Default Route SGT

rezaalikhani
Spotlight

Hi all;

Based on the following discussion, we can assign 0.0.0.0/0 to SGT Unknown (0/0000) for Internet traffic (any traffic that does not have any explicit assignment):

https://community.cisco.com/t5/network-access-control/using-sgt-which-sgt-should-i-use-for-internet-access/m-p/4852576#M582168

[screenshot: rezaalikhani_0-1708610577050.png]

But after clicking on the Save button above:

[screenshot: SGT1.png]

[screenshot: SGT2.png]

As you can see above, immediately the SXP connection drops. But, the weird thing is that ISE does not have any refresh for the connection:

[screenshot: rezaalikhani_1-1708611073647.png]

After I remove the IP SGT Mapping from ISE, everything works as expected before this SGT addition.

I am using ISE 3.2 with Patch 5 and the TrustSec device is CSR1000v 17.03.05

Any ideas?

Thanks

Accepted Solution

The inner operation of Default Route SGT is discussed in the "Advanced Security Group Tags (SGT)" Cisco Live 2020 session:

[screenshot: rezaalikhani_0-1708795595573.png]

As observed above, the decision not to propagate the Default Route SGT is by design, and the SXP connection disruption with ISE resolved automatically when I rebooted ISE!

[screenshot: rezaalikhani_1-1708795853165.png]

Another lesson learned is that the only supported method for configuring Default Route SGT is through static configuration on the edge device.


5 Replies

andrewswanson
Level 7

That community thread was dealing with an Edge ASA, not an internal router/switch

I'm assuming that your CSR1000v doesn't have an SGT assignment (show cts role-based sgt-map all) for the ISE IP address. In that case, if the CSR1000v learns the 0.0.0.0/0 unknown SGT from ISE via SXP, then the CSR1000v will enforce your SGACL policy for unknown traffic on the traffic destined to ISE (as its SGT isn't known on the CSR1000v)

hth
Andy

Thanks for your reply;

> That community thread was dealing with an Edge ASA, not an internal router/switch


Yes, I know. Suppose I want to restrict the Internet traffic at the edge of the network using that CSR1000v router. Although, as you suggested, I deployed that specific SGT to my ASAv, with some interesting results:

1. Like the CSR1000v, the ASAv does not show the Unknown TAG.

2. Unlike CSR1000v, it does not drop the SXP connection.

> In that case, if the CSR1000v learns the 0.0.0.0/0 unknown SGT from ISE via SXP, then the CSR1000v will enforce your SGACL policy for unknown traffic on the traffic destined to ISE (as its SGT isn't known on the CSR1000v)


I have not deployed SGACL yet and it applies with its default condition as Permit anything.

What do you think?


andrewswanson
Level 7

It could be worth configuring an explicit permit any to unknown in ISE to see if the SXP connection from CSR still drops when it has a SGACL explicitly permitting the traffic.

hth

Andy
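The reasoning in Andy's two replies (a 0.0.0.0/0 -> Unknown mapping learned over SXP makes the destination SGT of any address without a more specific mapping, ISE's included, resolve to Unknown, so whatever SGACL cell covers "-> Unknown" is what gets enforced) can be checked with a small model of the IP-to-SGT longest-prefix lookup and the SGACL matrix lookup. The code below is an added example written for this thread; it is not Cisco code and not the poster's configuration, and every address, SGT number and matrix cell in it is a constructed, hypothetical value. It deliberately simplifies real IOS-XE behaviour to the two lookups being discussed.

```python
from ipaddress import ip_address, ip_network

SGT_UNKNOWN = 0  # TrustSec reserves SGT 0 for "Unknown"

# Constructed IP-to-SGT mappings (hypothetical prefixes and SGT numbers),
# shaped like the entries a device would learn via SXP or static config.
MAPPINGS_NO_DEFAULT = [
    ("10.1.0.0/16", 10),   # hypothetical "Employees" SGT
    ("10.2.0.0/16", 11),   # hypothetical "Contractors" SGT
]
# The situation in the thread: ISE additionally pushes 0.0.0.0/0 -> Unknown.
MAPPINGS_WITH_DEFAULT = MAPPINGS_NO_DEFAULT + [("0.0.0.0/0", SGT_UNKNOWN)]
# Andy's first check: does the device hold a mapping for the ISE address?
ISE_IP = "198.51.100.10"  # constructed documentation address standing in for ISE
MAPPINGS_WITH_ISE = MAPPINGS_WITH_DEFAULT + [(ISE_IP + "/32", 30)]  # hypothetical ISE SGT 30


def lookup_sgt(ip, mappings):
    """Longest-prefix match of `ip` against (prefix, sgt) mappings.

    Returns the SGT of the most specific matching prefix, or SGT_UNKNOWN when
    no prefix matches (a simplified model of what 'show cts role-based
    sgt-map all' would resolve an address to).
    """
    addr = ip_address(ip)
    best_len, best_sgt = -1, SGT_UNKNOWN
    for prefix, sgt in mappings:
        net = ip_network(prefix, strict=False)
        if addr in net and net.prefixlen > best_len:
            best_len, best_sgt = net.prefixlen, sgt
    return best_sgt


def sgacl_action(src_sgt, dst_sgt, matrix, default_action="permit"):
    """Return the SGACL verdict for a (source SGT, destination SGT) cell.

    A specific cell wins; otherwise an ("any", dst) wildcard cell applies;
    otherwise the default policy, which the thread says is still "permit"
    because no SGACL has been deployed yet.
    """
    if (src_sgt, dst_sgt) in matrix:
        return matrix[(src_sgt, dst_sgt)]
    return matrix.get(("any", dst_sgt), default_action)


def classify_flow(src_ip, dst_ip, mappings, matrix, default_action="permit"):
    """Resolve both endpoints to SGTs and return (src_sgt, dst_sgt, verdict)."""
    src = lookup_sgt(src_ip, mappings)
    dst = lookup_sgt(dst_ip, mappings)
    return src, dst, sgacl_action(src, dst, matrix, default_action)


# Hypothetical matrices: an "Internet restriction" that denies Employees -> Unknown,
# and the explicit "permit any -> Unknown" cell Andy suggests as a test.
MATRIX_DENY_TO_UNKNOWN = {(10, SGT_UNKNOWN): "deny"}
MATRIX_PERMIT_ANY_TO_UNKNOWN = {("any", SGT_UNKNOWN): "permit"}

if __name__ == "__main__":
    employee = "10.1.5.5"  # constructed host inside the hypothetical Employees prefix
    cases = [
        ("no default mapping, deny->Unknown", MAPPINGS_NO_DEFAULT, MATRIX_DENY_TO_UNKNOWN),
        ("0.0.0.0/0->Unknown learned, deny->Unknown", MAPPINGS_WITH_DEFAULT, MATRIX_DENY_TO_UNKNOWN),
        ("0.0.0.0/0->Unknown learned, permit any->Unknown", MAPPINGS_WITH_DEFAULT, MATRIX_PERMIT_ANY_TO_UNKNOWN),
        ("explicit /32 for ISE added, deny->Unknown", MAPPINGS_WITH_ISE, MATRIX_DENY_TO_UNKNOWN),
    ]
    for label, mappings, matrix in cases:
        print(f"{label}: {classify_flow(employee, ISE_IP, mappings, matrix)}")
```

The model shows the check a practitioner would run before pushing a catch-all mapping: if the ISE address resolves to Unknown, any "-> Unknown" deny cell applies to traffic towards ISE, and either a more specific mapping for ISE or an explicit permit cell changes the verdict.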

Thanks for your reply;

I did as you recommended, but with the same result. Another concern is that the ASA downloads all the mappings except the Unknown mapping with the related 0.0.0.0/0 subnet...

Any ideas?
