IP-SGT Mapping Deployed from ISE - config saving

Adrian Lazar
Level 1

Hi all,

We are using ISE to deploy IP-SGT mappings to several switches and we just observed that after the deployment the switch config is not saved automatically (by ISE). Obviously if the config is not saved manually and a power outage occurs then the new mappings are lost.

Any feedback will be welcomed, we are interested to see if this is as designed or maybe a bug so we will open a TAC case.

Thanks,

Adrian

1 Accepted Solution

Colby LeMaire
VIP Alumni

My guess is that it is by design. IP-SGT mappings change over time and ISE regularly communicates with the switches using SXP to ensure the mappings are there, updated, or removed as necessary. If the switch were to restart, it would re-establish the SXP connection with ISE and the mappings would be pushed down again.

Someone could be in the middle of making other changes on the switch and I don't necessarily think it would be good for ISE to save the configuration which would include other changes outside of IP-SGT mappings.

Surendra
Cisco Employee
I think it is intentionally not done since saving the changes on the switch does not save just the changes made by ISE but by everyone. You don’t want to end up in a situation where a network device administrator is in the middle of testing something and ISE pushed down the mappings and saved the changes.

Adding to the above comments. You can configure the CTS environment data downloads, etc. in ISE for individual NADs under the advanced TrustSec configuration. CTS PACs are lost upon reboot as well, but stored in ISE. So once the NAD is up it will have a CTS provisioning job where it reaches back out to ISE. Based on conversations with Cisco I believe it is road-mapped to eventually have NADs keep their PACs upon reboot.

Michal Olsovsky
Level 1

In my opinion, when ISE is pushing static IP-SGT mappings it acts like a kind of automation tool that the engineer is using in a controlled way, as he needs to trigger the deployment manually using the deploy button, so no unexpected saves can happen. It doesn't make a lot of sense to connect to each and every affected device separately and save the config manually when the automation is used; if not doing it automatically, then at least letting the user decide if the save should be done.
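
For the situation raised in this thread (mappings deployed but the config never saved), a drift check can show which static IP-SGT mappings exist only in the running config and would be lost on a reload. This is an added example, not code from any poster or from Cisco; it assumes the mappings appear as IOS `cts role-based sgt-map` lines and that the running and startup config text has already been collected. The sample configs are constructed.

```python
import re

# Assumed IOS static mapping syntax, e.g. "cts role-based sgt-map 10.1.1.10 sgt 5"
# or, per VRF, "cts role-based sgt-map vrf NAME <ip-or-prefix> sgt N".
SGT_MAP = re.compile(
    r"^cts role-based sgt-map\s+(?:vrf\s+(?P<vrf>\S+)\s+)?"
    r"(?P<target>\S+)\s+sgt\s+(?P<sgt>\d+)\s*$"
)

def sgt_mappings(config_text):
    """Return {(vrf, ip_or_prefix): sgt} for every static mapping line."""
    found = {}
    for line in config_text.splitlines():
        m = SGT_MAP.match(line.strip())
        if m:
            found[(m["vrf"] or "", m["target"])] = int(m["sgt"])
    return found

def unsaved_mappings(running, startup):
    """Compare mappings in the running config against the saved startup config."""
    run, start = sgt_mappings(running), sgt_mappings(startup)
    return {
        # Present now, gone after a reload unless the config is saved
        "missing_from_startup": sorted(k for k in run if k not in start),
        # Removed from the running config, but would come back after a reload
        "stale_in_startup": sorted(k for k in start if k not in run),
        # Same IP or prefix, different tag: reload would revert the SGT
        "sgt_differs": sorted(k for k in run if k in start and run[k] != start[k]),
    }

# Constructed sample configs (not taken from a real device)
RUNNING = """\
hostname sw1
cts role-based sgt-map 10.1.1.10 sgt 5
cts role-based sgt-map 10.1.2.0/24 sgt 8
cts role-based sgt-map vrf GUEST 192.168.50.7 sgt 20
"""
STARTUP = """\
hostname sw1
cts role-based sgt-map 10.1.1.10 sgt 4
cts role-based sgt-map 10.9.9.9 sgt 3
"""

if __name__ == "__main__":
    for kind, keys in unsaved_mappings(RUNNING, STARTUP).items():
        print(kind, keys)
```

The `stale_in_startup` and `sgt_differs` results matter as much as the missing ones: after an unplanned reload the switch would enforce policy on an outdated tag until the mappings are deployed again.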
