ISE with Private VLANs (PVLANs) and 802.1x

nspasov
Cisco Employee

I have a customer that is looking to deploy ISE in a switching environment that is utilizing Private VLANs. If memory serves me right, dot1x was NOT supported on PVLAN-enabled ports. However, I was checking out the latest 3750/3850 configuration guide and it appears that this is no longer the case:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/37e/consolidated_guide/b_37e_consolidated_3850_cg/b_37e_consolidated_3850_cg_chapter_01110100.html

With that being said, I have a few questions:

  1. Is such a configuration really supported?
  2. Can ISE push a PVLAN through an Authorization Profile? I searched but could not find such a RADIUS attribute.
  3. Any other gotchas that my customer should be aware of?

Neno

Accepted Solution

Craig Hyps
Level 10

It will depend on the switch support as covered here for Cat4500: Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.2(31)SG - Configuring 802.1X Port-Based Authentic…

This document also covers restrictions and methods to configure.

Be sure to read closely any caveats and restrictions listed under the appropriate switch configuration guide.

5 Replies

Jason Kunst
Cisco Employee

Have you considered segmenting traffic using SGTs with Trustsec?

Thank you for the suggestion Jason.

My initial thought was TrustSec. However, they also have a requirement where they want to be able to allow exceptions for particular users/machines so they are allowed to communicate with each other. Essentially, combining SGTs with additional attributes such as IPs, MACs, AD Groups, for switch-level enforcement. This does not appear to be possible based on my research and another thread that I opened. Here is an example:

Permit: Src_sgt_10 and ad_user=User1 to Dst_sgt_10 and ad_user=User2

Deny: Src_sgt_10 to Dst_sgt_10


The other two alternatives that we considered are:

Private VLANs:
- No support for dynamic PVLANs
- No support for Voice VLANs

DACLs:
- DACL entries could potentially become too long and exhaust TCAM resources

Neno
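To make the TCAM concern in the post above concrete, here is an added example (not from the thread, Cisco ISE or any real deployment) that plans per-session downloadable ACLs for a "permit named peer pairs, deny the rest of the segment" policy and counts the ACE lines it produces. The host names, addresses, subnet and TCAM budget are constructed values; the ACE count is a rough floor, since how a given platform expands entries into TCAM cells varies. It relies on the documented Cisco dACL convention that the source is written as `any` and the switch substitutes the authenticated host's address.

```python
from itertools import combinations

# Constructed subnet shared by the hosts in the same SGT/segment (wildcard mask form).
SEGMENT = "10.10.10.0 0.0.0.255"


def build_dacl(peer_ips, segment=SEGMENT):
    """Return the dACL lines for one authenticated session.

    Cisco dACLs are written with 'any' as the source; the switch substitutes
    the address of the authenticated host. Order matters: explicit peer
    permits first, then deny the rest of the segment, then permit everything
    else so traffic outside the segment is unaffected.
    """
    aces = [f"permit ip any host {ip}" for ip in sorted(peer_ips)]
    aces.append(f"deny ip any {segment}")
    aces.append("permit ip any any")
    return aces


def plan_dacls(hosts, allowed_pairs):
    """Map every host name to its dACL.

    hosts: {name: ip}; allowed_pairs: iterable of (name, name) exceptions.
    Pairs are symmetric, so both endpoints receive a permit for the other.
    """
    peers = {name: set() for name in hosts}
    for a, b in allowed_pairs:
        peers[a].add(hosts[b])
        peers[b].add(hosts[a])
    return {name: build_dacl(peers[name]) for name in hosts}


def total_aces(dacls):
    """Rough TCAM cost: one line per ACE across all sessions on the switch.
    Real hardware may expand or compress entries, so treat this as a floor."""
    return sum(len(aces) for aces in dacls.values())


def full_mesh_aces(group_size):
    """ACE total when an exception group of n hosts may all talk to each other:
    each host carries (n-1) permits + 2 trailing lines, so the sum is n*(n+1)."""
    hosts = {f"h{i}": f"10.10.10.{i + 1}" for i in range(group_size)}
    return total_aces(plan_dacls(hosts, combinations(hosts, 2)))


def fits_tcam(dacls, budget):
    """True if the planned dACLs stay within an assumed per-switch ACE budget."""
    return total_aces(dacls) <= budget


if __name__ == "__main__":
    # Constructed sample: the thread's User1/User2 exception inside SGT 10.
    hosts = {"User1": "10.10.10.11", "User2": "10.10.10.12", "User3": "10.10.10.13"}
    dacls = plan_dacls(hosts, [("User1", "User2")])
    for name, aces in dacls.items():
        print(name, aces)
    for n in (2, 10, 50):
        print(f"full mesh of {n} hosts -> {full_mesh_aces(n)} ACEs")
```

The single User1/User2 exception costs only a few lines, but `full_mesh_aces` shows the quadratic growth once exceptions become groups: 10 hosts that may all reach each other already need 110 ACEs across the switch, and 50 need 2550, which is the failure mode behind "exhaust TCAM resources". Keeping exception groups small, or expressing them as subnet-level permits where addressing allows, keeps the count linear.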

You have the same question under the TrustSec Community; please work through it with them first, and if there is no solution, continue here.

https://communities.cisco.com/message/281661

Thank you Jason. I closed the other thread as it appears that TrustSec would not be able to satisfy the requirements. I think DACLs are the only option here as I can't think of anything else.