Implementation Plan

Technical Implementation

Phase 1: Switch Configuration (Tony Sun)

1a. VLAN Extension — SRT Access Switches

The existing research VLAN is being repurposed and extended to the SRT building access switches where it does not yet exist. Verify presence first and add it only where missing. The VLAN ID must be identical on every switch (it is what the switches forward on and what ISE will assign in Phase 2); the name is cosmetic but should match the existing VLAN on the other switches for consistency.

! Check if VLAN already exists on this switch
show vlan id <VLAN_ID>

! If not present — add it (name must match existing VLAN on other switches)
configure terminal
  vlan <VLAN_ID>
    name <VLAN_NAME>
  exit
end
write memory

Repeat on each SRT access switch where the VLAN is not yet present:

  • <SRT-SW-01>

  • <SRT-SW-02>

  • <SRT-SW-03>

  • <ADD_ADDITIONAL_SWITCHES>

1b. Trunk Allowed VLAN Additions — Access to Distribution

! Add the research VLAN to the trunk between the access switch and the Nexus distribution.
! Keep the 'add' keyword: 'switchport trunk allowed vlan <VLAN_ID>' without 'add' replaces
! the whole allowed list and drops every other VLAN carried on this uplink.

configure terminal
  interface <TRUNK_INTERFACE>
    switchport trunk allowed vlan add <VLAN_ID>
  exit
end
write memory

1c. Nexus Distribution Upstream

! Nexus distribution (NX-OS) - create the VLAN, then confirm the downlink trunk
! to each SRT access switch carries it. A trunk must allow the VLAN on both ends.
! The interface step is needed only if the downlink restricts its allowed list.

configure terminal
  vlan <VLAN_ID>
    name <VLAN_NAME>
  exit
  interface <NEXUS_DOWNLINK_INTERFACE>
    switchport trunk allowed vlan add <VLAN_ID>
  exit
end
copy running-config startup-config
show vlan id <VLAN_ID>
show interface <NEXUS_DOWNLINK_INTERFACE> trunk

1d. Switch Verification

! Verify on each switch
show vlan id <VLAN_ID>
! Read the "Vlans allowed and active in management domain" line for the uplink.
! Do not grep for the bare ID: 'include <VLAN_ID>' misses an ID covered by a
! range such as 1-4094 and matches substrings (20 also matches 120).
show interfaces <TRUNK_INTERFACE> trunk
show spanning-tree vlan <VLAN_ID>
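The Phase 1 steps above repeat on every SRT switch, and the "only add where missing" rule is easy to get wrong by eye, especially when the trunk allowed list is a range. The following is an added example (not part of this plan or of any vendor tool) that takes the captured text of "show vlan brief" and "show interfaces trunk" from a switch and emits only the IOS config lines that are still needed. Switch names, VLAN 120 / RESEARCH, the uplink Gi1/0/48 and the captured outputs are constructed stand-ins for the placeholders in this plan.

```python
"""Phase 1 pre-check: from captured 'show vlan brief' and 'show interfaces
trunk' output, decide whether the research VLAN and the trunk allowed-list
entry already exist and emit only the missing IOS config.
Example code added to this plan; all sample data below is constructed."""

import re


def expand_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '1-5,10,20-22' into a set of ints.
    Grepping the trunk output for an ID misses IDs inside ranges like 1-4094."""
    vlans: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_vlan_brief(text: str) -> dict[int, str]:
    """Map VLAN ID -> name. Only rows that start with a VLAN number are
    entries; wrapped port lists start with whitespace and are skipped."""
    vlans: dict[int, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+(\S+)\s+\S+", line)
        if m:
            vlans[int(m.group(1))] = m.group(2)
    return vlans


def parse_show_interfaces_trunk(text: str) -> dict[str, dict[str, set[int]]]:
    """Per trunk port, return the 'allowed' and 'active' VLAN sets from the
    two sections of 'show interfaces trunk' that matter for this change."""
    sections = {
        "Vlans allowed on trunk": "allowed",
        "Vlans allowed and active in management domain": "active",
    }
    result: dict[str, dict[str, set[int]]] = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^Port\s+(.*)$", line)
        if header:                      # section header: select or ignore section
            current = sections.get(header.group(1).strip())
            continue
        if current is None or not line.strip():
            continue
        port, spec = line.split(None, 1)
        result.setdefault(port, {})[current] = expand_vlan_list(spec)
    return result


def plan_switch(hostname: str, vlan_brief: str, trunk_output: str,
                vlan_id: int, vlan_name: str, trunk_if: str) -> list[str]:
    """Return the config lines this switch still needs (empty if none).
    A name mismatch is reported, not silently 'fixed': renaming a VLAN that
    other teams rely on is a separate decision."""
    cfg: list[str] = []
    vlans = parse_show_vlan_brief(vlan_brief)
    if vlan_id not in vlans:
        cfg += [f"vlan {vlan_id}", f" name {vlan_name}", "exit"]
    elif vlans[vlan_id] != vlan_name:
        cfg.append(f"! WARNING {hostname}: VLAN {vlan_id} is named "
                   f"'{vlans[vlan_id]}', expected '{vlan_name}'")
    trunks = parse_show_interfaces_trunk(trunk_output)
    if trunk_if not in trunks:
        cfg.append(f"! WARNING {hostname}: {trunk_if} is not trunking")
    elif vlan_id not in trunks[trunk_if].get("allowed", set()):
        # 'add' is essential: without it the whole allowed list is replaced
        cfg += [f"interface {trunk_if}",
                f" switchport trunk allowed vlan add {vlan_id}", "exit"]
    return cfg


# Constructed sample: SRT-SW-01 already has the VLAN and an unrestricted uplink.
SW01_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
120  RESEARCH                         active    Gi1/0/10
1002 fddi-default                     act/unsup
"""
SW01_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/48    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/48    1-4094

Port        Vlans allowed and active in management domain
Gi1/0/48    1,120
"""
# Constructed sample: SRT-SW-02 lacks the VLAN and prunes its uplink to 1,10,20.
SW02_VLAN_BRIEF = "\n".join(l for l in SW01_VLAN_BRIEF.splitlines()
                            if not l.startswith("120"))
SW02_TRUNK = SW01_TRUNK.replace("1-4094", "1,10,20").replace("1,120", "1,10,20")

if __name__ == "__main__":
    for host, brief, trunk in (("SRT-SW-01", SW01_VLAN_BRIEF, SW01_TRUNK),
                               ("SRT-SW-02", SW02_VLAN_BRIEF, SW02_TRUNK)):
        lines = plan_switch(host, brief, trunk, 120, "RESEARCH", "Gi1/0/48")
        print(f"{host}: " + ("nothing to do" if not lines
                              else "\n  " + "\n  ".join(lines)))
```

Run it once per switch with the real captures; a switch that prints "nothing to do" is skipped, and the emitted lines are pasted inside a configure terminal / end / write memory session exactly as in 1a and 1b.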

Phase 2: ISE Configuration (Evan Rosado)

2a. Authorization Profile

Field            Value
Profile Name     <AUTHZ_PROFILE_NAME>
Access Type      ACCESS_ACCEPT
VLAN ID/Name     <VLAN_ID> / <VLAN_NAME>
DACL             <EXISTING_DACL_NAME> (reused)
SGT              <SGT_NAME_IF_APPLICABLE>
Description      Research VLAN assignment for SRT research endpoints — SIEM migration

ISE delivers the VLAN to the switch as the RADIUS attributes Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and Tunnel-Private-Group-ID set to the ID or name entered above. A switch that receives a VLAN it does not have configured fails the authorization for that endpoint, so Phase 1 must be complete on every SRT switch before any rule references this profile.

Navigation: Policy → Policy Elements → Results → Authorization → Authorization Profiles → Add

2b. Authorization Rule

Field            Value
Policy Set       Wired 802.1X Closed Mode
Rule Name        <AUTHZ_RULE_NAME>
Condition(s)     <ENDPOINT_GROUP or IDENTITY_GROUP or AD_GROUP>
Result — Profile <AUTHZ_PROFILE_NAME> (created in 2a)
Rule Position    <ABOVE/BELOW_EXISTING_RULE>
Description      Assign research endpoints in SRT to research VLAN

Rule position matters: by default ISE applies the first authorization rule that matches, evaluated top to bottom, so this rule must sit above any broader rule (for example a general domain-computer rule) that would also match the research endpoints; otherwise they keep their current VLAN and the change has no effect. If the rule is meant to apply only in SRT, add a device-location condition (such as the Network Device Group of the SRT switches) next to the endpoint or group condition; with an endpoint condition alone it applies to matching endpoints on every switch in the policy set.

Navigation: Policy → Policy Sets → Wired 802.1X Closed Mode → Authorization Policy → Insert Rule

2c. ISE Verification

! Verify authorization profile exists
ISE GUI: Policy -> Policy Elements -> Results -> Authorization -> Authorization Profiles
Filter: <AUTHZ_PROFILE_NAME>

! Verify authorization rule is active
ISE GUI: Policy -> Policy Sets -> Wired 802.1X Closed Mode -> Authorization Policy
Confirm rule order and conditions

! Verify RADIUS Live Logs after test
ISE GUI: Operations -> RADIUS -> Live Logs
Filter by endpoint MAC or username
Confirm: Authorization Profile = <AUTHZ_PROFILE_NAME>; in the entry's details, the Result section shows Tunnel-Private-Group-ID = <VLAN_ID> (or <VLAN_NAME>) and the cisco-av-pair CiscoSecure-Defined-ACL naming <EXISTING_DACL_NAME>

Phase 3: Validation (David Ntashamaje)

3a. Endpoint Authentication Test

Test                                           Expected result
Connect research endpoint to SRT switch port   802.1X authentication initiates
Verify RADIUS Live Logs on ISE                 AuthZ Profile = <AUTHZ_PROFILE_NAME>
Verify VLAN assignment on switch               show authentication sessions interface <INT> details shows VLAN <VLAN_ID>
Verify IP address in correct subnet            Endpoint receives DHCP from <SUBNET> scope
Verify network reachability                    Endpoint can reach required research resources
Verify DACL applied                            show ip access-lists on switch confirms DACL download
Verify DACL enforcement (negative test)        Traffic the DACL is meant to deny is blocked, not just the permitted traffic confirmed

3b. Switch-Side Validation Commands

! Verify endpoint authenticated and assigned to correct VLAN
show authentication sessions interface <INT> details

! Verify VLAN is active on the port
show vlan id <VLAN_ID>

! Verify DACL applied - the downloaded ACL appears as xACSACLx-IP-<DACL_NAME>-<hash>,
! and the 'ACS ACL' line in the session details above names the same ACL
show ip access-lists

! Verify the trunk carries the VLAN - read the "Vlans allowed and active in
! management domain" line; grepping for the bare ID misses ranges and matches substrings
show interfaces <TRUNK_INTERFACE> trunk
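The 3a and 3b checks are read by eye from the session output, which is fine for one port but error-prone across many. The following is an added example (not part of this plan) that parses the text of "show authentication sessions interface <INT> details" and checks the four things the validation cares about: Authorized status, dot1x as the successful method, the RADIUS-assigned VLAN, and the downloaded ACL name. The session text, VLAN 120, the DACL name RESEARCH-DACL and the hash suffix are constructed stand-ins for the placeholders in this plan.

```python
"""Phase 3 check: parse 'show authentication sessions interface <INT> details'
output and confirm the session is Authorized via dot1x, landed in the research
VLAN and received the expected DACL.
Example code added to this plan; the session text below is constructed."""

import re


def parse_session_details(text: str) -> dict[str, str]:
    """Flatten every 'Key:  value' line into a dict (later sections win)."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def check_session(text: str, expected_vlan: int, expected_dacl: str) -> dict:
    """Return the parsed facts plus a list of findings; an empty findings
    list means the port passed every check."""
    f = parse_session_details(text)
    findings: list[str] = []

    if f.get("Status") != "Authorized":
        findings.append(f"status is {f.get('Status')!r}, expected 'Authorized'")

    # Rows of the 'Method status list' have no colon, so find the dot1x row directly
    m = re.search(r"^\s*dot1x\s+(.+?)\s*$", text, re.MULTILINE)
    if not m or m.group(1) != "Authc Success":
        findings.append("dot1x did not report 'Authc Success' (MAB or failed auth?)")

    # Server Policies shows 'Vlan Group:  Vlan: <id>' for a RADIUS-assigned VLAN
    vm = re.search(r"Vlan:\s*(\d+)", f.get("Vlan Group", ""))
    vlan = int(vm.group(1)) if vm else None
    if vlan != expected_vlan:
        findings.append(f"VLAN is {vlan}, expected {expected_vlan}")

    # A downloaded ACL is named xACSACLx-IP-<DACL name>-<hash> on the switch
    dacl = f.get("ACS ACL", "")
    if not dacl.startswith(f"xACSACLx-IP-{expected_dacl}-"):
        findings.append(f"DACL is {dacl!r}, expected xACSACLx-IP-{expected_dacl}-<hash>")

    return {"interface": f.get("Interface"), "mac": f.get("MAC Address"),
            "ip": f.get("IPv4 Address"), "vlan": vlan, "dacl": dacl,
            "findings": findings}


# Constructed sample of a session that meets every expectation.
GOOD_SESSION = """\
            Interface:  GigabitEthernet1/0/5
          MAC Address:  0011.2233.4455
         IPv6 Address:  Unknown
         IPv4 Address:  10.120.0.25
            User-Name:  host/research-ws01.example.local
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
    Common Session ID:  0A780001000000A3000F1C2B
       Current Policy:  POLICY_Gi1/0/5

Server Policies:
           Vlan Group:  Vlan: 120
              ACS ACL:  xACSACLx-IP-RESEARCH-DACL-5f3a1b2c

Method status list:
       Method           State
       dot1x            Authc Success
"""

# Constructed failure case: dot1x failed and the endpoint sits in VLAN 10,
# which yields two independent findings.
BAD_SESSION = (GOOD_SESSION.replace("Vlan: 120", "Vlan: 10")
                           .replace("Authc Success", "Authc Failed"))

if __name__ == "__main__":
    for name, text in (("good", GOOD_SESSION), ("bad", BAD_SESSION)):
        r = check_session(text, 120, "RESEARCH-DACL")
        print(name, r["interface"], r["mac"], "VLAN", r["vlan"], "->",
              "PASS" if not r["findings"] else "; ".join(r["findings"]))
```

Feed it the real output of show authentication sessions interface <INT> details with <VLAN_ID> and <EXISTING_DACL_NAME> in place of the constructed values; the DACL check deliberately ignores the hash suffix, which changes whenever the DACL content is edited in ISE.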