topic Re: Trustsec Enforcement in Software-Defined Access (SD-Access)

Trustsec Enforcement

Inq_J — Thu, 23 Apr 2026 14:22:07 GMT

Hello all:

Looking for some assistance with trustsec enforcement within a Cisco SDA fabric, and the best place for policy enforcement for devices external to my SDA fabric.

I have configured Group Based access control setup in catalyst center. Trustsec matrix is pushed to ISE via PXGRID. I currently have 5 VNs (VRF's). Anything in software defined works fine from a allow/deny/sgacl perspective. My question, is it possible to have SGT mappings for devices in my datacenter (external to SDA border), mapped into fabric edge nodes? I know I can configure/map SGT mappings and push them to a device from ISE, but I end up seeing those mappings in the GRT/VRF/VN so systems that authenticate into a specific VN will never hit anything but "unknown" from the policy map perspective. See role-based counters below (0 to 0 = unknown) which is where all my counters are incrementing.

show cts role-based counters:
Role-based IPv4 counters
From To SW-Denied HW-Denied SW-Permitt HW-Permitt SW-Monitor HW-Monitor
* * 0 0 0 4758 0 0
0 0 0 0 42354155 149440605 0 0
2 0 0 0 0 0 0 0
3 0 0 0 0 81 0 0
4 0 0 0 0 0 0 0
5 0 0 0 0 0 0 0
6 0 0 0 0 0 0 0
7 0 0 0 0 0 0 0
8 0 0 0 0 0 0 0
9 0 0 0 0 0 0 0
10 0 0 0 0 0 0 0
11 0 0 0 0 0 0 0
12 0 0 0 0 0 0 0
13 0 0 0 0 0 0 0
14 0 0 0 0 0 0 0
15 0 0 0 0 0 0 0
16 0 0 0 0 0 0 0
17 0 0 0 0 0 0 0
18 0 0 0 0 0 0 0
19 0 0 0 0 23379 0 0
Any help is appreciated.

Thanks!

Re: Trustsec Enforcement

Andrii Oliinyk — Thu, 23 Apr 2026 15:38:25 GMT

Hej
basically, u dont need to have IP-to-SGT mappings on the ENs. Only tables ENs need are SGACLs (those are delivered to ENs from ISE). from other hand, IP-to-SGT mappings are needed on the BNs to insert SRC SGT to VXLAN headers of the packets destined to ENs & also to enforce CTS RBAC policies on egrress from Fabric site. SXP is used for this with speakers on SXP reflectors or directly on ISE (not scalable). Effectively, if u can see IP-to-SGT mappings for external prefixes/hosts on BNs enforcement must work as defined on CatC or ISE. check if u didnt miss anything in this simplified process.

Re: Trustsec Enforcement

Inq_J — Fri, 24 Apr 2026 12:04:19 GMT

Our environment (simplified) looks like Edge nodes ---> Intermediate Nodes (Underlay/routing) ----> External border nodes ----> Fusion Routers ------> Core:

We're not doing any BGP route leaking at our fusions, we opted to hairpin inter-VN traffic at our core switch. Please define IP-to-SGT mappings are needed on border nodes (which border, external border nodes, or fusion routers). My goal was to try to not have to allow traffic to "unknown" for many of my fabric networks. We have closed networks that we don't allow out to the internet, and it would be nice to be able to remove the "unknown" SGT, but because from the fabric edge, IP-SGT mappings aren't learned , I have to allow traffic to "unknown", and handle policy enforcement elsewhere.

Re: Trustsec Enforcement

Andrii Oliinyk — Fri, 24 Apr 2026 13:24:56 GMT

look, u better incorporate learning of SGT-to-IP mapping on the BNs. with this u'll achieve 2 goals: allow BN to enforce GBAC policies on egress from Fabric site & provision VXLAN packets with target SGTs when those are sent to ENs. u also can do it on FNs or even Cores if u propagate SGTs downward to BNs & in reverse direction. But this is more complicated as u need to manually configure interlinks to carry CMD information along the packets flows & ensure all nodes (BN, FN, Core) handover SGTs from ingress to egress. Unless your CatC-ISE integration not migrated to CatC's "master" role, u define mappings on CatC & they will be propagated to ISE. From the ISE they can be delivered in either SXP or over the REST to BNs.
Last but not least, whitelisting GBAC enforcement will block all Unknown (effectively SGT=0|Absent) IPs. U must be extremely precaution in doing this. I was witness to cases when customer disrupted critical applications by blocking Unknow participants of flows.

Re: Trustsec Enforcement

Inq_J — Fri, 24 Apr 2026 14:53:02 GMT

Thank you, much appreciated. Will look at implementing at my external border nodes.

Re: Trustsec Enforcement

Andrii Oliinyk — Fri, 24 Apr 2026 19:08:06 GMT

@ your service) as a quick followup: i dont remember that CatC provided any workflows for SXP|OtREST mappings distribution. Most likely u'll need to do it with day-N templates for BNs.