Mohamed Haleem
Beginner

SDA Fusion Router Policy Enforcement

If we need to apply policy between users in the fabric and data center servers, and need to enforce this policy at the fusion router or fusion switch, we will do inline tagging between border and fusion so the fusion learns the source SGT, do static IP-to-SGT mapping at ISE, and use SXP to transfer the servers' SGTs from ISE to the fusion. So the question is: will the policy itself be written at DNAC or at ISE, or should we write it manually at the fusion router/switch? And if the fusion is a firewall, what should be the case?


5 REPLIES
Damien Miller
VIP Advisor

I do not recommend writing TrustSec SGACL policy manually on the fusion router or anywhere for that matter. If DNAC and ISE are integrated, write the policy in DNAC and it will be pushed to ISE. The fusion router will download the SGACLs from ISE where the TrustSec policy is held. 

Thanks Damien for your reply, but the fusion is not part of the fabric, so we should add the fusion to ISE to be able to download the policy from ISE. Is that right?

Hi,

1. Add the Fusion Router/Switch as a NAD in ISE and make sure to set the TrustSec parameters (ID + password).
2. Configure the device for TrustSec:

Helpful guide:

One option is to just copy and paste the fabric switches' AAA config / CTS config plus one additional command in enable mode to generate the PAC:

switch# cts credentials id <same ID as in ISE> password <key-1>

But I think I got every additional CTS config in here:

!--- Additional AAA/Radius Config ---!
aaa group server radius <your-network-radius-group>
 server name <radius-server1>
 ip radius source-interface <interface>
!
aaa authorization network <your-cts-list> group <your-network-radius-group>
!
cts authorization list <your-cts-list>
!
radius server <radius-server1>
 address ipv4 <ip> auth-port 1812 acct-port 1813
 timeout 4
 retransmit 3
 pac key <key-1>
!
!--- Generate PAC Key (run from enable mode, after leaving config mode) ---!
end
cts credentials id <same ID as in ISE> password <key-1>

3. Configure the SXP peering between Fusion and ISE for every VRF/VN so you will be able to make static IP-SGT bindings.

Config on device (you also have to configure ISE for that):

!--- SXP Peering with Cisco ISE ---!
cts sxp enable
cts sxp default password <password>
cts sxp connection peer <ise-psn-ip> [ source src-ipv4-addr ] password [ default | none ] mode local listener [ vrf vrf-name ]

4. Set up inline tagging between Border and Fusion.

5. If your CTS environment works, enable CTS enforcement:

!--- Enable the SGT Enforcement / will be enabled on every L3 Interface by default ---!
cts role-based enforcement
cts role-based enforcement vlan-list <vlans>

.:|:..:|:.Please rate helpful posts.:|:..:|:.

Many thanks Benjamin, this is helpful for me. So now we can write the policy itself at DNAC, then DNAC pushes it to ISE, then the fusion router downloads the policy from ISE. Is this workflow right? Please confirm.

Yes, that's right.
1. Define SGTs and Policies on DNAC
2. Deploy, so ISE will get configured by DNAC
3. ISE will then inform the TrustSec Devices (Fusion/Border/Edges) about a policy change and they will download the new SGTs/Policies

If you want to use Static SGT Bindings for Subnets/IP Addresses in the background:
1. Define SGT/Policy on DNAC
2. Deploy
3. Configure static IP-SGT Mapping on ISE
4. TrustSec Devices will download the new SGT and your Devices configured for SXP will download the static IP-SGT Mappings


.:|:..:|:.Please rate helpful posts.:|:..:|:.
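To make the enforcement path described in this thread concrete, here is an added Python example (not code from the thread, from Cisco, or from any of the posters) that simulates what the fusion device does with the pieces discussed above: the source SGT arrives in the inline tag from the border, the destination SGT is resolved from the static IP-to-SGT bindings that SXP delivers from ISE (longest prefix wins, as on the device), and the (source SGT, destination SGT) cell of the matrix is evaluated. All SGT numbers, names, prefixes, policy cells and the "permit" matrix default are constructed assumptions for this example. It also shows the check worth running once SXP is up: any server with no binding resolves to the Unknown SGT and silently gets the matrix default instead of the cell you wrote in DNAC.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# --- Constructed data (not from the thread) ---------------------------------
# Destination bindings as the fusion device would hold them after SXP from ISE:
# static IP-to-SGT mappings for data centre prefixes. SGT numbers/names are made up.
SXP_BINDINGS: Dict[str, int] = {
    "10.20.0.0/16": 30,   # hypothetical SGT 30 "DC_Servers"
    "10.20.5.0/24": 31,   # hypothetical SGT 31 "DC_Database" (more specific)
    "10.20.5.10/32": 32,  # hypothetical SGT 32 "DC_Backup" (host binding)
}

# Policy matrix cell (source SGT, destination SGT) -> ordered SGACL entries.
# Each entry is (action, protocol, destination port); protocol "ip" matches all.
# These cells stand in for what DNAC defines and ISE pushes to the device.
POLICY: Dict[Tuple[int, int], List[Tuple[str, str, Optional[int]]]] = {
    (10, 30): [("permit", "tcp", 443), ("deny", "ip", None)],  # Employees -> DC_Servers
    (10, 31): [("deny", "ip", None)],                          # Employees -> DC_Database
    (20, 30): [("deny", "ip", None)],                          # Contractors -> DC_Servers
}
UNKNOWN_SGT = 0
DEFAULT_ACTION = "permit"  # matrix default for cells with no SGACL (assumed for this example)


def resolve_sgt(dst_ip: str, bindings: Dict[str, int] = SXP_BINDINGS) -> int:
    """Longest-prefix match of a destination IP against the binding table.
    Returns UNKNOWN_SGT (0) when no binding covers the address."""
    addr = ipaddress.ip_address(dst_ip)
    best_net = None
    best_sgt = UNKNOWN_SGT
    for prefix, sgt in bindings.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_sgt = net, sgt
    return best_sgt


def decide(src_sgt: int, dst_ip: str, protocol: str, dst_port: Optional[int] = None,
           policy=POLICY, bindings=SXP_BINDINGS) -> Tuple[str, int]:
    """Simulate enforcement: source SGT comes from the inline tag, destination SGT
    from the SXP binding, then the matrix cell is evaluated top to bottom.
    Returns (action, destination SGT)."""
    dst_sgt = resolve_sgt(dst_ip, bindings)
    entries = policy.get((src_sgt, dst_sgt))
    if entries is None:
        return DEFAULT_ACTION, dst_sgt
    for action, proto, port in entries:
        if proto != "ip" and proto != protocol:
            continue
        if port is not None and port != dst_port:
            continue
        return action, dst_sgt
    return DEFAULT_ACTION, dst_sgt  # no entry matched; assumed fallback for this example


def unmapped_destinations(ips: List[str], bindings: Dict[str, int] = SXP_BINDINGS) -> List[str]:
    """Servers with no binding resolve to the Unknown SGT and get the matrix default
    instead of the intended cell; listing them is the check to run after SXP is up."""
    return [ip for ip in ips if resolve_sgt(ip, bindings) == UNKNOWN_SGT]


if __name__ == "__main__":
    for src, ip, proto, port in [(10, "10.20.9.1", "tcp", 443), (10, "10.20.9.1", "tcp", 22),
                                 (10, "10.20.5.7", "tcp", 443), (10, "10.99.0.1", "tcp", 22)]:
        action, dst_sgt = decide(src, ip, proto, port)
        print(f"SGT {src} -> {ip} (SGT {dst_sgt}) {proto}/{port}: {action}")
    print("unmapped:", unmapped_destinations(["10.20.9.1", "10.99.0.1"]))
```

The host binding for 10.20.5.10 overrides the /24 and /16 bindings, which is why a more specific static mapping on ISE changes which cell applies; the last case shows the failure mode of a server subnet that was never mapped, which lands in the (10, 0) cell and is handled by the default rather than by any policy written in DNAC.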