04-20-2022 01:57 AM - edited 04-20-2022 02:19 AM
I have this set up as a dynamic VLAN through the AD domain. If the user belongs to this AD group, they get VLAN 12.
All of the ports are configured with VLAN 10 (external USER). If an external user connects his PC to any switch port and he does not belong to the AD group, he will obtain:
switchport access vlan 10
switchport mode access
switchport voice vlan 25
speed 100
duplex half
priority-queue out
! on an authentication failure, fall through to the next method in the order
authentication event fail action next-method
! if all RADIUS servers are dead, authorize data and voice into the configured VLANs
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
! every host on the port is authenticated individually
authentication host-mode multi-auth
! open (monitor) mode: traffic is allowed before, and without, a successful authentication
authentication open
! try MAB first, then 802.1X; an 802.1X result takes precedence over a MAB result
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 7
I need to configure a new center. This center has two VLANs, VLAN 12 and VLAN 30. When using VLAN 12 they don't have a problem: they belong to the AD group in ISE and they get the correct VLAN. The problem is that the users in VLAN 30 don't have an AD group.
My idea was to configure the switch ports with this VLAN 30 and not configure the default VLAN (10) on these ports. I know that if an external user connects his PC to these ports, he does get the external VLAN.
! same port template as the existing ports, with access VLAN 30 in place of VLAN 10
switchport access vlan 30
switchport mode access
switchport voice vlan 25
speed 100
duplex half
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
mls qos trust device cisco-phone
mls qos trust cos
I will need some conditions to secure this deployment. If somebody connects a laptop to these ports, he will get VLAN 30, which is not secure. I am thinking of conditions to make this more secure, but I have no idea. Also, I don't know if my deployment is correct. I guess I'll have to ask the client what type of authentication service they use for these users and whether they have any certificates, to try to put some condition on these users.
04-20-2022 03:02 AM - edited 04-20-2022 03:03 AM
Look at some dynamic VLAN assignment:
04-21-2022 05:13 AM - edited 04-21-2022 05:17 AM
Thanks for your reply @balaji.bandi
Assume I have 100 users who need to get VLAN 12, 200 users who need VLAN 30, and 120 users who need VLAN 40. It is assumed that the solution based on AD attributes is a good choice, but I didn't get to see it. I don't have any idea about AD. My client has a personal assistant who manages the AD. I guess I will have to add one attribute per user. I guess that is hard work for the AD administrators. It is easier to use the traditional method of putting these users in a specific AD group.
So I can understand putting attributes only when there are a few users who need a dynamic VLAN. Maybe I am wrong. Is there any way in AD to manage users in bulk and put a specific attribute on them?
04-21-2022 05:48 AM - edited 04-21-2022 05:51 AM
@athan1234 why do these users need to go to a specific VLAN? If you are restricting access, why not push down a DACL or use TrustSec?
Generally you'd use AD groups to achieve what you want to do.
https://integratingit.wordpress.com/2018/05/07/configuring-cisco-ise-dynamic-vlan-assignment/
You could use dynamic variable assignment to query an attribute under the AD account.
https://integratingit.wordpress.com/2018/12/01/ise-dynamic-variables-from-ad/
04-25-2022 03:50 AM - edited 04-25-2022 05:16 AM
@Rob Ingram Thanks for your reply
Maybe I am confused about the concept of a DACL for deployment in my scenario.
Let me explain my scenario.
The same AD group, with users in VLAN X, VLAN Y and VLAN Z:
VLAN X ----- Users A
VLAN Y ----- Users B
VLAN Z ----- Users C
////////////////////////////
VLAN C ----- External users
I'll have to deploy three different VLANs within the same AD domain group. Each VLAN has its own IP range and IP helpers in the router. Some devices have a static IP address. All of those switches have a VLAN configured by default ("VLAN C" for external users).
How do I do it? When a user hits "VLAN X" I would like him to get VLAN X, if the user hits "VLAN Y" to get "VLAN Y", and if the user hits "VLAN Z" to get the correct "VLAN Z". Remember, all of those switch ports have the default "VLAN C".
Is it possible to deploy my scenario with a DACL? If so, could you give me an example?
I saw TrustSec. I think it can be deployed without AD, but I think it is complex to deploy.
04-25-2022 06:55 AM
@athan1234 moving users/devices to a different VLAN dynamically has its issues with certain types of operating systems.
However if you think you need to do it, the first link I provided seems to match your request.
04-28-2022 04:01 AM - edited 05-19-2022 09:00 AM
Hi @Rob Ingram
Oh yes, the first link says I can do it with a generic AD group, which is great.
What is the difference between assignment by VLAN name and by VLAN number?
04-28-2022 04:08 AM
@athan1234 the VLAN number may vary on each switch stack, so you can use a common name such as "DATA" or "VOICE" for those VLANs.
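The name-versus-number point above, together with the AD-group rule from the first link and the fallback case raised in the opening post, as an added Python example (written for this page; it is neither code from the thread nor from Cisco ISE or IOS). It models the RADIUS attributes an 802.1X/MAB authorization server returns for VLAN assignment (RFC 3580 uses the RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes, which is standard), evaluates a group-to-VLAN policy, and resolves a VLAN name per switch. The AD group names, VLAN names, the policy table and the two `show vlan brief` listings are constructed for the example.

```python
import re

# RFC 2868 attribute numbers and the enumerated values RFC 3580 uses for
# VLAN assignment in an Access-Accept (standard values, not an assumption).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Hypothetical AD-group -> VLAN rules, evaluated top-down, first match wins.
# This stands in for the rule list of an ISE authorization policy; the group
# and VLAN names are invented. "40" shows that a numeric ID is legal too,
# but a number only means the same thing on switches that agree on numbering.
POLICY = [
    ("VLAN12-Users", "DATA"),
    ("VLAN30-Users", "DATA_B"),
    ("VLAN40-Users", "40"),
]


def authorize(ad_groups):
    """Return the VLAN AVPs for the first matching group, or None when no
    rule matches (then the Access-Accept carries no VLAN override)."""
    groups = set(ad_groups)
    for group, vlan in POLICY:
        if group in groups:
            return {
                TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
                TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_IEEE_802,
                TUNNEL_PRIVATE_GROUP_ID: vlan,
            }
    return None


# Constructed 'show vlan brief' output for two stacks; DATA is 12 on one and
# 112 on the other, which is exactly the case where a name travels and a number
# does not. Stack A has no DATA_B at all.
STACK_A = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2
10   EXTERNAL                         active    Gi1/0/3, Gi1/0/4
12   DATA                             active    Gi1/0/5
25   VOICE                            active
"""

STACK_B = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
10   EXTERNAL                         active    Gi1/0/1, Gi1/0/2
25   VOICE                            active
112  DATA                             active    Gi1/0/3
130  DATA_B                           active    Gi1/0/4
"""

_VLAN_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)")


def parse_show_vlan_brief(text):
    """Map VLAN name -> VLAN ID; header and separator lines do not match."""
    table = {}
    for line in text.splitlines():
        m = _VLAN_LINE.match(line)
        if m:
            vid, name, _status = m.groups()
            table[name] = int(vid)
    return table


def effective_vlan(avps, show_vlan_text, port_access_vlan):
    """VLAN the endpoint lands in on this switch.

    No AVPs (no matching group): the port keeps its configured access VLAN,
    which is the concern in the opening post: on a port configured with
    'switchport access vlan 30', an unmatched PC simply gets 30.
    A numeric group ID is used as-is; a name is resolved against this switch's
    own VLAN table and yields None when the name does not exist here.
    """
    if not avps:
        return port_access_vlan
    if (avps.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or avps.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        return port_access_vlan  # not a VLAN assignment; nothing to apply
    group_id = avps[TUNNEL_PRIVATE_GROUP_ID]
    if group_id.isdigit():
        return int(group_id)
    return parse_show_vlan_brief(show_vlan_text).get(group_id)


if __name__ == "__main__":
    member = authorize(["Domain Users", "VLAN12-Users"])
    stranger = authorize(["Domain Users"])
    print("member   stack A:", effective_vlan(member, STACK_A, 10),
          " stack B:", effective_vlan(member, STACK_B, 10))
    print("stranger on a VLAN 30 port:", effective_vlan(stranger, STACK_B, 30))
```

The second `print` is the case the thread is about: with no matching group there is no Tunnel-Private-Group-ID, so whatever VLAN the port is configured with is what an unknown laptop receives; the choice between name and number only matters once a rule matches.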
04-28-2022 05:27 AM - edited 05-19-2022 08:59 AM
Thanks