topic Re: IP static SGT mapping in Network Access Control

IP static SGT mapping

UNVC — Wed, 19 Jul 2023 09:24:53 GMT

Hi all,

I contact you regarding a basic question regarding SGT use case.
We have a network composed of:
- Core switch (Cisco) in our Cisco Fabric, that manage access to all other switches and servers
- Access switches (Cisco) in our Cisco Fabric too for end-users/systems
- Cisco ISE to manage 802.1x authentication, SGT, etc.
- Cisco DNA Center to manage the whole system

Currently SGT is used, configured and working, but we are using it by associating an SGT to a VLAN.
This is configured and pushed through our DNA Center.

What we want is to assign only one IP to a specific SGT.
The goal is to dedicate a SGT to a system (compose of one or more clients/servers) to control communication to-from this system to-from the other systems, and to avoid using global configuration, or using more VLAN segmentation (like dedicating a smaller VLAN to this system).

For this, I have used the IP SGT Static Mapping of Cisco ISE (so associated my required IP to the SGT I need, in the correct VN), and pushed this configuration to our network.
As all is managed by the Cisco ISE and DNA, I indeed can see the configuration in the running-config and in the result of "show cts role-based sgt-map all" (source = CLI).
But unfortunately, the rules I applied through the matrix for this SGT are not working (basically, I tested to block the communication from a management server to this specific IP using the default Deny_IP_Log), so the static mapping is not working.

Perhaps I missed a basic point of the configuration ?
Do I need to refresh something after pushing the configuration ?
Can you help me for this ?

Have a good day !

Re: IP static SGT mapping

Flavio Miranda — Wed, 19 Jul 2023 11:47:06 GMT

Hello @UNVC

I believe is possible to achieve what you intent but you need to put this device in a specific VN alone. By creating the SGT, the information we have to attach this SGT to the network is the VN, you can not add an IP address there.

Re: IP static SGT mapping

Greg Gibbs — Wed, 19 Jul 2023 22:41:19 GMT

I could be wrong, but I don't believe it's possible to enforce static IP-SGT mappings within the VXLAN/LISP fabric used by SDA.
If the system is within the fabric, you would need to assign it an SGT based on either 802.1x or MAB-based authorization policy.
If the system is outside the fabric, you would need to propagate the IP-SGT mappings to either the border node or another external system (like a fusion router or firewall) using pxGrid or SXP and have that platform do the enforcement.
See the following example of doing that propagation and enforcement on the Border Node.
https://community.cisco.com/t5/security-knowledge-base/policy-enforcement-within-sda-border/ta-p/3646816#toc-hId--1069166528

Keep in mind that, with TrustSec, you should be performing enforcement as close to the destination as possible to scale the solution properly.

Re: IP static SGT mapping

MHM Cisco World — Thu, 20 Jul 2023 23:16:19 GMT

I will check.