1458 Views, 2 Helpful, 19 Replies

Dynamic vlan using Cisco ISE

Chaminda1912
Level 1

Hi all,

We have deployed a voice solution across the estate using dynamic VLAN assignment via Cisco ISE. All the switches are configured with VLAN 5 as the default VLAN, and the voice VLAN will be VLAN 488, deployed via Cisco ISE using dynamic VLAN assignment.

My question is: if both ISE nodes (primary and secondary) go down, will it break the voice traffic? The dynamic VLAN is enforced via Cisco ISE, and if both ISE nodes have gone down, the default VLAN (VLAN 5) will be passing traffic as opposed to the voice VLAN (488).

Appreciate your advice on this.

19 Replies

@Chaminda1912 - to your question about DHCP and critical auth: the client initiates DHCP based on some initial trigger, either a link up or a device driver restart. The switch can't trigger this unless you can somehow cause a port bounce (which in itself can cause issues with PoE devices). Long story short, dynamic VLAN assignment and DHCP don't play well together unless you can ensure that, by the time the client sends the DHCP Discover packet, the switch has already set the intended VLAN that will result in a DHCP Offer etc. If somewhere along the line the client's VLAN is switched, the client won't know about it. You can imagine the rest.

This is great news. Would you mind sharing screenshots of the ISE Auth Profile where you specify the voice VLAN ID or name, and the corresponding Cat9k switch port config as well? Much appreciated.

@Arne Bier if a phone connects to the back of a PC, the switchport can be configured with access-session host-mode multi-domain, as per the link below:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/sec-ieee-mda.html

k2no
Level 1

Hi, 

I don't use IBNS 2.0 on a lot of legacy switches, which can be a nightmare to manage and which is not common for everybody yet.

Usually I just set up the critical VLAN on the switch interface by keeping the legacy model, such as:

authentication event fail action (next-method | authorize vlan XX) -> if authentication failed
authentication event server dead action authorize vlan XX -> if ISE is K.O. (data)
authentication event server dead action authorize voice -> if ISE is K.O. (voice)
authentication event server alive action reinitialize -> once ISE is reachable again, remove the critical VLAN and go back to normal authentication with ISE

I never experienced any issue with this kind of configuration, even in the testing phase where the ISE cluster was fully down.

Hope it helps.

Thanks
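As an added, worked example (not taken from the thread or from any poster's configuration): a complete legacy-style (pre-IBNS 2.0) switch configuration that puts the four "authentication event" lines above into context, together with the multi-domain host mode mentioned earlier in the thread for a phone and PC sharing a port. It reuses VLAN 5 as the data/critical VLAN and VLAN 488 as the voice VLAN from the original question; the RADIUS server names, the 192.0.2.x addresses, the shared-secret placeholder, the interface name and the timer values are assumptions chosen for illustration, not values from the page.

```cisco
! Added example, not part of the original thread. Placeholders: ISE-PSN-1/2,
! 192.0.2.11/12, <shared-secret>, GigabitEthernet1/0/1, all timer values.
aaa new-model
!
! Both ISE Policy Service Nodes. "key" must match the NAD secret in ISE.
radius server ISE-PSN-1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <shared-secret>
radius server ISE-PSN-2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! Dead detection: no reply within 5 s, 3 tries in a row => server marked
! dead; stay marked dead for 15 min so every port does not re-probe it.
! Without dead-criteria the "server dead" actions below never fire.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
aaa group server radius ISE
 server name ISE-PSN-1
 server name ISE-PSN-2
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
dot1x system-auth-control
! Send EAPOL-Success to the supplicant when the port is placed in the
! critical VLAN, so a dot1x host brings its interface up and DHCPs.
dot1x critical eapol
! Spread out port reinitialisation (ms) when the servers come back,
! so hundreds of ports do not re-auth at the same instant.
authentication critical recovery delay 2000
!
interface GigabitEthernet1/0/1
 description IP phone with a PC behind it
 switchport mode access
 switchport access vlan 5
 switchport voice vlan 488
 ! One data MAC and one voice MAC per port; "authorize voice" below
 ! needs this voice VLAN to be configured on the port.
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 ! Fallback behaviour when ISE rejects or cannot be reached:
 authentication event fail action next-method
 authentication event server dead action authorize vlan 5
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

With every ISE node dead, a phone that connects to this port lands in VLAN 488 (critical voice) and a PC lands in VLAN 5 (critical data), so calls keep working. When ISE becomes reachable again, "server alive action reinitialize" re-runs authentication on the critical-authorised sessions; if ISE then assigns a different data VLAN than the one the PC obtained a DHCP lease on, the PC keeps its stale address until it renews or its link bounces, which is exactly the DHCP caveat raised earlier in the thread. To check the fallback is active, use "show aaa servers" (server state UP/DEAD) and "show authentication sessions interface GigabitEthernet1/0/1 details" (the session shows the critical VLAN and "Authz Success" with the critical-auth method).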