11-25-2022 09:23 AM - edited 11-25-2022 10:26 AM
Hi guys
I have some questions on TrustSec.
Can the tag be carried in IP packets, or is it via the L2 CMD field only?
If L3, what field is it?
Why do we need SXP? Is it for sharing IP-to-SGT mappings? What happens if we don't have it; is that where inline tagging has to be used?
Where does the SXP IP-to-SGT map normally come from? Is it from ISE?
Where does the policy for the SGACL get pulled from? Is it Cisco ISE?
Do all switches need to talk to Cisco ISE to pull the policy, if so?
Are these SGACLs pulled when the switch is added to ISE?
Does the policy look like an ACL on the switch?
Can the SGACL be viewed from the switch?
Is there a limit on the number of SGACLs, similar to ACL limits due to TCAM space?
Cheers
12-11-2022 03:18 PM
Please first review the ISE webinars on
12-13-2022 02:14 PM
As @hslai said, we covered a lot of these topics in this ISE Webinar. Jonathan also points you to the Cisco Segmentation Strategy document.
Speaker: Jonathan Eaves, Technical Marketing Engineer
01:20 Where to Start : Cisco Segmentation Strategy
03:35 Intent is Unclear with IP ACLs
04:45 Security Groups and Security Group Tags (SGTs)
05:37 Business Intent is clear with groups in the CLI
07:41 Classification | Propagation | Enforcement
10:51 Source and Destination Groups for Group-Based Policies
11:31 Use 802.1X or MAB to Dynamically Classify Endpoints with SGTs for Visibility
15:48 Visibility/Classification Scenario Demo Overview
16:48 - ISE Policy and Catalyst 9300 Initial State (CTS == Cisco TrustSec)
18:35 - Doctor Authentication on Gig1/0/2
19:24 - IP-to-SGT Mapping
19:35 - ISE LiveLogs
20:04 - ISE SXP Mapping Table
20:50 - Switch Configuration Reference
21:03 Switch Configuration for Enforcement:
cts credentials id {id} password {password}
show cts credentials
show cts pac
show cts environment-data
22:58 Dynamic Group Policy Download from ISE for Enforcement at Egress
26:03 Enforcement Demo
26:08 - ISE TrustSec Policy Matrix
show cts pac
show cts environment-data
show auth sessions
show auth session interface {interface} details
show cts role-based sgt-map all
show cts role-based permissions
27:33 - Enable Scanner
27:47 - ISE LiveLogs
show auth session mac {mac} details
show cts role sgt-map all
show cts role-based permissions
show cts role-based counters
30:01 - Change SGACL in ISE from permit ip to deny ip
31:12 Enforcement on Multiple Platforms
34:07 Peer-to-Peer SXP (SGT-to-IP Exchange Protocol)
35:08 SXP from ISE
35:35 IP-to-SGT Propagation Options: SXP, pxGrid, Inline Tagging, WAN protocols, VXLAN
37:26 SXP Propagation and Enforcement: Doctors and Cameras
40:16 - Add Propagation from ISE to the Destination Switch
41:13 - Add SXP to Destination Switch
show cts sxp connections brief
cts sxp connection peer {ip} source {ip} password {password} mode local listener
show cts role-based sgt-map all
43:58 - Change and Deploy Updated Group Policy in ISE
44:29 Demo: Inline Tagging Propagation and Enforcement (manual/static configuration)
cts manual policy static sgt 2 trusted
47:35 - Monitor Capture:
monitor capture {name} interface {interface} both
monitor capture {name} match any
monitor capture {name} clear
monitor capture {name} start
monitor capture {name} stop
monitor capture {name} buffer | include ICMP
monitor capture {name} buffer detail | begin frame {#}
49:34 Best Practices for Enforcement Design:
Assets ~ Classification Mechanism ~ Enforcement Points ~ Propagation Methods
51:15 Cisco DNAC with AI Endpoint Analytics
52:54 ISE Resources and Related Documents
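An added illustration of the Classification | Propagation | Enforcement flow listed in the outline above (not code from this answer, the webinar, or Cisco): an egress enforcement point looks up the destination SGT in its own IP-to-SGT binding table, and takes the source SGT either from an inline CMD tag on the frame or from a binding learned over SXP; the SGT numbers, addresses and the single SGACL matrix cell are constructed sample data.

```python
# Added illustration of TrustSec egress enforcement (not code from the webinar
# or Cisco). SGT values and addresses below are constructed sample data.
from dataclasses import dataclass, field

UNKNOWN_SGT = 0             # TrustSec reserves SGT 0 for "Unknown"
DOCTORS, CAMERAS = 10, 20   # constructed SGT numbers for the two demo groups


@dataclass
class EgressSwitch:
    """Enforcement point: holds IP-to-SGT bindings and the SGACL matrix."""
    # ip -> (sgt, source); source is LOCAL (802.1X/MAB session) or SXP
    bindings: dict = field(default_factory=dict)
    # (src_sgt, dst_sgt) -> "permit" or "deny", as downloaded from ISE
    matrix: dict = field(default_factory=dict)
    default_action: str = "permit"   # applies when no matrix cell matches

    def learn(self, ip, sgt, source):
        self.bindings[ip] = (sgt, source)

    def resolve(self, ip, inline_sgt=None):
        """Return (sgt, how). A tag carried inline in the frame wins; otherwise
        use a learned binding; otherwise the address is Unknown."""
        if inline_sgt is not None:
            return inline_sgt, "INLINE"
        if ip in self.bindings:
            return self.bindings[ip]
        return UNKNOWN_SGT, "NONE"

    def enforce(self, src_ip, dst_ip, inline_sgt=None):
        """Decide a flow at egress: the destination SGT comes from a local
        binding, the source SGT from the inline tag or an SXP/local binding."""
        src_sgt, how = self.resolve(src_ip, inline_sgt)
        dst_sgt, _ = self.resolve(dst_ip)
        action = self.matrix.get((src_sgt, dst_sgt), self.default_action)
        return action, src_sgt, dst_sgt, how


def build_demo_switch(with_sxp=True):
    """Destination switch with a locally attached camera; the doctor's
    IP-to-SGT binding is only present when SXP propagation is enabled."""
    sw = EgressSwitch(matrix={(DOCTORS, CAMERAS): "deny"})
    sw.learn("10.2.0.50", CAMERAS, "LOCAL")      # constructed camera address
    if with_sxp:
        sw.learn("10.1.0.10", DOCTORS, "SXP")     # constructed doctor address
    return sw


if __name__ == "__main__":
    for sxp in (True, False):
        print("sxp" if sxp else "no sxp",
              build_demo_switch(sxp).enforce("10.1.0.10", "10.2.0.50"))
    # Without SXP, an inline CMD tag on the frame still allows enforcement.
    print("inline", build_demo_switch(False).enforce(
        "10.1.0.10", "10.2.0.50", inline_sgt=DOCTORS))
```

Without either an SXP binding or an inline tag the source resolves to Unknown (SGT 0) and the Doctors-to-Cameras deny cell is never hit, which is the gap the propagation options in the outline exist to close.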