athan1234
Beginner

Dynamic VLAN: two different VLANs

I have this set up as a dynamic VLAN through the AD domain. If the user belongs to this AD group, they get VLAN 12.

All of the ports are configured with VLAN 10 (external USER). If an external user connects his PC to a switch port and does not belong to the AD group, he will get:

 

 switchport access vlan 10
 switchport mode access
 switchport voice vlan 25
 speed 100
 duplex half
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 7

I need to configure a new center. This center has two VLANs, VLAN 12 and VLAN 30. Users on VLAN 12 don't have a problem: they belong to the AD group in ISE and get the correct VLAN. The problem is that the users on VLAN 30 don't have an AD group.

 

 

My idea was to configure the switch ports with VLAN 30 and not configure the default VLAN (10) on those ports. I know that if an external user connects his PC to these ports, he does get the external VLAN.

 

 switchport access vlan 30
 switchport mode access
 switchport voice vlan 25
 speed 100
 duplex half
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 mls qos trust device cisco-phone
 mls qos trust cos

I will need some conditions to secure this deployment. If somebody connects a laptop to these ports, he will get VLAN 30, which is not secure. I am thinking of conditions to make this more secure, but I have no idea. Also, I don't know if my deployment is correct. I guess I'll have to ask the client what type of authentication service they use for these users and whether they have any certificates, to try to put some condition on these users.
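The worry in the post above (a laptop plugged into a VLAN 30 port "gets VLAN 30") is mostly a property of the stanzas themselves rather than of the ISE policy: with `authentication open` the port forwards traffic in its configured access VLAN before any authentication result arrives unless a pre-authentication ACL is applied, `authentication event server dead action authorize` puts the port in that same access VLAN whenever ISE is unreachable, and the second stanza omits `dot1x pae authenticator`, so 802.1X never actually runs on it even though `dot1x` is in the authentication order. The following audit script is an added example, not code from the thread or from Cisco. It checks the authentication-relevant lines of the two stanzas above (copied here without the speed/QoS lines) against those three rules; the rule identifiers and the set of "internal" VLANs {12, 30} are this example's own choices.

```python
"""Audit Cisco IOS 802.1X/MAB interface stanzas for fail-open behaviour.

Added example (not from the thread). Rule IDs are invented here; the
internal-VLAN set {12, 30} mirrors the thread's VLANs and is an assumption.
"""
import re
from typing import FrozenSet, List, Optional

# Constructed input: the authentication-relevant lines of the two stanzas
# posted in the thread (speed/duplex/QoS lines dropped, indentation removed).
PORT_VLAN10 = """\
switchport access vlan 10
switchport mode access
switchport voice vlan 25
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
"""

PORT_VLAN30 = """\
switchport access vlan 30
switchport mode access
switchport voice vlan 25
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
"""

INTERNAL_VLANS: FrozenSet[int] = frozenset({12, 30})  # assumption for this example


def _lines(stanza: str) -> List[str]:
    """Normalise a stanza: strip indentation, drop blank lines and '!' comments."""
    out = []
    for raw in stanza.splitlines():
        ln = raw.strip()
        if ln and not ln.startswith("!"):
            out.append(ln)
    return out


def access_vlan(stanza: str) -> Optional[int]:
    """The statically configured access VLAN, or None if the stanza has none."""
    for ln in _lines(stanza):
        m = re.fullmatch(r"switchport access vlan (\d+)", ln)
        if m:
            return int(m.group(1))
    return None


def audit(stanza: str, internal_vlans: FrozenSet[int] = INTERNAL_VLANS) -> List[str]:
    """Return the rule IDs that fire for one interface stanza (empty == clean)."""
    lines = _lines(stanza)
    vlan = access_vlan(stanza)
    findings: List[str] = []

    is_open = "authentication open" in lines
    # A pre-auth ACL is what limits what an unauthenticated host can reach in open mode.
    has_preauth_acl = any(re.fullmatch(r"ip access-group \S+ in", ln) for ln in lines)
    if is_open and not has_preauth_acl:
        findings.append("OPEN-NO-PREAUTH-ACL")
    if is_open and vlan in internal_vlans:
        findings.append("OPEN-INTERNAL-ACCESS-VLAN")

    # Exact match: the '... authorize voice' line is a different command.
    if "authentication event server dead action authorize" in lines and vlan in internal_vlans:
        findings.append("SERVER-DEAD-AUTHORIZES-INTERNAL-VLAN")

    order = next((ln for ln in lines if ln.startswith("authentication order ")), "")
    if "dot1x" in order.split() and "dot1x pae authenticator" not in lines:
        findings.append("DOT1X-ORDERED-BUT-NO-PAE")
    return findings


if __name__ == "__main__":
    for name, stanza in (("VLAN 10 port", PORT_VLAN10), ("VLAN 30 port", PORT_VLAN30)):
        print(name, audit(stanza) or ["clean"])
```

Removing `authentication open` and adding `dot1x pae authenticator` to the VLAN 30 stanza clears everything except the server-dead rule, which still fires because the port would authorize into VLAN 30 whenever ISE is down; the IOS alternative is a dedicated critical VLAN via `authentication event server dead action authorize vlan <id>`.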

 

8 REPLIES
athan1234
Beginner

Thanks for your reply @balaji.bandi

Assume I have 100 users who need to get VLAN 12, 200 users who need VLAN 30, and 120 users who need VLAN 40. It is assumed that the AD attribute solution is a good choice, but I didn't get to see it. I don't have any idea about AD. My client has a personal assistant who manages the AD. I guess I will have to add one attribute per user. I guess it is hard work for the AD administrators. It is easier to use the traditional method of putting these users in a specific AD group.

So I can understand putting attributes only when there are a few users who need a dynamic VLAN. Maybe I am wrong. Is there any way in AD to manage users in bulk and put a specific attribute on them?

@athan1234 why do these users need to go to a specific VLAN? If you are restricting access, why not push down a DACL or use TrustSec?

 

Generally you'd use AD groups to achieve what you want to do.

https://integratingit.wordpress.com/2018/05/07/configuring-cisco-ise-dynamic-vlan-assignment/

 

You could use Dynamic Variable assignment to query an attribute of the AD account.

https://integratingit.wordpress.com/2018/12/01/ise-dynamic-variables-from-ad/

 

 

 

athan1234
Beginner

@Rob Ingram  Thanks for your reply

Maybe I am confused about the concept of a DACL for deployment in my scenario.

 

Let me show you my scenario.

The same AD group, users on VLAN X, VLAN Y, VLAN Z:

VLAN X ----- Users A
VLAN Y ----- Users B
VLAN Z ----- Users C
////////////////////////////
VLAN C ----- External users

 

I'll have to deploy three different VLANs for the same AD domain group. Each VLAN has its own IP range and IP helpers on the router. Some devices have a static IP address. All of those switches have a default VLAN configured ("VLAN C" for external users).

How do I do it? When a user hits "VLAN X" I would like him to get VLAN X; if the user hits "VLAN Y", to get "VLAN Y"; and if the user hits "VLAN Z", to get the correct "VLAN Z". Remember, all of those switch ports have the default "VLAN C".

Is it possible to deploy my scenario with a DACL? If so, could you give me an example?

I saw TrustSec. I think it can be deployed without AD, but I think it is complex to deploy.

@athan1234 moving users/devices to a different VLAN dynamically has its issues with certain types of operating systems.

However if you think you need to do it, the first link I provided seems to match your request.

athan1234
Beginner

Hi @Rob Ingram 

Oh yes, the first link says I can do it with a generic AD group, which is great.

What is the difference between assignment by VLAN name and by VLAN number?

 

Rob Ingram
VIP Expert

@athan1234 the VLAN number may vary on each switch stack, so you can use a common name "DATA" or "VOICE" for those VLANs.
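What the switch actually receives in either case is the same three RADIUS attributes in the Access-Accept: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81), whose string is either the VLAN number ("30") or the VLAN name ("DATA"); the switch resolves a name against its own VLAN database, which is why a name survives stacks that number the same VLAN differently. The following encoder/decoder is an added example, not code from the thread, from Cisco or from ISE: it builds those attributes per RFC 2868/3580, parses them back with length checks, and applies the consistency rule an authenticator is expected to follow (the group ID counts only when the same tag also carries Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802). The attribute numbers and values are the registered ones; the default tag of 1 is an assumption (tag 0 means untagged).

```python
"""Encode and decode the RADIUS attributes that carry a dynamic VLAN assignment.

Added example (not from the thread, Cisco or ISE). Attribute numbers and
enumerations are the IANA/RFC values; the default tag of 1 is an assumption.
"""
import struct
from typing import Dict, List, Tuple, Union

TUNNEL_TYPE = 64               # RFC 2868
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868
TUNNEL_TYPE_VLAN = 13          # RFC 3580
TUNNEL_MEDIUM_IEEE802 = 6      # RFC 2868


def _tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(group_id: Union[int, str], tag: int = 1) -> bytes:
    """The three attributes a RADIUS server adds to an Access-Accept for VLAN assignment.

    group_id becomes the Tunnel-Private-Group-ID string: a VLAN number (30 -> "30")
    or a VLAN name ("DATA"). Tagged integers are tag(1) + 3-octet value.
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31 (RFC 2868)")
    t = struct.pack("!B", tag)
    return (
        _tlv(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _tlv(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
        + _tlv(TUNNEL_PRIVATE_GROUP_ID, t + str(group_id).encode("ascii"))
    )


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split an attribute list into (type, value) pairs; reject truncated or bogus lengths."""
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def extract_vlan(blob: bytes) -> Dict[int, str]:
    """Return {tag: vlan_number_or_name} for tag groups where all three attributes agree.

    Per RFC 3580 the group ID is only a VLAN when the same tag carries
    Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802; incomplete groups are ignored.
    """
    groups: Dict[int, Dict[str, object]] = {}
    for attr_type, value in parse_attributes(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 octets")
            key = "type" if attr_type == TUNNEL_TYPE else "medium"
            groups.setdefault(value[0], {})[key] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet in 0x00..0x1F is a tag; anything higher is
            # already part of the string and the attribute is untagged (tag 0).
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            groups.setdefault(tag, {})["group"] = text.decode("ascii")
    return {
        tag: str(g["group"])
        for tag, g in groups.items()
        if g.get("type") == TUNNEL_TYPE_VLAN
        and g.get("medium") == TUNNEL_MEDIUM_IEEE802
        and "group" in g
    }


if __name__ == "__main__":
    print(vlan_attributes(30).hex())        # by number, as the thread's VLAN 30
    print(extract_vlan(vlan_attributes("DATA")))  # by name, as Rob Ingram suggests
```

Whether the string is "30" or "DATA" is decided entirely on the ISE side; the only thing the switch needs for the name form is a local VLAN with exactly that name, so the name must be spelled identically on every stack.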

athan1234
Beginner

Thanks
