07-19-2023 02:24 AM
Hi all,
I am contacting you regarding a basic question about an SGT use case.
We have a network composed of:
- Core switch (Cisco) in our Cisco Fabric, that manages access to all other switches and servers
- Access switches (Cisco), also in our Cisco Fabric, for end-users/systems
- Cisco ISE to manage 802.1x authentication, SGT, etc.
- Cisco DNA Center to manage the whole system
Currently SGT is used, configured and working, but we are using it by associating an SGT to a VLAN.
This is configured and pushed through our DNA Center.
What we want is to assign only one IP to a specific SGT.
The goal is to dedicate an SGT to a system (composed of one or more clients/servers) to control communication to/from this system and the other systems, and to avoid using global configuration or more VLAN segmentation (like dedicating a smaller VLAN to this system).
For this, I have used the IP SGT Static Mapping of Cisco ISE (i.e. associated my required IP to the SGT I need, in the correct VN), and pushed this configuration to our network.
As everything is managed by Cisco ISE and DNA Center, I can indeed see the configuration in the running-config and in the output of "show cts role-based sgt-map all" (source = CLI).
But unfortunately, the rules I applied through the matrix for this SGT are not working (basically, I tested blocking the communication from a management server to this specific IP using the default Deny_IP_Log), so the static mapping is not working.
Perhaps I missed a basic point of the configuration?
Do I need to refresh something after pushing the configuration?
Can you help me with this?
Have a good day!
07-19-2023 04:47 AM
Hello @UNVC
I believe it is possible to achieve what you intend, but you need to put this device in a specific VN alone. When creating the SGT, the information we have to attach this SGT to the network is the VN; you cannot add an IP address there.
07-19-2023 03:41 PM
I could be wrong, but I don't believe it's possible to enforce static IP-SGT mappings within the VXLAN/LISP fabric used by SDA.
If the system is within the fabric, you would need to assign it an SGT based on either 802.1x or MAB-based authorization policy.
If the system is outside the fabric, you would need to propagate the IP-SGT mappings to either the border node or another external system (like a fusion router or firewall) using pxGrid or SXP and have that platform do the enforcement.
See the following example of doing that propagation and enforcement on the Border Node.
https://community.cisco.com/t5/security-knowledge-base/policy-enforcement-within-sda-border/ta-p/3646816#toc-hId--1069166528
Keep in mind that, with TrustSec, you should be performing enforcement as close to the destination as possible to scale the solution properly.
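As an added illustration of the "system outside the fabric" option described in the reply above (this is not configuration from the original poster or from Cisco's knowledge base article), the following shows the shape of an SXP peering from ISE to a border node and the checks used to confirm the mapping arrived with source SXP rather than CLI. All values are assumptions: ISE at 10.1.1.10, border loopback 10.1.1.1, a VN named CAMPUS_VN, the protected host 10.20.30.40 mapped to SGT 20, and the management server in SGT 10. The ISE side is done in the GUI, so it is given as comments.

```text
! --- ISE (GUI, assumed menu paths for ISE 2.x/3.x) ---
! Work Centers > TrustSec > Components > IP SGT Static Mapping:
!   10.20.30.40 -> SGT 20, "Deploy to" = SXP domain (not "Device CLI"),
!   so the mapping is advertised over SXP instead of being pushed as a
!   "cts role-based sgt-map" line (which is what shows up as source = CLI).
! Work Centers > TrustSec > SXP > SXP Devices:
!   add the border node (10.1.1.1) as a peer with role LISTENER; ISE is the SPEAKER.

! --- Border node (IOS-XE), SXP listener for ISE in the VN's VRF ---
cts sxp enable
cts sxp default source-ip 10.1.1.1
cts sxp default password <shared-secret-configured-on-ISE>
cts sxp connection peer 10.1.1.10 password default mode local listener vrf CAMPUS_VN

! Enforce on the border: for traffic entering the fabric from outside,
! the border is the hop closest to the destination.
cts role-based enforcement

! --- Verification ---
! Peering must show state "On" before any mapping can be learned.
show cts sxp connections brief
! The 10.20.30.40 -> 20 entry should now list source SXP, not CLI.
show cts role-based sgt-map vrf CAMPUS_VN all
! Confirm the 10 -> 20 cell of the matrix (Deny_IP_Log) was downloaded from ISE.
show cts role-based permissions
! Hit counters on the deny entry confirm enforcement is actually happening here.
show cts role-based counters
```

Two caveats: in an SD-Access fabric DNA Center owns the border node's configuration, so an SXP peering added by hand may be overwritten or flagged as out of compliance, and should be provisioned through DNA Center/ISE where the version supports it. And an IP-SGT mapping learned on the border only classifies traffic that actually transits the border; an edge-to-edge flow inside the fabric never sees it, which is why the reply above says in-fabric hosts need an SGT from the 802.1x/MAB authorization result instead.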
07-20-2023 04:16 PM
I will check.