Description of the issue
The expected VLAN is not pushed to the switches. Normally, when a virtual network is created and an IP address pool is associated with it in DNAC, the corresponding VLAN and SVI interfaces are created on the switches. After the users are authenticated, an appropriate VLAN ID is allocated.
Possible causes
- Incorrect configuration in DNAC or ISE
- Switch provisioning failure
Solution
Check the configuration of the authorization profile on DNAC, ISE, and on the Switch.
Verify on DNAC
Verify whether the IP Address Pool has been created
- In Cisco DNA Center, go to Network Settings under Design.
- Choose Global from the left pane.
- Select IP Address Pools.
Check whether the IP address pool appears in the list.
![](https://wiki.cisco.com/download/attachments/182164836/image2018-12-3_9-52-47.png?version=1&modificationDate=1543810970000&api=v2)
Verify whether the IP address pool is reserved under the appropriate site
- In Cisco DNA Center, go to Network Settings under Design.
- Choose the site under Global in the left pane.
Check whether the IP address pool appears in the list.
![](https://wiki.cisco.com/download/attachments/182164836/image2018-12-3_9-53-27.png?version=1&modificationDate=1543811009000&api=v2)
Verify whether the virtual network has been created in Cisco DNA Center
- In Cisco DNA Center, go to Network Settings under Design.
Check whether the virtual network is listed in the left pane.
![](https://wiki.cisco.com/download/attachments/182164836/image2018-12-3_9-54-21.png?version=1&modificationDate=1543811063000&api=v2)
Verify whether the IP address pool is associated with the virtual network
- In Cisco DNA Center, go to Fabric under Provision.
- Select the Fabric Domain and select the required Fabric-Enabled Site.
![](https://wiki.cisco.com/download/attachments/182164836/image2018-12-3_9-55-5.png?version=1&modificationDate=1543811107000&api=v2)
- Click Host Onboarding.
![](https://wiki.cisco.com/download/attachments/182164836/image2018-12-3_9-55-43.png?version=1&modificationDate=1543811146000&api=v2)
- Choose the virtual network.
![](https://wiki.cisco.com/download/attachments/182164836/image2018-12-3_9-56-5.png?version=1&modificationDate=1543811168000&api=v2)
- Verify whether the associated IP address pool in the virtual network has the check box selected.
If the issue is seen only on one switch, verify the provisioning status of the switch
- In Cisco DNA Center, go to Devices under Provision.
- In the Device Inventory, check the Provision Status of the Switch. The status should be Success.
![](https://wiki.cisco.com/download/attachments/182164836/image2018-12-3_9-56-56.png?version=1&modificationDate=1543811218000&api=v2)
Verify on ISE
Verify the authorization profile configuration on ISE
The authorization profile is used to associate an IP address pool to an endpoint or user as part of the authorization rule.
- In Cisco Identity Services Engine, navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.
- Select the authorization profile.
- Verify whether the VLAN check box is selected under Common Tasks and the ID or Name field is configured with a VLAN ID or VLAN name.
![](https://wiki.cisco.com/download/attachments/182164836/image2018-12-3_9-59-33.png?version=1&modificationDate=1543811375000&api=v2)
Verify on the Switch
Use the show run command to check whether the VRF, VLAN, and SVI interfaces are created
The following is sample output of the show run command. It displays a VRF, a VLAN, and an SVI interface.
```
Device# show run
vrf definition WIRED
 !
 address-family ipv4
 exit-address-family
!
.
.
.
.
.
vlan 1021
 name 20_20_20_0-WIRED
.
.
.
.
.
interface Vlan1021
 description Configured from apic-em
 mac-address 0000.0c9f.f45c
 vrf forwarding WIRED
 ip address 20.20.20.254 255.255.255.0
 ip helper-address 172.18.202.3
 no ip redirects
 ip local-proxy-arp
 ip route-cache same-interface
 no lisp mobility liveness test
 lisp mobility 20_20_20_0-WIRED
!
```
Verify whether an appropriate VLAN has been allocated to the user
```
Device# show authentication sessions interface gi details
Interface: GigabitEthernet
IIF-ID: 0x10C8CBAA
MAC Address: 0050.5682.87b8
IPv6 Address: Unknown
IPv4 Address: 20.20.20.0
User-Name: 00-50-56-82-87-B8
Status: authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Common Session ID: 265DA8C00000001CD33840F8
Acct Session ID: 0x00000012
Handle: 0x55000012
Current Policy: POLICY_Gi
Local Policies:
    Idle timeout: 65536 sec
Server Policies:
    Vlan Group: Vlan: 1021
    SGT Value: 14
Method status list:
    Method    State
    dot1x     Stopped
    mab       Authc Success
```
Check whether the VLAN shows up in the output of the show interface command
For a port that has a static SGT instead of dot1x and no authentication, the VLAN should show up in the output of the show interface <interface-name> command.
![](https://wiki.cisco.com/download/attachments/182164836/Picture1.png?version=1&modificationDate=1543812245000&api=v2)
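The switch-side checks above can be cross-checked in one pass. The following is an added example, not part of the original page or any Cisco tooling: the function names are hypothetical, the sample text is trimmed from the outputs shown on this page, and it assumes the running config keeps its IOS indentation and that the session reports a numeric VLAN ID.

```python
import re
# Sample text trimmed from the outputs shown on this page (indentation restored).
SHOW_RUN = """\
vrf definition WIRED
 !
 address-family ipv4
 exit-address-family
!
vlan 1021
 name 20_20_20_0-WIRED
!
interface Vlan1021
 description Configured from apic-em
 vrf forwarding WIRED
 ip address 20.20.20.254 255.255.255.0
!
"""
SHOW_SESSION = """\
Interface: GigabitEthernet
Status: authorized
Server Policies:
Vlan Group: Vlan: 1021
"""

def session_vlan(session_text):
    """Return (status, vlan) from 'show authentication sessions ... details'."""
    status = re.search(r"^\s*Status:\s*(\S+)", session_text, re.M)
    vlan = re.search(r"^\s*Vlan Group:.*?Vlan:\s*(\d+)", session_text, re.M)
    return (status.group(1) if status else None,
            int(vlan.group(1)) if vlan else None)

def check_vlan_pushed(run_text, session_text, vrf):
    """List the problems found; an empty list means every switch-side check passed."""
    problems = []
    status, vlan = session_vlan(session_text)
    if status != "authorized":
        problems.append(f"session status is {status!r}, not authorized")
    if vlan is None:  # ISE returned no VLAN: review the authorization profile
        return problems + ["no VLAN in Server Policies (check the ISE authorization profile)"]
    if not re.search(rf"^vrf definition {re.escape(vrf)}[ \t]*$", run_text, re.M):
        problems.append(f"vrf definition {vrf} is missing")
    if not re.search(rf"^vlan {vlan}[ \t]*$", run_text, re.M):
        problems.append(f"vlan {vlan} is not defined on the switch")
    # Capture the indented lines that belong to the SVI block.
    svi = re.search(rf"^interface Vlan{vlan}[ \t]*\n((?:[ \t]+.*\n)*)", run_text, re.M)
    if not svi:
        problems.append(f"interface Vlan{vlan} (SVI) is missing")
    elif not re.search(rf"^[ \t]+vrf forwarding {re.escape(vrf)}[ \t]*$", svi.group(1), re.M):
        problems.append(f"interface Vlan{vlan} is not in VRF {vrf}")
    return problems
```

An empty result for `check_vlan_pushed(SHOW_RUN, SHOW_SESSION, "WIRED")` means the VLAN returned by ISE exists on the switch with an SVI in the expected VRF; any listed problem points back to the matching DNAC, ISE, or provisioning check above.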