10-16-2020 01:57 AM
Hi All,
For a customer I'm trying to come up with a dynamic solution to configure a fabric switchport with a static access VLAN in support of their Wake-on-LAN based desktop support processes.
Specifically, DNAC v2.1.2.0 introduces support for Subnet Directed Broadcasts, which is great, but it also requires static host onboarding (according to the release notes), if I understand correctly. I'd rather find a solution that dynamically writes the VLAN sent from ISE to the switchport.
In both cases, this would allow the PC to shut down, while the last authorized VLAN remains active on the switchport and (in this case) SCCM is able to send a WoL magic packet to wake up that PC.
I've looked into sticky templates, but that solution does not survive a reload of the switch.
Now I'm looking into Auto Smart Ports. By making the macro part of the ISE authorisation profile, the macro would be able to statically program the VLAN on the switchport.
I feel that in conjunction with a Closed Authentication policy, I should be able to keep the link-up and link-down triggers the same, so the VLAN config remains when the PC shuts down. Once the switchport reauthenticates a different use case, another VLAN is written to the switchport.
Is the scenario "DNAC - ISE - Cat9000 - Smart Port macros" a viable solution or are there incompatibilities that would make this solution a no-go?
10-17-2020 02:40 AM - edited 10-17-2020 06:57 AM
Hi Hans
I assume you want to treat the case where the port remains up but neither a MAC address nor an authentication session is present on the port anymore. I think you could stick the last authorized VLAN on the port with either ASP (though I've heard it's not supported anymore on 16.9.*) or a dynamic interface template (Cisco's recommended replacement for ASPs). But you will face a scalability problem with this approach, because you will need to create a corresponding AuthZ profile for each target VLAN on ISE, as well as configure either an ASP or a dynamic template with the target VLAN assignment in it on all the relevant switches.
03-04-2021 11:17 AM
For closed authentication with dynamic VLAN, Cisco recommends the following:
Use an EEM script to set the dynamic VLAN as the switchport access VLAN on the port. That way your silent host will stay in the VLAN if it shuts down, so you can use Wake-on-LAN. Dynamic VLAN assignment also keeps working in this way; it just puts the new VLAN on the port.
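The EEM approach described in the reply above, as an added example (not code from the thread or from Cisco): an applet that fires on the switch's VLAN-assignment syslog and writes the ISE-assigned VLAN into the interface as a static `switchport access vlan`. The applet name is made up, and the syslog text it matches (`%AUTHMGR-5-VLANASSIGN: VLAN <n> assigned to Interface <if> ...`) is an assumption about the platform; confirm the exact message on your release before relying on the pattern.

```text
! Added example, not from the original post.
! Assumed syslog on successful dynamic VLAN assignment:
!   %AUTHMGR-5-VLANASSIGN: VLAN 100 assigned to Interface Gi1/0/1 AuditSessionID ...
! Verify the message text on your platform/release; adjust the patterns if it differs.
event manager applet STICKY-AUTHZ-VLAN
 event syslog pattern "AUTHMGR-5-VLANASSIGN: VLAN [0-9]+ assigned to Interface"
 ! Extract the VLAN id and interface name from the syslog line that fired the event.
 action 1.0 regexp "VLAN ([0-9]+) assigned to Interface ([A-Za-z0-9/.]+)" "$_syslog_msg" match vlan intf
 ! Write the assigned VLAN into the running configuration of that interface.
 action 2.0 cli command "enable"
 action 2.1 cli command "configure terminal"
 action 2.2 cli command "interface $intf"
 action 2.3 cli command "switchport access vlan $vlan"
 action 2.4 cli command "end"
 action 3.0 syslog msg "STICKY-AUTHZ-VLAN: wrote access VLAN $vlan to $intf"
```

Two things to check before using this: in closed mode the unauthorized port blocks traffic in both directions by default, so the magic packet cannot reach the sleeping PC unless the port is configured with `access-session control-direction in` (legacy syntax: `authentication control-direction in`), which lets egress traffic through while the session is down; and because the applet changes running configuration outside of the controller, a DNAC-managed fabric edge will see that change as drift from the intended configuration, so decide how your deployment handles that before rolling the applet out.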
03-04-2021 10:58 PM