12-20-2023 05:36 AM
I have about 30 individual data VLANs, all with unique VLAN IDs and names; the names all have the word "data" in them, 1 on each switch. I'm also running Cisco ISE. Is there a way that I can use dynamic VLAN assignment for each of these? Basically, can I create a single authorization policy for workstations and have that policy dynamically assign the data VLAN using some kind of variable that assigns it to the VLAN with the word "data" in it? I don't want to have to create 30 individual authorization policies and policy rules for each switch. I'm already doing this with an authorization policy for a different type of device, but they are all on one VLAN across all the switches, so it's easy.
12-20-2023 02:49 PM
@kalien3 it depends on what your criterion is for assigning a specific VLAN in a particular Authorization Rule. If you are assigning VLANs based on the NAD Device Location, then you're possibly in for a hard slog.
I think the ideal case would be to normalise all the VLAN names on all of your switches, to enable ISE to send back the VLAN name to the switch, instead of messing around with VLAN IDs. This might be a bit of upfront work. Touch each switch and rename the VLAN in question to the common name - e.g. CORPDATA - you leave the VLAN ID as is, because this has no bearing on ISE. Once this has been done (and verified to exist on all your relevant access switches) you can reliably return the VLAN Name in your ISE Authorization Profiles.
By the way, this concept has been working very well for network deployments in multi-floor buildings, where each floor has its own VLAN ID for things like corporate data or voice VLANs. Using a common VLAN Name keeps the ISE logic clean and simple.
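As an added example (not from the thread or from Cisco), here is a Python check for the verification step the answer describes: parse `show vlan brief` output collected from each access switch, report which switches still lack the common VLAN name, and show the RFC 3580 RADIUS attributes an authorization profile returns when it assigns a VLAN by name. The switch names and outputs are constructed samples.

```python
import re
from typing import Dict, List

# Constructed `show vlan brief` output from two access switches (not real devices).
# sw-floor1 already uses the common name; sw-floor2 still has its per-floor name,
# so a RADIUS reply naming "CORPDATA" would not map to any VLAN there.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "sw-floor1": (
        "VLAN Name                             Status    Ports\n"
        "---- -------------------------------- --------- -----------------\n"
        "1    default                          active    Gi1/0/47, Gi1/0/48\n"
        "110  CORPDATA                         active    Gi1/0/1, Gi1/0/2\n"
        "111  VOICE                            active    Gi1/0/1, Gi1/0/2\n"
        "1002 fddi-default                     act/unsup\n"
    ),
    "sw-floor2": (
        "VLAN Name                             Status    Ports\n"
        "---- -------------------------------- --------- -----------------\n"
        "1    default                          active\n"
        "210  FLOOR2_DATA                      active    Gi1/0/3\n"
        "211  VOICE                            active    Gi1/0/3\n"
    ),
}

# A VLAN row starts with the numeric ID, then the name, then the status column.
VLAN_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)")


def parse_vlan_brief(text: str) -> Dict[str, int]:
    """Map VLAN name -> VLAN ID for the active VLANs in one switch's output."""
    vlans: Dict[str, int] = {}
    for line in text.splitlines():
        m = VLAN_LINE.match(line)
        if m and m.group(3) == "active":  # skips header, separator and act/unsup rows
            vlans[m.group(2)] = int(m.group(1))
    return vlans


def check_common_vlan(outputs: Dict[str, str], name: str) -> Dict[str, List[str]]:
    """Report which switches carry the common VLAN name (exact match) and which do not."""
    report: Dict[str, List[str]] = {"ok": [], "missing": []}
    for switch, text in outputs.items():
        report["ok" if name in parse_vlan_brief(text) else "missing"].append(switch)
    return report


def radius_vlan_attributes(name: str) -> Dict[str, object]:
    """RFC 3580 attributes returned to assign a VLAN by name: Tunnel-Type VLAN(13),
    Tunnel-Medium-Type IEEE-802(6), Tunnel-Private-Group-ID carrying the name."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": name}


if __name__ == "__main__":
    print(check_common_vlan(SAMPLE_OUTPUTS, "CORPDATA"))
```

Run it against real output by replacing the constructed dictionary with text captured from each switch; any switch listed under "missing" would reject the name-based assignment until its VLAN is renamed.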
12-20-2023 05:43 AM
@kalien3 you could use dynamic attributes lookup to determine which VLAN a specific workstation needs to go in, then reference that attribute in the single authorisation rule.
Example: https://integratingit.wordpress.com/2018/12/01/ise-dynamic-variables-from-ad/
https://integratingit.wordpress.com/2018/05/07/configuring-cisco-ise-dynamic-vlan-assignment/