How do you apply an SGACL to an SD-Access port?

bmcgahan
Level 1

I'm trying to apply SGACLs to do micro-segmentation in SD-Access.

Right now I have 2 ports with statically assigned SGTs, one is "Employees" and one is "Guests", both in the same VN (subnet).

I have a Policy created in DNA-C that says SGT "Guests" to "Employees" should be denied and logged.

ISE learns this from the DNA Center (see attached), but I don't see anywhere to actually apply the ACL to the switches themselves.

What is the final step in the configuration for this? If I'm not doing dot1x, does ISE have no way to trigger the download of the ACL?


Thanks!

3 Replies

Roddie Hasan
Cisco Employee

The Fabric Edge should automatically request any relevant SGACLs whenever a host is onboarded with SGTs or a static SGT port comes up.  You shouldn't have to do anything to trigger this as the provisioning process will add the Fabric Edge as a CTS client.

You can verify this on the Fabric Edge with this command:

show cts role-based permissions

I hope that helps!

Roddie
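To turn the verification step above into a repeatable check, here is an added example (not from the original thread or from Cisco) that parses the output of "show cts role-based permissions" and confirms that a deny SGACL from "Guests" to "Employees" was actually downloaded to the Fabric Edge. The sample output is constructed, the SGT numbers are made up, and the line format is assumed from typical IOS-XE output.

```python
import re

# Constructed sample of "show cts role-based permissions" from a Fabric Edge.
# Format assumed from typical IOS-XE output; SGT numbers 4 and 6 are made up.
SAMPLE_OUTPUT = """\
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 6:Guests to group 4:Employees:
        Deny IP Log-10
IPv4 Role-based permissions from group 4:Employees to group 6:Guests:
        Permit IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
"""

# One policy cell header: "... from group <num>:<name> to group <num>:<name>:"
HEADER_RE = re.compile(
    r"^IPv4 Role-based permissions from group (\d+):(\S+) to group (\d+):(\S+):$"
)


def parse_permissions(text):
    """Return {(src_sgt_name, dst_sgt_name): [sgacl names]} from the show output."""
    policies = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            current = (m.group(2), m.group(4))
            policies[current] = []
        elif line.startswith(" ") and current is not None:
            policies[current].append(line.strip())  # SGACL entry under the header
        else:
            current = None  # default section or trailer lines, not a source/dest cell
    return policies


def policy_is_deny(sgacl_names):
    """True if any SGACL in the cell is a deny (ISE names them 'Deny IP', 'Deny IP Log', ...)."""
    return any(name.lower().startswith("deny") for name in sgacl_names)


def check_policy(text, src, dst):
    """True if a deny SGACL from src to dst is present on the switch, False if missing."""
    policies = parse_permissions(text)
    return policy_is_deny(policies.get((src, dst), []))
```

A False result for ("Guests", "Employees") means the policy never reached the switch, which is the symptom the question describes.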

Preston Chilcote
Cisco Employee

@bmcgahan  How did you define the ACL rules?  I think they need to be defined as Subnet-SGT mappings for this scenario.

Guessing based on experiences with other users: after changing Group-Based Policies, don't forget to "deploy" from either the Catalyst Center UI or the ISE UI.
