anyway but you just use a standard name across all access switches.

This can be done for multiple VLANs if required.

The standard VLAN naming is only required on the access switch where 802.1x is required so for distribution switches etc you can use a more detailed name if required.

Hi Holla, Jason, dmh,

Thanks a lot! let me have a try.

DL

Hi DL,

The easiest way to solve the issue would be eliminate the broadcast domain between Access Switch to Core(or)Dist switch.

By doing that you can assign same VLAN ID for all access switch, minimize the rules in the ISE and you can differentiate users from different floors by different IP address.

Else the rules in the ISE would keep increasing and it would be a nightmare for administrator to manage or troubleshoot the rules.

Eg.

Regards,

Sai