if we need to apply policy between users at fabric and data center servers and need to enforce this policy at fusion router or fusion switch so we will do inline tagging between border and fusion to make fusion learn source SGT and do static ip-to-sgt mapping at ISE and use SXP to transfer the servers SGT from ISE to fusion,so the question is the policy itself will be written at the DNAC or at ISE or we should write it manually at the fusion router/switch and if the fusion is firewall so what should be the case.
Solved! Go to Solution.
I do not recommend writing TrustSec SGACL policy manually on the fusion router or anywhere for that matter. If DNAC and ISE are integrated, write the policy in DNAC and it will be pushed to ISE. The fusion router will download the SGACLs from ISE where the TrustSec policy is held.
Thanks Damien for your reply but the fusion is not part of the fabric so we should add the fusion to ISE to be able to download the policy from ISE is that right?
One option will be to just copy and paste the Fabric Switches AAA Config / CTS Config + one additionals Command in Enabled Mode to generate the PAC:
switch# cts credentials id <same ID as in ISE> password <key-1>
But I think I got every additional CTS config in here:
!--- Additional AAA/Radius Config ---! aaa group server radius <your-network-radius-group> server name <radius-server1> ip radius source-interface <interface> ! aaa authorization network <your-cts-list> group <your-network-radius-group> ! cts authorization list <your-cts-list> ! radius server <radius-server1> address ipv4 <ip> auth-port 1812 acct-port 1813 timeout 4 retransmit 3 pac key <key-1> ! !--- Generate PAC Key ---!
end cts credentials id <same ID as in ISE> password <key-1>
3. Configure the SXP Peering between Fusion and ISE for every VRF/VN so you will be ablte to make static IP-SGT Bindings
Config on Device (you also have to Configure ISE for that):
!--- SXP Peering with Cisco ISE ---! cts sxp enable cts sxp default password <password> cts sxp connection peer <ise-psn-ip> [ source src-ipv4-addr ] password [ default | none ] mode local listener [ vrf vrf-name ]
4. Set up Inline Tagging between Border and Fusion
5. If your CTS Environment works enable CTS Enforcement:
!--- Enable the SGT Enforcement / will be enabled on every L3 Interface by default---! cts role-based enforcement cts role-based enforcement vlan-list <vlans>
Many thanks Benjamin this is helpful for me and now we can write the policy itself at DNAC then DNAC push it to ISE then the fusion router will download the policy from ISE,so this work flow is right please confirm.