Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1890
Views
5
Helpful
7
Replies

Dynamic VLAN assignment from a pool of VLANs in round robin fashion

Go to solution
frodestra
Level 1
Level 1

‎05-08-2018 03:19 AM - edited ‎02-21-2020 10:55 AM

Hi Cisco community,

Is it possible for Cisco ISE to dynamically assign user VLANs from a pool of possible VLANs on a round robin fashion?

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
RichardAtkin
Level 3
Level 3
In response to frodestra

‎05-09-2018 06:38 AM

Unfortunately Flex isn’t really geared to large sites or large numbers of users. Flex can’t use groups like you describe. The ‘best’ solution would be to use a WLC I’m afraid.

View solution in original post

7 Replies 7

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎05-08-2018 03:45 AM

I don't think that is possible. ISE will assign VLAN configured under a
rule but won't pick a vlan from a pool
0 Helpful

Go to solution
RichardAtkin
Level 3
Level 3

‎05-08-2018 04:48 AM

No, but you can tell ISE to supply a pool name and you just let the device with the pool do the actual load balancing... Cisco WLCs and Catalyst Switches both support VLAN pools.

0 Helpful

Go to solution
frodestra
Level 1
Level 1
In response to RichardAtkin

‎05-08-2018 06:30 AM

Thanks for the info. Are there any configurations example for this? I could not find any online

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to RichardAtkin

‎05-08-2018 09:48 PM

Hi, if you have referring to vlan select feature that is in WLC only not
catalyst. If I am wrong, can you share a doc explaining the pooling which
you are referring to.
0 Helpful

Go to solution
RichardAtkin
Level 3
Level 3
In response to Mohammed al Baqari

‎05-08-2018 10:41 PM

Yep, so ‘interface groups’ in the WLC is equivalent to ‘VLAN-Group’ on a Catalyst switch. You define a group, add VLANs to it, then when you authenticate a new Client, you have ISE return the VLAN-Group name via RADIUS and the Switch will load-balance(ish) Users across all of the VLANs in the Group.

 

It is not a particularly well documented feature.

 

See here, page 9-56, ‘Configuring 802.1X User Distribution’;

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/15-0_1_se/configuration/guide/scg3560/sw8021x.pdf

 

VLAN Group [vlan-group-name] vlan-list [list-of-vlans]

0 Helpful

Go to solution
frodestra
Level 1
Level 1
In response to Mohammed al Baqari

‎05-09-2018 04:00 AM

What I'm trying to achieve is that I have several huge locally switched FlexConnect locations which I would like to put in one FlexConnect group due to roaming considerations. I would like to use AAA ACL mappings for more than 10 VLANs on the same FlexConnect Group and hence pre-configure all VLANs for all AP. Users would then be assigned to different VLANs in the same WLAN-SSID and be able to move around with the their IP on the premises.

 

 

0 Helpful

Go to solution
RichardAtkin
Level 3
Level 3
In response to frodestra

‎05-09-2018 06:38 AM

Unfortunately Flex isn’t really geared to large sites or large numbers of users. Flex can’t use groups like you describe. The ‘best’ solution would be to use a WLC I’m afraid.

Customers Also Viewed These Support Documents