08-29-2018 05:22 AM
Hello Team,
ISE is authorizing multiple types of sessions, having username+IP+SGT in Live Sessions:
At the same time ISE is an SXP speaker, where we have multiple CSR routers, each belonging to a different SXP domain (multi-tenant). I also have some static mappings, for example for the following SXP domain:
Also I have both enabled:
Now my problem is that in SXP domain1, where I have my CSR1, I can see SXP mappings, but only those static mappings which are for that VPN domain:
vCSR#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
1.1.1.1 15 SXP
1.2.3.4 18 SXP
6.6.6.6 15 SXP
But I do not see any dynamic mappings that ISE has (Live Sessions), because I believe they are in the global VPN domain. Is that correct?
My only doubt here is: shouldn't I see all the mappings here?:
Why are only static mappings displayed here?
ISE 2.3 patch 3.
Question: is there any solution which would allow me to define something like an authz rule:
If I have a dot1x session from Switch1, please publish the IP-SGT mapping to SXP Domain1
If I have a dot1x session from Switch2, please publish the IP-SGT mapping to SXP Domain2
I could use the API to do it manually, but it's extra complexity and risk :(
Thanks,
Michal
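A small check for the per-switch-to-domain policy asked about in the question, as an added example that is not part of the thread: it derives the IP-SGT bindings each SXP domain should carry from constructed Live Sessions and a hypothetical NAS-to-domain map, parses the `show cts role-based sgt-map all` output quoted above, and reports which dynamic bindings the router is missing (a passive WMI session with no SGT produces no binding at all). All session values, device names and domain names are assumptions.

```python
import re

# Constructed sample (not from the thread): ISE Live Sessions with the network device
# (NAS) each came from. The WMI session is passive (no ISE authorization), so no SGT.
LIVE_SESSIONS = [
    {"user": "alice", "ip": "192.168.2.10", "sgt": 15, "nas": "Switch1"},
    {"user": "bob", "ip": "192.168.2.11", "sgt": 18, "nas": "Switch1"},
    {"user": "carol", "ip": "192.168.1.20", "sgt": None, "nas": "WMI"},
    {"user": "dave", "ip": "10.0.0.5", "sgt": 20, "nas": "Switch2"},
]
# Hypothetical policy: Switch1 sessions belong to SXP domain 1, Switch2 to domain 2.
NAS_TO_DOMAIN = {"Switch1": "sxpcustomer1", "Switch2": "sxpcustomer2"}
# Static IP-SGT mappings per SXP domain (same values as the router output above).
STATIC_BINDINGS = {"sxpcustomer1": {"1.1.1.1": 15, "1.2.3.4": 18, "6.6.6.6": 15}}
# One data row of 'show cts role-based sgt-map all': IP, SGT, Source.
SGT_MAP_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)$")

def expected_bindings(domain):
    """IP -> SGT a device in `domain` should learn: the domain's static mappings plus
    every session from a NAS mapped to that domain; sessions without an SGT are skipped."""
    bindings = dict(STATIC_BINDINGS.get(domain, {}))
    for s in LIVE_SESSIONS:
        if NAS_TO_DOMAIN.get(s["nas"]) == domain and s["sgt"] is not None:
            bindings[s["ip"]] = s["sgt"]
    return bindings

def parse_sgt_map(output):
    """Parse router output into {ip: (sgt, source)}, ignoring prompt and header lines."""
    table = {}
    for line in output.splitlines():
        m = SGT_MAP_ROW.match(line.strip())
        if m:
            table[m.group(1)] = (int(m.group(2)), m.group(3))
    return table

def diff_bindings(expected, actual):
    """(missing, unexpected): expected IP->SGT pairs the device lacks or holds with
    another SGT, and learned IPs that policy does not predict."""
    missing = {ip: sgt for ip, sgt in expected.items() if actual.get(ip, (None,))[0] != sgt}
    unexpected = {ip: sgt for ip, (sgt, _) in actual.items() if ip not in expected}
    return missing, unexpected

# The CSR1 output quoted in the question: only the three static entries are present.
SAMPLE_OUTPUT = """vCSR#show cts role-based sgt-map all
IP Address SGT Source
============================================
1.1.1.1 15 SXP
1.2.3.4 18 SXP
6.6.6.6 15 SXP
"""
print(diff_bindings(expected_bindings("sxpcustomer1"), parse_sgt_map(SAMPLE_OUTPUT)))
```

The printed result lists the two Switch1 dot1x sessions as missing on CSR1, which is exactly the symptom in the question; rerunning after the SXP domain filter is in place should leave both dictionaries empty.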
08-29-2018 10:27 PM
I've seen those learned by session before so not sure why yours have only static. I forwarded your post to the team who may help you better.
08-30-2018 12:47 AM
Hi,
if you navigate to TrustSec>SXP>All SXP Mappings, to the right of the Refresh button you'll see 'Add SXP Domain Filter'.
Click that and you'll see a pop-up with the following text:
08-30-2018 02:29 AM - edited 08-30-2018 02:31 AM
Hi Jonothan,
Thanks for your help here. It works, but only for dot1x sessions, not for WMI sessions.
In Live Sessions I have a few sessions (dot1x and WMI) with IP+Username (the last two are WMI):
First I created a filter only for 192.168.1.0/24, which are the WMI sessions, and nothing happened. Then I created another filter, also for 192.168.2.0/24 (dot1x sessions):
And after that I started to see 192.168.2.0/24 sessions only:
Then those mappings are correctly sent to the SXP domain sxpcustomer1 devices.
I have also made one small test and reconfigured both filters to put them in the default domain, and then the dynamic mappings disappeared.
So it looks like:
1. In the "All SXP Mappings" tab we do not display dynamic mappings which are in the default SXP domain. Why?
2. But a far more serious problem for me is why WMI mappings are not taken into consideration at all and never appear in any SXP domain (and are never transferred to devices in any SXP domain). At the same time I can see those WMI sessions received via the REST API.
ISE 2.3p3.
Thanks,
Michal
08-30-2018 03:22 AM
Hi,
do you have any Listening SXP connections on ISE?
If not, please add a dummy one (sourced from some random non-used IP address).
Then report back on the SXP table contents.
08-30-2018 05:04 AM
Hi Jonothan,
Indeed, after adding a dummy speaker on ISE I started to see sessions in the default SXP domain. Is this a bug?
Anyway, my smaller problem #1 is solved this way.
What about the bigger problem #2? Why are WMI sessions not processed at all (not visible in SXP Mappings and not sent to any devices)?
Thanks,
Michal
08-30-2018 05:32 AM
I assume you mean dummy receiver (peer a speaker).
It's not a bug as such, it's always been that way (I'm sure developers would call it 'as per design').
I'm looking into WMI.
08-30-2018 05:36 AM
Yep, correct, I have added (just in case) both a dummy speaker and listener, and that solved the problem. If that is a "feature" I am not able to understand it ;) Also it should be documented IMHO ;)
Anyway, the WMI topic is really important here. I have seen it in the past; now it becomes important.
Thanks,
Michal
08-30-2018 05:47 AM
Thanks Jonothan, after our conversation I can confirm everything is working completely correctly.
I am having WMI sessions completely passively, with no authz on ISE, so no SGT is associated; that is why we cannot have any IP-SGT mapping (that would be possible with Easy Access or any kind of authorization)!
Thanks !