cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
17740
Views
36
Helpful
2
Comments
faylee
Cisco Employee
Cisco Employee

Introduction

Critical VLAN was introduced to address the situation when the fabric edges are unable to reach the configured RADIUS servers due to some outage such as a WAN outage.  During this outage, authentications are not possible for newly  connecting endpoints.  This feature creates a “fall back” VLAN so that endpoints can successfully onboard and receive some level of access, that’s restricted by policies that you define, during this temporary outage

critical.png

Functional Overview

  1. New user connects
  2. Switch sends RADIUS traffic which are unanswered
  3. Switch determines RADIUS server is offline and moves the authenticating ports to critical mode.  Voice VLAN=2046, Data VLAN=2047.  (VLAN based SGT assignment is possible)
  4. User gets connected and gains network access based upon locally configured ACLs and/or Group-Based Policies
  5. When RADIUS server comes back online, users in critical vlan are re-authenticated.

Note: Users that are connected prior to RADIUS going offline will remain connected and un-impacted because re-authentication is paused when AAA is detected as offline.   Once AAA comes back online, the user is re-authenticated.

Configuration

Enable Critical VLAN feature 

Cisco DNA Center 1.3.3.1 adds the option to enable critical VLAN functionality. This functionality is enabled per site.  To enable critical VLAN, navigate to Provision-->Fabric--><Site>-->Fabric Infrastructure and click the link to "Enable Authentication on Extended Node and Critical VLAN"

global.png

 

Critical IP Pool Assignment

Next step is to associate IP pools, or "critical pools",  for "critical data"  and "critical voice" traffic.  The VLAN ids for data and voice are 2047 and 2046 respectively. These ids cannot be modified.  

 

It is important to highlight that there is only 1 critical data vlan and 1 critical voice vlan per fabric.  With SD-Access, a VLAN and its associated IP pool are mapped to a single virtual network.  In the example below, the IP address pool, 172.16.102.0/24, is mapped as a critical pool for data traffic.

 

poolmapping.png

 

With the above configuration, when the AAA server is down, users in the User_VN will get an IP from 172.16.102.0/24.  For a demonstration of this, please reference: Critical VLAN  

Considerations

  1. If fallback is desired for multiple VNs within a fabric, the best option is to create a "Critical VN" and assign a "Critical SGT". 
  2. Policies associated with "Critical SGT" should be configured locally since AAA (ISE) will not be available for policy download during the outage.

 

Comments
Martin L
VIP
VIP

Interesting, thanks for sharing!

agutierrez44
Level 1
Level 1

Question, how does one configure for when ise actually goes down and what does this line technically mean

  1. Policies associated with "Critical SGT" should be configured locally since AAA (ISE) will not be available for policy download during the outage.

I am in the process of making the critical vlan work in a situation where ise is completely down and have the critical vlan work without using sgt since it wont work if ise is down and how can have it still working using the vn from dna

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking for a $25 gift card