03-07-2017 05:11 PM
I'm reading the Closed Mode deployment strategy for Cisco ISE and was wondering if anyone had any experience with Cisco ISE and dynamic VLAN assignment? My situation is 2 user VLAN IDs that are /23's, let's say VLAN 10 and 20... Instead of creating 2 authorization policies each assigning a single VLAN ID, is there a way inside of ISE to have 1 policy and dynamically assign a VLAN group? I know on the switch level you can create a VLAN group and add VLAN IDs 10 and 20 to that group... How can I tell ISE to look for that VLAN group name now?
The documentation describes a "User Distribution Feature" which maps multiple VLANs to a VLAN group name, and the switch will load balance users in the same group across different VLANs, thus reducing the broadcast domain for a single VLAN.
Thanks! Appreciate any feedback!
03-08-2017 04:19 AM
From the ISE side, you should just insert the VLAN group name you have created on the switch in the VLAN option field under the authorization profile.
See attached file
From the switch side, just create one VLAN group with the VLANs you want to use.
2041-Cisco-Access-Switch-41#show vlan group g DHCP-Test user-count
VLAN : Count
-------------------
104 : 1
105 : 0
106 : 0
107 : 0
108 : 0
109 : 0
110 : 0
03-14-2017 10:19 AM
Sorry for delayed response, but this totally worked! Appreciate your help!
One gotcha I found though... If you have the "switchport access vlan 30" command on the interface, and that SVI has a DHCP helper address, it will cause problems as the switch tries to load balance and throw you to another VLAN ID inside VLAN group "xx", which ultimately tries to kick you another address as well.
Everyone probably already knows this, but long story short all access ports now say "switchport access vlan 87" where VLAN 87 = null VLAN.
Cheers!
Thank You
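Putting the accepted answer and the null-VLAN gotcha together, here is an added configuration sketch; it is not from the thread or from Cisco's documentation. The group name DHCP-Test, the member VLANs 104-110 and the parking VLAN 87 come from the posts above; the interface name and the "NULL-VLAN" label are assumptions.

```text
! --- Switch side (Cisco IOS, constructed example) ---
! Define the VLAN group that ISE will reference by name. The switch places each
! authenticated endpoint in the least-populated member VLAN of the group.
vlan group DHCP-Test vlan-list 104-110
!
! Parking VLAN for not-yet-authorized ports. VLAN 87 has no SVI and therefore no
! ip helper-address, so a client cannot pull a DHCP lease on the wrong subnet
! before ISE moves it into one of the group VLANs (the problem described above).
vlan 87
 name NULL-VLAN
!
! Closed-mode 802.1X port: no traffic passes until ISE returns an authorization.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 87
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! --- ISE side (Authorization Profile > Common Tasks > VLAN) ---
! Enter the group name, not a VLAN ID. ISE then returns these RADIUS attributes
! in the Access-Accept:
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = IEEE-802 (6)
!   Tunnel-Private-Group-ID = DHCP-Test
!
! --- Verification on the switch ---
! Confirm sessions are being spread across the group's member VLANs:
!   show vlan group group-name DHCP-Test user-count
! Confirm which VLAN a given session actually landed in:
!   show authentication sessions interface GigabitEthernet1/0/1 details
```

If the user-count output shows every session in a single member VLAN, check that the authorization profile carries the group name rather than one of the member VLAN IDs.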
03-11-2019 02:41 AM
Hi @smashash, I would like to clarify if there is a vlan group command on the CAT9300? I am trying to search here in the community and in the official Cisco guides for the CAT9300 and I cannot see any.