I'm just quickly playing around with SGT assignment via the Cisco ISE.
The plan is quite simple. There's no SXP protocol at all in the network. I'm just having an access layer and assign a SGT within authorization. I needed to create a SXP dummy device in ISE, so that the SGT bindings are displayed (All SXP Mappings).
So, for IPv4 this works flawlessly... I see the IPv4 address of my authorized endpoint, along with the correct SGT.
What's the deal with IPv6? I don't see the IPv6 to SGT binding in the ISE? Is this supported?!
On the access switch, I can the the IPv6 address to SGT binding (show cts role-based sgt-map all detail). The IPv6 address is visible in the "show access session" output AND in the ISE endpoint details.
Is the ISE (2.4) able to publish IPv6 SXP binding?
I checked the ISE 2.6 release notes, which introduces tons of IPv6 features - but there's no SXP in the IPv6 release note section.
Just for the whole picture. I don't plan, that any device in the network is an SXP enabled device. A SGT is assigned in authorization and that's it. All I need is, that the mappings are published to a DC firewall to do CENTRAL filtering based on SGTs. I don't WANT the access switches to be SXP enabled devices, because it does not scale (max. 800). Honestly ... that's nothing :)
Hopefully the nasty bug CSCvr95284 is not hindering this plan ...
Everything could be so great if the products would work as expected ;)
I've never, yet, deployed TrustSec for IPv6, however this needs to work. ISE supports IPv6 to SGT mappings, and the SXP version also supports propagating the bindings (SXP version 2 added support for IPv6 binding propagation). Not sure that your DC firewall model and version is, but do you use pxGRID or not? Check this document for inter-operability:
Hi @Cristian Matei ,
I totally agree (this needs to work). I'm not at the point yet, to integrate a firewall. I even don't have a pxGrid node at the moment.
I just want to understand the whole thing first on a high level:
1.) Assign an SGT tag in authorization for an endpoint
2.) See that SGT on the access switch (2960-X) after authorization (show access session / show cts)
3.) See the SXP binding on the ISE
(There are no SXP peers at the moment / learning SXP from RADIUS is enabled in ISE).
So step 1-3 works flawlessly for IPv4
For IPv6, step 1 and 2 are ok ... so everything looks good on the switch side. However, no IPv6 bindings in ISE.
I wonder if I did something wrong here...
Sorry, I haven't not worked on this for a long time.
So: Static bindings are there
The upper binding (10.99.51.89) is a binding learned by RADIUS.
The switch knows all IPv6 addresses:
show access-session interface gi1/0/1 details Interface: GigabitEthernet1/0/1 IIF-ID: 0x1C8480AE MAC Address: 0050.56b3.2c43 IPv6 Address: fe80::9974:1e42:e398:ca5c 2001:db8:4ff:3323:9974:1e42:e398:ca5c 2001:db8:4ff:3323:5049:a94e:b64d:971d IPv4 Address: 10.99.51.89
and the context visibility details for the corresponding MAC shows the ipv6 addresses as well.
By the way: This is ISE 2.7 Patch 1, because I'm testing TEAP with Windows 10 2004 :)
Suggest take a look at the ISE logs
and Context visibility > Endpoints (Click on the endpoint you are referring to and check the attributes.).
Make sure ISE receives the endpoint ipv6 address.
Also on the switch side, IPDT should work for switch to associate session with IPv6.
The Context Visibility details show the ipv6 addresses.
On the switch side, the device tracking database (C9300 / 16.12.3) is fully populated with IPv4 and IPv6 entries.
Is there something missing on ISE? Or are the IPv6 bindings just not displayed in the web UI?
So I have a working scenario now... however, I need to configure my access switch as SXP speaker.
So the switch and the ISE build an SXP session.
I wanted to learn all that stuff via RADIUS without an SXP session (and for IPv4 it works).
The number of SXP peers does not scale very well (200 max. per SXP PSN).... if you have 200 sites you're done ...
Man ... this must work via RADIUS!
I guess I'm hitting the enhacement bug CSCvn10038 ("Support of adding IPv6 radius mappings into SXP IP SGT mapping table") here. Obviously, the population of IPv6 mapping via RADIUS is not supported.
Why do people always forget IPv6 ....