12-16-2024 11:29 AM
In our SDA deployment we have a Cisco 9300 fabric edge switch which is connected to a Stratix 5700. The Stratix port is an access-layer port and we have STP BPDU guard and filter disabled. With the ISE policies configured on the port we see the MACs show up in ISE, but we cannot ping the devices hooked to the Stratix or the Stratix itself, and they do not show in the ARP table of the 9300. Once the policies are disabled on the 9300 port we are able to ping. Is there a way to enforce SGT assignment in this design where end devices are behind another switch?
Solved! Go to Solution.
12-16-2024 11:30 AM - edited 12-16-2024 11:33 AM
Replied to wrong thread on this board, still need the above answered.
12-16-2024 11:43 AM
SGACLs are evaluated on egress based on the tag set on ingress. In the setup you are describing there is no way to extend the policy enforcement to the Stratix switch, but you should be able to set a static SGT on your edge node access port and use that for all devices attached to the Stratix switch.
12-16-2024 11:54 AM
Is there a way to enforce this from ISE?
12-16-2024 02:05 PM
In the configuration I described the policy will be enforced on the SDA edge node like any other traffic in the fabric. It will not require any additional configuration of ISE outside of what you do for the policy in the SDA fabric.
12-17-2024 04:38 AM
Thank you @Torbjørn. What I should have said was: is there a way to push this configuration from ISE instead of manually doing it at the edge switch?
12-17-2024 05:18 AM
No, this needs to be set on the switchport. Preferably configured as a static port under host onboarding in your fabric on Cat-C.
12-17-2024 05:20 AM
It still should be possible, but I'm not sure DOT1X will work with this setup. MAB must work with the standard policy, though (I'd say it would be policy-map PMAP_DefaultWiredDot1xClosedAuth_MAB_1X instead of PMAP_DefaultWiredDot1xClosedAuth_1X_MAB).
You need the MACs behind the port on the C9300 to be AuthZ'ed (with the needed SGTs returned in the Access-Accept) on ISE in a proper manner. If you do stuff properly, connectivity has to be in place.
12-16-2024 12:30 PM
It seems Stratix switches support "Security Group Tag Exchange Protocol (SXP)". Have you tried to add this device in ISE and apply an SGT to it?
https://literature.rockwellautomation.com/idc/groups/literature/documents/um/1783-um012_-en-p.pdf
12-16-2024 12:38 PM
Thank you @flavio. From reviewing the Rockwell link you provided, it appears that the 5800 is the only one supported. We have a 5700 in place currently; we do have some 5200s, but they were not slated to be used for this project.
From the doc you provided:
TrustSec is only supported on catalog numbers 1783-MMS10AR, 1783-MMS10EAR, 1783-MMX8EA, 1783-MMX8TA, 1783-MMX8SA
Those line up with the 5800s.
12-16-2024 12:41 PM
Indeed, I missed that.
12-16-2024 09:49 PM
You didn't declare how your Stratix is connected to the C9300 EN. Assuming it's an access (untagged) interface in an arbitrary VLAN, just follow what @Torbjørn told you: onboard the Stratix as a user endhost with a static SGT. Otherwise, if the interface is an 802.1Q trunk with multiple VLANs, you still may create static IP- or VLAN-to-SGT entries on the EdgeNode with the Stratix attached.
cheers
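As an added illustration (not configuration from this thread, and not what Cat-C pushes when you use host onboarding as suggested earlier), the IOS-XE CLI equivalents of the three static classification options discussed above on the C9300 edge node, with assumed values: VLAN 100 as the VN's access VLAN, 10.10.100.0/24 as its IP pool, SGT 10 for everything behind the Stratix, and GigabitEthernet1/0/10 as the Stratix uplink.

```ios
! Added example, not from the thread. Assumed values: VLAN 100, pool
! 10.10.100.0/24, SGT 10, uplink Gi1/0/10 (adjust to your fabric).
!
! Option A: tag by VLAN (Stratix hangs off an untagged port in VLAN 100)
cts role-based sgt-map vlan-list 100 sgt 10
!
! Option B: tag by IP (Stratix on an 802.1Q trunk carrying several VLANs;
! one entry per subnet that should land in the same group)
cts role-based sgt-map 10.10.100.0/24 sgt 10
!
! Option C: static SGT on the edge-node port itself. Without the "trusted"
! keyword every frame received on the port is classified as SGT 10, which
! is the intent for a downstream switch that cannot tag on its own.
interface GigabitEthernet1/0/10
 description Stratix 5700 uplink
 cts manual
  policy static sgt 10
!
! SGACLs are applied on egress at the edge node, so enforcement must be
! enabled globally and for the VLAN the destination lives in
cts role-based enforcement
cts role-based enforcement vlan-list 100
!
! Checks: the bindings should be listed with their source (CLI / VLAN),
! the port should report its static SGT, and the SGACL counters should
! start incrementing once hosts behind the Stratix send traffic
show cts role-based sgt-map all
show cts interface GigabitEthernet1/0/10
show cts role-based counters
```

Pick one of A, B or C rather than stacking them; if the MAB path from the follow-up below is used instead, the SGT comes from ISE per MAC and none of these static entries are needed.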
12-17-2024 04:36 AM
Thanks, the 9300 port is an access port, same as the Stratix port.
12-19-2024 05:04 AM
I wanted to follow back up on this in case anyone else has this situation. We were trying to minimize the configuration on the Stratix side, but we changed the ports to trunks on our side and the Stratix side. We made the native VLAN match the VLAN we were using for our VN, and we were then able to apply SGTs based on the MACs of devices behind the Stratix without applying policy manually at the port level. We tested having 2 different SGTs applied to 2 different devices behind the Stratix successfully. Of course they can intercommunicate within the Stratix, but once it hits our edge switch port it applies separate SGT policies.
12-19-2024 06:26 AM
Could you please clarify:
1) Did you remove AAA from the port on the EdgeNode? I'd assume you did as the interface got transitioned to a trunk.
2) Do you assign SGTs on the Stratix via AAA with ISE or ...?