
SGT to IP/subnet binding

Hi all,

I am trying to understand a concept of the Cisco TrustSec system.
On a network, I have always used (until now) the binding of SGT to VLAN: this works well.
Now I want to go one step further and statically bind some specific IPs to an SGT.
For example: on the same VLAN, having multiple servers with different SGTs to control access.
In all cases, as far as I know, IP-SGT binding has higher priority than VLAN-SGT binding.

All my system is managed by (among others):
- Cisco Catalyst switches
- DNA Center
- Cisco ISE (in RO for SGT, all controlled by DNA)

I want to test the following communication:
- One server in a VLAN with a static SGT mapping (SGT = 10) - IP range = 10.20.0.0/24
- One server in a VLAN without a static SGT mapping (the mapping is done afterwards using ISE) - IP range = 10.20.1.0/24
- The SGT to test is SGT 23
- SGT 23 is not allowed to communicate with SGT 10

Using ISE, I push the SGT-IP mapping to the required switch (the destination switch, which is also the source switch, of the communication I test). The resulting command is simple: cts role-based sgt-map 10.20.1.0/24 sgt 23

When I check the result (show cts role-based sgt-map all), I can see:

Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
10.20.1.0/24 23 CLI

But when I test the communication (basically, a PING), the binding is not applied.
The system considers that the network 10.20.1.0/24 is Unknown (so SGT 0).

Can you help me understand this, and explain to me how to do this "basic" mapping?

Thanks in advance for your help!
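As an added illustration (not part of the post, and not Cisco's own code) of the precedence the question relies on, the following parses the binding table quoted above from show cts role-based sgt-map all and resolves an address to an SGT: the longest-prefix IP-SGT binding wins, then an assumed VLAN-SGT mapping (the vlan_sgt parameter), otherwise SGT 0 (Unknown). It models only the table lookup, not what the switch actually classifies or enforces.

```python
import ipaddress

# Constructed sample: the table shown in the post, as printed by
# "show cts role-based sgt-map all" on the switch.
SGT_MAP_OUTPUT = """\
Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
10.20.1.0/24 23 CLI
"""


def parse_sgt_map(text):
    """Return a list of (network, sgt, source) tuples from the show output."""
    bindings = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly three columns and a numeric SGT;
        # the title, header and separator lines do not.
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        net = ipaddress.ip_network(parts[0], strict=False)
        bindings.append((net, int(parts[1]), parts[2]))
    return bindings


def classify(ip, bindings, vlan_sgt=None):
    """Resolve an IP to an SGT using the precedence the post describes:
    longest-prefix IP-SGT binding first, then the VLAN-SGT mapping
    (assumed parameter), otherwise SGT 0 (Unknown)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, sgt, _source in bindings:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    if best is not None:
        return best[1]
    if vlan_sgt is not None:
        return vlan_sgt
    return 0  # Unknown


if __name__ == "__main__":
    table = parse_sgt_map(SGT_MAP_OUTPUT)
    for host in ("10.20.1.5", "10.20.0.5", "10.20.2.5"):
        print(host, "->", classify(host, table, vlan_sgt=10 if host.startswith("10.20.0.") else None))
```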

3 Replies

Hi @Rob Ingram 

Thanks for the really quick answer!
Yes, indeed the matrix (containing my SGACLs) is defined (configured from DNA Center and pushed to Cisco ISE, to allow my switches to use it).
The default fallback is "Deny IP Log".
For some of my tags, I have a permit IP (generally, if managed above by a firewall, or for communication to network devices).
For some tags, I have specific ACLs.

In this case, there is no ACL associated with the SGTs used (so 10 and 23), so it should be the default "Deny IP Log".

I tested by enabling "Permit IP Log" on the rule from/to Unknown (0) to my second server (10) and I can see the traffic (with 0, which is indeed not normal).

Does someone have any news on this ?