Re: dynamic (via AAA) & static SGT assignment on the port

andy!doesnt!like!uucp · ‎04-20-2023

Hi Gents

what take priority between 2 in subject when both static SGT (L2 port-2-sgt) & AAA configured on the port and onboarding endpoint receive different SGT within AAA session?

Thanks in advance

Greg Gibbs · ‎04-20-2023

See the binding source priority list here:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/cts/b_169_cts_9300_cg/b_169_cts_9300_cg_chapter_01010.html#concept_fx4_nxl_2gb

Dynamic IP/SGT assignments that happen as a result of an ISE AuthZ Policy are mapped as a LOCAL source on the switch.
Static IP/SGT mappings that are pushed from ISE to a switch are mapped as a CLI source.

andy!doesnt!like!uucp · ‎04-20-2023

Hi Greg

there is even extended one Solved: TrustSec SGT Binding Priority - Cisco Community

but can u please point me to where L2-port mapping & RADIUS-mapping are?

1. VLAN—Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured.

2. CLI— Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.

3. Layer 3 Interface—(L3IF) Bindings added due to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports.

4. SXP—Bindings learned from SXP peers.

5. IP_ARP—Bindings learned when tagged ARP packets are received on a CTS capable link.

6. LOCAL—Bindings of authenticated hosts which are learned via EPM and device tracking. This type of binding also include individual hosts that are learned via ARP snooping on L2 [I]PM configured ports.

7. SGT CACHING — Bindings learned through the SGT Caching feature by gleaning the inline SGT in the packet.

8. INTERNAL—Bindings between locally configured IP addresses and the device own SGT.

andy!doesnt!like!uucp · ‎04-22-2023

i tend to think that AAA-assigned SGT falls under 6. But where does static port-to-sgt belong to?

Greg Gibbs · ‎04-25-2023

If you're talking about statically configuring a Port-SGT mapping using the 'cts manual' command, any IP/SGT binding learned ingress on that port would also be mapped as a LOCAL source.

Example:

interface GigabitEthernet1/0/22
cts manual 
 policy static sgt 5

There would be no prioritisation between a LOCAL mapped dynamic IP/SGT binding (ISE/AAA server) and a LOCAL mapped Port-SGT binding as mab/dot1x cannot be configured on a switchport that is configured for 'cts manual'. The switch will throw an error if you attempt to configure both.

Example:

sw5(config-if)#mab
Command rejected (GigabitEthernet1/0/22): Conflict with CTS.
CTS must be disabled first

andy!doesnt!like!uucp · ‎04-27-2023

tnx Greg

i've heard that IBNS2.0+3CPL changes this behaviour somehow... no idea how as had no chances to test

Greg Gibbs · ‎04-27-2023

I'm not sure what change you would be referring to. The output I shared earlier was pulled from my Cat9300 that is configured using IBNS 2.0 (3CPL) framework. The configuration I use on the switch is very similar to what would be pushed by DNAC in an SDA environment.