08-17-2020 06:39 PM
Hello ISE and TrustSec experts,
Can you please provide explanations or better, point towards Cisco guide explaining numbering suffixes for SGT?
Why on most occasions SGT ends with -00 suffix, but not always?
For example, for the default TrustSec_Devices SGT #2 I have seen 2-17 and 2-77 and some other values.
Is this some kind of version? It does not make sense for a locally defined SGT. Here is one example from the old-but-gold Katherine McNamara blog - http://www.network-node.com/blog/2016/8/9/ise-21-switch-and-wireless-controller-trustsec-configuration. I see the same with my 3850 devices.
I have seen ACL versions (ISE increments the ACL version by 10 on each push), but this is definitely not the case with SGTs.
08-17-2020 09:48 PM
08-18-2020 07:58 AM
Thank you very much for sharing the info and the correct keywords. Your help is much appreciated. I will try to research more on the subject. A quick Google search did not provide in-depth details, therefore I will try to explore the wisdom of crowds further.
I realize what the Generation ID is and why it can be incremented when there is a change on the ISE server.
But why and how does it get updated on the "Local Device SGT"? Any suggestion on how the generation ID got incremented to 77? I can see ACL generation IDs incrementing by 10; what about SGTs?
Below is a real example from the network:
MYBOX#show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
SGT tag = 2-77:Trustsec_Devices
Server List Info:
Installed list: CTSServerList1-0008, 2 server(s):
*Server: 10.nnnnnn
Status = ALIVE
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
*Server: 10.kkkkkk
Status = ALIVE
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
0-00:Unknown
2-00:Trustsec_Devices
MYBOX#show run | i cts
...
cts cache enable
cts authorization list trustsec
cts sgt 2
cts role-based enforcement
cts role-based enforcement vlan-list 1,2,3,4
cts sxp enable
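As an added illustration (not part of the thread and not Cisco code), the script below parses the two outputs quoted above: it splits each "<sgt>-<generation>:<name>" string from "show cts environment-data" into its tag number, generation ID and name, picks up the server-list generation and the configured "cts sgt" value from the running config, and reports where the Local Device SGT's generation differs from the entry in the Security Group Name Table. It only surfaces the discrepancy the post asks about so it can be inventoried across devices; it does not claim which value is "correct". The sample text is a constructed, trimmed copy of the poster's output with the same masked addresses, and the function and field names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: trimmed copy of the output quoted in the thread,
# addresses masked exactly as in the post.
SAMPLE_ENV = """\
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
SGT tag = 2-77:Trustsec_Devices
Server List Info:
Installed list: CTSServerList1-0008, 2 server(s):
*Server: 10.nnnnnn
Status = ALIVE
*Server: 10.kkkkkk
Status = ALIVE
Multicast Group SGT Table:
Security Group Name Table:
0-00:Unknown
2-00:Trustsec_Devices
"""

# Constructed sample of `show run | i cts` from the same post.
SAMPLE_RUN = """\
cts cache enable
cts authorization list trustsec
cts sgt 2
cts role-based enforcement
"""

# "<sgt>-<generation>:<name>", optionally prefixed by "SGT tag = " on the local line.
SGT_RE = re.compile(r"^(?:SGT tag = )?(\d+)-(\d+):(\S+)$")


@dataclass(frozen=True)
class SgtEntry:
    sgt: int          # numeric security group tag
    generation: int   # the "-NN" suffix the thread asks about
    name: str         # security group name as downloaded from ISE


def parse_sgt(line):
    """Parse one '<sgt>-<gen>:<name>' line; return None if it is not one."""
    m = SGT_RE.match(line.strip())
    if not m:
        return None
    return SgtEntry(int(m.group(1)), int(m.group(2)), m.group(3))


def parse_environment_data(text):
    """Return (local_sgt, name_table, servers, server_list_generation)."""
    local, table, servers, list_gen, section = None, {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Local Device SGT:":
            section = "local"
            continue
        if line.startswith("Server List Info:"):
            section = "servers"
            continue
        if line == "Security Group Name Table:":
            section = "table"
            continue
        m = re.match(r"Installed list: (\S+)-(\d+), (\d+) server", line)
        if m:
            list_gen = int(m.group(2))  # e.g. CTSServerList1-0008 -> 8
            continue
        if section == "local" and line.startswith("SGT tag ="):
            local = parse_sgt(line)
        elif section == "table":
            entry = parse_sgt(line)
            if entry:
                table[entry.sgt] = entry
        elif section == "servers" and line.startswith("*Server:"):
            servers.append(line.split(":", 1)[1].strip())
    return local, table, servers, list_gen


def parse_configured_sgt(run_text):
    """Return the value of 'cts sgt <n>' from the running config, or None."""
    m = re.search(r"^cts sgt (\d+)$", run_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def compare_local_sgt(env_text, run_text):
    """List the inconsistencies between config, local SGT and name table."""
    local, table, _servers, _gen = parse_environment_data(env_text)
    configured = parse_configured_sgt(run_text)
    findings = []
    if local is None:
        return ["no Local Device SGT present in environment data"]
    if configured is not None and configured != local.sgt:
        findings.append(f"configured cts sgt {configured} differs from local SGT {local.sgt}")
    entry = table.get(local.sgt)
    if entry is None:
        findings.append(f"local SGT {local.sgt} has no entry in the name table")
    elif entry.name != local.name:
        findings.append(f"local SGT {local.sgt} name {local.name} differs from table name {entry.name}")
    elif entry.generation != local.generation:
        findings.append(f"local SGT {local.sgt} generation {local.generation} "
                        f"differs from name table generation {entry.generation}")
    return findings


if __name__ == "__main__":
    for finding in compare_local_sgt(SAMPLE_ENV, SAMPLE_RUN):
        print(finding)
```

Run against the quoted output it reports the 77-versus-00 difference on SGT 2; feeding it the same commands collected from several switches is a cheap way to see whether the suffix moves with ISE pushes or differs per device, which is the question left open in the thread.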