802.1x VLAN User Distribution (VLAN Group)

In this blog post, I will be going over 802.1x VLAN User Distribution (sometimes referred to as “VLAN Groups”) in Cisco IOS and a use case scenario that involves Cisco ISE (Identity Services Engine).

First, some background around VLAN Groups. Based on my research it seems there are two major types of VLAN Groups: The Firewall Service Module (FWSM) on the 6500 and on Cisco IOS & IOS XE Switches. It appears to possibly have other functionality within the Wireless Space for user assignment, but I did not do extensive research on that aspect to find an inclusive answer. In the world of IOS a VLAN group is simply a group that has a name assigned to it that can contain one or more VLANs assigned to that group.

The main purpose of 802.1x VLAN User Distribution is to dynamically provide VLAN load balancing by having the RADIUS server dictate the VLAN Group name within attribute 81 (Tunnel-Private-Group-ID) in the RADIUS response instead of a regular VLAN ID/Name. When the switch receives the VLAN Group name, it will assign the endpoint to the least populated configured VLAN for that group. Prior to IOS release 12.2(33)SXI1, this was accomplished by having multiple VLAN names specified under attribute 81.

A use case I have found outside of VLAN distribution load balancing (and the reason I know about VLAN Groups) is to provide a way to dynamically assign a preconfigured VLAN that does not have a uniform number across the enterprise from ISE. This case in particular was to have a predefined VLAN, that would span multiple different VLAN numbers, specific for Cisco IP Phones not tied to a Cisco CM dynamically assigned once the appropriate device profile in ISE was determined. This allows for the ability to have a different option 80 fields in the DHCP response to direct the phones to their non-Cisco based Call Manager.

To take advantage of this configuration, the VLAN group assigned with your desired VLAN(s) must be configured on the switch and the authorization profile that will be applied from ISE must be configured with RADIUS attribute 81 set to the VLAN group name.

To configure a VLAN group in IOS perform the following task:
SW1(config)# vlan group group-name vlan-list vlan-list

To note:

  • A VLAN Group name can be up to 32 characters
  • A VLAN Group name must start with a letter
  • Group members can be specified as a single VLAN ID, a list of VLAN IDs, or a VLAN ID range. Multiple entries are separated by a hyphen (-) or a comma (,) similar to the interface range command.
  • To remove a VLAN from the VLAN group, use the no version (no vlan group group-name vlan-list vlan-ID).
  • The VLAN Group will be removed once the last VLAN ID is removed from the group.

Configuring a VLAN Group on a Cisco Switch:rh3cn9l
vlan group TEST_VG vlan-list 410

Configuring VLAN Group assignment in ISE:
image002
Navigate to Policy Elements > Results > Authorization > Authorization Profiles > Profile
Select VLAN and Enter VLAN Group Name

Once a endpoint is authenticated against the switch via 802.1X and the appropriate authorization profile is assigned, the VLAN configured on the switch for the VLAN group is assigned:Verfication

Some bonus verification information:

When a VLAN is statically assigned via 802.1X, the VLAN assignment can be seen across multiple switchport / VLAN status commands.

The first command is show vlan.

Before dynamic VLAN assignment (port configuration):verification1

After dynamic VLAN assignment (via 802.1X with VLAN Group):verification2

The second command is show interface interface-name switchport:

Before dynamic VLAN assignment (port configuration):verification3

After dynamic VLAN assignment (via 802.1X with VLAN Group):verification4

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s