10-18-2022 06:43 AM
Hi,
With reference to slide 49 in BRKSEC2845 (see attached file)
If I use Cisco FTD as the fusion firewall, and I want to use Src and Dst SGT in the fusion firewall for firewall access control rules:
Do I still need to configure inline SGT at the border? If there is no need to configure inline tagging on the border node, I am curious how it works. E.g., if the packet from the border node reaches the fusion firewall, there is no more SGT information in the packet, so how does the firewall know which SGT firewall rule it should use (even though it learns the red and green SGTs from the pxGrid control plane)?
Any help greatly appreciated.
Rgds
Eng Wee
10-18-2022 03:19 PM - edited 10-18-2022 03:20 PM
Hi Eng, if the SGT was dynamically assigned by ISE then the IP:SGT mapping is known and tracked in ISE. ISE will send IP:SGT mappings to FMC and FMC will send them to FTD. This means that if the data plane SGT is not present in a packet then FTD can match a packet's source IP address and dest IP address and derive the source SGT and dest SGT.
If the SGT was statically assigned then ISE does not know the IP:SGT mapping and cannot send it to FMC and FTD. In this scenario the source SGT must be in the data plane for FTD to match. If the dest SGT was statically assigned then there's no way FTD can know what destination SGT a packet is routing to.
10-20-2022 06:20 AM
Hi Eng Wee,
I've labbed this in the past and it works. I did inline tagging from the border to the FPR, I could see the SGT being carried on the wire, and I could then create policies on FMC based on SGTs rather than IP addresses.
On the border interface towards the FPR my config looked as follows:
interface <physical interface>
 cts manual
  propagate sgt
  policy static sgt 2 trusted
 exit
Hope that helps.
10-20-2022 08:22 AM
Hi Jedolphi,
Thank you for your explanation; I think it makes sense.
If I have the following scenario:
Host-A static map SGT=10, in VRF-A
Host-B static map SGT=20, in VRF-B
I will need to configure inline tagging on the link between the border and FTD.
At the FTD, I can use src and dst SGT to configure access control.
I will verify this in the lab.
Thanks
Eng Wee
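To make the two cases in this thread concrete (the dynamic IP:SGT path Jedolphi describes in the 10-18 reply, and the static Host-A/Host-B scenario in the last post), here is an added Python model of how the firewall derives source and destination SGTs for a packet. It is not code from the thread, from Cisco FTD or from FMC; it is a toy simulation of the matching logic as explained above. The IP addresses, SGT values, rule names and the PXGRID_IP_SGT table are all constructed for the example. One detail it relies on: the inline CMD tag on the border-to-FTD link carries only the source SGT, so the destination SGT always depends on an IP:SGT mapping the firewall already holds.

```python
"""Toy model: how a fusion firewall (FTD) derives src/dst SGT for a packet.

Added example, not FTD/FMC code. Mirrors the logic described in the thread:
  - source SGT: inline tag if present, otherwise IP:SGT lookup
  - destination SGT: IP:SGT lookup only (the inline tag carries the source SGT)
  - a rule that names an SGT the firewall cannot derive simply does not match
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed IP:SGT mappings, as ISE would push them over pxGrid to FMC and
# FMC would push to FTD. Only dynamically assigned SGTs appear here; the
# statically mapped hosts from the thread (Host-A / Host-B) are deliberately absent.
PXGRID_IP_SGT = {
    "10.1.1.10": 2,   # "red" host, dynamic SGT 2 (constructed)
    "10.2.2.20": 3,   # "green" host, dynamic SGT 3 (constructed)
}

# Constructed addresses for the static-mapping scenario in the last post.
HOST_A = "172.16.10.10"   # static SGT 10 on the fabric, VRF-A (assumed address)
HOST_B = "172.16.20.20"   # static SGT 20 on the fabric, VRF-B (assumed address)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    inline_sgt: Optional[int] = None  # SGT from the CMD header if the border propagates it


@dataclass
class Rule:
    name: str
    src_sgt: Optional[int]   # None means "any"
    dst_sgt: Optional[int]   # None means "any"
    action: str


# Constructed access control rules, first match wins, implicit deny at the end.
RULES = [
    Rule("red-to-green", 2, 3, "allow"),
    Rule("hostA-to-hostB", 10, 20, "allow"),   # needs a known *destination* SGT 20
    Rule("hostA-to-any", 10, None, "allow"),   # only needs the source SGT
]


def derive_sgts(pkt: Packet, mappings: dict) -> Tuple[Optional[int], Optional[int]]:
    """Return (src_sgt, dst_sgt); None where the firewall has no way to know it."""
    if pkt.inline_sgt is not None:
        src = pkt.inline_sgt              # data-plane tag wins when present
    else:
        src = mappings.get(pkt.src_ip)    # fall back to the pxGrid-learned mapping
    dst = mappings.get(pkt.dst_ip)        # no inline information exists for the destination
    return src, dst


def first_match(pkt: Packet, rules, mappings: dict, default: str = "deny") -> Tuple[str, str]:
    """Evaluate rules top-down; an unknown SGT never satisfies a specific SGT condition."""
    src, dst = derive_sgts(pkt, mappings)
    for r in rules:
        src_ok = r.src_sgt is None or r.src_sgt == src
        dst_ok = r.dst_sgt is None or r.dst_sgt == dst
        if src_ok and dst_ok:
            return r.name, r.action
    return "implicit", default


def scenarios() -> dict:
    """The three cases discussed in the thread, evaluated against RULES."""
    return {
        # dynamic SGTs, no inline tag on the border link: lookup alone is enough
        "dynamic_no_inline": first_match(Packet("10.1.1.10", "10.2.2.20"), RULES, PXGRID_IP_SGT),
        # static SGTs, no inline tag: neither SGT can be derived, falls to implicit deny
        "static_no_inline": first_match(Packet(HOST_A, HOST_B), RULES, PXGRID_IP_SGT),
        # static SGTs with inline tagging: source known, destination still unknown
        "static_inline": first_match(Packet(HOST_A, HOST_B, inline_sgt=10), RULES, PXGRID_IP_SGT),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} -> rule={result[0]!r} action={result[1]}")
```

The third case is the one worth checking in the lab: with inline tagging on the border link the "hostA-to-any" rule matches, but "hostA-to-hostB" does not, because nothing in the packet or in the pxGrid-learned table tells the firewall that Host-B is SGT 20. A rule keyed on a statically assigned destination SGT silently falls through to whatever comes next in the policy.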