cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1941
Views
3
Helpful
14
Replies

Cisco SDA edge switch hooked to another switch

michael-w
Level 1
Level 1

In our SDA deployment we have a cisco 9300 fabric edge switch which is connected to a stratix 5700.  The stratix port is an access layer port and we have STP BPDU guard and filter disabled.  With the ISE policies configured on the port we see the MACs show up in ISE, but we cannot ping the devices hooked to the stratix or the stratix itself and they do not show in the arp table of the 9300.  Once the policies are disabled on the 9300 port then we are able to ping.  Is there a way to enforce SGT assignment in this design where end devices are behind another switch?

2 Accepted Solutions

Accepted Solutions

Torbjørn
VIP
VIP

SGACLs are evaluated on egress based on the tag set on ingress. In the setup you are describing there is no way to extend the policy enforcement to the stratix switch, but you should be able to set a static SGT on your edge node access port and use that for all devices attached to the stratix switch.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

View solution in original post

michael-w
Level 1
Level 1

I wanted to follow back up on this in case anyone else has this situation.  We were trying to minimize the configuration on the stratix side, but we changed the ports to trunks on our side and the stratix side.  We made the native vlan to match the vlan we were using for our VN and we were then able to apply SGTs based on the MACs of devices behind the stratix without applying policy manually at the port level.  We tested having 2 different SGTs applied to 2 different devices behind the stratix successfully.  Of course they can intercommunicate within the stratix but once it hits our edge switch port it applies separate SGT policies. 

View solution in original post

14 Replies 14

michael-w
Level 1
Level 1

Replied to wrong thread on this board, still need the above answered.

Torbjørn
VIP
VIP

SGACLs are evaluated on egress based on the tag set on ingress. In the setup you are describing there is no way to extend the policy enforcement to the stratix switch, but you should be able to set a static SGT on your edge node access port and use that for all devices attached to the stratix switch.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Is there a way to enforce this from ISE?  

In the configuration I described the policy will be enforced on the SDA edge node like any other traffic in the fabric. It will not require any additional configuration of ISE outside of what you do for the policy in the SDA fabric.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Thank you @Torbjørn what I should have said was, is there a way to push this configuration from ISE instead of manually doing it at the edge switch?

No this needs to be set on the switchport. Preferably configured as a static port under host onboarding in your fabric on Cat-C.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

it still should be possible, but i'm not sure DOT1X will work with this setup. but MAB must work with standard policy (i'd say it would be policy-map PMAP_DefaultWiredDot1xClosedAuth_MAB_1X instead of PMAP_DefaultWiredDot1xClosedAuth_1X_MAB).
u need MACs behind the port on the C9300 to be AuthZ'ed (with needed SGTs returned in AccessAccept) on the ISE in proper manner. If u do stuff properly connectivity has to be in place.

Thank you @flavio from reviewing your rockwell link provided, it appears that the 5800 is the only one supported.  We have a 5700 in place currently, we do have some 5200's but they were not slated to be used for this project.
From the doc you provided:
TrustSec is only supported on catalog numbers 1783-MMS10AR, 1783-MMS10EAR,
1783-MMX8EA, 1783-MMX8TA, 1783-MMX8SA

Those line up to the 5800's.

Indeed, I  missed that.

 

u didnt declare how your stratix is connected to C9300 EN. Assuming it's access (untagged) interface in arbitrary VLAN just follow what @Torbjørn told u: onboard the stratix as user endhost with static SGT. Otherwise if the interface is .1q trunk with multiple VLAN u still may create static IP- or VLAN-to-SGT entries on the EdgeNode with stratix attached. 
cheers  

Thanks, 9300 port is an access port same as the stratix port.

michael-w
Level 1
Level 1

I wanted to follow back up on this in case anyone else has this situation.  We were trying to minimize the configuration on the stratix side, but we changed the ports to trunks on our side and the stratix side.  We made the native vlan to match the vlan we were using for our VN and we were then able to apply SGTs based on the MACs of devices behind the stratix without applying policy manually at the port level.  We tested having 2 different SGTs applied to 2 different devices behind the stratix successfully.  Of course they can intercommunicate within the stratix but once it hits our edge switch port it applies separate SGT policies. 

could u pls clarify:
1) did u remove AAA from the port on EdgeNode? i'd assume u did as interface get transitioned to trunk.
2) do u assign SGTs on the stratix via AAA with ISE or ...?