
SGT tagging to inbound third party partner traffic on Firepower

BINU KR (Level 1)

In my case, the customer wants to tag the third-party (partners') traffic connected to the company. The third parties are connected via MPLS or Internet IPsec tunnels to a perimeter router, and the traffic is then filtered on Firepower. At this point, the traffic must be tagged with an SGT for later monitoring with the SNA integration. Cisco ISE is already in place assigning SGTs to the enterprise devices, and SNA is integrated with FMC. Is this a possible scenario? Any references would be appreciated.

Accepted Solution

Damien Miller (VIP Alumni)

I don't know if you can do this on a Firepower. I like the use case, though; I would put in a feature request for static SGT mappings for VPN tunnels if it doesn't exist.

One way I know that you could do this is to force the tunnel traffic to route through an ASR or switch on specific interfaces. On the router/switch interfaces you would assign a static SGT to the port of your choosing. This would tag all traffic on ingress from the third-party tunnels.

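As an added illustration (not part of Damien's reply or any Cisco documentation), this is what the static port tagging he describes looks like on a Cisco IOS-XE router or Catalyst switch placed between the partner tunnels and the Firepower. The interface name, the partner subnet, the SXP peer address and the SGT value 100 are assumed placeholders; the SGT number must match the tag defined for partners in ISE.

```cisco
! Assumed example: perimeter ASR/Catalyst that terminates the partner tunnels.
! Interface names, prefixes, peer IP and SGT values are placeholders.
cts role-based enforcement

! 1) Port-based static SGT: every frame entering Gi0/0/1 from the partner
!    hand-off is classified as SGT 100. Without the "trusted" keyword the
!    port is untrusted, so any tag a partner already carries on ingress is
!    ignored and replaced by the static tag.
interface GigabitEthernet0/0/1
 description Partner MPLS / IPsec hand-off (assumed)
 cts manual
  policy static sgt 100

! 2) Alternative when partner traffic cannot be isolated to one port:
!    bind the partner address space (assumed prefix) to the same SGT.
cts role-based sgt-map 203.0.113.0/24 sgt 100

! 3) Propagate the IP-to-SGT bindings over SXP to a downstream device
!    that cannot receive inline tags (peer address assumed).
cts sxp enable
cts sxp default password SXP-PASSWORD-PLACEHOLDER
cts sxp connection peer 192.0.2.10 password default mode local speaker
```

Verify with the exec commands `show cts interface brief` (the port should show the static SGT and an untrusted state), `show cts role-based sgt-map all` and `show cts sxp connections brief`.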

Replies


BINU KR (Level 1)

Thanks Damien.