https://community.cisco.com/t5/network-access-control/sharing-ip-sgt-mappings-between-switches-with-inline-propagation/m-p/3682204#M25297 <P>Jonathan,</P> <P>&nbsp;</P> <P>thank you very much - this explains it!</P> <P>&nbsp;</P> <P>Roland</P> Mon, 06 Aug 2018 15:20:30 GMT rmueller@cisco.com 2018-08-06T15:20:30Z https://community.cisco.com/t5/network-access-control/sharing-ip-sgt-mappings-between-switches-with-inline-propagation/m-p/3680689#M25295 <P>Hi all,</P> <P>&nbsp;</P> <P>I have a maybe basic question about SGACL-enforcement locally on access switches:</P> <P>Let’s assume I have two access-switches within a L2-deployment (Access-Switch A and Access-Switch B).</P> <P>On Access-Switch A User_a is being authenticated, he get’s SGT 10. The switch downloads SGACL for SGT 10 from ISE, and the switch also has the SGT-to-ip mapping for User_a.</P> <P>On Access-Switch B User_b is being authenticated, he get’s SGT 20. The switch downloads SGACL for SGT 20 from ISE, and the switch also has the SGT-to-ip mapping for User_b.</P> <P>Propagation method is inline tagging.</P> <P>&nbsp;</P> <P>Now the SGACL denies communication between SGT 10 and SGT 20. If the packet now is sourced on access-switch A, how does access-switch A know about the SGT-to-ip mapping for User_b, which is stored locally on switch B?</P> <P>&nbsp;</P> <P>Thanks in advance.</P> <P>&nbsp;</P> <P>Roland</P> Fri, 03 Aug 2018 09:58:32 GMT https://community.cisco.com/t5/network-access-control/sharing-ip-sgt-mappings-between-switches-with-inline-propagation/m-p/3680689#M25295 rmueller@cisco.com 2018-08-03T09:58:32Z https://community.cisco.com/t5/network-access-control/sharing-ip-sgt-mappings-between-switches-with-inline-propagation/m-p/3680710#M25296 <P>Hi Roland,</P> <P>it doesn't know of the remote mapping.</P> <P>Remember that the technology is built for egress enforcement.</P> <P>So, traffic flows from A to B, the A side doesn't know of the B mapping so there can't be any enforcement on the A side for this flow. However, switch A inserts the source SGT into the L2 frame (inline propagation) for the packets sent to B. The B switch reads the source SGT off the wire, has the destination SGT and can enforce.</P> <P>So, egress enforcement on B.</P> <P>In the other direction it's the same - egress enforcement at A.</P> <P>If you want/need to do ingress enforcement then you have to propagate the destination mappings back to the source (using something like SXP) but that doesn't scale.</P> <P>Cheers, Jonothan.</P> Fri, 03 Aug 2018 10:33:27 GMT https://community.cisco.com/t5/network-access-control/sharing-ip-sgt-mappings-between-switches-with-inline-propagation/m-p/3680710#M25296 jeaves@cisco.com 2018-08-03T10:33:27Z https://community.cisco.com/t5/network-access-control/sharing-ip-sgt-mappings-between-switches-with-inline-propagation/m-p/3682204#M25297 <P>Jonathan,</P> <P>&nbsp;</P> <P>thank you very much - this explains it!</P> <P>&nbsp;</P> <P>Roland</P> Mon, 06 Aug 2018 15:20:30 GMT https://community.cisco.com/t5/network-access-control/sharing-ip-sgt-mappings-between-switches-with-inline-propagation/m-p/3682204#M25297 rmueller@cisco.com 2018-08-06T15:20:30Z