Solved: Re: SXP Mappings / IP to MAC - ISE

GRANT3779 · ‎07-15-2021

Hi Folks,

When an SGT is pushed down from ISE to a NAD via Radius as part of a device/user authorisation, will that same NAD send back some information on the IP to MAC binding based on its device tracking information? Just looking to clarify how ISE procures this information once an endpoint authorises itself.

Rob Ingram · ‎07-15-2021

Hi @GRANT3779

ISE will have learnt the IP/MAC binding information, which was collected via dhcp snooping/device tracking and sent to ISE via a radius accounting packet. This is received before ISE authorises the user/endpoint, before ISE assigns the SGT to the session and therefore before the NAD receives the SGT via CoA.

View solution in original post

Rob Ingram · ‎07-15-2021

Hi @GRANT3779

ISE will have learnt the IP/MAC binding information, which was collected via dhcp snooping/device tracking and sent to ISE via a radius accounting packet. This is received before ISE authorises the user/endpoint, before ISE assigns the SGT to the session and therefore before the NAD receives the SGT via CoA.

GRANT3779 · ‎07-16-2021

Thanks Rob, that makes sense. Slightly veering off topic, quick one

Does ISE then automatically add those IP to SGT mappings to its "All SXP Mappings Database" after it authorises an endpoint/user or does that Database only get entries put in if the switch local to those bindings actually sends them to ISE via SXP?

Hopefully makes sense

Cheers

Rob Ingram · ‎07-16-2021

Hi @GRANT3779

Yes, ISE will create the binding and then adds to it's mapping database.

The switch (access layer switch) would not send those bindings to ISE via SXP.

Optionally, ISE would use SXP to send the bindings to another switch, such as a distribution layer switch that acts as an enforcement point, assuming inline tagging could or was not used.

The access layer switch will usually only know about the SGTs for the endpoints connected to itself.