Re: Why local SVI do not recognize ISE dynamically assigned vlan?

KelvinT · ‎09-09-2022

ISE 3.1 patch 3

C9300-48U cat switch IOSXE 17.05.01

IBNS 2.0 enabled and used.

Hello,

I have an access layer switch with all it's vlan SVI local.

All vlan is removed from the interface.

When ISE successfully assign dynamically the interface's vlan....the SVI still show protocol down.

Question: Why the SVI do not recognize ISE dynamically assigned vlan and come up?

Arne Bier · ‎09-11-2022

I am pretty sure, you must still configure an access vlan on an interface, even if it's a dummy VLAN that is overridden by ISE's dynamically assigned VLAN.

I have seen other weird stuff like, forgetting to define a VLAN on a switch - ISE returns VLAN x during AuthZ, but VLAN x does not exist on the switch (i.e. no vlan x in global config). Strange things happen.

KelvinT · ‎09-12-2022

Thanks Arne,

I have done this before and it work like a charm. What make this deployment unique is the uplink is layer 3 and not trunked. Also the SVI is local to the switch because the uplink isn't trunked. In the traditional network design the SVI is on the aggregate/distribution switch.

My question is why the SVI do not recognize the ISE dynamically assigned vlan similar to manually adding the vlan? I.e. why the SVI protocol do not come up?

Thanks again.

Arne Bier · ‎09-18-2022

I think this must be default switch behaviour. You must have at least one VLAN defined on an interface before the SVI becomes active. If you think about it, the switch does not need the SVI if there are no interfaces using that VLAN. I know what you're saying though - you want this to be an on-demand assignment.