Beginner

SGT To IP Mapping

We are about to deploy ISE NAC at our campus.

As part of the design, I read about SGT Mapping.

 

Can someone explain SGT-To-IP Mapping? (How can it scale?)

Can I map users (IP) to SGT?

 

From what I have read, SGT-To-IP Mapping is meant for a few IP addresses and cannot scale on a campus of thousands of users.

 

Thanks,

Oron

 

4 REPLIES
Rising star

Re: SGT To IP Mapping

Your question is very generic and broad. Are you doing TrustSec on any devices in your infrastructure? Or are you just doing normal 802.1x/MAB authentication?

With ISE, IP-SGT mappings are dynamic based on your ISE authentication/authorization policies, and you can also create static IP-SGT mappings if needed. The scalability of how many of those mappings a device can handle is platform/device specific. The following URL has the scalability numbers to give you an idea: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-system-bulletin.pdf

For example, if you are doing SGT enforcement on an ASA 5555-X, then that ASA can handle up to 500K IP-SGT mappings.  A Firepower 4110 can handle up to 1M mappings.

VIP Advisor

Re: SGT To IP Mapping

You sound fairly new to TrustSec and SGTs, so I might suggest taking some time to go over a few of the Cisco Live sessions on the topic. You can find them streaming here:
https://www.ciscolive.com/global/on-demand-library.html?search=sgt#/

TrustSec/SGTs scale to environments with millions of endpoints. There are various components and design decisions that cannot scale to that extent, but an ideal TrustSec implementation is a finely tuned beast that can handle this. Having implemented TrustSec within single facilities with many tens of thousands of endpoints, I'm happy to say that the SGTs were not an issue.

Beginner

Re: SGT To IP Mapping

Is it possible to assign an SGT to each user/device on the network?

If yes, will this method scale on a campus with 15K users?

VIP Advisor

Re: SGT To IP Mapping

SGTs were designed to give role/group based access within a network. So the thought was you wouldn't assign one per user/endpoint, but rather use one SGT per device/endpoint role. Users and endpoints requiring similar access would receive the same SGT/policy. It sounds like what you may be looking for is to segment users from each other? The stated limit with ISE 2.4+ is 10,000 unique SGTs, but in theory this would be a pain to manage.

 

If you wanted to prevent user to user communication you could use a single SGT and define an SGACL that prevents them from talking to one another. It would act in a similar way to private VLANs but be consistent on wired and wireless.
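As an added illustration (not part of any reply in this thread), here is Cisco IOS-style switch configuration for the design the last reply describes: one SGT for all users and an SGACL on the Employees-to-Employees policy cell that blocks peer-to-peer traffic, plus the static IP-SGT mapping the first reply mentions. The SGT value 10, the subnet 10.1.100.0/24, VLAN 100 and the ACL name are constructed placeholders; in a real deployment ISE assigns the SGT in the authorization profile and pushes the policy matrix, so the local mapping and permissions lines would normally not be typed by hand.

```text
! Turn on SGACL enforcement on this switch (assumed enforcement point)
cts role-based enforcement
! Assumed user VLAN; enforcement is applied per VLAN on Catalyst switches
cts role-based enforcement vlan-list 100
!
! Static IP-SGT mapping (constructed subnet and SGT value). Normally the
! mapping is learned dynamically from the ISE authorization result.
cts role-based sgt-map 10.1.100.0/24 sgt 10
!
! Role-based ACL: it carries no IP addresses at all. Source and destination
! are supplied by the SGTs, which is what lets it scale independently of
! how many hosts sit behind the tag.
ip access-list role-based DENY_USER_TO_USER
 deny ip
!
! Policy cell Employees (10) -> Employees (10): drop user-to-user traffic.
! Other cells (Employees -> servers, printers, ...) are defined separately
! and default to permit unless a different SGACL is bound.
cts role-based permissions from 10 to 10 ipv4 DENY_USER_TO_USER
!
! Verification: what the device knows and what it is enforcing
show cts role-based sgt-map all
show cts role-based permissions
show cts role-based counters
```

Enforcement happens at egress, so the device applying the SGACL must hold both the source and destination IP-SGT mapping; that is why the per-platform mapping capacity cited in the first reply, not the number of SGTs, is the figure to check against a 15K-user campus.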