STD-022: Enterprise Network Operations

Operational standards for enterprise network infrastructure changes: ISE policy modifications, VLAN provisioning, trunk configuration, and 802.1X integration. Every network change follows STD-005 (Change Control) and STD-021 (CAB Process).

Applicability

This standard applies to changes on the work (enterprise) network. Home lab network changes follow STD-023 (Home Lab Infrastructure).

ISE Policy Change Process

Authorization Profile

Every new VLAN assignment or access policy requires an Authorization Profile in ISE.

  • Profile Name: descriptive, following the naming convention <BUILDING>-<PURPOSE>-<VLAN_NAME>

  • Access Type: ACCESS_ACCEPT for permitted access

  • VLAN ID/Name: must match the VLAN configured on the switches exactly. The switch resolves whatever ISE sends (ID or name) against its local VLAN database, so a mismatch on any one switch causes authorization to fail on that switch.

  • DACL: reference an existing DACL where possible. New DACLs require separate review.

  • Description: include the CR reference and purpose

Navigation: Policy → Policy Elements → Results → Authorization → Authorization Profiles → Add

Authorization Rule

  • Policy Set: identify the correct policy set (e.g., Wired 802.1X Closed Mode, Wireless Staff)

  • Rule Name: descriptive: <PURPOSE>-<BUILDING>-<ACCESS_LEVEL>

  • Condition(s): based on endpoint group, identity group, AD group, or device type. Document the match criteria.

  • Result (Profile): reference the Authorization Profile created above

  • Rule Position: document where the rule is inserted relative to existing rules. Order matters: the first matching rule wins, so a new rule placed below a broader existing rule is never reached, and one placed above it captures endpoints the broader rule was meant to handle.

Navigation: Policy → Policy Sets → [Policy Set Name] → Authorization Policy → Insert Rule

Verification

Every ISE policy change MUST be verified with RADIUS Live Logs:

  • Navigation: Operations → RADIUS → Live Logs

  • Filter by endpoint MAC or username

  • Confirm: correct AuthZ Profile assigned, correct VLAN, DACL applied

  • Document the Live Log entry in the CR

VLAN Provisioning Workflow

Step 1: VLAN Creation

  • VLAN name MUST be consistent across all switches in the building

  • VLAN ID MUST be confirmed as unused on all target switches before creation

  • Document the VLAN ID, name, subnet, and gateway

Step 2: Trunk Configuration

  • Explicitly add the new VLAN to trunk allowed lists with switchport trunk allowed vlan add <VLAN_ID>. Do not rely on allowed vlan all, and never omit the add keyword: switchport trunk allowed vlan <VLAN_ID> on its own replaces the entire allowed list and drops every other VLAN from the trunk.

  • Verify on every trunk link between access switches and distribution

  • Verify spanning-tree topology is stable for the new VLAN (expected root bridge, no unexpected blocking ports, no further topology changes once the change settles)

Step 3: ISE Integration

  • Create Authorization Profile with VLAN assignment

  • Create Authorization Rule in the appropriate policy set

  • Test with a known endpoint before declaring the change complete
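The following is an added example, not part of STD-022 or any vendor tooling: a Python script that performs the Step 1 pre-check (VLAN ID unused on every target switch), the Step 1 post-check (same name everywhere) and the Step 2 post-check (the VLAN is allowed, active and STP-forwarding on each trunk) by parsing captured text of show vlan brief and show interfaces trunk. The switch names, VLAN names and command outputs below are constructed to resemble Cisco IOS formatting; the parser's handling of the section headers is an assumption about that layout.

```python
# Added example (not part of STD-022): checks for Steps 1 and 2 of the VLAN
# workflow, parsing captured "show vlan brief" / "show interfaces trunk" text.
import re

def expand_vlan_ranges(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '1-10,20,100-200' into a set of IDs."""
    spec = spec.strip().lower()
    if spec in ("", "none"):
        return set()
    if spec == "all":
        return set(range(1, 4095))
    vlans: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_vlan_brief(text: str) -> dict[int, str]:
    """Map VLAN ID -> VLAN name from 'show vlan brief' output."""
    vlans: dict[int, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(\d{1,4})\s+(\S+)\s+(active|suspended|act/\S+)", line)
        if m:
            vlans[int(m.group(1))] = m.group(2)
    return vlans

def vlan_id_conflicts(outputs: dict[str, str], vlan_id: int) -> dict[str, str]:
    """Step 1 pre-check: switches where the ID already exists -> existing name."""
    conflicts: dict[str, str] = {}
    for switch, text in outputs.items():
        existing = parse_show_vlan_brief(text)
        if vlan_id in existing:
            conflicts[switch] = existing[vlan_id]
    return conflicts

def vlan_name_consistent(outputs: dict[str, str], vlan_id: int) -> bool:
    """Step 1 post-check: the VLAN exists on every switch under one name."""
    names = {parse_show_vlan_brief(t).get(vlan_id) for t in outputs.values()}
    return len(names) == 1 and None not in names

# Headers of the 'show interfaces trunk' tables that carry VLAN lists.
TRUNK_SECTIONS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}

def parse_show_interfaces_trunk(text: str) -> dict[str, dict[str, set[int]]]:
    """Map port -> {'allowed'|'active'|'forwarding' -> set of VLAN IDs}."""
    result: dict[str, dict[str, set[int]]] = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            section = TRUNK_SECTIONS.get(line[4:].strip())  # None: Mode/Status table
            continue
        if section is None:
            continue
        port, _, spec = line.partition(" ")
        result.setdefault(port, {})[section] = expand_vlan_ranges(spec)
    return result

def trunk_carries_vlan(text: str, vlan_id: int) -> dict[str, dict[str, bool]]:
    """Step 2 post-check per trunk port. Allowed but not active means the VLAN
    is missing on one end; active but not forwarding means STP blocks it. Set
    membership is used because IOS compresses the lists into ranges."""
    return {
        port: {k: vlan_id in sets.get(k, set()) for k in TRUNK_SECTIONS.values()}
        for port, sets in parse_show_interfaces_trunk(text).items()
    }

# Constructed samples: two access switches before VLAN 120 is provisioned.
SHOW_VLAN_BRIEF = {
    "bldg-a-acc-01": """\
VLAN Name                             Status    Ports
1    default                          active    Gi1/0/1, Gi1/0/2
10   BLDGA-STAFF-DATA                 active    Gi1/0/3
20   BLDGA-VOICE                      active
""",
    "bldg-a-acc-02": """\
VLAN Name                             Status    Ports
1    default                          active
10   BLDGA-STAFF-DATA                 active
120  LEGACY-TEST                      active    Gi1/0/20
""",
}

# Constructed sample: uplinks of one access switch after the trunk change.
SHOW_INTERFACES_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/47    on               802.1q         trunking      1
Gi1/0/48    on               802.1q         trunking      1
Port        Vlans allowed on trunk
Gi1/0/47    1-10,20,100-200
Gi1/0/48    1,10,20
Port        Vlans allowed and active in management domain
Gi1/0/47    1,10,20,120
Gi1/0/48    1,10,20
Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/47    1,10,20,120
Gi1/0/48    1,10,20
"""
```

In the sample, vlan_id_conflicts(SHOW_VLAN_BRIEF, 120) reports that bldg-a-acc-02 already uses ID 120 for LEGACY-TEST, which is exactly the Step 1 condition that blocks creation. trunk_carries_vlan(SHOW_INTERFACES_TRUNK, 120) shows Gi1/0/47 carrying the VLAN in all three lists and Gi1/0/48 not allowing it at all; a check for VLAN 5 on Gi1/0/47 comes back allowed but not active, the case a grep for the ID would misreport because 5 sits inside the printed range 1-10.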

Verification Commands

! Verify VLAN exists; if ISE assigns by name, the name shown here must be
! exactly what the Authorization Profile sends
show vlan id <VLAN_ID>

! Verify trunk carries the VLAN. Caution: this command prints VLAN lists as
! compressed ranges (e.g. 100-200), so "| include <VLAN_ID>" misses an ID
! that sits inside a range and also matches other IDs (120 matches 1200).
! Read the "allowed", "allowed and active" and "forwarding" lists in full.
show interfaces trunk
show interfaces trunk | include <VLAN_ID>

! Verify spanning-tree (expected root bridge, no unexpected blocking ports)
show spanning-tree vlan <VLAN_ID>

! Verify endpoint authentication. On IOS-XE with new-style (IBNS 2.0)
! configuration the equivalent is: show access-session interface <INT> details
show authentication sessions interface <INT> details

! Verify DACL applied. The downloaded ACL appears as
! xACSACLx-IP-<DACL_NAME>-<hash> and must match the "ACS ACL" line in the
! session details above
show ip access-lists
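The following is an added example, not part of STD-022: a Python check that reads captured output of show authentication sessions interface <INT> details (or show access-session on IOS-XE) and compares the live session against the VLAN, DACL and authentication method the CR expects, so the validator gets a list of discrepancies rather than eyeballing the output. The session text below is constructed to approximate that layout; field names vary between IOS releases, so the parser reads every "Key:  value" line generically, and the interface, MAC, username, DACL name and hash are invented.

```python
# Added example (not part of STD-022): verify an authenticated session against
# the CR's expected result. Sample output is constructed, not captured.
from __future__ import annotations
import re

SESSION_DETAILS = """\
            Interface:  GigabitEthernet1/0/5
          MAC Address:  0011.2233.4455
         IPv4 Address:  192.0.2.45
            User-Name:  jdoe
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
      Session timeout:  N/A
    Common Session ID:  0A0A0A01000000A8B1C2D3E4
       Current Policy:  POLICY_Gi1/0/5

Server Policies:
           Vlan Group:  Vlan: 120
              ACS ACL:  xACSACLx-IP-BLDGA-IOT-RESTRICT-4f2a9c1e

Method status list:
       Method           State
       dot1x            Authc Success
       mab              Stopped
"""

def parse_session_details(text: str) -> dict[str, str]:
    """Collect 'Key:  value' fields plus the state of each auth method
    (stored under 'method:dot1x' / 'method:mab')."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z0-9 /-]*?):\s+(\S.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^\s*(dot1x|mab)\s+(.+?)\s*$", line)
        if m:
            fields["method:" + m.group(1)] = m.group(2)
    return fields

def assigned_vlan(fields: dict[str, str]) -> int | None:
    """VLAN pushed by ISE: 'Vlan Group: Vlan: N' on IOS-XE, 'Vlan Policy: N' on older IOS."""
    for key in ("Vlan Group", "Vlan Policy"):
        m = re.search(r"\d+", fields.get(key, ""))
        if m:
            return int(m.group())
    return None

def assigned_dacl(fields: dict[str, str]) -> str | None:
    """DACL name recovered from the downloaded ACL name xACSACLx-IP-<name>-<hash>."""
    acl = fields.get("ACS ACL")
    if not acl:
        return None
    m = re.match(r"xACSACLx-IP-(.+)-[0-9A-Fa-f]+$", acl)
    return m.group(1) if m else acl

def verify_session(text: str, vlan: int, dacl: str | None, method: str) -> list[str]:
    """Discrepancies between the live session and the CR's expected VLAN, DACL
    and authentication method. An empty list means the session is verified."""
    f = parse_session_details(text)
    problems: list[str] = []
    if f.get("Status") != "Authorized":
        problems.append(f"status is {f.get('Status')!r}, expected Authorized")
    if assigned_vlan(f) != vlan:
        problems.append(f"VLAN {assigned_vlan(f)} assigned, CR expects {vlan}")
    if assigned_dacl(f) != dacl:
        problems.append(f"DACL {assigned_dacl(f)!r} applied, CR expects {dacl!r}")
    if f.get("method:" + method) != "Authc Success":
        problems.append(f"{method} state is {f.get('method:' + method)!r}, expected Authc Success")
    return problems
```

Checking the expected method matters as much as the VLAN: a MAB session landing in the right VLAN because a broad MAB rule matched is not the 802.1X result the CR was written for, and only the method state exposes that.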

802.1X Closed Mode Requirements

  • All access ports in closed mode: no data traffic passes until authentication succeeds (only EAPOL is accepted beforehand). On IOS this is authentication port-control auto without authentication open.

  • MAB fallback for non-supplicant devices (printers, IoT, medical devices)

  • VLAN assignment via ISE Authorization Profile, never static on the switch

  • Monitor mode (authentication open) permitted only during the initial deployment phase; left in place it silently defeats closed mode, because the port forwards traffic whether or not authentication succeeds
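The following is an added example, not part of STD-022: a Python audit that parses a running-config excerpt and reports every access port that violates the four requirements above (no port-control auto, no dot1x authenticator, no MAB fallback, authentication open still present, or a static access VLAN). The configuration is constructed; it assumes classic IOS authentication-manager syntax, so switches converted to IBNS 2.0 policy maps would need different match strings.

```python
# Added example (not part of STD-022): audit access ports against the closed-
# mode requirements. Constructed config; assumes classic IOS auth-manager syntax.
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 description Staff desk
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description Printer - pilot
 switchport mode access
 switchport access vlan 120
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 description Unmanaged
 switchport mode access
!
interface GigabitEthernet1/0/48
 description Uplink to distribution
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20,120
!
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map interface name -> list of its (stripped) sub-commands."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or another top-level command ends the block
    return interfaces

# Commands every closed-mode access port must carry, and must not carry.
REQUIRED = {
    "authentication port-control auto": "port-control is not auto: no 802.1X enforcement",
    "dot1x pae authenticator": "dot1x authenticator not enabled",
    "mab": "no MAB fallback for non-supplicant devices",
}
FORBIDDEN = {
    "authentication open": "monitor mode (authentication open) still configured",
}

def audit_closed_mode(config: str) -> dict[str, list[str]]:
    """Return {interface: [findings]} for access ports that violate the standard."""
    findings: dict[str, list[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope for this check
        issues = [msg for cmd, msg in REQUIRED.items() if cmd not in lines]
        issues += [msg for cmd, msg in FORBIDDEN.items() if cmd in lines]
        if any(l.startswith("switchport access vlan ") for l in lines):
            issues.append("static access VLAN set; VLAN must come from the ISE Authorization Profile")
        if issues:
            findings[name] = issues
    return findings
```

Run against the sample, Gi1/0/1 passes, Gi1/0/2 is flagged for monitor mode and a static VLAN (the typical leftover from a pilot), Gi1/0/3 is flagged for having no 802.1X at all, and the trunk on Gi1/0/48 is skipped.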

Personnel Roles for Network Changes

  • Network Implementer: switch configuration, trunk modifications, VLAN creation

  • NAC/ISE Implementer: authorization profiles, policy set rules, RADIUS verification

  • Validator/Tester: endpoint connection test, VLAN assignment confirmation, DACL verification

  • Change Owner: submits the iTrack record, coordinates the schedule, owns post-implementation validation

Multiple implementers are standard for network + ISE changes. Each person’s scope MUST be documented in the CR.

Cross-Reference

  • STD-005 (Change Control) — verify-change-verify for every command

  • STD-021 (CAB Process) — iTrack record and approval required

  • STD-011 (Incident Response) — failed network changes that impact connectivity trigger incident workflow

  • STD-013 (Case Studies Taxonomy) — CR- documents provide implementation details