topic ISE | SXP | Nexus 7000 SGT-MAP query in Network Access Control

ISE | SXP | Nexus 7000 SGT-MAP query

Gagandeep Singh — Mon, 11 Mar 2019 08:09:48 GMT

I have a customer who has a concern :

How do we get the static IP-SGT mappings defined in ISE to propagate to the VLAN-level on the Nexus 7K's?? This needs to be automated in a similar manner like it propagates to the default VRF on the Nexus 7K's.

Troubleshooting done :

ISE is speaker and all other devices in enterprise are listeners.

Current setup, ISE push IP-SGT mappings at VRF level onto Nexus. Client is connected behind an access port VLAN due which not working properly.

Started troubleshooting on the N7K where traffic from AC client 10.xx.xx.29 9xx4 trying to reach 10.xx.xx.7 2xxx1

Enforcement not happening correctly as <9xx4,2xxx1> should deny as per SGACL matrix on ISE.

NX-DC# show logging ip access-list cache detail | i 10.xx.xx.29

9xx4 10.xx.xx.29 10.xx.xx.243 0 0 Ethernet2/xx (1)IC

MP (0 )OFF ---- ----- Permit -----

----- ----- 3

65519 10.xx.xx.7 10.xx.xx.29 0 0 port-channel256 (1

)ICMP (0 )OFF ---- ----- Deny -----

----- ----- 2

9xx4 10.xx.xx.29 10.xx.xx.7 0 0 Ethernet2/xx (1)IC

MP (0 )OFF ---- ----- Permit -----

----- ----- 5

We found that sgt-map pushed for VRF:1. However, the end client is behind access port VLAN 10.

The issue is DGT: 0, so <9xx4, 0> will get hit instead of <9xx4, 2xxx1>.

NX-DC# sh system internal forwarding ipv4 route 10.xx.xx.7 de

slot 1

=======

slot 2

=======

RPF Flags legend:

S - Directly attached route (S_Star)

V - RPF valid

M - SMAC IP check enabled

G - SGT valid

E - RPF External table valid

10.xx.xx.7/32 , Vlan10

Dev: 0 , Idx: 0xb266 , RPF Flags: VS , DGT: 0 , VPN: 1

Also noticed that the IP-SGT configuration for 10.xx.xx.7 2xxx1 is under VRF:1, however the enforcement needs to happen on VLAN 10 so the same IP-SGT needs to be configured under VLAN 10

The moment I configured sgt-map for destination IP under vlan 10. Enforcement applied correctly. Traffic got denied.

NX-DC# sh cts role-based sgt-map | in 10.xx.xx.7

10.xx.xx.7                              2xxx1(BAS_CCTV_Servers)            vlan:

10   CLI Configured

10.xx.xx.7                              2xxx1(BAS_CCTV_Servers)            vrf:1

     CLI Configured

Any help would be appreciated.

Regards

Gagan

Re: ISE | SXP | Nexus 7000 SGT-MAP query

hslai — Wed, 15 Nov 2017 02:14:00 GMT

Moving to TrustSec space.

Re: ISE | SXP | Nexus 7000 SGT-MAP query

Config T — Tue, 28 Nov 2017 22:09:11 GMT

The IP-SGT mapping propagated from ISE to the N7K vrf should bind, as long as the N7K isn't learning a conflicging mapping from a higher priority source. As long as the device has the correct IP-SGT mapping, the egress policies associated with those mappings should apply.

From your problem description, I believe you're saying 10.x.x.29 should have SGT-9xx4 and 10.x.x.7 should have SGT-2xxx1 and the egress policy should deny it, but it does not appear to enforce correctly until you manually add a VLAN mapping on the N7K?

While the problem is occurring, have you verified that the enforcement device has the correct IP-SGT mappings for the source and destination? Can you provide output from "sh cts ro sgt-m | i 10.x.x.7" and "sh cts ro sgt-m | i 10.x.x.29" from the enforcement device?

Also, can you verify that egress policy is correct in both directions on the enforcement device? Please provide output from the N7K of the following two commands: "sh cts ro poli from 9xx4 to 2xxx1" and "sh cts ro poli from 2xxx1 to 9xx4".