topic Re: Trustsec and static mappings in Software-Defined Access (SD-Access)

Trustsec and static mappings

KevinR99 — Fri, 01 Sep 2023 19:10:00 GMT

I'm testing Trustsec in my SD Access lab. I can assign 2 ports on edge switches to different groups then apply a policy that blocks pings and it works fine. I'm not authenticating the users so I statically assign an SGT via DNAC when I assign the ports to an address pool.

However, I'm also trying to test securing traffic to an external server that sits in my shared services area which is in the GRT. To get to the server I need to leave my SD Access vrf on a L3 handoff and go through a fusion device where I route leak. So I am trying to apply a policy on my Borders such that I statically designate an IP address to have SGT xx with the commands

cts role-based sgt-map 10.10.10.10 sgt 10

My ISE matrix then blocks my clients in SGT 5 pinging the server in SGT 10. I can see the policy getting to my borders with

show cts role-based permissions

However, the traffic to the external device isn't blocked.

Is it possible to do this and if so what am I missing?

What I want to do is apply an extranet policy to share the INFRA_VN with a customer VN. This works and the traffic doesn't need to go via the Fusion. However, that does not apply any security. It's an all or nothing in that when I designate my INFRA_VN as the provider and my customer VN as the subscriber the customer can get to anything in my INFRA_VN. I want to be able to filter traffic at the Border with an SGT policy. The alternative is I send the customer traffic out via a firewall and back in via the GRT which connects to the INFRA_VN. This works but is inefficient as the traffic hairpins out the fabric borders and back in again.

Thanks for any input, Kev.

Re: Trustsec and static mappings

jalejand — Fri, 01 Sep 2023 19:39:20 GMT

For non extranet scenario (Border enforcing traffic to an external destination) you must enable the following in the Border:

1) cts role-based enforcement

2) cts role-based enforcement vlan-list (L3 handoff VLAN)

3) cts role-based sgt-map vrf (the fabric client VRF) x.x.x.x sgt xxx (This is called static binding and is vrf aware, you can use SXP for dynamic mappings using ISE).

For extranet scenario:

change the vlan list to include the VLAN used in for the L3 handoff in the GRT.

Regards

Re: Trustsec and static mappings

KevinR99 — Sat, 02 Sep 2023 10:31:17 GMT

Excellent, worked a treat.

Thanks for the swift reply, much appreciated.

Kev.

Re: Trustsec and static mappings

KevinR99 — Sun, 03 Sep 2023 12:15:18 GMT

I had a look at the ISE I have in my SDA lab. I would prefer to use this to define and propagate my static mappings. However, when Iook in

Work centers - TrustSec - Components - IP SGT Static Mapping

there is a drop down against the IP address field as if ISE will populate IP addresses. So I can.t define my external fabric IP address.

Is there a licensing or other requirement on ISE to allow me to configure and deploy static SGT mappings ?

Thanks, Kev.

Re: Trustsec and static mappings

KevinR99 — Mon, 11 Sep 2023 10:58:35 GMT

See above

Re: Trustsec and static mappings

KevinR99 — Mon, 11 Sep 2023 10:58:05 GMT

I'm still unable to define static SGT mappings in ISE. My hope was that I could define them there and propagate them to my Borders so that they know what SGT I want external devices to be mapped to. Then I can use that mapping in the trustsec matrix.

When I go to Trustsec - IP SGT static mapping

it offers me a drop down box on the 1st line next to ip address. It's as if it needs to know about a device IP address before I can then statically assign an SGT. What I want to do is tell ISE the IP address and SGT such that it is propagated to my Border via SXP.

Kev.

Re: Trustsec and static mappings

Andrii Oliinyk — Mon, 11 Sep 2023 11:29:48 GMT

Isnt this available for u?

Re: Trustsec and static mappings

KevinR99 — Mon, 11 Sep 2023 18:04:10 GMT

It is available but the IP address field seems to expect values to be available in the drop down menu. When I type in an IP address it won’t accept it and it never allows me to press the save button.

Re: Trustsec and static mappings

Andrii Oliinyk — Mon, 11 Sep 2023 19:23:31 GMT

khm... i'll check it in the lab & feed back

Re: Trustsec and static mappings

Rob Ingram — Mon, 11 Sep 2023 19:57:14 GMT

@KevinR99 You manually add the IP address, there is no drop-down list of pre-populated IP addresses/networks. You can press the save button only once you've added at least the minimum values - IP address, SGT and Send to SXP Domain

Re: Trustsec and static mappings

Andrii Oliinyk — Tue, 12 Sep 2023 06:40:32 GMT

i can confirm: no issues with saving the configuration.

Re: Trustsec and static mappings

KevinR99 — Tue, 12 Sep 2023 08:07:41 GMT

What version of ISE are you using? Mine is 3.0.

There are drop down boxes next to my IP address and Virtual Networks fields but nothing available in them. When I try to type a value it clears as soon as I go to the next field and because I cannot fill in all the fields the save button is never active.

Re: Trustsec and static mappings

Andrii Oliinyk — Tue, 12 Sep 2023 09:11:56 GMT

my SW is 3.2, but i dont think u hit the bug with 3.0 . i also have dropdown but i ignore it & just typing necessary values in the editable area of d/b. u must have the same result as in above images.

Re: Trustsec and static mappings

KevinR99 — Wed, 13 Sep 2023 08:59:59 GMT

Working. When I saw the drop down box I assumed it would populate as I filled in addresses or when I completed an address and moved to the next field my address was accepted. However, as you say, ignore the drop down box but hit return after entering the address and it's accepted. I've then confirmed that the static mappings get propagated to my devices.

Thanks your your input.

Re: Trustsec and static mappings

racarvalho — Tue, 27 Aug 2024 15:46:11 GMT

Hi Jalejand,

I'm trying to enforce traffic to an external destination on the border with an extranet scenario on a Cat9500 with:

cts role-based enforcement
cts role-based enforcement vlan-list 1093 (l3 hanoff vlan of infra_vn)
cts sxp enable
cts sxp default password cisco
cts sxp connection peer <ISE-ADDR> source <Loopback0> password default mode local listener

The SXP connection is ON and "show cts role-based sgt-map" i can see all my static mappings from ISE.

I configured a policy with deny ip from an internal SGT to the static mapping. But "show cts role-based permissions" is empty.

Am i missing something for the extranet scenario?

SDA 2.3.5.5

ISE 3.2p6

IOS-XE 17.9.5

Cheers,