TrustSec Matrix population

Josh Morris
Level 3

I am making the transition to SGT/SGACL for enforcement. When I create an SGT, it auto populates in the matrix. I have found this a bit difficult to work with because I am trying to slowly phase in. So I have the following questions. 

  1. If a tag is present in the source/destination but has no SGACL applied, does that mean there is no enforcement or propagation to the switch? My default action is permit.
  2. I found that if I look in the source tree section instead of the matrix that I can add or remove the entire line of the matrix instead of cell by cell. In order to keep the policy optimized, is this the right approach? Should I only have source/destinations that I actually need policy for?

Example: I will not have a BYOD policy yet, but I want the tag. So I started out going into each cell for BYOD and making sure there was no SGACL applied. But then I found that by going to the source tree I could remove BYOD completely as a source. Which is the right option?


Accepted Solution

Rodrigo Diaz
Cisco Employee

Hi @Josh Morris, answering your queries.

1. If you don't have an SGACL assigned between tags X and Y, your assumption is correct: the default SGACL that you have configured in the matrix applies in that place (in your scenario, the default permit).

2. Your approach is correct; in both scenarios, from the matrix and from the source tree, you can configure the SGACL accordingly. While implementing this kind of enforcement, a specific SGACL can be assigned from X to Y and from Y to X. With the model you are using, you only need to populate the tags you want to enforce.

Let me know if that helped you. 


3 Replies

Thanks @Rodrigo Diaz, this is helpful.

I'm thinking more from a deployment perspective now: would it make the most sense for me to remove all previously configured policy (done initially as I thought it made sense to have it there) and start only with the policy that I'm ready to deploy? Based on my original image, I am not ready to deploy the policy I originally created. So I'm thinking I'll remove it for now, let the traffic hit the default rule of PERMIT, then add policy as I'm ready for it to be active. I also understand that I can change these policies into MONITOR state, which would allow them to report statistics but not enforce traffic.

That plan would work. If you enable monitor mode for the SGACL, that will allow you to perform the testing you need without performing enforcement, and it will give you an idea of whether the counters for the rules you configure are receiving hits. Please refer to this documentation, which might help you: https://community.cisco.com/t5/security-knowledge-base/trustsec-troubleshooting-guide/ta-p/3647576#toc-hId--1008668375
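To make the phase-in logic discussed in this thread concrete (an empty matrix cell falling through to the default permit, removing a whole source row from the source tree, and monitor mode counting hits without enforcing), here is an added Python model of a sparse SGT/SGACL matrix. It is a constructed illustration written for this page, not Cisco ISE or switch code; the tag names, the `Matrix` class and its methods are all assumed.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Matrix:
    """Sparse TrustSec policy matrix: only cells that carry an SGACL are stored.

    Constructed model (not Cisco code). A (src, dst) pair with no cell falls
    through to the matrix default, which is the phase-in approach from the
    thread: default permit, and policy populated only where it is ready.
    """
    default: str = "permit"                          # matrix default SGACL
    cells: dict = field(default_factory=dict)        # (src, dst) -> (action, monitor)
    counters: Counter = field(default_factory=Counter)

    def assign(self, src: str, dst: str, action: str, monitor: bool = False) -> None:
        """Populate one cell, optionally in monitor mode."""
        self.cells[(src, dst)] = (action, monitor)

    def remove_source(self, src: str) -> None:
        """Drop every cell for a source tag, like removing the row in the source tree."""
        for key in [k for k in self.cells if k[0] == src]:
            del self.cells[key]

    def evaluate(self, src: str, dst: str) -> str:
        """Return the enforced action for a src->dst flow and record the hit."""
        cell = self.cells.get((src, dst))
        if cell is None:
            # No SGACL between these tags: the matrix default applies.
            self.counters[("default", src, dst)] += 1
            return self.default
        action, monitor = cell
        if monitor:
            # Monitor mode: the hit is counted against the configured
            # action, but the flow is permitted rather than enforced.
            self.counters[("monitor-" + action, src, dst)] += 1
            return "permit"
        self.counters[(action, src, dst)] += 1
        return action


def phase_in_demo() -> dict:
    """Walk through the thread's scenario and return the observed decisions."""
    m = Matrix(default="permit")
    m.assign("BYOD", "Servers", "deny")                 # policy created early
    before = m.evaluate("BYOD", "Servers")              # enforced: deny
    m.remove_source("BYOD")                             # not ready: remove the row
    after = m.evaluate("BYOD", "Servers")               # falls to default: permit
    m.assign("Guests", "Servers", "deny", monitor=True) # stage the next rule
    staged = m.evaluate("Guests", "Servers")            # counted, not enforced
    return {"before": before, "after": after, "staged": staged,
            "monitor_hits": m.counters[("monitor-deny", "Guests", "Servers")]}
```

The `monitor-*` counters play the role of the per-SGACL hit counters the reply refers to, which on a switch you would read with `show cts role-based counters`.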