01-04-2021 01:21 PM
Hello
In an SDA deployment (using DNAC), when assigning an SGT (Scalable Group Tag) in ISE, one can select it from the Authorization Policy drop-down list (shown below) or specify it in the Authorization Result Profile. What is the difference?
The endpoint VLAN ID can no longer be specified when selecting the Security Group in the Authorization Profile, so how does one then specify the VLAN ID (as per the DNAC definition)? In our case a VN (Virtual Network) is further subnetted, and hence there will be more than one IP subnet (VLAN) on the Edge Nodes for a VN.
01-04-2021 05:43 PM - edited 01-04-2021 05:44 PM
IMO, from my experience this is preference related. I personally like seeing the SGT assigned in the authz policy. A brief overview of the two options: either do it all (assigning SGT, VN, IP Pool) via the authz profile that is then referenced in the authz policy result, or create the authz profile, assign the DNAC-specified string as the VLAN (this unique string can be extracted via DNAC and/or from a simple #show vlan on an edge node that is a member of your fabric), and then reference that authz profile under your authz results column. One difference would be if you wanted to onboard a node without assigning an SGT; then you would probably want to use option 2. For more info take a peek at the following links:
https://community.cisco.com/t5/networking-documents/how-to-sda-host-onboarding-with-ise/ta-p/4012430
https://community.cisco.com/t5/cisco-digital-network/user-to-virtual-network-association/m-p/4054485
HTH!
01-04-2021 05:58 PM
Thanks @Mike.Cifelli - link #1 works for me. Let's see how we go.
01-04-2021 05:57 PM
I prefer to use SGT on the Authz, and not the result. It's such a pain in the you know what having to drill in to the results to find the SGT that should be assigned.
We need to feature request something like a hover over a result in the policy sets and see a list of config.