GRANT3779
Frequent Contributor

SXP Mappings / IP to MAC - ISE

Hi Folks,


When an SGT is pushed down from ISE to a NAD via Radius as part of a device/user authorisation, will that same NAD send back some information on the IP to MAC binding based on its device tracking information? Just looking to clarify how ISE procures this information once an endpoint authorises itself.

1 ACCEPTED SOLUTION

Accepted Solutions
Rob Ingram
VIP Mentor

Hi @GRANT3779 

ISE will have learnt the IP/MAC binding information, which was collected via DHCP snooping/device tracking and sent to ISE via a RADIUS accounting packet. This is received before ISE authorises the user/endpoint, before ISE assigns the SGT to the session and therefore before the NAD receives the SGT via CoA.


3 Replies
GRANT3779
Frequent Contributor

Thanks Rob, that makes sense. Slightly veering off topic, quick one


Does ISE then automatically add those IP to SGT mappings to its "All SXP Mappings Database" after it authorises an endpoint/user or does that Database only get entries put in if the switch local to those bindings actually sends them to ISE via SXP?

Hopefully makes sense


Cheers

Hi @GRANT3779 

Yes, ISE will create the binding and then add it to its mapping database.

The switch (access layer switch) would not send those bindings to ISE via SXP. 


Optionally, ISE would use SXP to send the bindings to another switch, such as a distribution layer switch that acts as an enforcement point, assuming inline tagging could not be or was not used.


The access layer switch will usually only know about the SGTs for the endpoints connected to itself.
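The session flow described in the two answers above (SGT assigned at authorization, IP learnt from the RADIUS accounting Framed-IP-Address, binding added to ISE's mapping database and then handed to an enforcement switch over SXP) as a small Python model. This is an added example written for this thread, not Cisco ISE code and not from the original posts; the class and method names, the switch addresses, MACs and endpoint IPs are constructed sample data, and only session-learnt bindings are modelled (ISE's real database also holds static and SXP-learnt mappings). The attribute spellings follow RADIUS and Cisco usage: Calling-Station-Id, Framed-IP-Address, Acct-Status-Type, and the AV pair cts:security-group-tag=XXXX-YY with the SGT and its generation in hex.

```python
"""Toy model of how ISE derives IP-to-SGT bindings from a RADIUS session and
what it sends an SXP listener.  Added illustration, not ISE code; all
addresses and MACs are constructed sample input."""

from __future__ import annotations

import re
from dataclasses import dataclass

# cts:security-group-tag=0010-00  ->  SGT 0x0010 (16), generation 0x00
SGT_AVPAIR = re.compile(r"^cts:security-group-tag=([0-9a-f]{4})-([0-9a-f]{2})$", re.I)


def parse_sgt_avpair(avpair: str) -> int:
    """Return the numeric SGT carried in a cts:security-group-tag AV pair."""
    m = SGT_AVPAIR.match(avpair)
    if not m:
        raise ValueError(f"not an SGT AV pair: {avpair!r}")
    return int(m.group(1), 16)


@dataclass
class Session:
    nad: str                 # NAS-IP-Address of the access switch
    mac: str                 # Calling-Station-Id
    sgt: int | None = None   # from authorization (Access-Accept or later CoA)
    ip: str | None = None    # from Framed-IP-Address in accounting


class IseBindingTable:
    """Sessions keyed by (NAD, MAC); bindings keyed by IP, like the
    session-learnt rows of ISE's 'All SXP Mappings' view."""

    def __init__(self) -> None:
        self.sessions: dict[tuple[str, str], Session] = {}
        self.bindings: dict[str, tuple[int, str]] = {}   # ip -> (sgt, nad)

    def _session(self, nad: str, mac: str) -> Session:
        return self.sessions.setdefault((nad, mac), Session(nad, mac))

    def _refresh(self, s: Session) -> None:
        # A binding exists only once both halves are known: the IP from the
        # NAD's accounting (DHCP snooping / device tracking) and the SGT from
        # ISE's own authorization result.  Otherwise drop any stale entry.
        if s.ip and s.sgt is not None:
            self.bindings[s.ip] = (s.sgt, s.nad)
        elif s.ip:
            self.bindings.pop(s.ip, None)

    def authorize(self, nad: str, mac: str, avpairs: list[str]) -> None:
        """Record the SGT ISE assigned to this session (the value it puts in
        the Access-Accept, or pushes afterwards in a CoA)."""
        s = self._session(nad, mac)
        for ap in avpairs:
            if ap.lower().startswith("cts:security-group-tag="):
                s.sgt = parse_sgt_avpair(ap)
        self._refresh(s)

    def accounting(self, nad: str, mac: str, status: str, framed_ip: str | None = None) -> None:
        """Process an Accounting-Request (Acct-Status-Type Start,
        Interim-Update or Stop).  The IP often arrives only in an
        Interim-Update, once the switch has actually seen the address."""
        key = (nad, mac)
        if status == "Stop":
            s = self.sessions.pop(key, None)
            if s and s.ip:
                self.bindings.pop(s.ip, None)      # session gone, binding gone
            return
        s = self._session(nad, mac)
        if framed_ip:
            if s.ip and s.ip != framed_ip:
                self.bindings.pop(s.ip, None)      # endpoint changed address
            s.ip = framed_ip
        self._refresh(s)

    def sxp_update(self) -> list[tuple[str, int]]:
        """What ISE as SXP speaker sends a listener such as a distribution
        switch acting as enforcement point: every IP-to-SGT binding it holds,
        including endpoints that switch never authenticated itself."""
        return sorted((ip, sgt) for ip, (sgt, _nad) in self.bindings.items())


def demo() -> dict[str, list[tuple[str, int]]]:
    """Walk one endpoint through authorize -> Start -> Interim-Update -> CoA,
    with a second endpoint on another access switch, and snapshot the SXP
    view at each stage."""
    ise = IseBindingTable()
    snaps: dict[str, list[tuple[str, int]]] = {}
    ise.authorize("10.1.1.10", "00:11:22:33:44:55", ["cts:security-group-tag=0010-00"])
    ise.accounting("10.1.1.10", "00:11:22:33:44:55", "Start")          # no IP yet
    snaps["after_start"] = ise.sxp_update()
    ise.accounting("10.1.1.10", "00:11:22:33:44:55", "Interim-Update", framed_ip="192.0.2.50")
    snaps["after_interim"] = ise.sxp_update()
    ise.authorize("10.1.1.11", "aa:bb:cc:dd:ee:ff", ["cts:security-group-tag=0005-00"])
    ise.accounting("10.1.1.11", "aa:bb:cc:dd:ee:ff", "Start", framed_ip="192.0.2.60")
    ise.authorize("10.1.1.10", "00:11:22:33:44:55", ["cts:security-group-tag=0014-00"])  # CoA
    snaps["after_coa"] = ise.sxp_update()
    ise.accounting("10.1.1.11", "aa:bb:cc:dd:ee:ff", "Stop")
    snaps["after_stop"] = ise.sxp_update()
    return snaps


if __name__ == "__main__":
    for stage, bindings in demo().items():
        print(f"{stage:14s} {bindings}")
```

The point the model makes is the one in the thread: the SGT alone does not produce a mapping, and neither does an accounting Start without Framed-IP-Address; the binding only appears when the NAD's accounting supplies the address, and it is ISE, not the access switch, that then feeds the enforcement switch over SXP.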