12-05-2019 05:12 AM
Maybe one very simple question but I need help:
Scenario should be
Phone and a client PC on the same switch port, client connected behind the phone (for example a Cisco phone).
Switchport in multiple auth domain and ISE gives back 2 policies with different dACLs
1. dACL for Phone
2. dACL for Client
Will that work? So two applied dACLs on the same port. Maybe also an additional VLAN change.
12-05-2019 09:09 AM
That works just fine. The switch will just merge the ACLs and replace the "Any" source with the client's actual IP address. For example, let's say your PC is 192.168.5.5 and your phone is 192.168.10.10 and each would be a permit any any dACL. The end result of the ACL applied to the port would be something as follows:
permit ip host 192.168.5.5 any
permit ip host 192.168.10.10 any
deny ip any any
It is completely normal to have clients behind IP phones and the switches are smart enough to handle them as if they are on two separate domains, data and voice.
However, I would try to stay away from dynamic VLAN assignment, especially for PCs. This is because when you change the VLAN, you also change IP addresses. That can break things like GPOs, drive mappings, etc. For printers and other miscellaneous devices, the VLAN change wouldn't be that bad. So if you have to do it, try to make the default access VLAN on the ports the one that the PC will be in and then just change to the other VLAN as needed for printers and other miscellaneous devices.
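To make the merge the answer describes concrete, here is an added example (not Cisco's code and not from the poster) that models it: each session's ISE-pushed dACL is written with "any" as the source, the switch binds that source to the authenticated host's IP, and the per-session results are concatenated on the port. The function names, the ACE subset handled by the regex, and the sample addresses are assumptions for illustration.

```python
import re
from typing import Dict, List

# Hypothetical helper (added example): handles the common ACE shape
#   <permit|deny> <proto> <any|host X> <destination and options>
ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<rest>.*)$"
)

def bind_dacl_to_host(dacl: List[str], host_ip: str) -> List[str]:
    """Rewrite one session's dACL so an 'any' source becomes 'host <session IP>'."""
    bound = []
    for line in dacl:
        line = line.strip()
        if not line or line.startswith("remark"):
            continue  # blank lines and remarks carry no policy
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        src = m.group("src")
        if src == "any":
            src = f"host {host_ip}"  # the binding step the answer describes
        ace = f"{m.group('action')} {m.group('proto')} {src} {m.group('rest')}"
        bound.append(ace.rstrip())
    return bound

def merge_port_acl(sessions: Dict[str, List[str]]) -> List[str]:
    """Effective port ACL for every authenticated session on a multi-auth port.

    sessions maps the session's IP address to the dACL ISE returned for it.
    Session order is preserved, and the implicit deny is shown explicitly.
    """
    merged: List[str] = []
    for host_ip, dacl in sessions.items():
        merged.extend(bind_dacl_to_host(dacl, host_ip))
    merged.append("deny ip any any")
    return merged

# Constructed sample: the PC and phone from the answer, each with a permit-any dACL
SAMPLE_SESSIONS = {
    "192.168.5.5": ["permit ip any any"],    # PC, data domain
    "192.168.10.10": ["permit ip any any"],  # phone, voice domain
}

if __name__ == "__main__":
    for ace in merge_port_acl(SAMPLE_SESSIONS):
        print(ace)
```

Feeding a more restrictive PC dACL (for example a single permit to one server followed by a deny) shows why each session's deny is bound to its own host rather than blocking the phone.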
12-05-2019 06:10 AM
- Your question kind of really lies in the area of "I want to make things difficult"; my advice is always, on an intranet where authentication (ISE) is used in combination with port security and access requirements, to not put end devices behind phones and to provision separate connections. It makes things more consistent combined with using the policy possibilities of ISE.
M.