@cappalli wrote:
The role should really be the security context and each role would have a VLAN attached. VLAN names are recommended to abstract the VLAN-ID across the environment from a policy standpoint
Examples:
STUDENT
   vlan-name student
FACULTY
   vlan-name faculty
STAFF
   vlan-name staff
MEDIA-PLAYER
   vlan-name headless
PRINTER
   vlan-name headless
QUARANTINE
   vlan-name quarantine
PROFILE
   vlan-name guest
GUEST-REG
   vlan-name guest
GUEST
   vlan-name guest
Tim, do you have any suggestion for someone who wants the VLAN names to be unique to each VLAN ID?
For example I use a VLAN ID of 2314 for printers at one site and 2414 for printers at another. Rather than calling both VLANs "PRINTERS", I like to name them uniquely to avoid any possible confusion, such as "SITEA_PRINTERS" and "SITEB_PRINTERS".
Is there any other solution besides changing my naming convention to be more ambiguous (IMO)?
It seems like it would work if there was a way to do VLAN translation (I'm thinking of IAP clusters, where I can pass the same VLAN name as a VSA for all sites, but translate it in each site's IAP to the correct VLAN ID). However, I'm not seeing a way to do this with DURs on the switches. Wanted to make sure I wasn't missing anything.
My next-best workaround (besides an insane amount of logic and additional enforcement profiles) is to use LURs and define the different VLANs within them on each switch. For example on SITEA switch:
aaa authorization user-role name "PRINTERS"
   reauth-period 86400
   vlan-name "SITEA_PRINTERS"
   exit
And on SITEB switch:
aaa authorization user-role name "PRINTERS"
   reauth-period 86400
   vlan-name "SITEB_PRINTERS"
   exit
That way I can just pass back PRINTERS as the HPE-User-Role to all sites.
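Added example (Python, not from the post or from Aruba): with the LUR workaround above, the RADIUS server returns the same HPE-User-Role value to every site, and the per-site difference lives only in each switch's local user-role definition. The part that goes wrong in practice is a LUR whose vlan-name does not exist on that particular switch, so the script below renders the per-site "aaa authorization user-role" blocks from a role-to-VLAN-name map and refuses to emit config for a site where a referenced VLAN name is not defined. The site inventory, VLAN IDs other than the 2314/2414 printer VLANs from the post, and the STAFF role are constructed for illustration.

```python
"""Render per-site local user-role (LUR) blocks for ArubaOS-Switch and check
that every vlan-name a role references is actually defined on that site.

Added example, not code from the original post. The inventories below are
constructed; only the PRINTERS role and VLANs 2314/2414 come from the post.
"""

from typing import Dict, List, Optional, Tuple

# Constructed: VLAN ID -> VLAN name as configured on each site's switch
# (what `show vlans` would list on that switch).
SITE_VLANS: Dict[str, Dict[int, str]] = {
    "SITEA": {2314: "SITEA_PRINTERS", 2310: "SITEA_STAFF"},
    "SITEB": {2414: "SITEB_PRINTERS", 2410: "SITEB_STAFF"},
}

# Constructed: role name (the value returned as HPE-User-Role) -> VLAN name per site.
# The same role name is returned to every site; only the LUR on each switch differs.
ROLE_VLAN_NAMES: Dict[str, Dict[str, str]] = {
    "PRINTERS": {"SITEA": "SITEA_PRINTERS", "SITEB": "SITEB_PRINTERS"},
    "STAFF": {"SITEA": "SITEA_STAFF", "SITEB": "SITEB_STAFF"},
}


def render_lur(role: str, vlan_name: str, reauth_period: int = 86400) -> str:
    """Render one LUR block in the same form the post shows."""
    return "\n".join([
        f'aaa authorization user-role name "{role}"',
        f"   reauth-period {reauth_period}",
        f'   vlan-name "{vlan_name}"',
        "   exit",
    ])


def missing_vlans(site: str,
                  role_map: Dict[str, Dict[str, str]] = ROLE_VLAN_NAMES,
                  site_vlans: Dict[str, Dict[int, str]] = SITE_VLANS,
                  ) -> List[Tuple[str, Optional[str]]]:
    """List (role, vlan_name) pairs that would not resolve on this site's switch.

    vlan_name is None when the role has no VLAN assigned for this site at all.
    A LUR pointing at a VLAN name the switch does not have is the failure mode
    to catch before pushing config: the role name still arrives from RADIUS,
    but the switch has nowhere to put the client.
    """
    defined = set(site_vlans.get(site, {}).values())
    problems: List[Tuple[str, Optional[str]]] = []
    for role, per_site in sorted(role_map.items()):
        name = per_site.get(site)
        if name is None or name not in defined:
            problems.append((role, name))
    return problems


def build_site_config(site: str,
                      role_map: Dict[str, Dict[str, str]] = ROLE_VLAN_NAMES,
                      site_vlans: Dict[str, Dict[int, str]] = SITE_VLANS,
                      reauth_period: int = 86400) -> str:
    """Render every LUR block for one site; refuse to emit dangling VLAN names."""
    problems = missing_vlans(site, role_map, site_vlans)
    if problems:
        raise ValueError(f"{site}: unresolved VLANs for roles {problems}")
    return "\n".join(render_lur(role, per_site[site], reauth_period)
                     for role, per_site in sorted(role_map.items()))


def vlan_id_for_role(site: str, role: str,
                     role_map: Dict[str, Dict[str, str]] = ROLE_VLAN_NAMES,
                     site_vlans: Dict[str, Dict[int, str]] = SITE_VLANS) -> Optional[int]:
    """Resolve the VLAN ID a client in `role` lands in at `site`.

    Same role name everywhere, different VLAN ID per site: this is the
    translation the LUR performs on each switch.
    """
    name = role_map.get(role, {}).get(site)
    for vid, vname in site_vlans.get(site, {}).items():
        if vname == name:
            return vid
    return None


if __name__ == "__main__":
    for site in SITE_VLANS:
        print(f"--- {site} ---")
        print(build_site_config(site))
        print(f"PRINTERS on {site} resolves to VLAN {vlan_id_for_role(site, 'PRINTERS')}")
```

Run it as-is to print the SITEA and SITEB blocks; feed it your own site inventory (for example parsed from `show vlans` output) to catch a role whose vlan-name was never created on a given switch before the LUR is pushed there.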