06-22-2024 07:13 PM
In my case, the customer wants to tag the third-party (partner) traffic connected to the company. The third parties are connected via MPLS or Internet IPsec tunnels to a perimeter router, and the traffic is then filtered on Firepower. At this point, the traffic must be tagged with an SGT for later monitoring with SNA integration. The Cisco ISE is already in place assigning SGTs to the Enterprise devices, and SNA is integrated with FMC. Is this a possible scenario? Any references would be appreciated.
06-22-2024 07:54 PM
I don't know if you can do this on a Firepower. I like the use case though; I would feature-request static SGT mappings for VPN tunnels if it doesn't exist.
One way I know that you could do this is to force the tunnel traffic to route through an ASR or switch on specific interfaces. On the router/switch interfaces you would assign a static SGT to the port of your choosing. This would tag all traffic on ingress from the third-party tunnels.
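The static ingress-port tagging described in the reply above, as an added example of the IOS-XE TrustSec configuration involved; this is not configuration from the thread or from Cisco documentation, and the interface name, SGT value 100, partner prefix and SXP peer addresses are constructed placeholders. It also adds the two pieces a practitioner usually needs alongside the port tag: an IP-to-SGT mapping for links that cannot carry inline tags, and an SXP speaker so the firewall learns the binding.

```cisco
! Added example (not from the thread): partner tunnel traffic enters the campus
! on this port and is classified with a static SGT. Values are placeholders.
cts role-based enforcement
!
interface GigabitEthernet1/0/1
 description Ingress from perimeter router (partner MPLS/IPsec traffic)
 cts manual
  policy static sgt 100
!
! Without the "trusted" keyword every frame arriving on this port gets SGT 100,
! even if the peer already inserted a tag. That is the behaviour wanted for an
! untrusted third-party link: the partner cannot choose its own group.
!
! Alternative when the link cannot carry inline (CMD) tags: classify by source
! prefix instead of by port. Partner prefix is a constructed placeholder.
cts role-based sgt-map 10.200.0.0/16 sgt 100
!
! Propagate the IP-to-SGT binding to the firewall over SXP so Firepower/FMC can
! match on the tag. Peer and source addresses are placeholders; replace the
! password with the value agreed on both sides.
cts sxp enable
cts sxp default password 0 REPLACE_WITH_SHARED_SECRET
cts sxp connection peer 10.1.1.10 source 10.1.1.1 password default mode local speaker
```

Two checks worth doing after applying something like this: confirm the mapping with `show cts role-based sgt-map all` and the SXP session with `show cts sxp connections`, and make sure SGT 100 is defined in ISE first, otherwise the tag shows up in SNA and FMC as a bare number with no policy meaning.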
06-23-2024 10:18 PM
Thanks Damien.