cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2367
Views
0
Helpful
2
Replies

Trustsec dynamic SGT mapping without device tracking

Is101008
Level 4
Level 4

Hi

 

i try to enable trustsec on the switchports of a C1100 series router. Everything is working if i assign a static SGT mapping to a client IP. If i want to assign SGT tags dynamically via MAB i can see in the authentication session that the SGT is assigned but since the C1100 has no "ip device tracking" support the sgt mapping table shows no entry for the client IP.

 

Is ip device tracking always mandatory to make that work ? Would dhcp snooping alone be sufficient to get the mapping entry ?

2 Replies 2

Mike.Cifelli
VIP Alumni
VIP Alumni
If you want to dynamically assign the SGTs you will need to run both dhcp snooping and device-tracking. Upon successful authc/authz endpoints will be associated with an SGT on your access/edge devices via dhcp snooping and device-tracking. Good luck & HTH!

DHCP Snooping is not a requirement for TrustSec, it's just recommended. This is because device sensor/profiling is important when deploying ISE and other non TrustSec NAD security features can leverage it. Even then, DHCP snooping is still optional for profiling since you can obtain the same information using ip helpers. If you don't need snooping for other on NAD security features, you can skip it.

I hopped on a c1100, it doesn't support device sensor, or IPDT, but it does appear to support TrustSec transit and enforcement functionality. A bit of a let down considering it would be a reasonable good remote platform. It's not listed in the TrustSec capability matrix 6.5, not sure if it was just an oversight or intentional.