
Pushing IP-SGT mappings to Cisco switch

snatara2
Cisco Employee

I am working on ISE version 2.2. When I tried creating an IP-SGT mapping in ISE, I was able to do so. However, there is an option to "Deploy to Devices". In this option I am not able to see my network device, which I have configured under "network device". Because of this, when I try deploying that entry it shows the error "Device not found". Can you please help me resolve this issue?

Accepted Solutions

hariholla
Cisco Employee

The IP-SGT bindings from ISE can be pushed to the network via 2 methods:

1) CLI configuration

2) ISE SXP

You seem to be using method-1, which requires you to define the network device’s SSH login credentials so that ISE can configure it for static IP-to-SGT bindings.

Here’s how you do it:

Under ‘Advanced TrustSec Settings’ within the Network Device configuration in ISE, specify the SSH login details:

Screen Shot 2017-04-26 at 9.44.33 AM.png

Then under TrustSec Work center > Components, you should be able to see this network device to push the static IP-to-SGT binding.

Screen Shot 2017-04-26 at 9.45.08 AM.png


4 Replies

vrostowsky
Level 5

Srinivasan

Please read the document to ensure you have the correct configuration for TrustSec operation. Also, ensure you have the devices added with the TrustSec settings enabled under network devices. One last thing is to check the device compatibility guide for feature support for ISE 2.2.

Cisco TrustSec Switch Configuration Guide - Understanding Cisco TrustSec [Cisco Catalyst 6500 Series Switches] - Cisco

Cisco Identity Services Engine Network Component Compatibility, Release 2.2 - Cisco

HTH-

Vince

Hi Team/Hariprasad,

Thank you for the suggestion.

By following the below steps I was able to find the device in ISE and tried deploying the IP-SGT binding. It got deployed to the device globally.

However, my requirement is that the binding should get deployed to the device for a VRF “sgt”.

On the device I have configured VRF “sgt”. On the ISE side I have configured the below.

In ISE I have given deployed via as “sgt”, but still it is coming globally. Any suggestions to make it deploy to VRF “sgt”?

Regards,

Srinivasan.N
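To confirm from the switch side whether a pushed binding landed in the global table or in VRF “sgt”, as described in the post above, the following added example (not part of the original thread, and not Cisco's code) parses the binding table and reports which table holds the entry. The sample output, IP addresses and SGT values are constructed, and the column layout is assumed to match what `show cts role-based sgt-map all` and `show cts role-based sgt-map vrf sgt all` print on the switch.

```python
import re

# Constructed sample output; layout assumed to match the switch's
# `show cts role-based sgt-map all` (global table) ...
GLOBAL_OUTPUT = """\
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
10.10.10.5              20      CLI
192.0.2.14              30      CLI

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 2
Total number of active   bindings = 2
"""

# ... and `show cts role-based sgt-map vrf sgt all` (VRF table).
VRF_OUTPUT = """\
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
10.10.10.9              20      CLI
"""

# A table row: IPv4 address or prefix, SGT number, learning source.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s+(\d+)\s+(\S+)\s*$")

def parse_bindings(show_output):
    """Return {ip_or_prefix: (sgt, source)} from the binding table rows."""
    bindings = {}
    for line in show_output.splitlines():
        m = ROW.match(line)
        if m:
            bindings[m.group(1)] = (int(m.group(2)), m.group(3))
    return bindings

def locate_binding(ip, sgt, tables):
    """tables maps a table name ('global' or a VRF name) to its show output.
    Returns the names of the tables that hold ip with the expected SGT."""
    return [name for name, out in tables.items()
            if parse_bindings(out).get(ip, (None,))[0] == sgt]

def check_placement(ip, sgt, expected_table, tables):
    """Return (ok, found); ok only if the binding sits in expected_table alone."""
    found = locate_binding(ip, sgt, tables)
    return found == [expected_table], found
```

A result of `(False, ['global'])` for a binding that was meant for the VRF matches the symptom in the post: the mapping exists, but only in the global table.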

Craig Hyps
Level 10

Srinivasan, rather than a greeting, please post new questions with a relevant topic name such as "Pushing IP-SGT mappings to Cisco switch" or similar so that TMEs and anyone reviewing posts have some indication of the question topic. It also facilitates searches and question management.

Regards,

Craig