08-17-2020 06:39 PM
Hello ISE and TrustSec experts,
Can you please provide explanations or, better, point towards a Cisco guide explaining the numbering suffixes for SGTs?
Why on most occasions does an SGT end with the -00 suffix, but not always?
For example, for the default TrustSec_Devices SGT #2 I have seen 2-17 and 2-77 and some other values.
Is this some kind of version? It does not make sense for a locally defined SGT. Here is one example from the old-but-gold Katherine McNamara blog: http://www.network-node.com/blog/2016/8/9/ise-21-switch-and-wireless-controller-trustsec-configuration. I see the same with my 3850 devices.
I have seen ACL versions (ISE increments the ACL version by 10 on each push), but this is definitely not the case with SGTs.
08-17-2020 09:48 PM
08-18-2020 07:58 AM
Thank you very much for sharing the info and the correct keywords; your help is much appreciated. I will try to research the subject further. A quick Google search did not provide in-depth details, so I will try to explore the wisdom of the crowd further.
I understand what the Generation ID is and why it can be incremented when there is a change on the ISE server.
But why and how does it get updated for the "Local Device SGT"? Any suggestion on how the generation ID got incremented to 77? I can see ACL generation IDs incrementing by 10; what about SGTs?
Below is a real example from the network:
MYBOX#show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
SGT tag = 2-77:Trustsec_Devices
Server List Info:
Installed list: CTSServerList1-0008, 2 server(s):
*Server: 10.nnnnnn
Status = ALIVE
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
*Server: 10.kkkkkk
Status = ALIVE
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
0-00:Unknown
2-00:Trustsec_Devices
MYBOX#show run | i cts
...
cts cache enable
cts authorization list trustsec
cts sgt 2
cts role-based enforcement
cts role-based enforcement vlan-list 1,2,3,4
cts sxp enable
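As an added example (not from this thread, and not Cisco's own tooling): a small parser for the show cts environment-data output above that pulls the tag and its suffix out of the Local Device SGT line, the server-list version and the Security Group Name Table, and reports when the local SGT's suffix differs from the name-table entry, so a 2-77 versus 2-00 case can be spotted across many switches from collected output rather than by eye. The sample output is constructed from the post (server addresses are placeholders), and the suffix is treated as the Generation ID the replies refer to.

```python
import re

# Constructed sample modelled on the show cts environment-data output in the post
SAMPLE = """\
MYBOX#show cts environment-data
Current state = COMPLETE
Local Device SGT:
  SGT tag = 2-77:Trustsec_Devices
Server List Info:
  Installed list: CTSServerList1-0008, 2 server(s):
   *Server: 10.0.0.1
    Status = ALIVE
Security Group Name Table:
    0-00:Unknown
    2-00:Trustsec_Devices
"""

# tag-generation:name, e.g. 2-77:Trustsec_Devices
SGT_RE = re.compile(r"(\d+)-(\d+):(\S+)")


def parse_env_data(text):
    """Return the local SGT, the server-list generation and the name-table entries."""
    result = {"local": None, "server_list": None, "names": {}}
    in_names = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("SGT tag ="):
            m = SGT_RE.search(s)
            result["local"] = (int(m.group(1)), int(m.group(2)), m.group(3))
        elif s.startswith("Installed list:"):
            m = re.search(r"(\S+)-(\d+),", s)  # CTSServerList1-0008 -> name, generation
            result["server_list"] = (m.group(1), int(m.group(2)))
        elif s.startswith("Security Group Name Table:"):
            in_names = True
        elif in_names:
            m = SGT_RE.fullmatch(s)
            if m:  # table rows are indented tag-gen:name lines until the next section
                result["names"][int(m.group(1))] = (int(m.group(2)), m.group(3))
            else:
                in_names = False
    return result


def check_local_sgt(parsed):
    """Flag a local device SGT whose generation differs from its name-table entry."""
    tag, gen, _name = parsed["local"]
    table_gen, _ = parsed["names"].get(tag, (None, None))
    if table_gen is None:
        return [f"local SGT {tag} missing from name table"]
    if gen != table_gen:
        return [f"SGT {tag} generation {gen} vs table {table_gen}"]
    return []
```

Run it over saved output from each switch and compare the findings; a differing generation on one device is worth checking against the ISE-side SGT history for that tag.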