08-03-2018 02:58 AM
Hi all,
I have a maybe basic question about SGACL-enforcement locally on access switches:
Let's assume I have two access switches within a L2 deployment (Access-Switch A and Access-Switch B).
On Access-Switch A, User_a is being authenticated and gets SGT 10. The switch downloads the SGACL for SGT 10 from ISE, and the switch also has the SGT-to-IP mapping for User_a.
On Access-Switch B, User_b is being authenticated and gets SGT 20. The switch downloads the SGACL for SGT 20 from ISE, and the switch also has the SGT-to-IP mapping for User_b.
Propagation method is inline tagging.
Now the SGACL denies communication between SGT 10 and SGT 20. If the packet is sourced on Access-Switch A, how does Access-Switch A know about the SGT-to-IP mapping for User_b, which is stored locally on switch B?
Thanks in advance.
Roland
08-03-2018 03:33 AM
Hi Roland,
It doesn't know of the remote mapping.
Remember that the technology is built for egress enforcement.
So, traffic flows from A to B; the A side doesn't know of the B mapping, so there can't be any enforcement on the A side for this flow. However, switch A inserts the source SGT into the L2 frame (inline propagation) for the packets sent to B. The B switch reads the source SGT off the wire, has the destination SGT and can enforce.
So, egress enforcement on B.
In the other direction it's the same - egress enforcement at A.
If you want/need to do ingress enforcement then you have to propagate the destination mappings back to the source (using something like SXP) but that doesn't scale.
Cheers, Jonothan.
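The egress-enforcement model from Jonothan's answer, as an added toy simulation that is not from the thread or from any Cisco code: each switch holds only the IP-to-SGT mappings of its locally authenticated hosts, the source switch stamps the source SGT inline, and the SGACL can only be applied where the destination mapping exists. The IP addresses, SGT values and the SXP helper are constructed for illustration.

```python
from dataclasses import dataclass

PERMIT, DENY, FORWARD = "permit", "deny", "forward"


@dataclass
class Switch:
    """Access switch with the TrustSec state the thread describes."""
    name: str
    ip_to_sgt: dict   # IP -> SGT, learned from hosts authenticated on this switch
    sgacl: dict       # (src_sgt, dst_sgt) -> action, downloaded from ISE

    def classify(self, pkt):
        """Ingress on the source switch: stamp the source SGT into the frame (inline tagging)."""
        return {**pkt, "sgt": self.ip_to_sgt[pkt["src_ip"]]}

    def enforce(self, frame):
        """SGACL lookup. Needs the destination SGT, which only a switch holding
        the destination's IP-to-SGT mapping can supply."""
        dst_sgt = self.ip_to_sgt.get(frame["dst_ip"])
        if dst_sgt is None:
            return FORWARD  # no destination mapping here: nothing to enforce against
        return self.sgacl.get((frame["sgt"], dst_sgt), PERMIT)


def send(src_sw, dst_sw, pkt):
    """Return (SGT carried inline, decision at the source switch, decision at the egress switch)."""
    frame = src_sw.classify(pkt)
    return frame["sgt"], src_sw.enforce(frame), dst_sw.enforce(frame)


def sxp_propagate(speaker, listener):
    """Constructed stand-in for SXP: copy the speaker's mappings to the listener
    so the listener can enforce on ingress as well."""
    listener.ip_to_sgt.update(speaker.ip_to_sgt)


# Constructed sample: the SGACL denies SGT 10 <-> SGT 20; addresses are made up.
SGACL = {(10, 20): DENY, (20, 10): DENY}
USER_A, USER_B = "10.1.1.10", "10.1.2.20"


def build():
    """Switch A knows only User_a, switch B knows only User_b."""
    return Switch("A", {USER_A: 10}, dict(SGACL)), Switch("B", {USER_B: 20}, dict(SGACL))


if __name__ == "__main__":
    a, b = build()
    print(send(a, b, {"src_ip": USER_A, "dst_ip": USER_B}))  # (10, 'forward', 'deny'): egress on B
    print(send(b, a, {"src_ip": USER_B, "dst_ip": USER_A}))  # (20, 'forward', 'deny'): egress on A
    sxp_propagate(b, a)
    print(send(a, b, {"src_ip": USER_A, "dst_ip": USER_B}))  # (10, 'deny', 'deny'): A can now drop on ingress
```

The last call shows the cost of ingress enforcement the answer mentions: every destination mapping has to be pushed to every potential source switch before it can decide locally.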
08-06-2018 08:20 AM
Jonothan,
thank you very much. This explains it!
Roland