Trustsec SGT - Overlapping Addresses

Eoin.Quinn
Level 1

Hi All

Would anyone be able to clarify how Trustsec policies handle overlapping addresses?

I'm looking at building out a policy in our environment, but we have some things that might need to talk to devices on 1 or 2 internal subnets (e.g. 10.1.1.0/24 and 10.1.2.0/24) and then shouldn't be able to talk to anything else internal (e.g. 10.0.0.0/24) but also need to talk externally to a dynamic cloud service.

I was considering having 1 SGT permitted for the internal allowed, a second denied for private address ranges, then permitting unknown.

Would this be the correct way to approach this?

Thanks!

1 Accepted Solution

Damien Miller
VIP Alumni

As far as IP-SGT overlapping goes, a more specific IP-SGT binding such as a /32 will match over a subnet IP-SGT mapping.

ex. I can advertise out a /24 subnet mapping, but an endpoint within that subnet can be assigned a specific SGT from ISE during authentication. The /32 will apply assuming it is either carried inline or shared to the correct locations via SXP.

However, I think you are asking more about the creation of overlapping policy goals. Keep in mind that TrustSec on its own is not an IP-aware technology; it is addressing-agnostic in its enforcement. The only thing that matters is the SGT-to-SGT flow; what IPs those packets have is not considered in an SGACL. For this reason, you need a specific SGACL for each variation of access policy you wish to create, and as many SGTs as needed to make it work.

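To make the two points in the answer concrete, here is a small added model (not code from the thread, ISE or any Cisco product) of how a TrustSec enforcement point behaves: the IP-to-SGT table is resolved by longest prefix, so a /32 binding wins over a /24 and a /24 wins over a covering /8, and the SGACL is then looked up purely on the (source SGT, destination SGT) pair. The SGT names, the 10.0.0.0/8 "private" binding and the 10.1.1.50/32 endpoint binding are constructed for the example.

```python
import ipaddress

# Constructed IP-SGT bindings as an enforcement point would learn them from
# ISE or via SXP. Overlap is intentional: the /24s sit inside the /8 and the
# /32 sits inside one of the /24s. Longest prefix wins, as the answer says.
IP_SGT_BINDINGS = {
    "10.0.0.0/8": "Private_Denied",      # broad "private ranges" binding
    "10.1.1.0/24": "Internal_Allowed",   # the two subnets the app may reach
    "10.1.2.0/24": "Internal_Allowed",
    "10.1.1.50/32": "Servers",           # endpoint-specific SGT from authentication
}

# SGACL matrix keyed by (source SGT, destination SGT). Addresses never appear
# here: enforcement only sees tags. Unlisted pairs fall to the default action,
# which models "permit Unknown" so the dynamic cloud service is reachable.
SGACL = {
    ("App", "Internal_Allowed"): "permit",
    ("App", "Private_Denied"): "deny",
    ("App", "Servers"): "deny",
}
DEFAULT_ACTION = "permit"


def resolve_sgt(ip: str) -> str:
    """Longest-prefix match over the IP-SGT table; 'Unknown' if nothing matches."""
    addr = ipaddress.ip_address(ip)
    best_net, best_sgt = None, "Unknown"
    for prefix, sgt in IP_SGT_BINDINGS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_sgt = net, sgt
    return best_sgt


def sgacl_action(src_sgt: str, dst_sgt: str) -> str:
    """SGT-to-SGT lookup only; the packet's IPs are not consulted."""
    return SGACL.get((src_sgt, dst_sgt), DEFAULT_ACTION)


def enforce(src_sgt: str, dst_ip: str) -> str:
    """Classify the destination, then apply the SGACL for the tag pair."""
    return sgacl_action(src_sgt, resolve_sgt(dst_ip))


if __name__ == "__main__":
    for dst in ("10.1.2.3", "10.1.1.50", "10.0.0.9", "203.0.113.5"):
        print(dst, resolve_sgt(dst), enforce("App", dst))
```

Running it shows why one broad "deny private ranges" SGT cannot carve out exceptions by itself: every distinct access outcome needs its own destination SGT, and the binding table, not the SGACL, decides which tag an address gets.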

2 Replies

Thanks Damien,

That's exactly what I was looking for. Thanks for your help!