Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
633
Views
0
Helpful
3
Replies

TrustSec, SGACL 3750-X

alexandremoreau
Level 1
Level 1

‎06-06-2016 05:41 AM - edited ‎03-10-2019 11:50 PM

Hello,

I'm currently setting up a lab / PoC environment for one of my customer around TrustSec and SGACL.

The topology is pretty simple as the lab is composed of an access switch (2960-X) and a distribution switch (3750-X), connected to the customer's LAN.

The versions running on both devices are the following:

 - C2960-X: 15.2(2) E2

 - C3750-X: 15.2(4)E1

The aim of the PoC is also quite basic, as I want to restrict access from the PoC environment to the corporate network, by using SGT and SGACL filtering on the PoC distribution switch.

According to my investigation, the 3750-X is aware of the Tags assigned to the Guest PC (dynamically via an ISE policy) and to a server in the customer's Datacenter (statically assigned via mapping in the ISE console). It is also aware of the SGACL accordingly to the TrustSec policy matrix configured in the ISE console.

Despite of that, no traffic seems to be blocked by my policies, as I can still launch an RDP session from my Guest PC to my corporate server.

Could anybody have a look to my configs and outputs, and maybe give me some inputs to identify if I missed something into the configuration, of even in the way it should work ?

Thanks and Regards.

A.

Labels:
Preview file
8 KB
Preview file
25 KB
Preview file
9 KB
0 Helpful
3 Replies 3

aevans
Level 1
Level 1

‎11-24-2016 01:50 PM

Hi,

Did you manage to get this resolved? I am having a similar issue in my lab where the SGACLS seem to be ignored within the matrix but the default rule is being hit. I know this to be true as I have configured an SGACL to deny ICMP and permit the rest of the traffic. I have tested by changing this rule multiple times.

It looks to me like my tags are not being honoured within my network but I'm not sure why.

Cheers

Ant

0 Helpful

alexandremoreau
Level 1
Level 1
In response to aevans

‎11-28-2016 02:55 AM

Hi,

Unfortunately, I have no feedback yet that might help.

However, I am still in touch with Cisco TAC in parallel, so I hope I'll be able to get back to you with some answers.

Regards

0 Helpful

Chillard
Level 1
Level 1
In response to alexandremoreau

‎06-27-2018 08:55 PM

Its been a while but did you ever get this fixed ?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents