04-24-2020 02:06 PM
Hi All,
I'm looking for an architecture recommendation to segment Guest LAN connected traffic located on the inside of the network with ISE offering guest hotspot portal. We currently have a guest anchor/dmz setup with ISE guest hotspot working fine. Now the consideration is offering a guest network for LAN connected guest clients. Any ideas would be appreciated.
I was going to try and see if I could run this in a lab and test but I also need to use ISE to host the guest hotspot.
04-24-2020 07:40 PM - edited 04-24-2020 07:40 PM
Hi
I never tested the guest LAN feature with ISE. Usually, for guest wired, I push them on a VLAN hosted on the same zone as anchor guest wifi.
After it depends also on the architecture you have. If the L2 from the anchor guest wifi isn't available at your access switches, you can have a dedicated VLAN put into a VRF that'll terminate on a dedicated zone of your firewall. I also configure a dedicated interface for ISE serving the guest portal. This interface is part of the same fw zone to get all guest traffic contained without opening rules to the LAN infrastructure.
Does that make sense?
04-24-2020 10:45 PM
How did you solve the change VLAN issue for MAB users?
Without some port bouncing it's a common issue for wired guests to never notice the VLAN change and retain the IP address of the VLAN originally used to access the guest portal.
04-26-2020 04:59 PM
04-27-2020 06:38 AM
That's very interesting, I'll give it a try.
05-06-2020 08:18 AM
Yes, this makes sense and this is exactly what I had in mind. Unfortunately our switches don't have access to the guest anchor VLAN so we would have to try other alternatives.