Internal Guest LAN user segmentation with ISE recommendation

Hi All,

 

I'm looking for an architecture recommendation to segment Guest LAN connected traffic located on the inside of the network, with ISE offering the guest hotspot portal. We currently have a guest anchor/DMZ setup with ISE guest hotspot working fine. Now the consideration is offering a guest network for LAN-connected guest clients. Any ideas would be appreciated.

I was going to try and see if I could run this in a lab and test, but I also need to use ISE to host the guest hotspot.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_011000.html


Re: Internal Guest LAN user segmentation with ISE recommendation

Hi,

I never tested the Guest LAN feature with ISE. Usually, for guest wired, I push them onto a VLAN hosted in the same zone as the anchor guest Wi-Fi.
After that, it also depends on the architecture you have. If the L2 from the anchor guest Wi-Fi isn't available at your access switches, you can have a dedicated VLAN put into a VRF that'll terminate on a dedicated zone of your firewall. I also configure a dedicated interface for ISE serving the guest portal. This interface is part of the same firewall zone, so all guest traffic stays contained without opening rules to the LAN infrastructure.
Does that make sense?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Re: Internal Guest LAN user segmentation with ISE recommendation

How did you solve the VLAN change issue for MAB users?

Without some port bouncing, it's a common issue for wired guests to never notice the VLAN change and retain the IP address of the VLAN originally used to access the guest portal.


Re: Internal Guest LAN user segmentation with ISE recommendation

For these guest users, I leverage ISE DHCP services with a very short DHCP lease.

Thanks
Francesco

Re: Internal Guest LAN user segmentation with ISE recommendation

That's very interesting. I'll give it a try.


Re: Internal Guest LAN user segmentation with ISE recommendation

Yes, this makes sense, and this is exactly what I had in mind. Unfortunately, our switches don't have access to the guest anchor VLAN, so we would have to try other alternatives.