cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

387
Views
5
Helpful
4
Replies
Adrian Lazar
Beginner

IP-SGT Mapping Deployed from ISE - config saving

Hi all,

 

We are using ISE to deploy IP-SGT mappings to several switches and we just observed that after the deployment the switch config is not saved automatically (by ISE). Obviously if the config is not saved manually and a power outage occurs then the new mappings are lost.

Any feedback will be welcomed, we are interested to see if this is as designed or maybe a bug so we will open a TAC case.

 

Thanks,

Adrian

1 ACCEPTED SOLUTION

Accepted Solutions
Colby LeMaire
VIP Collaborator

My guess is that it is by design.  IP-SGT mappings change over time and ISE regularly communicates with the switches using SXP to ensure the mappings are there, updated, or removed as necessary.  If the switch were to restart, it would re-establish the SXP connection with ISE and the mappings would be pushed down again.

 

Someone could be in the middle of making other changes on the switch and I don't necessarily think it would be good for ISE to save the configuration which would include other changes outside of IP-SGT mappings.

View solution in original post

4 REPLIES 4
Colby LeMaire
VIP Collaborator

My guess is that it is by design.  IP-SGT mappings change over time and ISE regularly communicates with the switches using SXP to ensure the mappings are there, updated, or removed as necessary.  If the switch were to restart, it would re-establish the SXP connection with ISE and the mappings would be pushed down again.

 

Someone could be in the middle of making other changes on the switch and I don't necessarily think it would be good for ISE to save the configuration which would include other changes outside of IP-SGT mappings.

View solution in original post

Surendra
Cisco Employee

I think it is intentionally not done since saving the changes on the switch does not save just the changes made by ISE but by everyone. You don’t want to end up in a situation where a network device administrator is in the middle of testing something and ISE pushed down the mappings and saved the changes.

Adding to the above comments. You can configure the CTS environment data downloads, etc. in ISE for individual NADs under the advanced trustsec configuration. CTS pacs are lost upon reboot as well, but stored in ISE. So once the NAD is up it will have a cts provisioning job where it reaches back out to ISE. Based on conversations with Cisco I believe it is road-mapped to eventually have NADs keep their PACs upon reboot.
Michal Olsovsky
Beginner

In my opinion when ISE is the pushing static IP-SGT mappings it acts like a kind of automation tool that the engineer is using in a controlled way as he needs to trigger the deployment manually using the deploy button so no unexpected saves can happen. It doesn't make a lot of sense to connect to each and every affected device separately and save the config manually when the automation is used, if not doing it automatically then at least letting the user decide if the save should be done.

Create
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: pxGrid (36%)

Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel