topic Re: Cisco SDA edge switch hooked to another switch in Software-Defined Access (SD-Access)

Cisco SDA edge switch hooked to another switch

michael-w — Mon, 16 Dec 2024 19:29:13 GMT

In our SDA deployment we have a cisco 9300 fabric edge switch which is connected to a stratix 5700. The stratix port is an access layer port and we have STP BPDU guard and filter disabled. With the ISE policies configured on the port we see the MACs show up in ISE, but we cannot ping the devices hooked to the stratix or the stratix itself and they do not show in the arp table of the 9300. Once the policies are disabled on the 9300 port then we are able to ping. Is there a way to enforce SGT assignment in this design where end devices are behind another switch?

Re: Cisco SDA edge switch hooked to another switch

michael-w — Mon, 16 Dec 2024 19:33:18 GMT

Replied to wrong thread on this board, still need the above answered.

Re: Cisco SDA edge switch hooked to another switch

Torbjørn — Mon, 16 Dec 2024 19:43:18 GMT

SGACLs are evaluated on egress based on the tag set on ingress. In the setup you are describing there is no way to extend the policy enforcement to the stratix switch, but you should be able to set a static SGT on your edge node access port and use that for all devices attached to the stratix switch.

Re: Cisco SDA edge switch hooked to another switch

michael-w — Mon, 16 Dec 2024 19:54:39 GMT

Is there a way to enforce this from ISE?

Re: Cisco SDA edge switch hooked to another switch

Flavio Miranda — Mon, 16 Dec 2024 20:30:56 GMT

@michael-w

It seems Stratix switch support "Security Group Tag Exchange Protocol (SXP)". Have you tried to add this device on ISE and apply SGT on it?

https://literature.rockwellautomation.com/idc/groups/literature/documents/um/1783-um012_-en-p.pdf

https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/5-1/Network_Security/DIG/CPwE-5-1-NetworkSecurity-DIG.pdf

Re: Cisco SDA edge switch hooked to another switch

michael-w — Mon, 16 Dec 2024 20:38:18 GMT

Thank you @flavio from reviewing your rockwell link provided, it appears that the 5800 is the only one supported. We have a 5700 in place currently, we do have some 5200's but they were not slated to be used for this project.
From the doc you provided:
TrustSec is only supported on catalog numbers 1783-MMS10AR, 1783-MMS10EAR,
1783-MMX8EA, 1783-MMX8TA, 1783-MMX8SA

Those line up to the 5800's.

Re: Cisco SDA edge switch hooked to another switch

Flavio Miranda — Mon, 16 Dec 2024 20:41:48 GMT

Indeed, I missed that.

Re: Cisco SDA edge switch hooked to another switch

Torbjørn — Mon, 16 Dec 2024 22:05:01 GMT

In the configuration I described the policy will be enforced on the SDA edge node like any other traffic in the fabric. It will not require any additional configuration of ISE outside of what you do for the policy in the SDA fabric.

Re: Cisco SDA edge switch hooked to another switch

Andrii Oliinyk — Tue, 17 Dec 2024 05:49:40 GMT

u didnt declare how your stratix is connected to C9300 EN. Assuming it's access (untagged) interface in arbitrary VLAN just follow what @Torbjørn told u: onboard the stratix as user endhost with static SGT. Otherwise if the interface is .1q trunk with multiple VLAN u still may create static IP- or VLAN-to-SGT entries on the EdgeNode with stratix attached.
cheers

Re: Cisco SDA edge switch hooked to another switch

michael-w — Tue, 17 Dec 2024 12:36:44 GMT

Thanks, 9300 port is an access port same as the stratix port.

Re: Cisco SDA edge switch hooked to another switch

michael-w — Tue, 17 Dec 2024 12:38:50 GMT

Thank you @Torbjørn what I should have said was, is there a way to push this configuration from ISE instead of manually doing it at the edge switch?

Re: Cisco SDA edge switch hooked to another switch

Torbjørn — Tue, 17 Dec 2024 13:18:46 GMT

No this needs to be set on the switchport. Preferably configured as a static port under host onboarding in your fabric on Cat-C.

Re: Cisco SDA edge switch hooked to another switch

Andrii Oliinyk — Tue, 17 Dec 2024 13:20:21 GMT

it still should be possible, but i'm not sure DOT1X will work with this setup. but MAB must work with standard policy (i'd say it would be policy-map PMAP_DefaultWiredDot1xClosedAuth_MAB_1X instead of PMAP_DefaultWiredDot1xClosedAuth_1X_MAB).
u need MACs behind the port on the C9300 to be AuthZ'ed (with needed SGTs returned in AccessAccept) on the ISE in proper manner. If u do stuff properly connectivity has to be in place.

Re: Cisco SDA edge switch hooked to another switch

michael-w — Thu, 19 Dec 2024 13:04:41 GMT

I wanted to follow back up on this in case anyone else has this situation. We were trying to minimize the configuration on the stratix side, but we changed the ports to trunks on our side and the stratix side. We made the native vlan to match the vlan we were using for our VN and we were then able to apply SGTs based on the MACs of devices behind the stratix without applying policy manually at the port level. We tested having 2 different SGTs applied to 2 different devices behind the stratix successfully. Of course they can intercommunicate within the stratix but once it hits our edge switch port it applies separate SGT policies.

Re: Cisco SDA edge switch hooked to another switch

Andrii Oliinyk — Thu, 19 Dec 2024 14:26:02 GMT

could u pls clarify:
1) did u remove AAA from the port on EdgeNode? i'd assume u did as interface get transitioned to trunk.
2) do u assign SGTs on the stratix via AAA with ISE or ...?