topic Re: SGT to IP/subnet binding in Network Access Control

SGT to IP/subnet binding

dditconsultingbe — Fri, 22 Sep 2023 09:43:47 GMT

Hi all,

I try to understand a concept of the Cisco TrustSec system.
On a network, I always used (until now) the binding of SGT to VLAN: this work well.
For now, I want to go one step further and to statically bind some specific IP to an SGT.
For example: on the same VLAN, having multiple servers with different SGT to control access.
In all the case, as far as I know, IP-SGT binding is more priority than VLAN-SGT binding.

All my system is managed by (among others):
- Cisco Catalyst switches
- DNA Center
- Cisco ISE (in RO for SGT, all controlled by DNA)

I want to test the following communication:
- One server in a VLAN with static SGT mapping (SGT = 10) - IP range = 10.20.0.0/24
- One server in a VLAN without static SGT mapping (mapping is done after using ISE) - IP range = 10.20.1.0/24
- The SGT to test is SGT 23
- SGT 23 is not allow to communicate with SGT 10

Using ISE, I push the SGT-IP mapping on the required switch (so the destination switch, which is also the source switch, of the communication I test). The result command is simple: cts role-based sgt-map 10.20.1.0/24 sgt 23

When I check the result (show cts role-based sgt-map all), I can see:

Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
10.20.1.0/24 23 CLI

But when I test the communication (basically, a PING), the binding is not applied.
the system consider that the network 10.20.1.0/24 is Unknown (so SGT 0).

Can you help me understanding this, and explain me how to do this "basic" mapping ?

Thanks in advance for your help !

Re: SGT to IP/subnet binding

Rob Ingram — Fri, 22 Sep 2023 09:53:20 GMT

@dditconsultingbe you've pushed the static binding, but do you have the SGACL in place to permit/deny the required traffic?

https://community.cisco.com/t5/security-knowledge-base/policy-provisioning-and-operation-in-sda/ta-p/3712744

https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/dna-center/215516-trustsec-whitelist-model-with-sda.html

Re: SGT to IP/subnet binding

dditconsultingbe — Fri, 22 Sep 2023 10:10:24 GMT

Hi @Rob Ingram

Thanks for really quick answer !
Yes, indeed the matrix (contain my SGACL) is defined (con,figured from DNA Center and pushed to Cisco ISE, to allow my switches using it).
The default fallback is "Deny IP Log".
For some of my tags, I have a permit IP (generally, if managed above by a firewall, or for communication to network devices).
For some tags, I have specific ACLs.

In this case, there is no ACL associated to the SGT used (so 10 and 23), so should be the default "Deny IP Log".

I tested by enabling "Permit IP Log" on the rule from/to Unknown (0) to my second server (10) and I can see the traffic (with 0 not normal indeed).

Re: SGT to IP/subnet binding

dditconsultingbe — Sun, 22 Oct 2023 12:57:32 GMT

Does someone have any news on this ?