IP-SGT map acquiring in SDA

Hi there

Please correct me if I'm wrong: the only way to remotely populate a TrustSec-capable device with IP-SGT mappings is via SXP.

thanks

6 Replies

jedolphi
Cisco Employee

Correct. Less pragmatic but technically possible, it could also be done on the CLI, manually entering IP/subnet to SGT mapping.

Hi,

You know, actually it's not. I've been thinking about the topic until 2 AM today, when I recalled that I had done it using pure CTS config on NADs & ISE and leveraging ISE's "IP-SGT-mapping Deploy" to a single NAD or a set of NADs in the TrustSec work center. At that moment I found myself unclear about the underlay transport between ISE & NAD. Unfortunately I didn't pay enough attention to it in the past & didn't collect captures to reveal the CTS control-plane magic. What I remember is extensive RADIUS communication between NADs & ISE relevant to CTS only, hinting to me now that the IP-SGT mapping is carried using RADIUS. I would appreciate good sources to study independently whether this is correct or not.

P.S. You are right, static mapping via CLI can also be considered a "remote" approach if implemented using DNAC network templates :0).

jeaves@cisco.com
Cisco Employee

Perhaps give my whitepaper a read and come back if there are further questions: https://community.cisco.com/t5/security-knowledge-base/segmentation-strategy/ta-p/3757424
A viewable IP:SGT mapping is control-plane context. You can add static mappings in ISE (IP:SGT / Subnet:SGT). Endpoints dynamically authenticating with ISE will also generate IP:SGTs on ISE, which are sent to the NADs via RADIUS authz accept. ISE can share this control-plane context via SXP or pxGrid.
What you mentioned about RADIUS between NAD and ISE is assigning an SGT to an endpoint via RADIUS authz; this is classifying the endpoint IP to an SGT. So, that's classification in the CTS technology. Propagation is another pillar in the CTS technology, where we can use SXP and pxGrid in the control plane or inline tagging/CMD, GRE, IPsec, DMVPN, GETVPN, VXLAN... in the data plane.
Anyway, give my whitepaper a read.

Hi Jonathan

I cannot give you the stuff I myself am asking for (please notice the bolded query in my previous reply :0) ). But what I was pretty sure of is that I've experimented with IP-SGT mapping w/o SXP in the greenfield CTS site & have been populating CTS-configured C9300 NADs with subnet IP-SGT mappings from ISE's GUI by deploying a modified CTS environment via Deploy. It was a separate test from the host-SGT assignment via AuthZ with which I finished the project. Again: no SXP, no policy enforcement on NADs etc., just pure authorization of NADs for CTS against ISE.

With your reply I started to be sceptical about the consistency of my memory. Unfortunately I have no means to verify it with a live test at the moment.

jeaves@cisco.com
Cisco Employee

The initial part of your paragraph above is discussing adding Subnet or IP:SGT mappings in ISE and deploying them using SSH to log into the NAD(s) and deploy the mappings. So, this was using SSH rather than SXP. This is statically configuring the classification info into the NAD(s).
If using ISE authz instead, the mapping will be dynamically returned via RADIUS authz-accept. If indeed you use both methods together, the dynamic mapping from ISE takes precedence.
Hopefully the link to my whitepaper satisfies your bolded query in your previous reply i.e. provide a good source to study the topic.
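Added example, not from this thread or from Cisco: a Python helper that parses the binding table printed by `show cts role-based sgt-map all` on a NAD and reports which source (CLI, SXP, LOCAL and so on) delivered each IP:SGT mapping, so you can confirm on the device whether a mapping arrived via static deploy, SXP or RADIUS authz rather than relying on memory. The sample output is constructed to follow the command's general column layout and the Source names are assumptions, so adjust the regex if your platform prints a different format.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the layout of "show cts role-based sgt-map all".
# Not captured from a real device; Source names are assumed.
SAMPLE_OUTPUT = """\
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
10.10.10.1                2     INTERNAL
10.10.20.0/24            20     CLI
10.10.30.0/24            30     CLI
10.10.40.5               40     LOCAL
10.10.50.7               50     SXP

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 2
"""

# One binding row: IPv4 address or prefix, SGT number, source keyword.
BINDING_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s+(?P<sgt>\d+)\s+(?P<src>[A-Z0-9_]+)$"
)

def parse_sgt_map(text):
    """Return {ip_or_prefix: (sgt, source)} from the show-command output."""
    bindings = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:  # summary and header lines do not match and are skipped
            bindings[m["ip"]] = (int(m["sgt"]), m["src"])
    return bindings

def count_by_source(bindings):
    """How many bindings each propagation/classification source produced."""
    counts = defaultdict(int)
    for _, src in bindings.values():
        counts[src] += 1
    return dict(counts)

def verify_expected(bindings, expected, source):
    """Check that every {prefix: sgt} in expected is present with the given source."""
    problems = []
    for prefix, sgt in expected.items():
        if prefix not in bindings:
            problems.append(f"{prefix}: missing")
        elif bindings[prefix] != (sgt, source):
            problems.append(f"{prefix}: got {bindings[prefix]}, want ({sgt}, '{source}')")
    return problems
```

Feed it the output of the show command from each NAD after an ISE deploy; an empty list from verify_expected means every deployed subnet mapping landed with the source you expected.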

Hi Jonathan

Thanks for your reply. It might be that I configured some temporary SSH credentials for my CTS site & thus made IP-SGT deployment to the site's NADs work, but have just forgotten this detail. I tend to stay with your statements here.

Can you please help me with ISE as the only SXP source w/o a reflector & the SXP scalability of reflectors (such as ASR1K)?

Thank you in advance
