With SDA/TrustSec and ISE in the mix.
Try to look at options.
Let's say you have an SGT for headless devices (cameras, HVAC, badge readers, etc.). So are you saying that you create a VLAN/subnet for each of them?
So then what do you put as the default VLAN on a switch?
Do you split the ports between these VLANs/subnets, or use a default VLAN/subnet and then let ISE do the VLAN change after profiling? In the past, VLAN change was not advised because some clients did not handle a VLAN change well?
Same thing with a Windows machine: if it has not done a user auth, then machine auth happens and you assign, let's say, VLAN X; then the user logs in and you determine he is part of a specific SGT group, so you have to move the user to a different VLAN/subnet and the IP has to change.
Is there a trade-off there? In some cases, especially with a PC, why not keep the same IP/subnet and not change it even if the SGT membership changes?
Thanks for the comments, Mike. It's useful.
What I am saying is: let's say it's a brownfield where a customer already has a legacy network and multiple buildings and floors. Generally everything is lumped together on a single floor: printers, HVAC, cameras, PCs, etc. Phones may be in a different VLAN...
How have people migrated to SDA from that construct of VLANs?
My question is: why change VLANs and have all the issues of changing VLANs (printers are generally sensitive, and other devices as well)? Why not change the SGT? A cleaner way, in my opinion. What are the benefits of allocating different VLANs/IP subnets? Looking for real-world experiences on how this was done. I can imagine that we need more than one VLAN, but I'm looking for how others have carved out subnets, etc.