01-20-2015 05:16 AM - edited 03-10-2019 10:21 PM
Hello
I have a question relating to RADIUS CoA Port Bounce.
I'm planning to deploy 802.1x with ISE 1.3 to:
In order for an authenticated corporate desktop to pick up an IP address on its dynamically assigned VLAN I was thinking of using CoA Port Bounce. If this desktop was connecting through a successfully profiled Cisco IP phone, am I right in saying that the resulting Port Bounce will also affect the phone (phone will de-register from callmanager)?
Thanks
Andy
01-20-2015 11:29 AM
Hi Andy, if you are using PoE then with a port-bounce the phone would definitely drop from the network and Call Manager. The phone would basically power down and then power back up.
Now with that being said, you should keep in mind that a port-bounce would remove the existing dot1x session and a new session would be initialized. Thus, the endpoint would end up starting at the original VLAN again and then getting the new VLAN after authorization :) So I guess what I am trying to say is that port-bounce is not the solution for this. Instead, you should consider:
1. Using dACLs instead of dynamic VLANs. That way you can have everyone in the same VLAN but use different dACLs to define network access.
2. Continue to use dynamic VLANs but keep in mind that some "dumb" devices won't detect the VLAN change, thus not grabbing a new IP address. The good news is that most modern devices will detect the VLAN change and should grab a new IP. For instance, you should not have any issues with Windows 7 and newer devices.
My recommendation is to go with option #1 though as that has always worked for me.
I hope this helps!
Thank you for rating helpful posts!
01-20-2015 01:36 PM
Hi Neno. Thanks for the reply. Option 1 with dACLs was my initial thought for this, but the size of the dACLs may cause issues with TCAM utilization - the deployment will be on Instant Access with around 1000 clients. I'll test both dACLs and dynamic VLAN assignment and see what best suits, but at least I can also rule out CoA for this.
Thanks again
Andy
01-20-2015 01:41 PM
Try keeping the dACLs small by using more generic statements. Also, if you need a very complex segregation then you could perhaps look into TrustSec/SGA/SGT.
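The two posts above raise a sizing question (does a dACL per session blow the TCAM budget at ~1000 clients?) and the answer is to keep the dACLs generic. The following is an added example, not code from the thread or from Cisco, that makes the comparison concrete: it parses two constructed dACL bodies in IOS extended-ACL syntax (the same ACE text ISE pushes in `ip:inacl#N=` AV pairs), counts their ACEs, and estimates worst-case TCAM consumption under a deliberately simple model (one TCAM entry per ACE per session plus one implicit deny). The addresses, the 8192-entry capacity and the per-ACE costing are assumptions for illustration; real ASICs pack and share entries differently, so use the output as a relative comparison between two dACL styles rather than as a platform figure.

```python
import re

# Constructed dACL bodies (not a real deployment). Host-specific ACEs on the left,
# a "generic" version with summarised subnets on the right, as suggested in the thread.
SPECIFIC_DACL = """
permit udp any eq bootpc any eq bootps
permit udp any host 10.0.0.53 eq domain
permit tcp any host 10.0.1.10 eq 443
permit tcp any host 10.0.1.11 eq 443
permit tcp any host 10.0.1.12 eq 445
permit tcp any host 10.0.1.13 eq 445
permit tcp any host 10.0.1.14 eq 3389
permit icmp any any
deny ip any any
"""

GENERIC_DACL = """
permit udp any eq bootpc any eq bootps
permit udp any 10.0.0.0 0.0.0.255 eq domain
permit tcp any 10.0.1.0 0.0.0.255 eq 443
permit tcp any 10.0.1.0 0.0.0.255 eq 445
permit ip any 10.0.2.0 0.0.1.255
deny ip any any
"""

# One ACE per line: action, protocol, then the source/destination/port qualifiers.
ACE_RE = re.compile(r"^(permit|deny)\s+(\S+)\s+(.*)$")


def parse_dacl(text):
    """Return a list of (action, protocol, qualifiers) tuples.

    Blank lines, '!' comments and 'remark' lines are skipped; anything else that is
    not an ACE raises, which is the check you want before an ACL reaches ISE.
    """
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("remark"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"not an ACE: {line!r}")
        aces.append(m.groups())
    return aces


def ace_count(text):
    return len(parse_dacl(text))


def tcam_estimate(text, sessions, capacity):
    """Worst-case TCAM usage if every one of `sessions` has this dACL applied.

    Assumed costing model (constructed for this example): one TCAM entry per ACE
    per session, plus one implicit-deny entry per session. Platforms differ, so
    treat the result as a relative measure between dACL designs.
    """
    per_session = ace_count(text) + 1
    used = per_session * sessions
    return {
        "per_session": per_session,
        "used": used,
        "capacity": capacity,
        "utilization": used / capacity,
        "fits": used <= capacity,
    }


def compare(sessions, capacity):
    """Estimate both dACL styles side by side for the same session count."""
    return {
        name: tcam_estimate(body, sessions, capacity)
        for name, body in (("specific", SPECIFIC_DACL), ("generic", GENERIC_DACL))
    }


if __name__ == "__main__":
    # 1000 concurrent sessions (the figure from the thread) against an assumed
    # 8192-entry TCAM budget.
    for name, r in compare(1000, 8192).items():
        print(f"{name:9s} {r['per_session']:3d} entries/session -> "
              f"{r['used']:6d} used ({r['utilization']:.0%}) fits={r['fits']}")
```

With these inputs the host-specific dACL needs 10 entries per session and overruns the assumed budget at 1000 sessions, while the summarised version needs 7 and fits; the parser also rejects malformed ACE lines early, which is cheaper than discovering the problem when ISE reports an authorization failure on the switch.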