01-17-2023 08:32 AM
Hi,
I need to clarify something with SGT Policies.
We have a SD-Access network, with 4 ISE (2 PAN/MNT and 2 PSN) and DNAC.
SGT and Policies are configured in DNAC and then Pushed to ISE.
From what I can see the switches look to have the SGT policies, but for some reason when we change a Policy the switches do not get it (until we wait for the refresh period ~1day) or if we initiate a refresh from the switch. Our PANs are on a dedicated network not accessible from the NADs.
My questions are,
Is it the PAN which pushes the SGT Policies to NADs or the PSN?
Is it possible that the PSN pushes the changes? (Or is it mandatory to be the PAN?)
Regards
01-17-2023 02:39 PM
It depends on how you have it configured. As you already pointed out, the policy refresh doesn't happen automatically but rather on the refresh interval the switch is configured for. The default configuration on the NAD config is 1 day for each value, and the PAN being the provider of the information/policies.
The "send from" field will list all nodes in your deployment, you would edit this to reflect the PSN you want providing the update notification on a per NAD basis. If you change the CoA source, then you need to ensure the switch is configured to accept a CoA for the new node.
If you wish to manually request devices update their policies after you have made a matrix/policy change, then you can do so from the dashboard notifications drop down.