Internal Guest LAN user segmentation with ISE recommendation

Evanjrosado
Level 1

Hi All,

I'm looking for an architecture recommendation to segment Guest LAN connected traffic located on the inside of the network, with ISE offering the guest hotspot portal. We currently have a guest anchor/DMZ setup with the ISE guest hotspot working fine. Now the consideration is offering a guest network for LAN-connected guest clients. Any ideas would be appreciated.

I was going to try and see if I could run this in a lab and test, but I also need to use ISE to host the guest hotspot:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_011000.html

5 Replies

Francesco Molino
VIP Alumni

Hi

I never tested the Guest LAN feature with ISE. Usually, for wired guests, I push them onto a VLAN hosted in the same zone as the anchor guest Wi-Fi.
After that, it also depends on the architecture you have. If the L2 from the anchor guest Wi-Fi isn't available at your access switches, you can have a dedicated VLAN put into a VRF that terminates on a dedicated zone of your firewall. I also configure a dedicated interface for ISE serving the guest portal. This interface is part of the same firewall zone, so all guest traffic stays contained without opening rules to the LAN infrastructure.
Does that make sense?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
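As an added example (not from the original thread or from any of its participants), here is what the switch side of the design described above looks like in Cisco IOS: a wired-guest VLAN whose SVI sits in a VRF, a routed uplink in that VRF toward a dedicated firewall zone as the VRF's only exit, DHCP relayed to the ISE interface that serves the guest portal, and a MAB-enabled access port in the guest VLAN. Every concrete value is an assumption for the illustration: VLAN 300, the 10.250.x.x guest ranges, 10.250.1.10 for the ISE guest-facing interface, 10.10.10.10 for the ISE PSN the switch talks RADIUS to, the interface names, and the `<shared-secret>` placeholder.

```cisco
! Guest VRF: wired-guest routing never touches the global table
vrf definition GUEST
 address-family ipv4
 exit-address-family
!
vlan 300
 name WIRED-GUEST
!
! Guest SVI in the VRF. DHCP is relayed to the ISE guest-facing
! interface (assumed 10.250.1.10), which lives in the firewall's guest zone.
interface Vlan300
 description Wired guest clients, hotspot portal served by ISE
 vrf forwarding GUEST
 ip address 10.250.0.1 255.255.255.0
 ip helper-address 10.250.1.10
 no ip redirects
 no ip proxy-arp
!
! Routed uplink in the VRF toward the firewall's dedicated guest zone
interface GigabitEthernet1/0/48
 description To firewall GUEST zone
 no switchport
 vrf forwarding GUEST
 ip address 10.250.255.2 255.255.255.252
!
! The only route out of the VRF is the firewall; nothing points at the LAN
ip route vrf GUEST 0.0.0.0 0.0.0.0 10.250.255.1
!
! RADIUS/CoA to ISE for MAB goes through the global table (management path),
! not through the guest VRF. PSN address and secret are assumptions.
aaa new-model
radius server ISE-PSN1
 address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
 key <shared-secret>
aaa group server radius ISE
 server name ISE-PSN1
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
 client 10.10.10.10 server-key <shared-secret>
dot1x system-auth-control
!
! Wired-guest access port: MAB first, stays in the guest VLAN
interface GigabitEthernet1/0/10
 description Wired guest port
 switchport mode access
 switchport access vlan 300
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

Two checks once it is in place: `show ip route vrf GUEST` should show nothing but the connected guest subnet, the uplink and the default toward the firewall, and `show authentication sessions interface GigabitEthernet1/0/10 details` should show the guest client's MAB session and the authorization ISE returned. The firewall policy for the guest zone then only has to allow the guest subnet to reach the ISE guest interface for DHCP, DNS and the portal port (8443 by default on ISE), plus whatever Internet access policy you want; the LAN infrastructure itself needs no new rules.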

How did you solve the VLAN change issue for MAB users?

Without some port bouncing, it's a common issue for wired guests to never notice the VLAN change and to retain the IP address of the VLAN originally used to access the guest portal.

For these guest users, I leverage ISE DHCP services with a very short DHCP lease.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

That's very interesting, I'll give it a try.

Yes, this makes sense and this is exactly what I had in mind. Unfortunately our switches don't have access to the guest anchor VLAN, so we would have to try other alternatives.
