3214 Views | 5 Helpful | 2 Replies

Trustsec SGT suffixes e.g. ID 2-## - what is the number after minus in "show cts environment-data"

SergGu
Level 1

Hello ISE and TrustSec experts,

Can you please provide explanations or, better, point towards a Cisco guide explaining the numbering suffixes for SGTs?

Why does an SGT end with the -00 suffix on most occasions, but not always?

For example, for the default Trustsec_Devices SGT #2 I have seen 2-17 and 2-77 and some other values.

Is this some kind of version? It does not make sense for a locally defined SGT. Here is one example from the old-but-gold Katherine McNamara blog: http://www.network-node.com/blog/2016/8/9/ise-21-switch-and-wireless-controller-trustsec-configuration I see the same with my 3850 devices.

I have seen ACL versions (ISE increments the ACL version by 10 on each push). But this is definitely not the case with SGTs.

Accepted Solution

Damien Miller
VIP Alumni

The suffix after the SGT is the "generation ID" of the SGT as determined by ISE. On the network device it is displayed in hex, but ISE keeps track of these in decimal. You can see it listed if you go to edit an SGT. You often see zeros in examples because screenshots are taken in new environments that often don't have operational changes. ISE will change the generation ID of an SGT when an SGACL's contents are modified. This process is to assist the network device: if an update is received via push from ISE or via pull during environment refresh, it compares the generation IDs and from that is able to determine if it also needs to request/pull an updated SGACL.


2 Replies


Thank you very much for sharing the info and the correct keywords. Your help is much appreciated. I will try to research more on the subject. A quick Google search did not provide in-depth details, therefore I will try to explore the wisdom of crowds further.

I realize what the Generation ID is and why it can be incremented when there is a change on the ISE server.

But why and how does it get updated on the "Local Device SGT"? Any suggestion on how the generation ID got incremented to 77? I can see ACL generation IDs are incrementing by 10; what about SGTs?

Below is a real example from the network:


MYBOX#show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
SGT tag = 2-77:Trustsec_Devices
Server List Info:
Installed list: CTSServerList1-0008, 2 server(s):
*Server: 10.nnnnnn
Status = ALIVE
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
*Server: 10.kkkkkk
Status = ALIVE
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
0-00:Unknown
2-00:Trustsec_Devices


MYBOX#show run | i cts
...

cts cache enable
cts authorization list trustsec
cts sgt 2
cts role-based enforcement
cts role-based enforcement vlan-list 1,2,3,4
cts sxp enable
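
The following is an added example (not from this thread, Cisco ISE or IOS) that applies the accepted answer to output like the paste above: the suffix after the SGT number is the generation ID, printed in hex by the switch and tracked in decimal by ISE. The script parses the "Local Device SGT" line and the "Security Group Name Table" entries, converts each suffix (0x77 is 119, 0x17 is 23) and reports when the local device SGT carries a different generation ID from the name-table entry for the same SGT, so the two values that the device is described as comparing can be seen side by side. The sample text is constructed from the paste, with RFC 5737 documentation addresses in place of the elided server IPs; what a mismatch on the local device SGT actually means is the question the thread leaves open.

```python
"""Decode SGT generation IDs from 'show cts environment-data' output.

Added example (not from the thread, Cisco ISE or IOS): per the accepted
answer, the suffix after the SGT number is the generation ID, printed in hex
on the switch and stored in decimal on ISE. This parses the output as pasted
in the thread, converts each suffix, and reports a local device SGT whose
generation ID differs from the Security Group Name Table entry for the same
SGT number.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample, modelled on the thread's paste. Server addresses are
# RFC 5737 documentation placeholders, not real ISE nodes.
SAMPLE_OUTPUT = """\
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
SGT tag = 2-77:Trustsec_Devices
Server List Info:
Installed list: CTSServerList1-0008, 2 server(s):
*Server: 192.0.2.10
Status = ALIVE
*Server: 192.0.2.11
Status = ALIVE
Multicast Group SGT Table:
Security Group Name Table:
0-00:Unknown
2-00:Trustsec_Devices
"""

# Matches both "SGT tag = 2-77:Trustsec_Devices" and "2-00:Trustsec_Devices".
SGT_RE = re.compile(r"^\s*(?:SGT tag = )?(\d+)-([0-9A-Fa-f]+):(\S+)\s*$")
SECTION_HEADERS = {
    "Local Device SGT:",
    "Server List Info:",
    "Multicast Group SGT Table:",
    "Security Group Name Table:",
}


@dataclass(frozen=True)
class SgtEntry:
    sgt: int
    gen_id: int        # decimal, the form ISE tracks
    name: str

    @property
    def gen_id_hex(self) -> str:
        """The two-digit hex form the switch prints after the dash."""
        return f"{self.gen_id:02X}"


def parse_sgt_line(line: str) -> Optional[SgtEntry]:
    """Parse one 'sgt-gen:name' line; the generation suffix is hex."""
    m = SGT_RE.match(line)
    if not m:
        return None
    return SgtEntry(int(m.group(1)), int(m.group(2), 16), m.group(3))


def parse_environment_data(text: str) -> Tuple[Optional[SgtEntry], Dict[int, SgtEntry]]:
    """Return (local device SGT, {sgt number: name-table entry})."""
    local: Optional[SgtEntry] = None
    table: Dict[int, SgtEntry] = {}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTION_HEADERS:
            section = stripped
            continue
        entry = parse_sgt_line(stripped)
        if entry is None:
            continue
        if section == "Local Device SGT:":
            local = entry
        elif section == "Security Group Name Table:":
            table[entry.sgt] = entry
    return local, table


def stale_generation(text: str) -> Optional[Tuple[SgtEntry, SgtEntry]]:
    """Return (local, table entry) when their generation IDs differ, else None."""
    local, table = parse_environment_data(text)
    if local is None or local.sgt not in table:
        return None
    other = table[local.sgt]
    return (local, other) if local.gen_id != other.gen_id else None


if __name__ == "__main__":
    local, table = parse_environment_data(SAMPLE_OUTPUT)
    print(f"local SGT {local.sgt} gen 0x{local.gen_id_hex} = {local.gen_id} (ISE decimal)")
    for e in table.values():
        print(f"table SGT {e.sgt} gen 0x{e.gen_id_hex} = {e.gen_id} {e.name}")
    mismatch = stale_generation(SAMPLE_OUTPUT)
    if mismatch:
        print("generation mismatch:", mismatch[0].gen_id, "vs", mismatch[1].gen_id)
```

Run it against a saved copy of your own `show cts environment-data` output to get the ISE-side decimal value to look up when editing the SGT in ISE; on the thread's paste it reports the local SGT at generation 119 (0x77) against 0 in the name table.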
