cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1029
Views
5
Helpful
2
Replies

Sharing IP-SGT-Mappings between Switches with inline propagation

rmueller@cisco.com
Cisco Employee
Cisco Employee

Hi all,

 

I have a maybe basic question about SGACL-enforcement locally on access switches:

Let’s assume I have two access-switches within a L2-deployment (Access-Switch A and Access-Switch B).

On Access-Switch A User_a is being authenticated, he get’s SGT 10. The switch downloads SGACL for SGT 10 from ISE, and the switch also has the SGT-to-ip mapping for User_a.

On Access-Switch B User_b is being authenticated, he get’s SGT 20. The switch downloads SGACL for SGT 20 from ISE, and the switch also has the SGT-to-ip mapping for User_b.

Propagation method is inline tagging.

 

Now the SGACL denies communication between SGT 10 and SGT 20. If the packet now is sourced on access-switch A, how does access-switch A know about the SGT-to-ip mapping for User_b, which is stored locally on switch B?

 

Thanks in advance.

 

Roland

1 Accepted Solution

Accepted Solutions

jeaves@cisco.com
Cisco Employee
Cisco Employee

Hi Roland,

it doesn't know of the remote mapping.

Remember that the technology is built for egress enforcement.

So, traffic flows from A to B, the A side doesn't know of the B mapping so there can't be any enforcement on the A side for this flow. However, switch A inserts the source SGT into the L2 frame (inline propagation) for the packets sent to B. The B switch reads the source SGT off the wire, has the destination SGT and can enforce.

So, egress enforcement on B.

In the other direction it's the same - egress enforcement at A.

If you want/need to do ingress enforcement then you have to propagate the destination mappings back to the source (using something like SXP) but that doesn't scale.

Cheers, Jonothan.

View solution in original post

2 Replies 2

jeaves@cisco.com
Cisco Employee
Cisco Employee

Hi Roland,

it doesn't know of the remote mapping.

Remember that the technology is built for egress enforcement.

So, traffic flows from A to B, the A side doesn't know of the B mapping so there can't be any enforcement on the A side for this flow. However, switch A inserts the source SGT into the L2 frame (inline propagation) for the packets sent to B. The B switch reads the source SGT off the wire, has the destination SGT and can enforce.

So, egress enforcement on B.

In the other direction it's the same - egress enforcement at A.

If you want/need to do ingress enforcement then you have to propagate the destination mappings back to the source (using something like SXP) but that doesn't scale.

Cheers, Jonothan.

Jonathan,

 

thank you very much - this explains it!

 

Roland