02-07-2018 11:14 PM
I have a customer that is looking to deploy ISE in a switching environment that is utilizing Private VLANs. If memory serves me right, dot1x was NOT supported on PVLAN-enabled ports. However, I was checking out the latest 3750/3850 configuration guide and it appears that this is no longer the case:
With that being said, I have a few questions:
Neno
02-08-2018 07:46 AM
It will depend on the switch support as covered here for Cat4500: Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.2(31)SG - Configuring 802.1X Port-Based Authentic…
This document also covers restrictions and methods to configure.
Be sure to read closely any caveats and restrictions listed under the appropriate switch configuration guide.
02-08-2018 08:00 AM
Have you considered segmenting traffic using SGTs with Trustsec?
02-08-2018 09:40 PM
Thank you for the suggestion Jason.
My initial thought was TrustSec. However, they also have a requirement where they want to be able to allow exceptions for particular users/machines so they are allowed to communicate with each other. Essentially, combining SGTs with additional attributes such as IPs, MACs, AD groups, for switch-level enforcement. This does not appear to be possible based on my research and another thread that I opened. Here is an example:
Permit
Src_sgt_10 and ad_user=User1 to Dst_sgt_10 and ad_user=User2
Deny
Src_sgt_10 to Dst_sgt_10
The other two alternatives that we considered are:
Private VLANs:
- No support for dynamic PVLANs
- No support for Voice VLANs
DACLs
- DACL Entries could potentially become too long and exhaust TCAM resources
Neno
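The dACL option above can be sketched with a small generator. This is an added example, not code from the thread or from Cisco: it takes a constructed exception list (which users may reach which peer hosts inside an isolated segment), emits the per-user dACL in IOS ACE syntax (source `any`, which the switch substitutes with the authenticated host's IP), and counts how many ACEs each session would push into the port's TCAM. The user names, IPs and the /24 segment are assumptions for illustration.

```python
"""Generate per-user ISE downloadable ACLs (dACLs) for an "allow listed peers,
deny the rest of the segment" policy and count the resulting ACEs.

Added example, not from the original post. Assumptions: the exception policy
is a plain mapping of user -> permitted peer IPs; dACL entries use 'any' as
the source because the switch substitutes the authenticated host's IP; the
segment being isolated is a single /24. All sample data is constructed.
"""
from ipaddress import ip_network

# Constructed sample: which users may talk to which peer hosts inside the segment.
EXCEPTIONS = {
    "User1": ["10.10.10.22"],   # User1 may reach User2's machine
    "User2": ["10.10.10.21"],   # User2 may reach User1's machine
    "User3": [],                # no exceptions: fully isolated from peers
}
SEGMENT = ip_network("10.10.10.0/24")   # constructed segment to isolate


def build_dacl(user, exceptions, segment):
    """Return the dACL lines for one user.

    Order matters: IOS evaluates ACEs top-down, first match wins, so the
    explicit peer permits come first, then a deny for the rest of the
    segment, then a permit for everything outside it (gateway, servers).
    """
    aces = [f"permit ip any host {peer}" for peer in exceptions.get(user, [])]
    aces.append(f"deny ip any {segment.network_address} {segment.hostmask}")
    aces.append("permit ip any any")
    return aces


def ace_count(user, exceptions):
    """ACEs consumed on the port for this user: one per peer exception plus
    the two fixed entries (segment deny, default permit)."""
    return len(exceptions.get(user, [])) + 2


def worst_case_aces(exceptions):
    """Largest per-port ACL the policy can produce, which is the figure to
    compare against the platform's per-port TCAM limits."""
    return max(ace_count(u, exceptions) for u in exceptions)


if __name__ == "__main__":
    for user in EXCEPTIONS:
        print(f"dACL for {user} ({ace_count(user, EXCEPTIONS)} ACEs):")
        for ace in build_dacl(user, EXCEPTIONS, SEGMENT):
            print("  " + ace)
    print(f"worst case per port: {worst_case_aces(EXCEPTIONS)} ACEs")
```

The ACE count grows linearly with the number of peers a single user is allowed to reach, so the TCAM concern is driven by the most connected user, not by the total number of users; checking `worst_case_aces` against the switch's documented per-port ACE limit is the sizing test to run before committing to this design.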
02-09-2018 04:11 AM
You have the same question under the TrustSec Community; please work through it with them first and, if there is no solution, continue here.
https://communities.cisco.com/message/281661
02-12-2018 07:27 PM
Thank you Jason. I closed the other thread as it appears that TrustSec would not be able to satisfy the requirements. I think DACLs are the only option here as I can't think of anything else.