Integrating CC 2.3.5.x with ISE 3.2+ and dynamic SGT assignment

andreas.mang
Level 1

So we currently run CC 2.3.5.6 with a fully integrated ISE 3.0, and we use policy sets for Wired+Wireless Authentication and have 3 VNs in SDA with multiple hierarchical L2 VN/Anycast Gateways and associated IP Pools in CC.

Simply put: depending on MAC Address, authentication etc., we put various end-user devices in different 'VLANs', so to speak, in SDA.

We do this by means of Authorization Profiles in ISE. These are then referenced in the policy set. 

Because we have a fully integrated solution with pxGrid of CC + ISE, ISE obviously learns the VN, L2VNs, IP Pools, SGTs etc from CC.

The Authorization Profile in ISE has a reference under 'Common Tasks' called 'Security Group', also having mandatory fields for Virtual Network, Type as well as Subnet/IP Address Pool Name. These are all learned via pxGrid. So if I add any in CC I can see them here and pick them. 

So far so good. But we just learned from Cisco that starting in ISE 3.2+, this will no longer be possible. Instead of selecting VN, Anycast GW + Pool, the only option to do what we do now is by a) assigning an SGT to an L2 VN in CC and b) assigning an SG directly in the policy set under authorization (there is a column for that now under Policy Set -> Authorization Policy).

The only problem is that in the past, Cisco has suggested grouping multiple L2 VNs/Anycast GWs in CC into a single SGT to make downstream use of SGTs easier. That means there is no 1-1 connection between a single SGT and a single L2VN/IP Pool any more.

How can ISE/CC differentiate that with the change in config, OR do I need to build new SGTs so that I no longer have any 1-n SGT/L2VN ratio?

And can anyone point me to any documentation that explains this change in ISE 3.2+?

Thanks, much appreciated

4 Replies

interesting statements...
ISE 3.2 p7:

[screenshot attached]

That is very interesting indeed. I checked on our lab ISE on 3.3.x yesterday after I had posted this and noticed the fields are there. The only one that had disappeared is the Voice/Data Type (since 3.0). So maybe Cisco wasn't being completely honest.

We also investigated and found out the SGT alone may not be the only thing we need to configure. We need to set a custom RADIUS attribute Tunnel-Private-Group-ID and reference the actual L2VN/Anycast Net; then it works for LAN-based. On Wireless we are using a different custom attribute. I just wish there was documentation for this.
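As an added example (not from this thread, Cisco, or ISE itself), a small Python audit of the situation described above: it takes a constructed CC SGT-to-L2VN grouping and constructed ISE authorization rows carrying an SGT plus an optional Tunnel-Private-Group-ID, and reports which rows no longer resolve to exactly one L2VN. All SGT, L2VN and rule names are made up, and the rows are plain dicts rather than ISE's real attribute syntax.

```python
# Added example, not from the thread or from Cisco: constructed data modelling the
# 1-n SGT/L2VN grouping and the ISE authorization rows described in the posts.

# Constructed: SGT name -> L2VNs it is assigned to in Catalyst Center.
CC_SGT_TO_L2VN = {
    "Employees": ["Corp_Data_L2VN", "Corp_Printers_L2VN"],  # grouped: 1-n
    "IoT": ["IoT_Sensors_L2VN"],                             # 1-1
    "Guests": ["Guest_L2VN"],
}

# Constructed ISE authorization results: an SGT plus, optionally, the RADIUS
# Tunnel-Private-Group-ID (RFC 2868) naming the L2VN / anycast network.
ISE_AUTHZ_RESULTS = [
    {"rule": "Corp-Laptops", "sgt": "Employees", "tunnel_private_group_id": "Corp_Data_L2VN"},
    {"rule": "Corp-Printers", "sgt": "Employees", "tunnel_private_group_id": None},
    {"rule": "Sensors", "sgt": "IoT", "tunnel_private_group_id": None},
    {"rule": "Visitors", "sgt": "Guests", "tunnel_private_group_id": "Missing_L2VN"},
    {"rule": "Orphans", "sgt": "Contractors", "tunnel_private_group_id": None},
]

def known_l2vns(sgt_map):
    """Every L2VN Catalyst Center knows about, regardless of SGT grouping."""
    return {vn for vns in sgt_map.values() for vn in vns}

def ambiguous_sgts(sgt_map):
    """SGTs mapped to more than one L2VN: on their own they no longer select a pool."""
    return sorted(sgt for sgt, vns in sgt_map.items() if len(vns) > 1)

def resolve_l2vn(result, sgt_map):
    """Return (status, l2vn); status is 'ok', 'ambiguous', 'unknown-vn' or 'unknown-sgt'."""
    vn = result.get("tunnel_private_group_id")
    if vn is not None:
        # An explicit L2VN attribute pins the endpoint, but only if CC has that L2VN.
        return ("ok", vn) if vn in known_l2vns(sgt_map) else ("unknown-vn", vn)
    vns = sgt_map.get(result["sgt"])
    if vns is None:
        return ("unknown-sgt", None)
    if len(vns) == 1:
        return ("ok", vns[0])
    return ("ambiguous", None)  # SGT alone cannot say which grouped L2VN

def audit(results, sgt_map):
    """Map each rule name to its resolution so the non-'ok' rows can be fixed."""
    return {r["rule"]: resolve_l2vn(r, sgt_map) for r in results}

if __name__ == "__main__":
    for rule, (status, vn) in audit(ISE_AUTHZ_RESULTS, CC_SGT_TO_L2VN).items():
        print(f"{rule:14} {status:12} {vn}")
```

Rows reported as 'ambiguous' are the ones where a grouped SGT was previously disambiguated by the VN/pool fields; they need the Tunnel-Private-Group-ID (or a split SGT) before the migration.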

jedolphi
Cisco Employee

Instead of selecting VN, Anycast gw + Pool, the only option to do what we do now is...

This change was made because there is no actual real relationship between SGT and VN / ACGW. In reality any SGT can be used in any L3VN (or L2VN) and any VLAN. We also removed the SGT-to-VN mapping from CatC, again because in reality there is no relationship between SGT and L3VN; any SGT can be assigned to any endpoint in any L3VN or L2VN. In other words, this change makes the behaviour more intuitive and nearer to how networks work in the real world. Hope that makes sense. Best regards, Jerome

Thank you very much for the answer. I did find some reference that the mappings were going to be removed in the CC 2.3.5.7 documentation. Is this interaction between ISE and CC documented anywhere, as in ISE 3.2+?

Regards,

Andreas