
Dynamic Vlan -Voice using Cisco ISE

sasanka1912
Level 1

Hi all,

We are planning to deploy a wired voice handset solution using dynamic VLAN via Cisco ISE.

Currently we have VLAN 10 as the default VLAN, and the dynamic VLAN for new voice handsets is set to VLAN 495.

Now my question is: in case Cisco ISE goes down completely, will that break the network connectivity, or is there a workaround? (VLAN 495 has a different DHCP scope per site.)

Appreciate your advice on this.

 

Cham


When the switch gets the VLAN attributes from ISE, it won't check those attributes until the authentication sessions have expired or the devices are disconnected and reconnected to the switch. So let's say ISE returned the data and voice VLAN attributes and those session authentications last 1 day. If ISE goes completely down for less than a day, then nothing will happen. However, if ISE goes down for more than a day, the switch won't be able to get those attributes from ISE (being down), hence this will have an impact. What you can do in those scenarios is enable critical VLANs. In that case, when the switch can't reach out to ISE, it will place the data and voice VLANs in predefined critical VLANs. Please check out these links for more details.

PowerPoint Presentation

802.1X Authentication Services Configuration Guide, Cisco IOS Release 15MT - Critical Voice VLAN Support [Support] - Cisco


@Aref Alsouqi Thanks for your important suggestions/input.

Currently the whole estate is set to the default re-authentication period of 1 hr as opposed to 24 hr. Also, the policy currently applies to all the switches in the building, and we are not sure which ports connect to which data points.

So using the critical VLAN could be a challenge for us too.

You're welcome. Critical VLAN settings can be applied to all access ports, and the critical VLANs will only take effect when ISE goes down.

@Aref Alsouqi, as mentioned, our default re-authentication period is 1 hour across the estate. Let's say that ISE completely fails in 45 minutes; will that disrupt the voice traffic? I am planning to test this tomorrow by forcing Cisco ISE to ignore the switch and see what happens in 1 hr.

No, nothing should happen because when ISE fails for 45 minutes no reauthentication would happen so no information to be relayed to ISE by the switch during that time. Let me know how your tests go please.

Sure, thanks.

You can push the SW to use a specific VLAN when the server (ISE) is down and specify this VLAN as the voice VLAN.

This makes the SW use ISE to dynamically assign the VLAN and use this VLAN when it is down.

MHM
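The critical data and voice VLAN fallback discussed in the replies above, as an added example that is not part of the original thread or of Cisco's documentation. It uses legacy-style IOS access-port commands and assumes VLAN 10 as the critical data VLAN, VLAN 495 as the port's locally configured voice VLAN, and a hypothetical interface name and timer values.

```cisco
! Constructed example. Interface name and timer values are assumptions.
!
! How quickly the switch marks ISE (RADIUS) as dead, and how long it
! waits before probing a dead server again (minutes).
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
interface GigabitEthernet1/0/10
 description Phone + PC access port (hypothetical)
 switchport mode access
 switchport access vlan 10
 ! Critical voice VLAN authorizes the phone into the voice VLAN that is
 ! configured on the port, so 495 must exist locally on the switch.
 switchport voice vlan 495
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 ! Take the re-authentication timer from ISE (Session-Timeout).
 authentication timer reauthenticate server
 ! ISE unreachable: authorize data devices into the critical VLAN ...
 authentication event server dead action authorize vlan 10
 ! ... and authorize phones into the configured voice VLAN.
 authentication event server dead action authorize voice
 ! ISE back: re-run authentication so real policy applies again.
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
```

While ISE is unreachable, `show authentication sessions interface GigabitEthernet1/0/10 details` shows whether a session was authorized through the critical path rather than by ISE, which is worth alerting on because those ports are admitted without a policy decision.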

Thanks