Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1230
Views
1
Helpful
3
Replies

Dynamic VLAN assignment based on vlan-name to vlan-id assignment

Go to solution
pio.gra
Level 1
Level 1

‎03-03-2023 12:50 AM

Hi,

Is there a way for ISE to work similar to C9800 controller in terms of the VLAN assignment for specific sites? I'm trying to prepare the global policies as unified as possible and I wonder if it's doable to assign different VLAN ID's based on some "database" that includes vlan names and ID's, like "corp-vlan", "guest-vlan" and the ID's are different based on the site name for example (NAS-Identifier).

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎03-05-2023 12:29 PM

@pio.gra - it sounds like you want ISE to return a VLAN Name (or VLAN ID) based on some logic/identifier about where there request came from. In my experience, that is better handled by the switch itself, based on local knowledge. If you need to return a VLAN to a switch interface, then ISE should not contain this logic - ISE should return a VLAN Name (and not a VLAN ID) and the switch has the mapping of VLAN Name -> VLAN ID.  e.g. in large buildings where each floor has its own Voice VLAN and Data VLAN, ISE should return a Name each time - and the switch on each Floor must have the appropriate VLAN ID. This works.

And as @ahollifield says, dynamic VLAN ID assignment can be tricky - for 802.1X the VLAN assignment happens BEFORE the DHCP - that's fine. But if you're doing dynamic VLAN assignment for endpoints AFTER the DHCP stage, then you can have issues, because the host won't know to do another DHCP after the VLAN has been changed. How would it know? Be careful.

View solution in original post

3 Replies 3

Go to solution
ahollifield
VIP
VIP

‎03-03-2023 07:14 AM

It is best practice not to change VLANs.  What is your use-case?  Why not use a different enforcement method such as dACL or TrustSec.

0 Helpful

Go to solution
Arne Bier
VIP
VIP

‎03-05-2023 12:29 PM

@pio.gra - it sounds like you want ISE to return a VLAN Name (or VLAN ID) based on some logic/identifier about where there request came from. In my experience, that is better handled by the switch itself, based on local knowledge. If you need to return a VLAN to a switch interface, then ISE should not contain this logic - ISE should return a VLAN Name (and not a VLAN ID) and the switch has the mapping of VLAN Name -> VLAN ID.  e.g. in large buildings where each floor has its own Voice VLAN and Data VLAN, ISE should return a Name each time - and the switch on each Floor must have the appropriate VLAN ID. This works.

And as @ahollifield says, dynamic VLAN ID assignment can be tricky - for 802.1X the VLAN assignment happens BEFORE the DHCP - that's fine. But if you're doing dynamic VLAN assignment for endpoints AFTER the DHCP stage, then you can have issues, because the host won't know to do another DHCP after the VLAN has been changed. How would it know? Be careful.

Go to solution
pio.gra
Level 1
Level 1

‎03-07-2023 02:11 PM

@Arne Bier - that sounds like a great idea, I didn't knew that we can use vlan name instead of ID. Thanks for that, it will make my life easier

0 Helpful
Customers Also Viewed These Support Documents