
SDA - Scalable Group Tag (SGT) allowed in two places - what is best practice?

Arne Bier (VIP)

Hello

 

In an SDA deployment (using DNAC), when assigning an SGT (Scalable Group Tag) in ISE, one can select from the Authorization Policy drop-down list (shown below)

 

sgt1.png

 

 

or, specify it in the Authorization Result Profile - what is the difference?

 

sgt2.png

 

The endpoint VLAN ID can no longer be specified when selecting the Security Group in Authorization Profile - how then does one specify the VLAN ID (as per DNAC definition) ? In our case a VN (Virtual Network) is further subnetted, and hence there will be more than one IP subnet (VLAN) on the Edge Nodes for a VN.

 

 

Accepted Solution

Mike.Cifelli (VIP Alumni)

IMO, from my experience, this is preference related. I personally like seeing the SGT assigned in the authz policy. A brief overview of the two options: either do it all (assigning SGT, VN, IP Pool) via the authz profile that is then referenced in the authz policy result, or create the authz profile, assign the DNAC-specified string as the VLAN (this unique string can be extracted via DNAC and/or from a simple `show vlan` on an edge node that is a member of your fabric), and then reference that authz profile under your authz results column. One difference would be if you wanted to onboard a node without assigning an SGT; then you would probably want to use option 2. For more info take a peek at the following links:

https://community.cisco.com/t5/networking-documents/how-to-sda-host-onboarding-with-ise/ta-p/4012430

https://community.cisco.com/t5/cisco-digital-network/user-to-virtual-network-association/m-p/4054485

HTH!

 
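Both options in the answer above end up as the same RADIUS result: a Tunnel-Private-Group-ID carrying the DNAC-generated VLAN name string and a cisco-av-pair carrying the SGT. The script below is an added example, not code from the thread, from ISE or from DNAC. It parses a constructed `show vlan brief` excerpt from a hypothetical edge node, checks that the VLAN name string an ISE authz profile would return actually exists on that node (the usual reason a VLAN assignment fails in SDA), and builds the attribute set with the SGT left optional, as in option 2. The VLAN names, VN names and SGT values are made up; the `cts:security-group-tag=<hex SGT>-<hex generation>` encoding and the Tunnel-* attribute names are assumptions about what ISE sends, so verify them against a RADIUS live log in your own deployment.

```python
"""Sanity-check an SDA host-onboarding authz result against an edge node.

Added example, not code from the thread, ISE or DNAC. Assumptions:
  - the VLAN name string DNAC creates per IP pool appears verbatim in
    `show vlan brief` on a fabric edge node (constructed sample below);
  - ISE returns the VLAN as Tunnel-Private-Group-ID and the SGT as the
    cisco-av-pair "cts:security-group-tag=<hex SGT>-<hex generation>".
All pool / VN / SGT names and numbers are made up for illustration.
"""
import re

# Constructed `show vlan brief` excerpt from a hypothetical edge node.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/48
1021 10_10_10_0-Campus_VN             active    Gi1/0/1, Gi1/0/2
1022 10_10_20_0-Campus_VN             active    Gi1/0/3
1023 10_10_30_0-IoT_VN                active
1024 AP_VLAN                          active    Gi1/0/10
"""

# One VLAN row: id, name, status. Header and separator lines do not match.
VLAN_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(active|act/lshut|suspended)\b")


def parse_show_vlan(text):
    """Return {vlan_name: vlan_id} for every VLAN row in `show vlan brief`."""
    vlans = {}
    for line in text.splitlines():
        m = VLAN_LINE.match(line)
        if m:
            vlans[m.group(2)] = int(m.group(1))
    return vlans


def vlan_present(vlan_name, edge_vlans):
    """True if the string ISE would return exists as a VLAN name on the edge."""
    return vlan_name in edge_vlans


def sgt_av_pair(sgt, generation=0):
    """Encode an SGT as assumed for ISE: 4 hex digits, dash, 2 hex digits."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError(f"SGT {sgt} out of range")
    return f"cts:security-group-tag={sgt:04x}-{generation:02x}"


def build_authz_result(vlan_name, edge_vlans, sgt=None):
    """Attributes an ISE authz profile would return for this endpoint.

    Raises LookupError if the VLAN name string is not configured on the
    edge node. The SGT is optional (onboarding without an SGT, option 2).
    """
    if not vlan_present(vlan_name, edge_vlans):
        raise LookupError(f"VLAN name {vlan_name!r} not on edge node; "
                          f"known names: {sorted(edge_vlans)}")
    attrs = {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": vlan_name,
    }
    if sgt is not None:
        attrs["cisco-av-pair"] = sgt_av_pair(sgt)
    return attrs


if __name__ == "__main__":
    edge = parse_show_vlan(SHOW_VLAN_BRIEF)
    # Second subnet of the Campus VN, with a hypothetical SGT value of 16.
    print(build_authz_result("10_10_20_0-Campus_VN", edge, sgt=16))
    # Onboard into the IoT VN without an SGT.
    print(build_authz_result("10_10_30_0-IoT_VN", edge))
    # A typo in the profile string is caught before it hits a live switch.
    try:
        build_authz_result("10_10_20_0-Campus", edge, sgt=16)
    except LookupError as err:
        print("rejected:", err)
```

Because a VN that is further subnetted has one VLAN name per IP pool on the edge, the check runs per pool string, which is exactly the value you paste into the authz profile's VLAN field.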


Thanks @Mike.Cifelli, link #1 works for me. Let's see how we go.

Damien Miller (VIP Alumni)

I prefer to use SGT on the Authz, and not the result. It's such a pain in the you know what having to drill in to the results to find the SGT that should be assigned. 

We need to feature request something like a hover over a result in the policy sets and see a list of config.