Cisco Switch configuration for ISE

sajid231088
Level 1

Hi All,

 

Hope you all are doing good.

 

I am new to ISE and facing many challenges; the first and most important for me is to get the proper switch configuration.

 

I have the below devices in my lab (this lab is only for testing and learning purposes):

 

2 x 3560

1 x 2960 (IP Base)

1 x WLC 2504

 

The 3560s would be my core/aggregation switches and the 2960 would be the access switch.

We have 4 VLANs (Corporate, Guest, BYOD, Limited).

 

Our Requirement

 

We want a setup in which, when any device connects to our network, it first connects to our Limited VLAN, where posturing is done. Once the device is sanitized/postured it should get its respective VLAN; for example, if it is a corporate device it should get a CORP VLAN IP, or if it is a guest device it should connect to the Guest VLAN.

 

Below are my queries:

 

Do I have to create all VLANs on my core switch as well as on my access switch?

The link between the core and access switch should be a trunk?

Do I need to create SVIs? If yes, please explain how.

As I have a 2960 access switch where I cannot create more than one L3 interface, what interface should it be? I mean, what VLAN should it belong to?

 

Please forgive typo errors; I might have asked some silly questions, but I just wanted to clear my doubts.

 

Regards,  

5 Replies

Jurgens L
Level 3

Hi There,

 

To your queries:

Do I have to create all VLANs on my core switch as well as on my access switch?

Correct

The link between the core and access switch should be a trunk?

Correct

Do I need to create SVIs? If yes, please explain how.

Yes, you will need your SVIs on your core/distribution layer. You create this by adding a VLAN interface such as

conf t
interface vlan 5
 description VLAN5
 ip address 10.10.5.1 255.255.255.0
 no shut

 

Don't forget to add "ip routing" under your global config; this will allow the switch to do L3 routing and to add the VLANs in your VTP table.

 

As I have a 2960 access switch where I cannot create more than one L3 interface, what interface should it be? I mean, what VLAN should it belong to?

If you use the 2960's as access layer switches, then you won't need to worry about creating multiple L3 interfaces, you only need a management interface for each access layer switch.

 

 

<<< Please help the community by marking useful posts helpful, or accept as a solution if it resolved your issue >>>
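As an added example (not from this thread or from Cisco's documentation), here is how the pieces above fit together for the lab in the question: the same VLAN database on both switches, SVIs and "ip routing" only on the 3560 core, a dot1q trunk between them, and a single management SVI on the 2960. Hostnames, VLAN IDs, subnets, port numbers and the DHCP server address (10.10.99.50) are constructed assumptions.

```cisco
! ===== CORE-1 (3560; hostname, VLAN IDs, subnets and ports are constructed) =====
hostname CORE-1
!
! Enables routing between the SVIs below; without it the 3560 only bridges
ip routing
!
! The same VLAN database on every switch along the path
vlan 10
 name CORPORATE
vlan 20
 name GUEST
vlan 30
 name BYOD
vlan 40
 name LIMITED
vlan 99
 name MGMT
vlan 999
 name NATIVE-UNUSED
!
! One SVI per user VLAN; its address is that VLAN's default gateway.
! ip helper-address relays DHCP to an assumed server at 10.10.99.50.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.10.99.50
 no shutdown
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 10.10.99.50
 no shutdown
interface Vlan30
 ip address 10.10.30.1 255.255.255.0
 ip helper-address 10.10.99.50
 no shutdown
interface Vlan40
 description LIMITED - posture / remediation
 ip address 10.10.40.1 255.255.255.0
 ip helper-address 10.10.99.50
 no shutdown
interface Vlan99
 ip address 10.10.99.1 255.255.255.0
 no shutdown
!
! Trunk to the access switch. The 3560 needs the encapsulation set explicitly;
! an unused native VLAN, a pruned allowed list and no DTP keep the uplink tight.
interface GigabitEthernet0/1
 description Trunk to ACCESS-1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,99
 switchport mode trunk
 switchport nonegotiate
!
! ===== ACCESS-1 (2960 IP Base; stays Layer 2, no "ip routing") =====
hostname ACCESS-1
!
vlan 10
 name CORPORATE
vlan 20
 name GUEST
vlan 30
 name BYOD
vlan 40
 name LIMITED
vlan 99
 name MGMT
vlan 999
 name NATIVE-UNUSED
!
! The one L3 interface lives in the management VLAN and points at the core SVI;
! the user VLANs get no SVI on the access layer.
interface Vlan99
 ip address 10.10.99.11 255.255.255.0
 no shutdown
ip default-gateway 10.10.99.1
!
! Uplink: the 2960 only speaks dot1q, so there is no encapsulation command
interface GigabitEthernet0/1
 description Uplink to CORE-1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,99
 switchport mode trunk
 switchport nonegotiate
```

After applying it, "show vlan brief" on both switches, "show interfaces trunk" on each end of the uplink and "show ip interface brief" on the core confirm that the VLANs, the trunk allowed list and the SVIs came up as intended; a VLAN missing from either switch or pruned from the trunk is the usual reason a host in that VLAN cannot reach its gateway.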

 

Hi Jurgens,

 

Thanks for your prompt response.

 

It's very helpful for me. Could you please share a core switch config template if you have any, or share a link where I can see the config?

No problem, always a pleasure to help out.

Check out the links below, they will explain to you in detail how to set this up.

https://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.html
https://www.youtube.com/watch?v=BOFHo13ATZE

Mike.Cifelli
VIP Alumni

We want a setup in which, when any device connects to our network, it first connects to our Limited VLAN, where posturing is done. Once the device is sanitized/postured it should get its respective VLAN; for example, if it is a corporate device it should get a CORP VLAN IP, or if it is a guest device it should connect to the Guest VLAN.

 

These are some questions that you will want to consider while designing your build:

Do you have 802.1X enabled in your environment? Do you have PKI certificates to use, or do you plan to use MAB? Do you have the AnyConnect client with the ISE posture module on the clients you are testing? Are you planning to use client provisioning in ISE for clients that do not have the posture module?

 

You will need quite a bit of config on your NADs to achieve your requirements. For a better understanding of how to configure 802.1X on your NADs, see this:

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html

 

Hope this helps.

This approach "We want a setup in which, when any device connects to our network, it first connects to our Limited VLAN, where posturing is done. Once the device is sanitized/postured it should get its respective VLAN; for example, if it is a corporate device it should get a CORP VLAN IP, or if it is a guest device it should connect to the Guest VLAN." will definitely lead to challenges. VLAN switches after the device already has an IP address on the first VLAN are usually a challenge. I wouldn't advocate doing VLAN switches after the initial IP is received, but your mileage may vary.