https://community.cisco.com/t5/software-defined-access-sd-access/sda-policy-enforcement/m-p/4833039#M2326 <P>short addon to what Flavio said:</P> <P>there r 2 places u enforce policies in SDA: 1) SGT-aware Fusion FW - stateful filtering &amp; inspection; 2) FE-layer stateless filtering;</P> <P>in case 1)&nbsp; ensure that FW has proper IP-to-SGT mapping to support rules with both SRC&amp;DST defined as SGTs: with good design u will have SRC SGT embedded in L2-frame , but FW will need to lookup DST SGT for the DST IP of the packet. if FW has subscription to PxGrid on ISE, DST SGT can be obtained from DST endpoint session via PxGrid, otherwise u have to configure IP-to-SGT mappings &amp; propagate it to FW via SXP;</P> <P>in case 2) if u dont have SRC SGT in the VXLAN header (equivalent of Unknown SGT==0) u must have static IP-to-SGT mapping (SXP is a mean basically), or if u dont have DST endpoint assigned SGT locally (by ISE AuthZ during AAA), u have to use either method of IP-to-SGT mapping (like VLAN-to-SGT).</P> Thu, 11 May 2023 07:41:56 GMT Andrii Oliinyk 2023-05-11T07:41:56Z https://community.cisco.com/t5/software-defined-access-sd-access/sda-policy-enforcement/m-p/4832931#M2322 <P>Hello im still learning about SDA environment i have a question, so in our HQ we deploy SDA infrastructure with policy enforcement on firewall using SGT-IPBASE all the acl on firewall then we want to implement SDA too on our branch but there are no firewall over there, can we enforcement on fusion router ?and how ?</P> <P>thank you</P> Thu, 11 May 2023 01:27:21 GMT https://community.cisco.com/t5/software-defined-access-sd-access/sda-policy-enforcement/m-p/4832931#M2322 reylite 2023-05-11T01:27:21Z https://community.cisco.com/t5/software-defined-access-sd-access/sda-policy-enforcement/m-p/4832933#M2323 <P>Hello,</P> <P>&nbsp;There is no requirement for firewall when applying policy enforcement</P> <P>&nbsp;Actually the policy enforcement is done by ISE. You create on the DNAC, this is send to ISE via PX Grid and then applied to devices.</P> <P>&nbsp;Here is the steps.</P> <P><SPAN>1. Define SGTs and Policies on DNAC</SPAN><BR style="box-sizing: inherit; color: #1b1c1d; font-family: CiscoSans, sans-serif; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" /><SPAN>2. Deploy, so ISE will get configured by DNAC</SPAN><BR style="box-sizing: inherit; color: #1b1c1d; font-family: CiscoSans, sans-serif; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" /><SPAN>3. ISE will then inform the TrustSec Devices (Fusion/Border/Edges) about a policy change and they will download the new SGTs/Policies</SPAN><BR style="box-sizing: inherit; color: #1b1c1d; font-family: CiscoSans, sans-serif; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" /><BR style="box-sizing: inherit; color: #1b1c1d; font-family: CiscoSans, sans-serif; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" /><SPAN>If you want to use Static SGT Bindings for Subnets/IP Addresses in the background:</SPAN><BR style="box-sizing: inherit; color: #1b1c1d; font-family: CiscoSans, sans-serif; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" /><SPAN>1. Define SGT/Policy on DNAC</SPAN><BR style="box-sizing: inherit; color: #1b1c1d; font-family: CiscoSans, sans-serif; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" /><SPAN>2. Deploy</SPAN><BR style="box-sizing: inherit; color: #1b1c1d; font-family: CiscoSans, sans-serif; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" /><SPAN>3. Configure static IP-SGT Mapping on ISE</SPAN><BR style="box-sizing: inherit; color: #1b1c1d; font-family: CiscoSans, sans-serif; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" /><SPAN>4. TrustSec Devices will download the new SGT and your Devices configured for SXP will download the static IP-SGT Mappings</SPAN></P> Thu, 11 May 2023 01:46:31 GMT https://community.cisco.com/t5/software-defined-access-sd-access/sda-policy-enforcement/m-p/4832933#M2323 Flavio Miranda 2023-05-11T01:46:31Z https://community.cisco.com/t5/software-defined-access-sd-access/sda-policy-enforcement/m-p/4833039#M2326 <P>short addon to what Flavio said:</P> <P>there r 2 places u enforce policies in SDA: 1) SGT-aware Fusion FW - stateful filtering &amp; inspection; 2) FE-layer stateless filtering;</P> <P>in case 1)&nbsp; ensure that FW has proper IP-to-SGT mapping to support rules with both SRC&amp;DST defined as SGTs: with good design u will have SRC SGT embedded in L2-frame , but FW will need to lookup DST SGT for the DST IP of the packet. if FW has subscription to PxGrid on ISE, DST SGT can be obtained from DST endpoint session via PxGrid, otherwise u have to configure IP-to-SGT mappings &amp; propagate it to FW via SXP;</P> <P>in case 2) if u dont have SRC SGT in the VXLAN header (equivalent of Unknown SGT==0) u must have static IP-to-SGT mapping (SXP is a mean basically), or if u dont have DST endpoint assigned SGT locally (by ISE AuthZ during AAA), u have to use either method of IP-to-SGT mapping (like VLAN-to-SGT).</P> Thu, 11 May 2023 07:41:56 GMT https://community.cisco.com/t5/software-defined-access-sd-access/sda-policy-enforcement/m-p/4833039#M2326 Andrii Oliinyk 2023-05-11T07:41:56Z