Presentation is loading. Please wait.

Presentation is loading. Please wait.

Change of VLAN for Wired Guest

Published byDavid Francis Modified over 6 years ago

Similar presentations

Presentation on theme: "Change of VLAN for Wired Guest"— Presentation transcript:

1 Change of VLAN for Wired Guest

2 Limitation Requirement
Customers are looking to implement Wired Guest Flow and assign Guest Endpoint to a Guest VLAN Currently, this functionality is difficult/impossible to implement by Change of VLAN from ISE and hence is not recommended by ISE BU Limitation Wired Guests access portal in corporate VLAN ISE pushes dynamic VLAN but cannot port-bounce to refresh the IP in Guest VLAN. No connectivity to Guest Endpoint until the guest unplugs and plugs manually

3 Solution Utilize Auto Smart Port Switch Macro
Two Authorization Policies in ISE Catch-All rule that re-directs endpoint to Guest Portal and Registers Guest MAC Addresses in endpoint database Rule for Registered Guest Endpoints that sends trigger to execute a pre-defined Auto Smart Port Switch Two Pre-Defined Macros will be defined and executed as shown on next slide… The solution was validated in our lab running ISE 2.1 patch 2 and 3650 running 3.7.5

4 Define Two Macros on the switch
guestvlan_removedot1x … triggered from ISE Triggered when a Registered Guest Endpoint connects Reference made from ISE using auto-smart-port Cisco AVP Switches interface VLAN from Corporate to Guest Disables dot1x to avoid loop Bounces Port Applies the corporatevlan_applydot1x macro to the interface corporatevlan_applydot1x … triggered from above macro Switches VLAN from guest to corporate Enables dot1x Removes corporatevlan_applydot1x reference

5 Wired Flow for assigning Guest Endpoint to Guest VLAN
Wired Flow for assigning Guest Endpoint to Guest VLAN.. Guest Endpoint connecting for the first time Guest User Wired NAD PSN Auth Policies Endpoint connects for first time RADIUS from NAD to PSN Default Authorization Rule, Redirect to Web Portal Guest Endpoint Database RADIUS Response PSN to NAD Redirect to Guest Portal Endpoint redirected to Portal and User clicks OK Guest Endpoint added to DB ISE Issues a CoA Reauth PSN queries Guest Endpoint DB Endpoint redirected to Portal and User clicks OK Guest Auth Rule, ISE sends a trigger to execute a smart Port Macro Radius Accept, Run Macro Switch Runs macro to change the VLAN to Guest VLAN and issues shut/no-shut commands User Disconnects Switch Runs macro to change the VLAN to DATA VLAN

6 Wired Flow for assigning Guest Endpoint to Guest VLAN
Wired Flow for assigning Guest Endpoint to Guest VLAN.. Registered Guest Endpoint connects Guest User Wired NAD PSN Auth Policies Registered Guest Endpoint connects RADIUS from NAD to PSN Guest Auth Rule, ISE sends a trigger to execute a smart Port Macro Guest Endpoint Database Radius Accept, Run Macro PSN queries Guest Endpoint DB Switch Runs macro to change the VLAN to Guest VLAN and issues shut/no-shut commands User Disconnects Switch Runs macro to change the VLAN to DATA VLAN

7 guestvlan_removedot1x macro
macro auto execute guestvlan_removedot1x { if [[ $LINKUP == YES ]]; then configure terminal interface $INTERFACE no authentication port-control auto switchport access vlan 20 macro description $TRIGGER shut no shut fi if [[ $LINKUP == NO ]]; then configure terminal interface $INTERFACE description Guest no macro description $TRIGGER macro description corporatevlan_applydot1x fi }

8 corporatevlan_applydot1x
macro auto execute corporatevlan_applydot1x { if [[ $LINKUP == NO ]]; then configure terminal interface $INTERFACE authentication port-control auto switchport access vlan 10 no macro description $TRIGGER description corporate fi }

9 ISE Authorization Policies
Endpoints hit Default authorization rule when it connects for the first time Endpoint is registered in GuestEndpoints identity group after accepting the AUP and hits the Hotspot_Guests authorization rule

10 Guest_AUP Authorization Profile

11 Hotspot Portal Configuration

12 Hotspot_Guests Authorization Profile

13 Original Interface Config

14 After Guest Connect corporatevlan_applydot1x will enable the switch to switch the VLAN back to corporate and reapply dot1x config (Refer to slide 4)

15 Guest Disconnects corporatevlan_applydot1x reapplies the corporate vlan and re-enables dot1x

Download ppt "Change of VLAN for Wired Guest"

Similar presentations

CCNA3: Switching Basics and Intermediate Routing v3.0 CISCO NETWORKING ACADEMY PROGRAM Chapter 6 – Switch Configuration Switch Configuration Starting the.

CCNA3: Switching Basics and Intermediate Routing v3.0 CISCO NETWORKING ACADEMY PROGRAM Chapter 6 – Switch Configuration Switch Configuration Starting the.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Implement Inter- VLAN Routing LAN Switching and Wireless – Chapter 6.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Implement Inter- VLAN Routing LAN Switching and Wireless – Chapter 6.
Virtual LANs.

Virtual LANs.
Cisco 3 - Switch Perrine. J Page 15/8/2015 Chapter 8 What happens to the member ports of a VLAN when the VLAN is deleted? 1.They become inactive. 2.They.

Cisco 3 - Switch Perrine. J Page 15/8/2015 Chapter 8 What happens to the member ports of a VLAN when the VLAN is deleted? 1.They become inactive. 2.They.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.
LAN Switch configuration Telecom II May 2, 2007 TEL 202 Prof. Scott Stimpson Scott Robinson Concetta Sardzinski Jim Donovan.

LAN Switch configuration Telecom II May 2, 2007 TEL 202 Prof. Scott Stimpson Scott Robinson Concetta Sardzinski Jim Donovan.
IT:Network:Applications VIRTUAL DESKTOP INFRASTRUCTURE.

IT:Network:Applications VIRTUAL DESKTOP INFRASTRUCTURE.
AutoMAC: A Tool for Automating Network Moves, Adds, and Changes Christopher J. Tengi Princeton University.

AutoMAC: A Tool for Automating Network Moves, Adds, and Changes Christopher J. Tengi Princeton University.
VLANs- Chapter 3 CCNA Exploration Semester 3 Modified by Profs. Ward

VLANs- Chapter 3 CCNA Exploration Semester 3 Modified by Profs. Ward
Layer 2: Redundancy and High Availability Part 1: General Overview on Assignment 1.

Layer 2: Redundancy and High Availability Part 1: General Overview on Assignment 1.
Cisco Confidential 1 © 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential 1 © 2011 Cisco and/or its affiliates. All rights reserved.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.
Router and Switch Security By: Kulin Shah Krunal Shah.

Router and Switch Security By: Kulin Shah Krunal Shah.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—2-1 Implementing VLANs in Campus Networks Applying Best Practices for VLAN Topologies.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—2-1 Implementing VLANs in Campus Networks Applying Best Practices for VLAN Topologies.
Cisco CatOS vs. IOS 08/07/07 David Mitchell and Teresa Shibao.

Cisco CatOS vs. IOS 08/07/07 David Mitchell and Teresa Shibao.
Voice VLANs Lecture 7 VLANs.ppt 21/04/ Apr-17

Voice VLANs Lecture 7 VLANs.ppt 21/04/ Apr-17
Starting the switch Configuring the Switch

Starting the switch Configuring the Switch
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 6 Switch Configuration.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 6 Switch Configuration.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 6 Switch Configuration.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 6 Switch Configuration.

Similar presentations

Ads by Google