SGT To IP Mapping

Oron Yaniv
Level 1

We are about to deploy ISE NAC at our campus.

As part of the design, I read about SGT mapping.

Can someone explain SGT-to-IP mapping? (How can it scale?)

Can I map users (IP) to SGTs?

From what I have read, SGT-to-IP mapping is meant for a few IP addresses and it cannot scale on a campus of thousands of users.

Thanks,

Oron

4 Replies

Colby LeMaire
VIP Alumni

Your question is very generic and broad.  Are you doing TrustSec on any devices in your infrastructure?  Or are you just doing normal 802.1x/MAB authentication?

With ISE, IP-SGT mappings are dynamic based on your ISE authentication/authorization policies and you can also create static IP-SGT mappings if needed.  The scalability of how many of those mappings a device can handle is platform/device specific.  The following URL has the scalability numbers to give you an idea:  https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-system-bulletin.pdf

For example, if you are doing SGT enforcement on an ASA 5555-X, then that ASA can handle up to 500K IP-SGT mappings.  A Firepower 4110 can handle up to 1M mappings.

Damien Miller
VIP Alumni
You sound fairly new to TrustSec and SGTs, so I might suggest taking some time to go over a few of the Cisco Live sessions on the topic. You can find them streaming here:
https://www.ciscolive.com/global/on-demand-library.html?search=sgt#/

TrustSec/SGTs scale to environments with millions of endpoints. There are various components and design decisions that cannot scale to that extent, but an ideal TrustSec implementation is a finely tuned beast that can handle this. Having implemented TrustSec within single facilities with many tens of thousands of endpoints, I'm happy to say that the SGTs were not an issue.

Is it possible to assign an SGT to each user/device on the network?

If yes, will this method scale on a campus with 15K users?

SGTs were designed to give role/group-based access within a network. So the thought was you wouldn't assign one per user/endpoint, but rather use one SGT per device/endpoint role. Users and endpoints requiring similar access would receive the same SGT/policy. It sounds like what you may be looking for is to segment users from each other? The stated limit with ISE 2.4+ is 10,000 unique SGTs, but in theory this would be a pain to manage.

If you wanted to prevent user-to-user communication you could use a single SGT and define an SGACL that prevents them from talking to one another. It would act in a similar way to private VLANs but be consistent on wired and wireless.
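The single-SGT design described in the reply above, written out as an added example (not from the thread or from Cisco documentation): a Catalyst IOS-XE style CLI fragment in which every campus user gets one SGT from ISE authorization, only the non-authenticating servers get static IP-SGT mappings, and one SGACL blocks user-to-user traffic while a second still allows users to reach servers. The SGT numbers (10, 20), ACL names, VLAN list and addresses are constructed assumptions, and the command syntax is assumed from IOS-XE and should be checked against the platform's own documentation.

```ios
! Added example, not thread or vendor code. Assumed IOS-XE CLI syntax.
! SGT 10 = campus users (assigned dynamically by the ISE AuthZ profile,
! so no per-user static mapping is needed and the table only grows with
! active sessions). SGT 20 = servers that never run 802.1X/MAB, so they
! are the only ones that need static IP-SGT mappings.

! Static mappings: constructed sample addresses, servers only.
cts role-based sgt-map 10.20.0.10 sgt 20
cts role-based sgt-map 10.20.0.0/24 sgt 20

! SGACLs are keyed by the (source SGT, destination SGT) pair, not by
! address, so the same two ACLs cover every user on every switch.
ip access-list role-based DENY_USER_TO_USER
 deny ip
ip access-list role-based PERMIT_USER_TO_SERVER
 permit ip

! Bind the ACLs to SGT pairs: users may not talk to users, but may
! reach servers. Traffic from servers back to users is not covered here
! and would need its own from-20-to-10 entry (or the default policy).
cts role-based permissions from 10 to 10 DENY_USER_TO_USER
cts role-based permissions from 10 to 20 PERMIT_USER_TO_SERVER

! Without enforcement the mappings and permissions are learned but
! never applied; enable it globally and on the user VLANs (assumed).
cts role-based enforcement
cts role-based enforcement vlan-list 100-110

! Verification: the mapping table should hold one entry per active
! endpoint plus the static server entries, the permissions table only
! the two pairs above, and the counters should show denies climbing
! when two users try to reach each other.
show cts role-based sgt-map all
show cts role-based permissions
show cts role-based counters
```

When the SGACL is defined centrally in ISE instead, the switch learns the same permissions over the CTS policy download and `show cts role-based permissions` is the place to confirm they actually arrived.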
