Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
612
Views
10
Helpful
1
Replies

How SGT policies are pushed from ISE to NADs?

Go to solution
REJR77
Level 1
Level 1

‎01-17-2023 08:32 AM

Hi,

I need to clarify somrthinh with SGT Policies.
We have a SD-Access network, with 4 ISE (2 PAN/MNT and 2 PSN) and DNAC.
SGT and Policies are configured in DNAC and then Pushed to ISE.

From what I can see the switches look to have the SGT policies but for some reason when we change a Policy the switches do not get it (until we wait for the refresh period ~1day) or if we initiate a refresh from the switch. Our PAN are on a dedicated network not accessible from the NADs

My questions are,

Is it the PAN which pushes the SGT Policies to NADs or the PSN?
Is it possible that the PSN pushes the changes? (or it mandatory to be the PAN?)

Regards

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎01-17-2023 02:39 PM

It depends on how you have it configured. As you already pointed out, the policy refresh doesn't happen automatically but rather on the refresh interval the switch is configured for. The default configuration on the NAD config is 1 day for each value, and the PAN being the provider of the information/policies. 
The "send from" field will list all nodes in your deployment, you would edit this to reflect the PSN you want providing the update notification on a per NAD basis. If you change the CoA source, then you need to ensure the switch is configured to accept a CoA for the new node. 
nad-config.png

If you wish to manually request devices update their policies after you have made a matrix/policy change, then you can do so from the dashboard notifications drop down. 

push.png

View solution in original post

1 Reply 1

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎01-17-2023 02:39 PM

It depends on how you have it configured. As you already pointed out, the policy refresh doesn't happen automatically but rather on the refresh interval the switch is configured for. The default configuration on the NAD config is 1 day for each value, and the PAN being the provider of the information/policies. 
The "send from" field will list all nodes in your deployment, you would edit this to reflect the PSN you want providing the update notification on a per NAD basis. If you change the CoA source, then you need to ensure the switch is configured to accept a CoA for the new node. 
nad-config.png

If you wish to manually request devices update their policies after you have made a matrix/policy change, then you can do so from the dashboard notifications drop down. 

push.png

Customers Also Viewed These Support Documents