Cisco Support Community
New Member

ISE and VLAN assignment

Hi All,

Can ISE place a connection into a VLAN based on MAC address? (Both wired and wireless).

Scenario is as follows:

  • Users are wired and wireless, distributed around the campus. There are a dozen VLANs, one per closet, that are dedicated to users.
  • Laptops are bad, at least in the mind of the customer. So a laptop (wired or wireless) leaves the campus and returns; possibly with the plague.
  • For each closet we want to create a “restricted” VLAN for bad laptops; and a “good” VLAN for desktop users.
  • We have a list of all the laptop MAC addresses; and a list of all the desktop MAC addresses.
  • Can we see the laptop MAC address logging in; and place that laptop into a relevant “restricted” VLAN, based on location?
  • Likewise can we see all the other MAC addresses and place the user into a relevant “good” VLAN, based on location?

Thanks for your comments!

Andrew

Accepted Solutions
New Member

Re: ISE and VLAN assignment

If you create a rule per location then yes.
If a rule per location is not suitable then you could use one rule, which dumps them into a VLAN based on the VLAN name, but then you obviously need separate VTP domains per location.
Careful when you dynamically allocate VLANs that you may need to change to port bounce for CoA to allow DHCP to do its thing, which is a global setting up until version 1.2.
Version 1.2 also has other flexibilities which might be useful to you (nested rules so I believe you may be able to have one rule with multiple profiles based on location), but I've not played with them too much yet.

Sent from Cisco Technical Support iPhone App
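
The two approaches in the reply above (one rule per location, or a single rule that returns a VLAN name), modeled as an added example that is not part of the thread and is not ISE configuration. The MAC lists, closet names, VLAN IDs and VLAN names are constructed, and sending unknown MACs to the restricted VLAN is a choice made for this sketch.

```python
import re

# Constructed sample data (hypothetical endpoints and closets).
LAPTOP_MACS = {"00:11:22:33:44:55"}
DESKTOP_MACS = {"66:77:88:99:aa:bb"}

# Approach 1: a rule per location, each naming that closet's own VLAN IDs.
PER_LOCATION_VLANS = {
    "closet-a": {"good": "110", "restricted": "910"},
    "closet-b": {"good": "120", "restricted": "920"},
}
# Approach 2: one rule returning a VLAN name; each closet's switches
# map the same name to their own local VLAN ID.
VLAN_NAMES = {"good": "USERS_GOOD", "restricted": "USERS_RESTRICTED"}


def normalize_mac(raw):
    """Accept aa:bb:.., AA-BB-.. or aabb.ccdd.eeff; return lowercase colon form."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(mac):
    """Only a listed desktop earns 'good'; laptops and unknown MACs are restricted."""
    mac = normalize_mac(mac)
    if mac in DESKTOP_MACS and mac not in LAPTOP_MACS:
        return "good"
    return "restricted"


def vlan_attributes(vlan):
    """RFC 3580 tunnel attributes a RADIUS server returns to assign a VLAN."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": vlan,  # VLAN ID or VLAN name
    }


def authorize_per_location(mac, location):
    return vlan_attributes(PER_LOCATION_VLANS[location][classify(mac)])


def authorize_by_name(mac):
    return vlan_attributes(VLAN_NAMES[classify(mac)])
```

Both functions decide on nothing but the MAC address the endpoint presents, so the result is only as reliable as the two lists.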

Cisco Employee

Re: ISE and VLAN assignment

You have to create a location-based rule in ISE; then it is possible. ISE 1.2 provides lots of features on a location basis. Please check the release notes of ISE 1.2.

3 REPLIES
New Member

ISE and VLAN assignment

Bike, Ravi,

Thank you both for the quick and great responses. Very valuable info.

I still have reluctance to implement things this way for more of a human rather than technical reason.

The customer is proposing they will have two MAC address lists, one for "trusted" corporate devices and one for "not so trusted" devices. I see that being the weak link in the policy more than anything.

Again, thanks for the comments.

Andrew
