9300 Template issue.

Dustin Anderson · ‎08-16-2022

So, I am playing with ISE to do a template to change a PC port to a trunk for an AP. This is working fine except for one issue, when I disconnect the AP the port is retaining the native vlan as the access vlan instead of the original.

Before AP:

switchport access vlan 1204
switchport mode access
switchport voice vlan 1304
ip arp inspection limit rate 20 burst interval 4
ip access-group unauth in
no logging event link-status

With AP:

switchport trunk native vlan 164
switchport mode trunk
switchport voice vlan 1304
ip arp inspection limit rate 20 burst interval 4
no logging event link-status

After AP:

switchport access vlan 164
switchport mode access
switchport voice vlan 1304
ip arp inspection limit rate 20 burst interval 4
ip access-group unauth in
no logging event link-status

How do I get the access vlan to not permanently change.

Here is the template on the switch

template AP

switchport trunk native vlan 164
switchport trunk allowed vlan 136,157,159,164,200,201,209,316,362,364,710,711
switchport mode trunk
ip access-group auth in

balaji.bandi · ‎08-16-2022

Personally where ever AP is connected, and that config will be used as same since we do not remove AP as quick as compared to end device Phone to PC.

check out NEAT.

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId--1908104767

I have seen Long back @Arne Bier posted same problem, not seen any solution.

https://community.cisco.com/t5/network-access-control/profiling-flexconnect-ap-and-switch-interface-template/td-p/3924659

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Dustin Anderson · ‎08-17-2022

I was using the NEAT guide, auth and everything works, my issue is the port is not going back to the original once a device is unplugged. I'm trying to avoid manually configuring ports as we have over 1,000 APs so using MAB is preferred.