I'm looking for an architecture recommendation to segment Guest LAN connected traffic located on the inside of the network with ISE offering the guest hotspot portal. We currently have a guest anchor/DMZ setup with the ISE guest hotspot working fine. Now the consideration is offering a guest network for LAN-connected guest clients. Any ideas would be appreciated.
I was going to try and see if I could run this in a lab and test, but I also need to use ISE to host the guest hotspot.
I never tested the guest LAN feature with ISE. Usually, for wired guests, I push them onto a VLAN hosted in the same zone as the anchor guest Wi-Fi.
Then it also depends on the architecture you have. If the L2 from the anchor guest Wi-Fi isn't available at your access switches, you can have a dedicated VLAN put into a VRF that'll terminate on a dedicated zone of your firewall. I also configure a dedicated interface for ISE serving the guest portal. This interface is part of the same FW zone to get all guest traffic contained without opening rules to the LAN infrastructure.
Does that make sense?
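A Cisco IOS VRF-lite sketch of the dedicated-VLAN-in-a-VRF design described above, added here as an example and not the poster's configuration; the VRF name, VLAN 900, the addressing, the DHCP helper and the interface numbers are assumptions.

```cisco
! VRF that carries only wired-guest routes; nothing here enters the global routing table
vrf definition GUEST
 description Wired guest - isolated from corporate routing
 address-family ipv4
 exit-address-family
!
vlan 900
 name WIRED-GUEST
!
! Guest SVI: default gateway for guest clients, bound to the GUEST VRF
interface Vlan900
 description Wired guest clients (ISE hotspot portal is reached through the firewall guest zone)
 vrf forwarding GUEST
 ip address 10.90.0.1 255.255.255.0
 ! DHCP server assumed to live in the guest zone (same VRF), so a plain helper is enough
 ip helper-address 10.90.1.10
 no ip redirects
 no ip proxy-arp
!
! Routed hand-off to the firewall's dedicated guest zone,
! the same zone that holds the dedicated ISE guest-portal interface
interface GigabitEthernet1/0/48
 description Uplink to firewall GUEST zone
 no switchport
 vrf forwarding GUEST
 ip address 10.90.255.2 255.255.255.252
!
! The only exit from the VRF is the firewall; no route points at the corporate LAN,
! so guest-to-LAN access exists only if a firewall rule is written for it
ip route vrf GUEST 0.0.0.0 0.0.0.0 10.90.255.1
!
! Access port: MAB against ISE, which returns the guest VLAN in the authorization result;
! VLAN 900 is the static fallback so an unauthorized port never lands in a corporate VLAN
interface GigabitEthernet1/0/10
 description Wired guest access port
 switchport mode access
 switchport access vlan 900
 authentication port-control auto
 mab
 spanning-tree portfast
```

`show ip route vrf GUEST` should list only the connected guest subnets and the default route to the firewall; any other entry means the VRF is leaking into the LAN.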
How did you solve the VLAN change issue for MAB users?
Without some port bouncing, it's a common issue for wired guests to never notice the VLAN change and retain the IP address of the VLAN originally used to access the guest portal.
Yes, this makes sense, and this is exactly what I had in mind. Unfortunately our switches don't have access to the guest anchor VLAN, so we would have to try other alternatives.