Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2798
Views
0
Helpful
6
Replies

ISE -SXP domain construct is not allowing Duplicated IP-SGT mappings

Go to solution
grusu
Cisco Employee
Cisco Employee

‎07-05-2018 01:17 AM - edited ‎03-11-2019 01:44 AM

Team , I need some help with SXP config in ISE . We need to duplicate IP-SGT bindings in different VN/VRF's at the borders and we created these via DNAC . In ISE we created different SXP domains one for each VRF at the Borders . However when we map in ISE the IP-SGT bindings to domains first OK while for second we get :

Any feedback or

help highly appreciated

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
grusu
Cisco Employee
Cisco Employee
In response to hslai

‎07-05-2018 07:12 AM

Thank you for reply and looking forward for any feedback .Meanwhile the solution we adopted was to push same IP_SGT binding into multiple domains ....that somehow achieve the same.

Cheers ,

View solution in original post

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to grusu

‎09-07-2018 07:42 PM

This is tracked by CSCuz00603

View solution in original post

0 Helpful
6 Replies 6

Go to solution
hslai
Cisco Employee
Cisco Employee

‎07-05-2018 06:48 AM

This seems a known issue. I will confirm it with the teams.

0 Helpful

Go to solution
grusu
Cisco Employee
Cisco Employee
In response to hslai

‎07-05-2018 07:12 AM

Thank you for reply and looking forward for any feedback .Meanwhile the solution we adopted was to push same IP_SGT binding into multiple domains ....that somehow achieve the same.

Cheers ,

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to grusu

‎07-05-2018 08:41 AM

Great. I am guessing you meant like this:

Screen Shot 2018-07-05 at 8.40.11 AM.png

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to grusu

‎09-07-2018 07:42 PM

This is tracked by CSCuz00603

0 Helpful

Go to solution
Michal Garcarz
Cisco Employee
Cisco Employee
In response to hslai

‎09-08-2018 03:03 AM

Hi Hsing, Krish

Thanks for this link, have not found it before.

Unfortunately my scenario is a bit different then DNA scenario - i can not send the same mapping to two different SXP domains.

That is very interesting that is allowed, while adding "conflicting" mapping not.

I do have a TAC case 685182901 opened and would like to get clarification on our strategy.

If we allow to send the same mapping to multiple SXP domains, why we can not add later the same mapping ? All of them are "duplicated/conflicting". Right ?

It looks like pretty inconsistent approach. Limiting us unnecessarily. Could we have this validation disabled to allow to add duplicated/conflicting mappings ? Do you see any potential risk here ?

 

Thanks,

Michal

 

 

Michal

0 Helpful

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee
In response to Michal Garcarz

‎09-10-2018 04:47 AM

Agreed, this is all allowed on the switch infrastructure, it's just an ISE implementation anomaly.

You can of course just edit the one mapping entry in ISE and enter more SXP domain destinations.

A fix for individual entries needs to be tracked under CSCuz00603 (multiple exceptions in log with unified ip-sgt functional).

0 Helpful
Customers Also Viewed These Support Documents