https://community.cisco.com/t5/network-access-control/sda-scalable-group-tag-sgt-allowed-in-two-places-what-is-best/m-p/4266777#M564554 <P>IMO from my experiences this is preference related.&nbsp; I personally like seeing the SGT assigned in the authz policy.&nbsp; A brief overview of the two options is either doing it all (assigning SGT, VN, IP Pool) via the authz profile that is then referenced in the authz policy result.&nbsp; Or creating the authz profile, assigning the DNAC specified string as the vlan (this unique string can be extracted via DNAC and/or from a simple #show vlan on an edge node that is a member of your fabric), and then reference that authz profile under your authz results column.&nbsp; One difference would be if you wanted to onboard a node without assigning an SGT then you would probably want to use option 2.&nbsp; For more info take a peek at the following links:</P> <P><A href="https://community.cisco.com/t5/networking-documents/how-to-sda-host-onboarding-with-ise/ta-p/4012430" target="_blank" rel="noopener">https://community.cisco.com/t5/networking-documents/how-to-sda-host-onboarding-with-ise/ta-p/4012430</A></P> <P><A href="https://community.cisco.com/t5/cisco-digital-network/user-to-virtual-network-association/m-p/4054485" target="_blank" rel="noopener">https://community.cisco.com/t5/cisco-digital-network/user-to-virtual-network-association/m-p/4054485</A></P> <P>HTH!</P> <P>&nbsp;</P> Tue, 05 Jan 2021 01:44:28 GMT Mike.Cifelli 2021-01-05T01:44:28Z https://community.cisco.com/t5/network-access-control/sda-scalable-group-tag-sgt-allowed-in-two-places-what-is-best/m-p/4266686#M564551 <P>Hello</P> <P>&nbsp;</P> <P>In an SDA deployment (using DNAC), when assigning an SGT (Scalable Group Tag) in ISE, one can select from the Authorization Policy drop-down list (shown below)</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sgt1.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/100837i29126DD1ED77B41D/image-size/large?v=v2&amp;px=999" role="button" title="sgt1.png" alt="sgt1.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>or, specify it in the Authorization Result Profile - what is the difference?</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sgt2.png" style="width: 848px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/100838iA2BA7DBFAFB00CD2/image-size/large?v=v2&amp;px=999" role="button" title="sgt2.png" alt="sgt2.png" /></span></P> <P>&nbsp;</P> <P>The endpoint VLAN ID can no longer be specified when selecting the Security Group in Authorization Profile - how then does one specify the VLAN ID (as per DNAC definition) ? In our case a VN (Virtual Network) is further subnetted, and hence there will be more than one IP subnet (VLAN) on the Edge Nodes for a VN.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 04 Jan 2021 21:21:03 GMT https://community.cisco.com/t5/network-access-control/sda-scalable-group-tag-sgt-allowed-in-two-places-what-is-best/m-p/4266686#M564551 Arne Bier 2021-01-04T21:21:03Z https://community.cisco.com/t5/network-access-control/sda-scalable-group-tag-sgt-allowed-in-two-places-what-is-best/m-p/4266777#M564554 <P>IMO from my experiences this is preference related.&nbsp; I personally like seeing the SGT assigned in the authz policy.&nbsp; A brief overview of the two options is either doing it all (assigning SGT, VN, IP Pool) via the authz profile that is then referenced in the authz policy result.&nbsp; Or creating the authz profile, assigning the DNAC specified string as the vlan (this unique string can be extracted via DNAC and/or from a simple #show vlan on an edge node that is a member of your fabric), and then reference that authz profile under your authz results column.&nbsp; One difference would be if you wanted to onboard a node without assigning an SGT then you would probably want to use option 2.&nbsp; For more info take a peek at the following links:</P> <P><A href="https://community.cisco.com/t5/networking-documents/how-to-sda-host-onboarding-with-ise/ta-p/4012430" target="_blank" rel="noopener">https://community.cisco.com/t5/networking-documents/how-to-sda-host-onboarding-with-ise/ta-p/4012430</A></P> <P><A href="https://community.cisco.com/t5/cisco-digital-network/user-to-virtual-network-association/m-p/4054485" target="_blank" rel="noopener">https://community.cisco.com/t5/cisco-digital-network/user-to-virtual-network-association/m-p/4054485</A></P> <P>HTH!</P> <P>&nbsp;</P> Tue, 05 Jan 2021 01:44:28 GMT https://community.cisco.com/t5/network-access-control/sda-scalable-group-tag-sgt-allowed-in-two-places-what-is-best/m-p/4266777#M564554 Mike.Cifelli 2021-01-05T01:44:28Z https://community.cisco.com/t5/network-access-control/sda-scalable-group-tag-sgt-allowed-in-two-places-what-is-best/m-p/4266780#M564555 <P>I prefer to use SGT on the Authz, and not the result. It's such a pain in the you know what having to drill in to the results to find the SGT that should be assigned.&nbsp;<BR /><BR />We need to feature request something like a hover over a result in the policy sets and see a list of config.&nbsp;</P> Tue, 05 Jan 2021 01:57:32 GMT https://community.cisco.com/t5/network-access-control/sda-scalable-group-tag-sgt-allowed-in-two-places-what-is-best/m-p/4266780#M564555 Damien Miller 2021-01-05T01:57:32Z https://community.cisco.com/t5/network-access-control/sda-scalable-group-tag-sgt-allowed-in-two-places-what-is-best/m-p/4266781#M564556 <P>thanks&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/833210">@Mike.Cifelli</a>&nbsp;- link #1 works for me. Let's see how we go</P> Tue, 05 Jan 2021 01:58:30 GMT https://community.cisco.com/t5/network-access-control/sda-scalable-group-tag-sgt-allowed-in-two-places-what-is-best/m-p/4266781#M564556 Arne Bier 2021-01-05T01:58:30Z