11-27-2019 11:26 AM - edited 02-21-2020 11:12 AM
We are about to deploy ISE NAC at our campus.
As part of the design, I read about SGT mapping.
Can someone explain SGT-to-IP mapping? (How can it scale?)
Can I map users (IP) to SGT?
From what I have read, SGT-to-IP mapping is meant for a few IP addresses and cannot scale on a campus of thousands of users.
thanks,
Oron
11-27-2019 01:02 PM
Your question is very generic and broad. Are you doing TrustSec on any devices in your infrastructure? Or are you just doing normal 802.1x/MAB authentication?
With ISE, IP-SGT mappings are dynamic based on your ISE authentication/authorization policies and you can also create static IP-SGT mappings if needed. The scalability of how many of those mappings a device can handle is platform/device specific. The following URL has the scalability numbers to give you an idea: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-system-bulletin.pdf
For example, if you are doing SGT enforcement on an ASA 5555-X, then that ASA can handle up to 500K IP-SGT mappings. A Firepower 4110 can handle up to 1M mappings.
11-28-2019 11:47 AM
Is it possible to assign an SGT to each user/device on the network?
If yes, will this method scale on a campus with 15K users?
11-28-2019 12:40 PM
SGTs were designed to give role/group-based access within a network. So the thought was you wouldn't assign one per user/endpoint, but rather use one SGT per device/endpoint role. Users and endpoints requiring similar access would receive the same SGT/policy. It sounds like what you may be looking for is to segment users from each other? The stated limit with ISE 2.4+ is 10,000 unique SGTs, but in theory this would be a pain to manage.
If you wanted to prevent user-to-user communication you could use a single SGT and define an SGACL that prevents them from talking to one another. It would act in a similar way to private VLANs but be consistent on wired and wireless.
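To make the two answers above concrete (static IP-SGT bindings alongside the dynamic ones ISE assigns, and a single-SGT SGACL that blocks user-to-user traffic), here is an added Catalyst IOS-XE configuration fragment. It is not from the original thread or from Cisco documentation; the SGT numbers, IP addresses and ACL name are assumed for illustration. Dynamic bindings for authenticated users need no CLI at all: they are learned from the ISE authorization result, so only exceptions (unauthenticated devices, server subnets) are entered statically.

```text
! --- Static IP-SGT bindings (assumed values) ---
! One host binding for a device that never authenticates, e.g. a printer.
cts role-based sgt-map 10.1.20.15 sgt 20
! One subnet binding covers a whole server range with a single entry,
! which is why static mappings do not need to grow per user.
cts role-based sgt-map 10.1.30.0/24 sgt 30

! --- SGACL: users in SGT 10 may not talk to other users in SGT 10 ---
ip access-list role-based DENY_ALL
 deny ip
!
! Apply the ACL to the 10 -> 10 cell of the policy matrix.
cts role-based permissions from 10 to 10 DENY_ALL
! Turn on enforcement globally and on the user VLAN (assumed VLAN 10).
cts role-based enforcement
cts role-based enforcement vlan-list 10

! --- Verification ---
! Both the ISE-learned (dynamic) and the CLI (static) bindings show here.
show cts role-based sgt-map all
! Confirms the 10 -> 10 cell carries DENY_ALL.
show cts role-based permissions
! Hardware-drop counters per cell; a rising 10 -> 10 count proves the block works.
show cts role-based counters
```

In a production deployment the permission matrix is normally built in ISE and downloaded to the switches rather than typed per device; the CLI form is shown here so the effect of the single-SGT design is visible on one switch. Note that traffic between two users behind the same access port or on the same wireless AP is only blocked where the enforcing device actually sees the IP-SGT binding of both endpoints, so check the mapping table on each enforcement point, not only on the distribution layer.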