Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1243
Views
0
Helpful
5
Replies

ISE SXP domains: can not have overlapping IPs ?

Go to solution
Michal Garcarz
Cisco Employee
Cisco Employee

‎09-07-2018 01:45 AM - edited ‎09-07-2018 01:46 AM

Hello Team,

I have SXP domain customer1 with mapping for ip 8.8.8.32.

And i can not add static mapping for the same ip for different SXP domain:

Screen Shot 2018-09-07 at 10.42.34.png

 

I would call it a bug - not a feature (since we have VPN domains for SXP for such a separation - right ?).

Could you please confirm ?

Do we have the same problem for dynamic mappings ? (received from network devices which belong to different SXP domains)

Thanks,

Michal

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
kvenkata1
Cisco Employee
Cisco Employee
In response to Michal Garcarz

‎09-07-2018 02:56 PM

Hi Michael,

I won't take this as a implicit feature as you mention. Unless the specific use case is tested & validated (& documented) it can't be declared as supported. Since I don't see it documented, I would say it is not supported.

 

Please feel free to reach out to the Segmentation PM team to further the discussion.

 

- Krish

View solution in original post

0 Helpful

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee
In response to kvenkata1

‎09-10-2018 04:48 AM

Agreed, this is all allowed on the switch infrastructure, it's just an ISE implementation anomaly.

You can of course just edit the one mapping entry in ISE and enter more SXP domain destinations.

A fix for individual entries needs to be tracked under CSCuz00603 (multiple exceptions in log with unified ip-sgt functional).

View solution in original post

0 Helpful
5 Replies 5

Go to solution
kvenkata1
Cisco Employee
Cisco Employee

‎09-07-2018 01:29 PM

I don't see any reference where we claim overlapping IP support in ISE SXP. The only reference I could find is in VRF aware SXP in IOS.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/sec-usr-cts-xe-3s-book/cts-sxp-ipv4.html#GUID-FB372893-786F-495B-912B-172DF3AE1972

 

- Krish

 

0 Helpful

Go to solution
Michal Garcarz
Cisco Employee
Cisco Employee
In response to kvenkata1

‎09-07-2018 01:40 PM - edited ‎09-07-2018 01:43 PM

Hi Krish,

Thanks for the help.

VRF for SXP is nice - but a bit different.

We do not mention explicitly that we do support overlapping IPs - but that might be the perception - because of support for multiple SXP VPN domains (and domain filters).

Why do we support SXP VPN domains + filters if those are not really separated/independent ?

 

Thanks,

 

0 Helpful

Go to solution
kvenkata1
Cisco Employee
Cisco Employee
In response to Michal Garcarz

‎09-07-2018 02:56 PM

Hi Michael,

I won't take this as a implicit feature as you mention. Unless the specific use case is tested & validated (& documented) it can't be declared as supported. Since I don't see it documented, I would say it is not supported.

 

Please feel free to reach out to the Segmentation PM team to further the discussion.

 

- Krish

0 Helpful

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee
In response to kvenkata1

‎09-10-2018 04:48 AM

Agreed, this is all allowed on the switch infrastructure, it's just an ISE implementation anomaly.

You can of course just edit the one mapping entry in ISE and enter more SXP domain destinations.

A fix for individual entries needs to be tracked under CSCuz00603 (multiple exceptions in log with unified ip-sgt functional).

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents