Solved: Re: Using SGT, which SGT should I use for Internet access

rezaalikhani · ‎06-11-2023

Hi all;

Suppose I want to enforce Internet access on ASA based on TrustSec SGTs. In this scenario, which SGT IP mapping I have to create so creating ASA access control list based on that to manage Internet access?

Thanks

thomas · ‎06-20-2023

Classify most things on the network then you can use Unknown/0 for things unknown I.e. internet.

You could explicitly map all internet prefixes to an SGT (subnets to SGT), arduous but do-able.

The best option is to statically map 0.0.0.0/0 to an SGT on your default GWs to the internet. This provides a default route SGT I.e. internet: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-12/configuration_guide/cts/b_1612_cts_9200_cg/configuring_sgt_mapping.html#id_121354

View solution in original post

MHM Cisco World · ‎06-11-2023

You run lab and share result here am I right'

I see in you lab there is v FW in your lab.

rezaalikhani · ‎06-11-2023

Yes, you are right.

thomas · ‎06-20-2023

Classify most things on the network then you can use Unknown/0 for things unknown I.e. internet.

You could explicitly map all internet prefixes to an SGT (subnets to SGT), arduous but do-able.

The best option is to statically map 0.0.0.0/0 to an SGT on your default GWs to the internet. This provides a default route SGT I.e. internet: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-12/configuration_guide/cts/b_1612_cts_9200_cg/configuring_sgt_mapping.html#id_121354

rezaalikhani · ‎06-20-2023

Thanks, very helpful...