topic Re: SGT tagging to inbound third party partner traffic on Firepower in Network Access Control

SGT tagging to inbound third party partner traffic on Firepower

BINU KR — Sun, 23 Jun 2024 02:13:57 GMT

In my case, the customer wants to tag the third party (parnters) traffic connected to the company. The third parties are connected via MPLS or Internet IPSec tunnels to a perimeter router and the traffic is then filtered on Firepower. At this point, the traffic must be tagged with SGT for later monitoring with SNA integration. The Cisco ISE is already in place assigning SGTs to the Enterprise devices and SNA is integrated with FMC. Is this a possible scenario and any references would be appreciated.

Re: SGT tagging to inbound third party partner traffic on Firepower

Damien Miller — Sun, 23 Jun 2024 02:54:14 GMT

I don't know if you can do this on a firepower. I like the use case though, I would feature request static sgt mappings for vpn tunnels if it doesn't exist.

One way I know that you could do this is to force the tunnel traffic to route through an ASR or switch on specific interfaces. On the router/switch interfaces you would assign a static sgt to the port of your choosing. This would tag all traffic on ingress from the third party tunnels.

Re: SGT tagging to inbound third party partner traffic on Firepower

BINU KR — Mon, 24 Jun 2024 05:18:52 GMT

Thanks Damien.