01-26-2022 07:38 AM
Hi colleagues,
I was wondering whether anyone has come across the following situation, related to migration of a standard LAN to SDA.
In the traditional LAN (typical 2-tier with L3 on the core and L2 downstream on the access) there could be multiple VLANs serving the same client types on different access switches (worst case - a VLAN per access switch). Looking at the transition to SDA, and where we can't change existing used IPs, what are the options? Any thoughts please?
Thanks,
Guy
01-26-2022 08:27 AM
This is a very typical request for migration where IP subnets must be both in and out of the fabric at the same time. I recommend having a look at the SD-Access Migration sessions in the Cisco Live On-Demand Library, specifically:
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group
01-26-2022 08:47 AM - edited 01-26-2022 08:49 AM
Thanks Scott,
Indeed - the multiple IP pools in a VN is OK - just having e.g. 10 IP pools for the same user community (example "employees"), not sure how to deal with that from an ISE policy point of view (authorization VLANs?). So perhaps this is more an ISE question than SD-Access...
I'll take a look at the listed CL sessions.
Cheers,
Guy
01-26-2022 09:28 AM
Yes, ISE will assign a VLAN based on the authentication result and then that VLAN is mapped to a VN (aka VRF) on the SVI.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group
01-26-2022 10:57 PM - edited 01-26-2022 10:57 PM
Hi Scott,
Indeed - so in the scenario where you end up, in SDA (not traditional networking), with multiple VLANs for the same user community within the same VN - how do you craft the ISE policy so that users are shared across these multiple VLANs after they have authenticated? That's really the scenario I'm looking into.
User group "employees", and I have VLAN names employee_1, employee_2, employee_3, employee_4, etc.
Best regards,
Guy
01-27-2022 12:06 AM
In ISE there will be policy sets that will assign a VLAN based on the authentication / authorization information or perhaps even device profiling (or both). So perhaps the VN "Employees" has VLANs for HR, Sales, Engineering, Finance, IT, etc, and the employees in those groups are assigned to those VLANs when they are authenticated by ISE.
Have a look at the Policy Sets chapter at https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_segmentation.html#ID37 . If you can get your hands on a demo ISE in dcloud.cisco.com or developer.cisco.com (see the sandboxes), then that will help you look at the GUI to better understand what is being discussed in the admin guide.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group
01-27-2022 12:53 AM - edited 01-27-2022 12:54 AM
Thanks Scott,
Let me add one more layer - in my example assume all users are Engineering and they need to get "distributed" across these multiple VLANs (on SDA). How would we do that in ISE?
Cheers,
Guy
01-27-2022 03:27 AM
I do not know the inner workings of ISE (not my area of focus), so you may want to follow up with this in the ISE community. That said, the way I believe it works is to add user/device profiles to specific groups in ISE and then those groups are associated with specific policy sets.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group
02-03-2022 12:24 PM
Hi Guy
You can achieve that by putting the switches into different location groups. You also have to define different AuthZ results with the different VLANs assigned.
Then you can make policy sets based on the location of the switches.
For example, if Engineer A connects to a switch in Location A, he gets Engineer-VLAN-A assigned.
05-04-2023 02:21 PM
Hi
If it's for specific SGT assignment, you can always differentiate an endpoint with a specific attribute as belonging to a specific ID group :0)
Does it make sense for you in your case?
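The two approaches suggested in the 02-03-2022 reply (switch location groups selecting a per-site VLAN) and the 05-04-2023 reply (an identity-group attribute selecting an SGT) can be modelled together. The following is an added example written for this page; it is not Cisco's or ISE's code, and the NDG location path format ("All Locations#SiteA"), the rule and profile names, and the exact cisco-av-pair layout are assumptions. What it shows beyond the replies is the check a practitioner wants before rollout: in SD-Access the Access-Accept carries the VLAN name (Tunnel-Private-Group-ID, RFC 3580), so every VLAN name a rule can return must actually be provisioned on the edge nodes in every location where that rule can match.

```python
"""Model of location-based VLAN and group-based SGT authorization (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# RFC 3580 values used for RADIUS-based VLAN assignment.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802


@dataclass(frozen=True)
class NetworkDevice:
    name: str
    location: str            # NDG location path, e.g. "All Locations#SiteA" (assumed format)


@dataclass(frozen=True)
class Session:
    username: str
    mac: str
    identity_groups: FrozenSet[str]   # groups the user/endpoint resolved to in ISE


@dataclass(frozen=True)
class AuthzProfile:
    name: str
    vlan_name: str           # VLAN *name*; the fabric edge maps it to its local VLAN
    sgt: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    identity_group: str      # required identity-group condition
    location: Optional[str]  # NDG location prefix; None means any location
    profile: AuthzProfile


def in_location(path: str, prefix: str) -> bool:
    """Segment-aware prefix match so 'SiteA' does not also match 'SiteAB'."""
    return path == prefix or path.startswith(prefix + "#")


def evaluate(rules: List[Rule], device: NetworkDevice, session: Session) -> Optional[AuthzProfile]:
    """First-match evaluation, the way ISE walks authorization rules top to bottom."""
    for rule in rules:
        if rule.identity_group not in session.identity_groups:
            continue
        if rule.location is not None and not in_location(device.location, rule.location):
            continue
        return rule.profile
    return None   # no rule matched; the default rule is modelled as reject here


def radius_attributes(profile: AuthzProfile) -> Dict[str, object]:
    """Attributes the Access-Accept carries for this profile."""
    attrs: Dict[str, object] = {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": profile.vlan_name,
    }
    if profile.sgt is not None:
        # Layout (4 hex digits SGT, 2 hex digits generation id) is an assumption
        # of this example; confirm the format against your ISE release.
        attrs["cisco-av-pair"] = f"cts:security-group-tag={profile.sgt:04x}-00"
    return attrs


def find_unprovisioned_vlans(rules: List[Rule], edge_vlans: Dict[str, Set[str]]) -> List[str]:
    """List rules whose VLAN name is not provisioned at a location the rule can match.

    edge_vlans maps an NDG location path to the VLAN names configured on edges there.
    """
    problems: List[str] = []
    for rule in rules:
        for location, vlans in edge_vlans.items():
            applies = rule.location is None or in_location(location, rule.location)
            if applies and rule.profile.vlan_name not in vlans:
                problems.append(f"{rule.name}: VLAN '{rule.profile.vlan_name}' missing at {location}")
    return problems


# Constructed sample data: one Engineering group spread over two sites, same SGT everywhere.
ENG_A = AuthzProfile("Eng-SiteA", "Engineer-VLAN-A", sgt=16)
ENG_B = AuthzProfile("Eng-SiteB", "Engineer-VLAN-B", sgt=16)
RULES = [
    Rule("Eng at Site A", "Engineering", "All Locations#SiteA", ENG_A),
    Rule("Eng at Site B", "Engineering", "All Locations#SiteB", ENG_B),
]
EDGE_VLANS = {
    "All Locations#SiteA": {"Engineer-VLAN-A", "Guest-VLAN"},
    "All Locations#SiteB": {"Engineer-VLAN-B", "Guest-VLAN"},
}

if __name__ == "__main__":
    alice = Session("alice", "00:11:22:33:44:55", frozenset({"Engineering"}))
    for sw in (NetworkDevice("edge-a1", "All Locations#SiteA#Bldg1"),
               NetworkDevice("edge-b1", "All Locations#SiteB#Bldg3")):
        result = evaluate(RULES, sw, alice)
        print(sw.name, "->", radius_attributes(result) if result else "no match")
    print("config problems:", find_unprovisioned_vlans(RULES, EDGE_VLANS) or "none")
```

The rule ordering matters in the same way it does in ISE: a catch-all "Engineering, any location" rule placed above the site-specific ones would win everywhere, and find_unprovisioned_vlans would then flag it at every site whose edges lack that VLAN name.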