SGTs per IP

Hi All,


I am new to TrustSec and I'm trying to determine if enforcing the following policy with SGTs is the best method.


From our CCTV network, we need to permit access to host on port 8443, and to host on port 2222, and then deny traffic to all other networks. Devices on the CCTV network have been classified and assigned an SGT of 'CCTV' using ISE. Hosts and, have been assigned to two different SGTs (CCTV_Server1, CCTV_Server2). The required security group ACLs and policies have been configured to permit the above access. CCTV to SGT 'unknown' is then used to block all other traffic.


This works OK and fulfils the requirements, however, I have to put the hosts into two separate SGTs to keep access to ports 8443 and 2222 strictly to the required host.


Is there a better way of doing this as assigning SGTs on a per host/IP basis doesn't seem very scalable. Are SGTs intended for this purpose or is using a standard ACL better?


Thank you


Re: SGTs per IP

It's fine to do this so long as you consider SGT scale in your environment. Hardware platforms have a total number of unique endpoint SGTs that they can handle at a given time, and ISE has a 10k limit that I wouldn't want to get anywhere near. Managing the SGACL policy matrix at that size would be brutal.

If these are static IP endpoints and it's a one off thing, a standard ACL would still probably be my choice.
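As an added example (not configuration from the original thread), this shows both approaches discussed above in Cisco IOS-XE syntax: the per-host SGT mapping and SGACL matrix described in the question, and the extended ACL alternative suggested in the reply. SGT numbers, addresses and the VLAN are constructed placeholders, and the deny on the matrix default cell is a caveat the question does not mention. In a real deployment ISE would push the mappings and the matrix rather than them being defined locally on the switch.

```cisco
! Constructed placeholders (hypothetical):
!   SGT 10 = CCTV, SGT 20 = CCTV_Server1, SGT 30 = CCTV_Server2, SGT 0 = Unknown
!   10.50.0.0/16 = CCTV VLAN, 192.0.2.11 = server 1, 192.0.2.12 = server 2
!
! --- Option A: the SGT approach from the question, as a local switch policy ---
! Static IP-to-SGT mappings for the two server hosts (ISE can push these instead)
cts role-based sgt-map 192.0.2.11 sgt 20
cts role-based sgt-map 192.0.2.12 sgt 30
!
! SGACLs carry only protocol/port; source and destination come from the SGT pair
ip access-list role-based CCTV_TO_SERVER1
 permit tcp dst eq 8443
 deny ip
ip access-list role-based CCTV_TO_SERVER2
 permit tcp dst eq 2222
 deny ip
ip access-list role-based DENY_ALL
 deny ip
!
! Bind the SGACLs to matrix cells. The "to 0" (Unknown) cell only matches
! destinations that have no SGT mapping at all; destinations carrying any other
! SGT fall to the matrix default, so that default must also deny for the
! "block everything else" intent to hold.
cts role-based permissions from 10 to 20 CCTV_TO_SERVER1
cts role-based permissions from 10 to 30 CCTV_TO_SERVER2
cts role-based permissions from 10 to 0 DENY_ALL
cts role-based permissions default DENY_ALL
cts role-based enforcement
!
! --- Option B: the standard ACL the reply suggests for static, one-off hosts ---
ip access-list extended CCTV_OUTBOUND
 permit tcp 10.50.0.0 0.0.255.255 host 192.0.2.11 eq 8443
 permit tcp 10.50.0.0 0.0.255.255 host 192.0.2.12 eq 2222
 deny ip 10.50.0.0 0.0.255.255 any log
!
interface Vlan50
 description CCTV network gateway (placeholder)
 ip access-group CCTV_OUTBOUND in
```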

Re: SGTs per IP

Hi Damien,


Thanks for the response, that makes sense.


I'm also trying to work out if it is possible to block traffic to all private/RFC1918 networks using SGTs. For example, I also have a policy that should allow https to all external/unknown destinations, but block to internal networks. Is it possible/common to map, and to an SGT, for example, Private_Networks?