12-19-2018 08:51 AM
Hi,
Does anybody know if it is possible to return, in an authorisation template, a VLAN number that would be taken from a particular network device attribute?
A large deployment is on hold because the customer is using VTP (!), and that requires specifying the correct VLAN ID per switch (without having a dedicated policy entry per switch).
I made an attempt by creating a custom group hierarchy with the VLAN ID as the group name, but it doesn't help because the complete group hierarchy (including # # # ...) is returned instead of the last value only:
What I tested: Tunnel-Private-Group-ID = 1:DEVICE:Data_Vlan
Is there another custom attribute attached to a network device that I could use for that purpose (to store the VLAN ID only)?
Thanks in advance,
Jean-Francois
12-19-2018 09:18 AM
This VLAN attribute may take values other than a numeric ID. Examples are VLAN names and VLAN group names. This way, we may use the same text string which translates to different VLAN IDs on the switches.
If you have to use a custom attribute, then no, ISE does not take it from a NAD. Instead, you would need another means; e.g. add a custom attribute for endpoints.
12-20-2018 03:08 AM
Hi,
With the use of VTP, all VLANs are present on all switches, and the VLAN name cannot be localised per switch.
Anyway, the VLAN name is defined on the switch, so that requires a configuration change on every switch.
I was looking for a way to centralise this by using an attribute in ISE instead of something configured on the switch.
There is a way to do it by defining a policy rule per switch, but the size of the policy table explodes in that case ...
Thanks anyway ...
12-21-2018 07:54 AM
Consider VLAN Groups, perhaps. See What is the purpose of "vlan group"? - 28500 - The Cisco Learning Network
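As an added illustration of the VLAN group approach (not from any post in this thread), the following shows a single ISE authorisation profile returning a VLAN group name, and two switches mapping that same name to different local VLAN IDs. The group name DATA_GRP and VLAN IDs 10/20 are assumptions; the `vlan group` mapping lives in each switch's running-config and is not distributed by VTP, so the VTP-shared VLAN database does not get in the way.

```text
# Added example, not the thread's configuration. Names/IDs are assumed.

# --- RADIUS attributes returned by the one ISE authorisation profile ---
Tunnel-Type             = VLAN      (13)
Tunnel-Medium-Type      = IEEE-802  (6)
Tunnel-Private-Group-ID = DATA_GRP          # a VLAN group name, not a numeric ID

# --- Switch A (VTP client; VLAN 10 is present via VTP) ---
vlan group DATA_GRP vlan-list 10

# --- Switch B (VTP client; VLAN 20 is present via VTP) ---
vlan group DATA_GRP vlan-list 20

# --- Check the local mapping on each switch ---
show vlan group
```

Each switch must already have the VLAN listed in its `vlan group` in its VLAN database (VTP supplies it here); the authorisation policy stays a single rule because the per-switch difference is pushed to the switch-local group mapping.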