Cisco ISE dynamic vlan assignment.

sanders.ryan
Level 1

I'm reading the Closed Mode deployment strategy for Cisco ISE and was wondering if anyone had any experience with Cisco ISE and dynamic vlan assignment? My situation is 2 user vlan IDs that are /23's, let's say vlan 10 and 20... Instead of creating 2 authorization policies assigning a single Vlan ID, is there a way inside of ISE to have 1 policy and dynamically assign a vlan group? I know on the switch level you can create a vlan group and add vlan IDs 10 and 20 to that group... How can I tell ISE to look for that Vlan group name now?

The documentation describes a "User Distribution Feature" which maps multiple Vlans to a Vlan group name, and the switch will load balance users in the same group across different Vlans, thus reducing broadcast domain for a single Vlan.

Thanks! Appreciate any feedback!


smashash
Cisco Employee

From ISE side, you should just insert the VLAN group name you have created on switch in VLAN option field under authorization profile.

See attached file

From switch side, just create one VLAN group with vlans you want to use.

  • [no] vlan group <VLAN-group-name> <VLAN list>
  • show vlan group group-name <vlan-group-name>

e.g.:

2041-Cisco-Access-Switch-41#show vlan group g DHCP-Test user-count
  VLAN     : Count
-------------------
  104       : 1
  105       : 0
  106       : 0
  107       : 0
  108       : 0
  109       : 0
  110       : 0

Sorry for the delayed response, but this totally worked! Appreciate your help!

One gotcha I found though... If you have the "switchport access vlan 30" command on the interface, and that SVI has a DHCP helper address, it will cause problems as the switch tries to load balance and throw you to another vlan ID inside Vlan group "xx", which ultimately tries to kick you another address as well.

Everyone probably already knows this, but long story short all access ports now say "switchport access vlan 87" where vlan 87 = Null vlan.

Cheers!
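A config audit for the gotcha above, added here as an example and not code from the thread or from Cisco: it parses a constructed running-config fragment and flags 802.1X-enabled access ports whose static "switchport access vlan" is a real user VLAN rather than the null VLAN, noting whether that VLAN's SVI carries a DHCP helper address. The null VLAN number (87) and the sample config are assumptions taken from the reply.

```python
import re

# Constructed sample running-config fragment (not from the thread): VLAN 87 is
# the "null" parking VLAN the reply recommends, VLAN 30 is a real user VLAN
# whose SVI carries a DHCP helper, Gi1/0/3 has no 802.1X so ISE never moves it.
SAMPLE_CONFIG = """\
vlan group DHCP-Test vlan-list 104-110
interface Vlan30
 ip address 10.30.0.1 255.255.254.0
 ip helper-address 10.0.0.5
interface GigabitEthernet1/0/1
 switchport access vlan 30
 authentication port-control auto
interface GigabitEthernet1/0/2
 switchport access vlan 87
 authentication port-control auto
interface GigabitEthernet1/0/3
 switchport access vlan 30
"""

NULL_VLAN = 87  # assumption: the parking VLAN used in the thread


def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # left the stanza (global config line)
    return stanzas


def audit_static_vlans(config, null_vlan=NULL_VLAN):
    """Return (port, static_vlan, has_dhcp_helper) for every 802.1X port
    whose static access VLAN is not the null VLAN; has_dhcp_helper marks the
    exact combination that caused the re-addressing problem in the thread."""
    stanzas = parse_interfaces(config)
    helper_vlans = {int(n[4:]) for n, ls in stanzas.items()
                    if n.startswith("Vlan")
                    and any(l.startswith("ip helper-address ") for l in ls)}
    findings = []
    for name, lines in stanzas.items():
        if not any(l.startswith("authentication port-control") for l in lines):
            continue  # static VLAN only matters where ISE can override it
        for l in lines:
            m = re.fullmatch(r"switchport access vlan (\d+)", l)
            if m and int(m.group(1)) != null_vlan:
                findings.append((name, int(m.group(1)), int(m.group(1)) in helper_vlans))
    return findings


if __name__ == "__main__":
    for port, vlan, helper in audit_static_vlans(SAMPLE_CONFIG):
        print(f"{port}: static VLAN {vlan}, DHCP helper={helper}; park it on VLAN {NULL_VLAN}")
```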

Thank You

Hi @smashash, I would like to clarify if there is a vlan group command in CAT9300? I am trying to search here in the community or the official guides of Cisco for CAT9300 and I cannot see any.