Occasional Contributor II

Vlan query

Hi,

I have two flavors of switches - HPE and Cisco.

All ports have the below config:
Access VLAN is 10,
Voice VLAN is 20.
The four VLANs 10, 20, 30 and 40 are configured on the switch.

Now during enforcement, CPPM is returning VLAN 30 for the user's standard PC and VLAN 40 for IP phones.

So my question is: do we have to manually put the user port in VLAN 30 and the IP phone in VLAN 40?

Or does the RADIUS attribute / enforced VLAN take preference without making any change on any port?

I need this on both Cisco and HPE switches.
Guru Elite

Re: Vlan query

Please follow the ClearPass Solution Guide for Wired Policy Enforcement.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Vlan query

Hi Tim

I have gone through it, but this is still not clear. Whatever CPPM returns as the enforcement VLAN, the port will take it; it does not matter whether the port is preconfigured in that VLAN or not. But this is not confirmed by the wired guide. Moreover, for Cisco switches it is not specifically mentioned.
Occasional Contributor II

Re: Vlan query

To the best of my knowledge, RADIUS-assigned VLANs will always take precedence over the port VLAN. If you want to do RADIUS authentication while still keeping the port configuration, you should be able to do a simple "allow access" RADIUS profile.

Chris Wickline | Network Engineer | York College of Pennsylvania
Guru Elite

Re: Vlan query

There is a whole Cisco section of the doc...

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Vlan query

Hello Chris. Yes, RADIUS always takes preference. My query is, for example, RADIUS returns VLAN 20, but is it essential that the port must be preconfigured in VLAN 20? It could be configured in any VLAN beforehand, right?
Guru Elite

Re: Vlan query

No. The VLAN only needs to be defined on the switch.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Vlan query

Thanks Tim, really appreciate it. I guess this is applicable for both Cisco (newer version, I would say) and HPE?
Guru Elite

Re: Vlan query

Pretty standard across the industry.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

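The behaviour discussed in this thread, as an added example that is not part of any post above or of the ClearPass guide: RADIUS servers commonly signal a VLAN with the RFC 3580 attribute trio (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=VLAN ID), which the thread itself does not name. The `effective_vlan` function is a hypothetical model of the switch side, and its handling of a VLAN that is not defined on the switch (authorization fails) is an assumption, since that outcome is vendor dependent.

```python
# RADIUS attribute types (RFC 2865/2868) and the values RFC 3580 requires
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

def encode_vlan_attrs(vlan_id, tag=0):
    """Attribute bytes a RADIUS server puts in an Access-Accept to assign a VLAN."""
    def tagged_int(attr, value):  # 1-byte tag + 3-byte value, total length 6
        return bytes([attr, 6, tag]) + value.to_bytes(3, "big")
    gid = str(vlan_id).encode()   # VLAN ID travels as an ASCII string, untagged here
    return (tagged_int(TUNNEL_TYPE, VLAN) + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(gid)]) + gid)

def parse_vlan(attrs):
    """Return the assigned VLAN ID, or None if there is no complete VLAN assignment."""
    found, i = {}, 0
    while i < len(attrs):
        alen = attrs[i + 1] if i + 1 < len(attrs) else 0
        if alen < 3 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        found[attrs[i]] = attrs[i + 2:i + alen]
        i += alen
    ttype, medium, gid = (found.get(t) for t in
                          (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if not (ttype and medium and gid):
        return None
    if (int.from_bytes(ttype[1:], "big") != VLAN
            or int.from_bytes(medium[1:], "big") != IEEE_802):
        return None
    if gid[0] <= 0x1F:            # optional leading tag byte (RFC 2868)
        gid = gid[1:]
    text = gid.decode("ascii", "replace")
    return int(text) if text.isdigit() else None

def effective_vlan(port_access_vlan, switch_vlans, attrs):
    """Hypothetical switch model: which VLAN the port lands in after authentication."""
    vlan = parse_vlan(attrs)
    if vlan is None:
        return port_access_vlan   # plain accept: static port config stays in effect
    if vlan not in switch_vlans:
        return None               # assumption: undefined VLAN means authorization fails
    return vlan                   # RADIUS VLAN overrides the port's access VLAN

if __name__ == "__main__":
    defined = {10, 20, 30, 40}    # VLANs from the original question; port is in VLAN 10
    print(effective_vlan(10, defined, encode_vlan_attrs(30)))  # PC enforced into 30
    print(effective_vlan(10, defined, b""))                    # accept with no VLAN
    print(effective_vlan(10, defined, encode_vlan_attrs(50)))  # 50 is not defined
```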