11-27-2019 11:26 AM - edited 02-21-2020 11:12 AM
We are about to deploy ISE NAC at our campus.
As part of the design, I read about SGT mapping.
Can someone explain the SGT-to-IP mapping? (How can it scale?)
Can I map users (IP) to SGT?
From what I have read, the use of SGT-to-IP mapping is for a few IP addresses and it cannot scale on a campus of thousands of users.
thanks,
Oron
11-27-2019 01:02 PM
Your question is very generic and broad. Are you doing TrustSec on any devices in your infrastructure? Or are you just doing normal 802.1x/MAB authentication?
With ISE, IP-SGT mappings are dynamic based on your ISE authentication/authorization policies and you can also create static IP-SGT mappings if needed. The scalability of how many of those mappings a device can handle is platform/device specific. The following URL has the scalability numbers to give you an idea: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-system-bulletin.pdf
For example, if you are doing SGT enforcement on an ASA 5555-X, then that ASA can handle up to 500K IP-SGT mappings. A Firepower 4110 can handle up to 1M mappings.
11-27-2019 03:25 PM
11-28-2019 11:47 AM
Is it possible to assign an SGT to each user/device on the network?
If yes, will this method scale on a campus with 15K users?
11-28-2019 12:40 PM
SGTs were designed to give role/group-based access within a network. So the thought was you wouldn't assign one per user/endpoint, but rather use one SGT per device/endpoint role. Users and endpoints requiring similar access would receive the same SGT/policy. It sounds like what you may be looking for is to segment users from each other? The stated limit with ISE 2.4+ is 10,000 unique SGTs, but in theory this would be a pain to manage.
If you wanted to prevent user-to-user communication, you could use a single SGT and define an SGACL that prevents them from talking to one another. It would act in a similar way to private VLANs but be consistent on wired and wireless.
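An added illustration, not from the thread or from Cisco: a small Python model of dynamic IP-SGT mappings and an SGACL matrix, showing the role-based design described above (15,000 users share one SGT, so the number of unique SGTs stays small) and an intra-SGT deny that keeps users from talking to each other while still reaching servers. SGT numbers, role names and IP addresses are constructed for the example.

```python
# Added example (not the thread's or Cisco's code): a model of TrustSec
# IP-SGT mapping plus SGACL matrix evaluation.  SGT values, roles and
# addresses are constructed; the permit-by-default fallback is an assumption.
from typing import Dict, Tuple

# Role -> SGT, as an ISE authorization policy would assign (assumed values).
ROLE_TO_SGT: Dict[str, int] = {"employee": 10, "contractor": 20, "server": 100}
UNKNOWN_SGT = 0  # traffic with no mapping is treated as SGT 0 (unknown)

# (source SGT, destination SGT) -> "permit" | "deny".  Cells not listed fall
# back to DEFAULT_ACTION, mirroring a permit-by-default policy matrix.
SGACL_MATRIX: Dict[Tuple[int, int], str] = {
    (10, 10): "deny",     # employee -> employee: user isolation with one SGT
    (20, 20): "deny",     # contractor -> contractor
    (20, 10): "deny",     # contractor -> employee
    (10, 100): "permit",  # employees may reach servers
}
DEFAULT_ACTION = "permit"


def build_ip_sgt_map(sessions: Dict[str, str]) -> Dict[str, int]:
    """Turn authenticated sessions (ip -> role) into dynamic IP-SGT mappings."""
    return {ip: ROLE_TO_SGT.get(role, UNKNOWN_SGT) for ip, role in sessions.items()}


def lookup_sgt(ip_sgt: Dict[str, int], ip: str) -> int:
    """Classify an address; anything unmapped is SGT 0."""
    return ip_sgt.get(ip, UNKNOWN_SGT)


def is_permitted(ip_sgt: Dict[str, int], src_ip: str, dst_ip: str) -> bool:
    """Enforcement-point decision: classify both ends, then consult the matrix."""
    cell = (lookup_sgt(ip_sgt, src_ip), lookup_sgt(ip_sgt, dst_ip))
    return SGACL_MATRIX.get(cell, DEFAULT_ACTION) == "permit"


def unique_sgts(ip_sgt: Dict[str, int]) -> int:
    """How many distinct SGTs the mapping table actually uses."""
    return len(set(ip_sgt.values()))


# Constructed campus: 15,000 employee endpoints, two contractors, two servers.
SESSIONS = {f"10.0.{(i // 256) % 256}.{i % 256}": "employee" for i in range(15000)}
SESSIONS.update({"10.200.0.1": "contractor", "10.200.0.2": "contractor",
                 "10.250.0.10": "server", "10.250.0.11": "server"})
IP_SGT = build_ip_sgt_map(SESSIONS)

if __name__ == "__main__":
    print("mappings:", len(IP_SGT), "unique SGTs:", unique_sgts(IP_SGT))
    print("employee -> employee:", is_permitted(IP_SGT, "10.0.0.1", "10.0.0.2"))
    print("employee -> server:  ", is_permitted(IP_SGT, "10.0.0.1", "10.250.0.10"))
```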