Tom Teunissen
Beginner

Enabling 2 VLANs on a NEAT interface (via ISE)

Hello,

I am looking for a way to enable only 1 or 2 VLANs on a NEAT interface.

A 3rd party Cisco switch, connected to our switch, is successfully authenticated by ISE and gets the NEAT status, and the interface becomes a trunk. However, I don't want all our VLANs to be on that trunk.

Is there a way to enable only a few VLANs in ISE?

Thanks in advance!

BR Tom

P.S. I also tried this via an interface template, but we don't want to authenticate all endpoints that are connected to their switch. This was not successful, because in templates you cannot change 'authentication host-mode multi-auth', which is the default on all our ports, to 'authentication host-mode multi-host'.

1 Reply
aukhadiev
Beginner

Hi,

You can use the Auto SmartPort Macro or Interface Template functionality; the second method is preferred.
In short:
- In the first case, you configure the Auto SmartPort Macro functionality and send, in addition to "device-traffic-class = switch", the following cisco-av-pair: "auto-smart-port = aspName". In the macro you write something like "switchport trunk allowed vlan x, y, z".
- In the second case, you configure the Interface Template and send, in addition to "device-traffic-class = switch", the following cisco-av-pair: "interface-template-name = templateName". In this template you write something like "switchport trunk allowed vlan x, y, z".
I do not recommend the first method (you will have to understand the Auto SmartPort Macro technology well before implementing it).

As seen from your letter, your switches support Interface Template. With the Interface Template everything is much simpler; you will find a good example in this community:

https://community.cisco.com/t5/security-documents/neat-with-interface-template/ta-p/3642967
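
The Interface Template method described in the reply, laid out as an added configuration sketch (not taken from either poster or from the linked document). The template name `NEAT_TRUNK_LIMITED`, the VLAN IDs 10 and 20, and the interface name are placeholders chosen for illustration.

```ios
! --- Authenticator switch, global configuration -------------------------
! Placeholder template name and VLAN IDs; substitute your own.
! The template carries only the VLAN restriction for the NEAT trunk.
template NEAT_TRUNK_LIMITED
 switchport trunk allowed vlan 10,20
!
! --- ISE authorization profile for the supplicant switch ----------------
! Advanced Attributes Settings, both returned in the Access-Accept:
!   cisco-av-pair = device-traffic-class=switch
!   cisco-av-pair = interface-template-name=NEAT_TRUNK_LIMITED
!
! --- Checks after the supplicant switch authenticates -------------------
! Placeholder interface name. Confirm that the template was applied and
! that only the intended VLANs are allowed on the resulting trunk.
show derived-config interface GigabitEthernet1/0/1
show interfaces trunk
```

Checking `show interfaces trunk` after authorization matters here: if the template name returned by ISE does not match a template defined on the switch, the allowed-VLAN restriction is not applied.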