dynamic (via AAA) & static SGT assignment on the port
04-20-2023 03:11 AM - edited 04-22-2023 08:30 AM
Hi Gents
Which takes priority between the two in the subject when both a static SGT (L2 port-to-SGT) and AAA are configured on the port, and the onboarding endpoint receives a different SGT within the AAA session?
Thanks in advance
Labels: AAA

04-20-2023 08:20 PM
See the binding source priority list here:
Dynamic IP/SGT assignments that happen as a result of an ISE AuthZ Policy are mapped as a LOCAL source on the switch.
Static IP/SGT mappings that are pushed from ISE to a switch are mapped as a CLI source.
04-20-2023 10:32 PM - edited 04-22-2023 08:15 AM
Hi Greg
There is an even more extended one: Solved: TrustSec SGT Binding Priority - Cisco Community
But can you please point me to where the L2 port mapping and RADIUS mapping are?
1. VLAN—Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured.
2. CLI— Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.
3. Layer 3 Interface—(L3IF) Bindings added due to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports.
4. SXP—Bindings learned from SXP peers.
5. IP_ARP—Bindings learned when tagged ARP packets are received on a CTS capable link.
6. LOCAL—Bindings of authenticated hosts which are learned via EPM and device tracking. This type of binding also includes individual hosts that are learned via ARP snooping on L2 [I]PM configured ports.
7. SGT CACHING — Bindings learned through the SGT Caching feature by gleaning the inline SGT in the packet.
8. INTERNAL—Bindings between locally configured IP addresses and the device's own SGT.
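As an added worked example (not part of this thread and not Cisco code), the script below applies the binding-source list quoted above, together with the earlier reply's point that ISE AuthZ bindings show up as LOCAL and ISE-pushed static IP/SGT mappings as CLI, to a set of competing bindings for the same IP. It assumes the list is in ascending priority, as the TrustSec configuration guide words it ("from lowest to highest"), so a source later in the list beats an earlier one; the source names follow the Source column of `show cts role-based sgt-map`, and the sample table is constructed, since the switch itself only ever displays the winner per IP.

```python
"""Added example, not from the thread or from Cisco: pick the winning
IP-to-SGT binding when several sources claim the same address, using the
source order quoted in the post above.

Assumption: the list is in ascending priority (the TrustSec configuration
guide words it "from lowest to highest"), so a source later in the list
beats an earlier one. The sample table below is constructed, not captured.
"""
import ipaddress
from collections import defaultdict

# Source names in the order of the post's list; list position is the rank.
# "L3IF" and "CACHING" are the short forms the Source column uses.
SOURCE_ORDER = ["VLAN", "CLI", "L3IF", "SXP", "IP_ARP", "LOCAL", "CACHING", "INTERNAL"]
SOURCE_RANK = {name: rank for rank, name in enumerate(SOURCE_ORDER)}

# Constructed sample (not real switch output): what several sources would
# each offer for the same IPs before the switch resolves the conflict.
SAMPLE_BINDINGS = """\
IP Address              SGT         Source
============================================
10.1.20.7               10          SXP
10.1.20.7               5           LOCAL
10.1.20.7               17          CLI
10.1.20.9               20          SXP
10.1.20.9               17          CLI
10.1.20.254             2           INTERNAL
"""


def parse_bindings(text):
    """Return (ip, sgt, source) tuples from sgt-map style lines.

    Header, separator and summary lines are skipped because their first
    column does not parse as an IP address or they lack three columns.
    """
    bindings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
            sgt = int(parts[1])
        except ValueError:
            continue
        source = parts[2].upper()
        if source not in SOURCE_RANK:
            raise ValueError(f"unknown binding source {source!r} for {ip}")
        bindings.append((ip, sgt, source))
    return bindings


def resolve_bindings(text):
    """Map each IP to the (sgt, source) of its highest-ranked binding."""
    candidates = defaultdict(list)
    for ip, sgt, source in parse_bindings(text):
        candidates[ip].append((sgt, source))
    return {
        ip: max(options, key=lambda option: SOURCE_RANK[option[1]])
        for ip, options in candidates.items()
    }


if __name__ == "__main__":
    for ip, (sgt, source) in sorted(resolve_bindings(SAMPLE_BINDINGS).items()):
        print(f"{ip:<16} SGT {sgt:<4} via {source}")
```

With the sample input, 10.1.20.7 resolves to SGT 5 via LOCAL: the dynamic AuthZ result beats both the SXP-learned tag and the ISE-pushed static (CLI) mapping, which is the practical answer to the question in the thread for the IP/SGT case. The `ValueError` on an unknown source name is deliberate, so that a platform that prints a source string not covered by the post's list is noticed rather than silently ranked.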
04-22-2023 08:33 AM
I tend to think that an AAA-assigned SGT falls under 6. But where does static port-to-SGT belong?

04-25-2023 03:14 PM
If you're talking about statically configuring a Port-SGT mapping using the 'cts manual' command, any IP/SGT binding learned ingress on that port would also be mapped as a LOCAL source.
Example:
interface GigabitEthernet1/0/22
cts manual
policy static sgt 5
There would be no prioritisation between a LOCAL mapped dynamic IP/SGT binding (ISE/AAA server) and a LOCAL mapped Port-SGT binding as mab/dot1x cannot be configured on a switchport that is configured for 'cts manual'. The switch will throw an error if you attempt to configure both.
Example:
sw5(config-if)#mab
Command rejected (GigabitEthernet1/0/22): Conflict with CTS.
CTS must be disabled first
04-27-2023 11:29 AM - edited 04-27-2023 12:49 PM
Thanks Greg
I've heard that IBNS 2.0 + C3PL changes this behaviour somehow... no idea how, as I had no chance to test.

04-27-2023 06:22 PM
I'm not sure what change you would be referring to. The output I shared earlier was pulled from my Cat9300 that is configured using the IBNS 2.0 (C3PL) framework. The configuration I use on the switch is very similar to what would be pushed by DNAC in an SDA environment.
