topic Re: Update Static SGT Mappings via REST in Network Access Control

Update Static SGT Mappings via REST

paul — Thu, 08 Nov 2018 22:03:50 GMT

Does anyone of the correct JSON body required to update a static SGT mapping via REST. Here is what I am trying:

I am doing a JSON PUT to my admin node:

https://10.0.128.237:9060/ers/config/sgmapping/17a7afe2-b3e5-459c-8090-587ed1fb3381

The body I am trying to use is:

{
"SGMapping" : {
    "sgt" : "2cd52dd0-85ea-11e8-9fa1-024294424ec9",
    "deployTo" : "ALL",
    "deployType" : "ALL",
    "hostName" : "1.1.1.1"
}
}

The hostName field I think is causing me the issue. I am not sure why I would need to specify the IP or hostname since I am reference the object ID in the URL.

Any thoughts would be appreciated.

Re: Update Static SGT Mappings via REST

paul — Thu, 08 Nov 2018 22:38:17 GMT

Okay I figured the first part out. I can get it to update or create:

{
"SGMapping" : {
    "sgt" : "2cd52dd0-85ea-11e8-9fa1-024294424ec9",
    "deployTo" : "ALL",
    "deployType" : "ALL",
    "hostIp" : "3.3.3.3"
}
}

Now the only thing I need to figure out is how to set the SXP domain. For static entries I put in the GUI I have the option to set the SXP domain. When I update or add via REST I don't see that option.

Here is what the mappings look like when I add/update via REST.

3.3.3.3 doesn't have Deploy Via set so it won't get pushed out. Is that a oversight in the REST API?

Re: Update Static SGT Mappings via REST

paul — Thu, 08 Nov 2018 22:50:49 GMT

Okay in playing with this more I found that if I use SGT groups and assign the new device to the group everything works because the groups have the domain set:

{
"SGMapping" : {
"mappingGroup" : "d9e414a0-f365-4969-9a03-843debea756d",
"hostIp" : "3.3.3.3/32"
}
}

My guess is that the SXP domain was an oversight in the SGT REST API. If you can't set the SXP domain there is no point in adding/modifying IP to SGT mapping via REST. For now, unless I hear otherwise, I will have to create an SGT Group for every SGT tag I create.

Re: Update Static SGT Mappings via REST

Surendra — Fri, 09 Nov 2018 09:25:29 GMT

I believe you can set it under SXP Local Bindings instead of SGT Mappings as below where sxpVpn is the SXP Domain name.

Method:

POST

URI:

https://<> Address>:9060/ers/config/sxplocalbindings

HTTP 'Content-Type' Header:

application/xml | application/json

HTTP 'Accept' Header:

application/xml | application/json

HTTP 'ERS-Media-Type' Header (Not Mandatory):

sxp.sxplocalbindings.1.0

HTTP 'X-CSRF-TOKEN' Header (Required Only if Enabled from GUI):

The Token value from the GET X-CSRF-TOKEN fetch request

Bulk Support:

Operation 'Create' can be used within Bulk Request.

Request Content:
XML

SXP Local Binding Name(Optional)
ipAddressOrHost
sgt_id
Sxp Vpn Name

JSON
{
"ERSSxpLocalBindings" : {
"description" : "Description(Optional)",
"bindingName" : "SXP Local Binding Name(Optional)",
"ipAddressOrHost" : "ipAddressOrHost",
"sxpVpn" : "Sxp Vpn Name",
"sgt" : "sgt_id"
}
}

Re: Update Static SGT Mappings via REST

Surendra — Fri, 09 Nov 2018 09:31:23 GMT

I believe you can set it using SXP Local Bindings section (Refer ERS API documentation in ISE) instead of IP SGT Mappings as below where sxpVpn is the SXP Domain name.

Re: Update Static SGT Mappings via REST

paul — Fri, 09 Nov 2018 13:30:29 GMT

That looks like it will work, but I may just still with the group mapping. Adding in the SXP binding adds 2-3 more calls vs. just assigning it to a Group mapping.

Thanks.

Re: Update Static SGT Mappings via REST

mtrinell — Fri, 24 Apr 2020 07:38:21 GMT

Hello, I'm having the same issue.
Using sxplocalbindings endpoint doesn't solve the issue because
- field "Deploy To" will not be set
- the new entry won't correctly propagate to sgmappings endpoint, thus impossible to update Deploy To.

It looks like this is a serious bug.
Using ISE 2.6