This article assumes you have the basic knowledge and experience with Cisco DNA Center and Identity Services Engine (ISE). Note when reading this doc the "Authentication Policy" referred to is part of Cisco DNA Center Onboarding section and has no correlation with ISE Authentication Policy.
When choosing a VN and binding an IP Pool to it Cisco DNA Center automatically assigns a name in the "Authentication Policy" field. For example if we have a VN name "Employees" and assign the IP Pool 172.16.16.0 then the "Authentication Policy" will receive the following name "172_16_16_0-EMPLOYEES" as seen below.
This will work just fine but what happens when using Identity Services Engine (ISE) to securely and dynamically onboard your endpoints? You can find out more on How to Onboard Endpoints using ISE at the following link How to SDA Host Onboarding with ISE When referring to the "How to SDA Host Onboarding with ISE" you will understand that ISE Interprets the "Authentication Policy" in Cisco DNA Center to a VLAN ID. In order to dynamically assign the endpoint to that VLAN ID we need to do 2 things in ISE.
Create an "Authorization Profile" with a VLAN ID of the same naming as the "Authentication Policy" in Cisco DNA Center.In this case my VLAN ID name will be "172_16_16_0-EMPLOYEES"
Create an "Authorization Policy" in which if the Condition/s are met the "Result" applied will be the "Authorization Profile" we created in step 1 and endpoints will be onboarded to VLAN "172_16_16_0-EMPLOYEES"
Up until this point, this is exactly how the process is explained in the "How to SDA Host Onboarding with ISE".
Lets now take the following scenario to understand what kind of "issues" we could run into when using the automatic name assigning of "Authentication Policy" when binding IP Pool to VN in Cisco DNA Center.
Use Case The above VN (Employees) and IP pool (172.16.16.0/24) bind to it, is named "172_16_16_0-EMPLOYEES" in the Authentication Policy field relates to a single fabric site , and we are using an Authorization Policy in ISE to onboard the endpoints to VLAN "172_16_16_0-EMPLOYEES"
You have just acquired a company and have migrated them to a new Fabric site within your existing Fabric domain and would like to onboard them using ISE but keep Authorization Profiles and Authorization Policies to a minimum. You could create a new VN (e.g Employees2) and bind an IP Pool to it (e.g 172.16.20.0/24) , the automatic "Authentication Policy" name Cisco DNA Center would create is "172_16_20_0-EMPLOYEES2". Recall this name will be your VLAN ID in ISE , meaning to dynamically onboard the endpoints you would need another Authentication Profile in ISE with VLAN ID "172_16_20_0-EMPLOYEES2" , as well as another "Authorization Policy".
Problem If you have multiple fabric sites this starts to become a management issue as well as resources used in ISE Just think if you had 5 or 10 fabric sites ... Resolution In earlier versions of Cisco DNA Center we did not have the option to modify the "Authentication Policy" name. But now given this option lets say instead of naming the Authentication Policy "172_16_16_0-EMPLOYEES" in VN "Employees" we name it "Employees" (In this case both the VN name and Authentication policy are using the same name , this is in no means a requirement). ISE will recognize this as VLAN ID "EMPLOYEES"
And in the second Fabric site, instead of using the automatically generated Authentication Policy name of "172_16_20_0-EMPLOYEES2" in VN "Employees2" use the same name as used in the first fabric site i.e. "Employees". ISE here will also recognize this as VLAN ID "EMPLOYEES" The outcome is that we now have 2 separate fabric sites with 2 separate IP Pools which ISE defines as VLANID "EMPLOYEES". This means that in ISE we can use one Authorization Profile and one Authorization Policy to dynamically onboard endpoints to the same VLAN ID while each VLAN ID provides its own unique IP Pool .
The above diagram depicts how we can use one Authorization Profile and one Authorization Policy in ISE for 2 different IP Pools within 2 different fabric sites.
If you have any questions regarding this particular Document or would like to see other walk throughs that extend beyond this topic please let us know on our community page SD-Access Community
Hi there.Recently I upgraded a Cisco catalyst switch with the IOS version 16.12, following which smart licensing was enabled. The question is what happens if I do not want to activate it and what happens to the switch and its functionality once its expira...
Hi all, Very basic question but essential for me (since I don't have the hardware in front of me).Can someone tell the interface numbering on a 3560-24TS (the copper ports). The front panel doesn't give me any clue whether the interface n°0 is t...
Hi there, I am trying achieve some form of redundancy using existing 3750 & a 2960 switches. these are active switches but are not currently setup for redundancy. find attach diagram is my idea of achieving some redundancy however i am not sure if the...
I have the one network . this network enable igmp snooping,quirer only. I am not doing multicast routing.
i am using /23 range. All devices are using multcast traffic.I would like to know Broadcast storm can be in that kind of network ? If i usi...