Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2008
Views
5
Helpful
6
Replies

ISE Dynamic VLAN assignment using partial VLAN names

dal
Level 3
Level 3

‎06-19-2018 01:46 PM - edited ‎02-21-2020 10:58 AM

Is this possible?

I have several hundred buildings, each with a set of unique VLAN ID's tied to unique VLAN names

For example:

Building1_Teacher

Building1_Student

Building1_Health

Building1_Management

Building2_Teacher

Building2_Student

Building2_Health

Building2_Management

and so on..

This will of course give a lot of rules in ISE if I was to use VLAN ID's.

Then I read that it is possible to use VLAN Names to assign the correct VLAN

But is it possible to use partial names when setting up the rule, for example Teacher or Students? Since that part is the same in all buildings.

If not, is it possible to implement?

If would save me (an other with similar name regimes) a lot of time if it was possible.

I also kinda like having unique names tied to unique VLANs

Thank you

Labels:
0 Helpful
6 Replies 6

thomas
Cisco Employee
Cisco Employee

‎06-19-2018 02:58 PM

Having VLAN names that are all totally unique as all of your numbered VLANs defeats the purpose - it just makes them more human-readable.

The purpose of VLAN Names is to generalize your segmentation policy (Teacher,Student,Health,Management) and not care about the specific VLAN on a specific switch on a specific floor in a specific building. In large buildings with large switches, you could even have multiple VLAN numbers handling the same named VLAN for scaling.

Keep your VLANs general for segmentation and consider using Network Device Group (NDGs) if you need to create special location-based policies for certain buildings.

0 Helpful

dvan
Cisco Employee
Cisco Employee
In response to thomas

‎08-02-2018 02:50 AM

Hi Thomas,

 

Apologies for opening up an old thread.

 

Would like to know a bit more about utilising multiple vlans with the same name on a switch if possible…

 

Am looking for a way to implement similar functionality as WLAN interface groups on the wired switch side – is this possible with dynamic vlan, and if so, can you please provide an example?

 

Use Case: Large building switch with multiple vlans per user type.

 

Thanks,

Denis

0 Helpful

Mohammed al Baqari
Level 11
Level 11
In response to dvan

‎08-02-2018 02:59 AM

ISE will create a session per user and each session will have its own
context information including DACL, VLAN, etc even if they are on the same
physical ports.
0 Helpful

dvan
Cisco Employee
Cisco Employee
In response to Mohammed al Baqari

‎08-04-2018 05:11 AM - edited ‎08-04-2018 05:14 AM

Thanks for the response.

 

What I am referring to is whether wired dynamic vlan assignment can be performed in a similar way as WLAN interface groups feature wherein an interface group name is passed from ISE, and the WLC picks a vlan associated with the WLC defined interface group.

 

The use case for this question is a large building switch with multiple vlans per user type (eg. 3x vlans for staff - staff1, staff2, staff3), and the ability for ISE to dynamically select an interface group or partial name(eg.vlan name wilcard: 'staff.*') and for the switch to select one of the many vlans associated with that user type vlan (eg. staff3).

 

Hope this is a bit clearer :)

0 Helpful

dvan
Cisco Employee
Cisco Employee
In response to hslai

‎08-19-2018 06:27 PM

Thanks, I'm after the equivalent functionality for wired Cisco access switches - is there a way to do this?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents