Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
770
Views
1
Helpful
8
Replies

Vlan precedence

ramziabdelhak
Level 1
Level 1

‎08-16-2023 02:00 AM

Hello,

On a C9300L switch, i have interface with ISE Dot 1 x configuration, what i want is that the statically assigned vlan using " switchport Access vlan XX" takes precedence over the vlan pushed by the ISE after a succesfull authentication,

For now, the ISE assigned vlan takes effect,

is there a solution ?

Thanks in advance

0 Helpful
8 Replies 8

Rob Ingram
VIP
VIP

‎08-16-2023 02:10 AM

@ramziabdelhak you should modify your ISE authorisation rules to not push down the VLAN to the switch as this takes presedence over the statically assigned VLAN.

ramziabdelhak
Level 1
Level 1
In response to Rob Ingram

‎08-16-2023 02:17 AM

Thanks for the reply,

But this type of configuration has already worked with 3750 Switch serie, do you it  is purhaps a deprectated behaviour ?

Thnks

0 Helpful

Rob Ingram
VIP
VIP
In response to ramziabdelhak

‎08-16-2023 02:57 AM

@ramziabdelhak sorry, not sure, that's not my experience.

Why do you need to send a dynamic VLAN assignment if you do not wish to use it? You can modify your ISE authorisation rules to send (or not send) a dynamic VLAN depending on the NAD group, connected user etc.

0 Helpful

ramziabdelhak
Level 1
Level 1
In response to Rob Ingram

‎08-16-2023 03:09 AM

Hi @Rob Ingram 

On the ISE, there a bunch of policies that apply to hundreds of users, and only 20-30 of them needs a special vlan; so instead of creating a new policy for them, we assign it statically on there interfaces.

0 Helpful

Rob Ingram
VIP
VIP
In response to ramziabdelhak

‎08-16-2023 03:18 AM

@ramziabdelhak sure ok, create a group (or a couple of groups) for those 20-30 users, create an new authorisation rule(s) above the existing rule(s) and match against the group of users and push the dynamic VLAN. Then on the existing rules remove the dynamic VLAN.

0 Helpful

ramziabdelhak
Level 1
Level 1
In response to Rob Ingram

‎08-16-2023 04:08 AM

@Rob Ingram Thank you, i think it is a more scalabale solution,

Nevertheless, i realy want to know why this behavious was once supported by the 3750x,

Thanks again Rob

0 Helpful

Peter Koltl
Level 7
Level 7

‎08-17-2023 12:05 AM

Probably the dynamic VLAN will not be applied on this switch if the 

aaa authorization network ... group RADIUSxxxx

command is removed. But it may have other effects.

 

0 Helpful

ramziabdelhak
Level 1
Level 1
In response to Peter Koltl

‎08-17-2023 07:50 AM

Hi @Peter Koltl 

That would not be possible since removing this command will desable AAA authorization on the switch as a whole,

Thanks for your help

0 Helpful
Customers Also Viewed These Support Documents