jpujol
Cisco Employee

Vlan ID in authorisation template from a network device attribute.

Hi,

Does anybody know if it is possible to return in an authorisation template a VLAN number which would be taken from any particular network device attribute?

A large deployment is on hold because the customer is using VTP (!) and that requires specifying the correct vlanID per switch (without having a dedicated policy entry per switch).

I tried creating a custom group hierarchy with the vlanID as the group name, but it doesn't help because the complete group hierarchy (including # # # ...) is returned instead of the latest value only:

What I tested: Tunnel-Private-Group-ID = 1:DEVICE:Data_Vlan

Is there another custom attribute attached to a network device I could use for that purpose? (to store the VlanID only)

Thanks in advance,

Jean-Francois

hslai
Cisco Employee

This VLAN attribute may take values other than a numeric ID. Examples are VLAN names and VLAN group names. This way, we may use the same text string which translates to different VLAN IDs on the switches.

If you have to use a custom attribute, then no, ISE does not take it from a NAD. Instead, you would need another means; e.g. add a custom attribute for endpoints.

jpujol
Cisco Employee

Hi,

With the use of VTP, all VLANs are present on all switches, and the VLAN name cannot be localised per switch.

Anyway, the VLAN name is defined on the switch, so that requires a configuration change on every switch.

I was looking for a way to centralise this by using an attribute in ISE instead of something configured on the switch.

There is a way to do it by defining a policy rule per switch, but the size of the policy table explodes in that case ...

Thanks anyway ...

hslai
Cisco Employee
