topic Pushing IP-SGT mappings to Cisco switch in Network Access Control

Pushing IP-SGT mappings to Cisco switch

snatara2 — Thu, 27 Apr 2017 12:31:02 GMT

Thank you for the suggestion given previously.

By following the below suggestion, given to add device steps I am able to find the device in ISE and tried deploying the IP-SGT binding. It got deployed to the device globally.

However my requirement is that, the binding should get deployed to the device for a VRF “sgt”.

In device I have configured VRF “sgt” . In ISE side I have configured the below.

In ISE I have given deployed via as a “sgt” but still it is coming globally. Any suggestion to make it deployed to vrf “sgt”.

Hi

reply from Hariprasad Holla in Technology > Security Community > Policy and Access > Identity Services Engine (ISE) - View the full discussion

The IP-SGT bindings from ISE can be pushed to the network via 2 methods:

1) CLI configuration

2) ISE SXP

You seem to be using method-1, which requires you to define the network device’s SSH login credentials so that ISE can configure it for static IP-to-SGT bindings.

Here’s how you do it:

Under ‘Advanced TrustSec Settings’ within the Network Device configuration in ISE, specify the SSH login details:

https://communities.cisco.com/servlet/JiveServlet/downloadImage/2-252925-106739/385-190/Screen+Shot+2017-04-26+at+9.44.33+AM.png

Then under TrustSec Work center > Components, you should be able to see this network device to push the static IP-to-SGT binding.

https://communities.cisco.com/servlet/JiveServlet/downloadImage/2-252925-106740/1245-900/Screen+Shot+2017-04-26+at+9.45.08+AM.png

Reply to this message by replying to this email, or go to the message on Cisco Communities

Start a new discussion in Technology > Security Community > Policy and Access > Identity Services Engine (ISE) by email or at Cisco Communities

Re: Hi Team

hariholla — Fri, 28 Apr 2017 06:21:31 GMT

Hi Srinivasan,

The 'SGT Mapping groups' on ISE is not same as the VRFs within the network. I believe, the IP-to-SGT mapping from ISE is pushed down to the network for the IPs available on the global route table. kthumula, Could you confirm ?

Cheers!

-Hari

Re: Hi Team

snatara2 — Fri, 28 Apr 2017 08:25:16 GMT

Hi Hari,

I have 10.10.10.2 under VRF “sgt”, in routing table. And I have created the IP-SGT binding in ISE and deploying it to device still it is coming to globally. Please find the details below.

Sup6t-snv#sh run int t3/3

Building configuration...

Current configuration : 96 bytes

interface TenGigabitEthernet3/3

vrf forwarding sgt

ip address 10.10.10.2 255.255.255.0

end

Sup6t-snv#sh ip route vrf sgt

Routing Table: sgt

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

a - application route

+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 10.10.10.0/24 is directly connected, TenGigabitEthernet3/3

L 10.10.10.2/32 is directly connected, TenGigabitEthernet3/3

Sup6t-snv#sh cts role-based sgt-map all

Active IPv4-SGT Bindings Information

IP Address SGT Source

============================================

10.10.10.2 5 CLI

IP-SGT Active Bindings Summary

============================================

Total number of CLI bindings = 1

Total number of active bindings = 1

However the SGT downloaded for the device is getting added for this IP under VRF.

Sup6t-snv#sh cts role-based sgt-map vrf sgt all

%IPv6 protocol is not enabled in VRF sgt

Active IPv4-SGT Bindings Information

IP Address SGT Source

============================================

10.10.10.2 8 INTERNAL

IP-SGT Active Bindings Summary

============================================

Total number of INTERNAL bindings = 1

Total number of active bindings = 1

We have given “sgt” as Deploy via and it has been created as an SXP Domain. Do we need to do anything related to that in ISE?

Regards,

Srinivasan.N

Re: Hi Team

kthumula — Fri, 28 Apr 2017 14:01:22 GMT

The mappings pushed from ISE would be deployed to the global. To have VRF-aware SGT, ISE (radius config) need to be part of that VRF.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-sy/sec-cts-15-sy-book/sec-cts-vrf-sgt.pdf

An SXP Domain in ISE provides a means to logically group network devices to which SXP mappings should be exchanged. These “Domains” are optional and if none are defined the system default domain named “default” is used. This allows for granular control of where specific SXP mappings will be advertised. Similar to the one (sgt) which you created above in ISE.

Re: Hi Team

Cyptic man — Wed, 19 May 2021 19:31:35 GMT

Hi!

How would the VRF-aware SGT radius configuration solve this issue and how is this meant to work with SD-access?

Even if i configure my radius server to a separate VRF the static SGT-map configuration pushed is still without the vrf parameter.
Is there any such parameter within ISE today to define the VRF for the mappings?