
Trustsec dynamic SGT mapping without device tracking



I am trying to enable TrustSec on the switchports of a C1100 series router. Everything works if I assign a static SGT mapping to a client IP. If I want to assign SGT tags dynamically via MAB, I can see in the authentication session that the SGT is assigned, but since the C1100 has no "ip device tracking" support, the SGT mapping table shows no entry for the client IP.


Is IP device tracking always mandatory to make that work? Would DHCP snooping alone be sufficient to get the mapping entry?

VIP Collaborator

Re: Trustsec dynamic SGT mapping without device tracking

If you want to dynamically assign the SGTs, you will need to run both DHCP snooping and device-tracking. Upon successful authc/authz, endpoints will be associated with an SGT on your access/edge devices via DHCP snooping and device-tracking. Good luck & HTH!

VIP Advisor

Re: Trustsec dynamic SGT mapping without device tracking

DHCP snooping is not a requirement for TrustSec; it's just recommended. This is because device sensor/profiling is important when deploying ISE, and other non-TrustSec NAD security features can leverage it. Even then, DHCP snooping is still optional for profiling, since you can obtain the same information using IP helpers. If you don't need snooping for other on-NAD security features, you can skip it.

I hopped on a C1100; it doesn't support device sensor or IPDT, but it does appear to support TrustSec transit and enforcement functionality. A bit of a letdown, considering it would be a reasonably good remote platform. It's not listed in the TrustSec capability matrix 6.5; not sure if it was just an oversight or intentional.