02-22-2024 05:42 AM
I'm trying to apply SGACLs to do micro-segmentation in SD-Access.
Right now I have 2 ports with statically assigned SGTs, one is "Employees" and one is "Guests", both in the same VN (subnet).
I have a Policy created in DNA-C that says SGT "Guests" to "Employees" should be denied and logged.
ISE learns this from the DNA Center (see attached), but I don't see anywhere to actually apply the ACL to the switches themselves.
What is the final step in the configuration for this? If I'm not doing dot1x, does ISE have no way to trigger the download of the ACL?
Thanks!
02-22-2024 06:28 AM
The Fabric Edge should automatically request any relevant SGACLs whenever a host is onboarded with SGTs or a static SGT port comes up. You shouldn't have to do anything to trigger this as the provisioning process will add the Fabric Edge as a CTS client.
You can verify this on the Fabric Edge with this command:
show cts role-based permissions
I hope that helps!
Roddie
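As an added example that is not part of Roddie's reply or of any Cisco tooling: a small Python audit script that parses the text of "show cts role-based permissions" from a Fabric Edge and checks that the Guests-to-Employees cell actually carries the expected SGACL. The sample output below is constructed to mirror the IOS-XE format rather than captured from a real switch, and the SGT numbers (10 for Employees, 20 for Guests) and the ISE built-in SGACL name "Deny IP Log" are assumptions, not values from this thread. The security-relevant detail it makes visible is that a missing cell does not mean "denied": the edge falls back to the default cell, which here is Permit IP.

```python
"""Audit whether a Fabric Edge has downloaded an expected SGACL cell.

Parses `show cts role-based permissions` (IOS-XE) into a dict keyed by
(source SGT, destination SGT) and reports which SGACL the edge will
really apply to a given pair, falling back to the default cell exactly
as the switch does. SAMPLE_OUTPUT is constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the IOS-XE output format. The SGT
# numbers (10 Employees, 20 Guests) are assumptions for illustration.
SAMPLE_OUTPUT = """\
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 20:Guests to group 10:Employees:
        Deny IP Log-00
IPv4 Role-based permissions from group 10:Employees to group 20:Guests:
        Permit IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
"""

# (None, None) stands for the "default" cell.
Cell = Tuple[Optional[int], Optional[int]]

CELL_RE = re.compile(
    r"^IPv4 Role-based permissions from group (\d+):(\S+) to group (\d+):(\S+):$"
)
DEFAULT_RE = re.compile(r"^IPv4 Role-based permissions default:$")
# Indented ACL line; the trailing -NN is the generation ID, which we drop.
ACL_LINE_RE = re.compile(r"^\s+(.+?)(?:-\d+)?$")


def parse_permissions(text: str) -> Dict[Cell, List[str]]:
    """Map each (src_sgt, dst_sgt) cell to the list of SGACL names in it."""
    cells: Dict[Cell, List[str]] = {}
    current: Optional[Cell] = None
    for line in text.splitlines():
        if DEFAULT_RE.match(line):
            current = (None, None)
            cells[current] = []
            continue
        m = CELL_RE.match(line)
        if m:
            current = (int(m.group(1)), int(m.group(3)))
            cells[current] = []
            continue
        if current is not None and line.startswith((" ", "\t")):
            am = ACL_LINE_RE.match(line)
            if am:
                cells[current].append(am.group(1))
            continue
        # Any other line (e.g. the RBACL Monitor summary) ends the cell.
        current = None
    return cells


def effective_acls(cells: Dict[Cell, List[str]], src_sgt: int, dst_sgt: int) -> List[str]:
    """SGACLs the edge will apply for src->dst, falling back to the default cell."""
    return cells.get((src_sgt, dst_sgt)) or cells.get((None, None), [])


def cell_has_acl(cells: Dict[Cell, List[str]], src_sgt: int, dst_sgt: int, acl: str) -> bool:
    """True only if the specific src->dst cell was downloaded and names `acl`."""
    return acl in cells.get((src_sgt, dst_sgt), [])


if __name__ == "__main__":
    parsed = parse_permissions(SAMPLE_OUTPUT)
    for cell, acls in parsed.items():
        print(cell, acls)
    # Direction matters: the policy in the thread is Guests (source) -> Employees (destination).
    print("Guests->Employees denied:", cell_has_acl(parsed, 20, 10, "Deny IP Log"))
    # An SGT with no cell of its own inherits the default, here Permit IP.
    print("Unknown SGT 30->Employees gets:", effective_acls(parsed, 30, 10))
```

Paste the real output of the show command in place of SAMPLE_OUTPUT (or read it from a file) and adjust the SGT numbers to the ones Catalyst Center assigned; if the Guests-to-Employees cell is absent while ISE shows the policy, the edge has not pulled it yet and the fallback to the default cell is what the traffic actually hits.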
02-22-2024 09:30 AM
@bmcgahan How did you define the ACL rules? I think they need to be defined as Subnet-SGT mappings for this scenario.
02-22-2024 03:10 PM - edited 02-22-2024 03:10 PM
Guessing based on experiences with other users: after changing Group-Based Policies, don't forget to "deploy" from either the Catalyst Center UI or the ISE UI.