ISE multitenancy for SXP VPN domains - limitation ?

Michal Garcarz
Cisco Employee

Hello Team,

ISE is authorizing multiple types of sessions, and Live Sessions shows username+IP+SGT:

[screenshot]

At the same time ISE is the SXP speaker, and we have multiple CSR routers, each belonging to a different SXP domain (multi-tenant). I also have some static mappings, for example for the following SXP domain:

[screenshot]

Also I have both enabled:

[screenshot]

Now my problem is that in SXP domain1, where I have my CSR1, I can see SXP mappings, but only those static mappings which are for that VPN domain:

vCSR#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
1.1.1.1                 15      SXP
1.2.3.4                 18      SXP
6.6.6.6                 15      SXP

But I do not see any dynamic mappings ISE is holding (Live Sessions), because I believe they are in the global VPN domain. Is that correct?

My only doubt here is: should I not see all the mappings here?

[screenshot]

Why are only static mappings displayed here?

 

ISE 2.3 patch 3.

 

Question: is there any solution which would allow me to define something like an authz rule:

If I have a dot1x session from Switch1, publish the IP-SGT mapping to SXP Domain1

If I have a dot1x session from Switch2, publish the IP-SGT mapping to SXP Domain2

I could use the API to do it manually, but it's extra complexity and risk :(

 

Thanks,

Michal

8 Replies

hslai
Cisco Employee

I've seen those learned by session before, so I'm not sure why yours have only static. I forwarded your post to the team, who may help you better.

jeaves@cisco.com
Cisco Employee

Hi,

If you navigate to TrustSec > SXP > All SXP Mappings, to the right of the Refresh button you'll see 'Add SXP Domain Filter'.

Click that and you'll see a pop-up with the following text:

"Session mappings learnt from network devices (not ISE locally) will be send to the default SXP Domain only. Create a filter for mappings to send to different SXP domains"

This is how you place dynamic mappings into different domains; as you have rightly said, by default they are all placed in the default domain.
 
Hopefully this fixes your problem.
Best regards, Jonothan.

Hi Jonothan,

Thanks for your help here. It works, but only for dot1x sessions, not for WMI sessions.

In Live Sessions I have a few sessions (dot1x and WMI) with IP+Username (the last two are WMI):

[screenshot]

 

First I created a filter only for 192.168.1.0/24, which are the WMI sessions, and nothing happened. Then I created another filter, also for 192.168.2.0/24 (dot1x sessions):

[screenshot]

And after that I started to see the 192.168.2.0/24 sessions only:

[screenshot]

Those mappings are then correctly sent to the SXP domain sxpcustomer1 devices.

I also made one small test and reconfigured both filters to put the mappings in the default domain, and then the dynamic mappings disappeared.

So it looks like:

1. In the "All SXP Mappings" tab we do not display dynamic mappings which are in the default SXP domain. Why?

2. But a far more serious problem for me is why WMI mappings are not taken into consideration at all and never appear in any SXP domain (and are never transferred to devices in any SXP domain). At the same time I can see those WMI sessions received via the REST API.

 

ISE 2.3p3.

 

Thanks,

Michal

Hi,

do you have any Listening SXP connections on ISE?

If not, please add a dummy one (sourced from some random non-used IP address).

Then report back on the SXP table contents.

Hi Jonothan,

Indeed, after adding a dummy speaker on ISE I started to see sessions in the default SXP domain. Is this a bug?

Anyway, my smaller problem #1 is solved this way.

 

What about the bigger problem #2? Why are WMI sessions not processed at all (not visible in SXP Mappings and not sent to any devices)?

 

Thanks,

Michal

I assume you mean dummy receiver (peer a speaker).

It's not a bug as such, it's always been that way (I'm sure developers would call it 'as per design').

I'm looking into WMI.

 

Yep, correct, I have added (just in case) both a dummy speaker and a listener, and that solved the problem. If that is a "feature" I am not able to understand it ;) Also, it should be documented IMHO ;)

 

Anyway, the WMI topic is really important here. I have seen it in the past; now it becomes important.

 

Thanks,

Michal

Thanks Jonothan, after our conversation I can confirm everything is working completely correctly.

I am receiving WMI sessions completely passively, with no authz on ISE, so no SGT is associated; that is why we cannot have any IP-SGT mapping (that would be possible with Easy Access or any kind of authorization)!

 

Thanks !
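As an added example (not from this thread, Cisco or ISE itself), the following Python models the behaviour the thread works out: session mappings are placed by SXP domain filter, unfiltered ones fall back to the default domain, passive WMI sessions without an SGT yield no mapping, and a domain's expected bindings are reconciled against `show cts role-based sgt-map all` output to list what a device has not learned. The domain name, subnets, usernames and device output are constructed.

```python
import ipaddress
import re
# Constructed sample of ISE Live Sessions: (username, ip, sgt, kind).
# Passive WMI sessions have no authz on ISE and therefore no SGT.
SESSIONS = [
    ("alice", "192.168.2.10", 15, "dot1x"),
    ("bob", "192.168.2.11", 18, "dot1x"),
    ("carol", "192.168.1.20", None, "wmi"),
]
# Constructed static IP-SGT mappings, each already assigned to an SXP domain.
STATIC = [("1.1.1.1", 15, "sxpcustomer1"), ("1.2.3.4", 18, "sxpcustomer1"),
          ("6.6.6.6", 15, "sxpcustomer1")]
# Constructed SXP domain filters (subnet -> domain), as in 'Add SXP Domain Filter'.
FILTERS = [("192.168.2.0/24", "sxpcustomer1"), ("192.168.1.0/24", "sxpcustomer1")]

def domain_for(ip, filters=FILTERS, default="default"):
    """First matching filter wins; unfiltered session mappings go to the default domain."""
    addr = ipaddress.ip_address(ip)
    for net, domain in filters:
        if addr in ipaddress.ip_network(net):
            return domain
    return default

def expected_bindings(domain, sessions=SESSIONS, static=STATIC, filters=FILTERS):
    """IP->SGT a domain should carry: its static entries plus filtered sessions with an SGT."""
    expected = {ip: sgt for ip, sgt, dom in static if dom == domain}
    for _user, ip, sgt, _kind in sessions:
        if sgt is not None and domain_for(ip, filters) == domain:
            expected[ip] = sgt
    return expected

_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)\s*$")

def parse_sgt_map(output):
    """Parse 'show cts role-based sgt-map all' rows into {ip: (sgt, source)}."""
    return {m.group(1): (int(m.group(2)), m.group(3))
            for m in map(_ROW.match, output.splitlines()) if m}

def missing_bindings(domain, output):
    """Expected bindings the device has not learned: the symptom in the thread."""
    learned = parse_sgt_map(output)
    return {ip: sgt for ip, sgt in expected_bindings(domain).items()
            if learned.get(ip, (None,))[0] != sgt}

# Constructed 'show cts role-based sgt-map all' output: only the static entries arrived.
CSR_OUTPUT = ("IP Address   SGT   Source\n============\n1.1.1.1   15   SXP\n"
              "1.2.3.4   18   SXP\n6.6.6.6   15   SXP\n")

if __name__ == "__main__":
    print(missing_bindings("sxpcustomer1", CSR_OUTPUT))
```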