06-15-2022 01:57 PM
Hello, community
I'm having a hard time finding an answer to the following...
With 2.1, DNA Center got the ability to create SGTs, as well as policies with contracts between SGTs. What I do not understand now is what the role of Cisco ISE is, apart from 802.1X and auto-assignment of SGTs to endpoints (not doing that; it will be a manual assignment on a switch port).
Is DNA Center now capable of pushing SGT policies to the network devices (switches) without ISE?
Thank you all in advance for your responses.
06-16-2022 08:35 PM - edited 06-16-2022 08:36 PM
Hi Max, DNA Center contains a UI for creating and managing Group-Based Policy, but the actual policy is stored in ISE. Switches download the policy (SGACLs) from ISE before they can enforce the policy. This means that even if ports have no authentication, ISE is still required for policy download. Best regards, Jerome
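An added verification example (not from any poster in this thread) showing how to confirm on a Catalyst switch that the environment data and SGACLs were actually downloaded from ISE, with the port assigned its SGT manually as the question describes. The interface name, SGT value and outputs are assumptions; adjust them to your deployment.

```ios
! Constructed example, not from the thread. Interface name and SGT
! value are placeholders.
!
! --- Global configuration mode ---
! Manual SGT on an access port (no 802.1X), as in the question.
interface GigabitEthernet1/0/10
 cts manual
  policy static sgt 10
!
! Enforcement must be enabled or downloaded SGACLs are never applied.
cts role-based enforcement
!
! --- Privileged EXEC mode ---
! Confirm the switch has its environment data (SGT table, server list)
! from ISE. If ISE is unreachable this will show the data as missing
! or expired.
show cts environment-data
!
! Confirm the SGACLs (the contracts defined in DNA Center) were
! actually downloaded from ISE. Without ISE nothing appears here
! beyond the default permission.
show cts role-based permissions
!
! After changing a contract in DNA Center, force the switch to refresh
! rather than waiting for the timer.
cts refresh environment-data
cts refresh policy
!
! Check that traffic is hitting the SGACL entries as expected.
show cts role-based counters
```

If `show cts role-based permissions` only lists the default entry, the contracts created in DNA Center have not reached the switch; check ISE reachability and the pxGrid integration status before looking at the policy itself.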
06-15-2022 02:53 PM
Hi
It works like this. You create the SGTs, scalable groups and access contracts on DNAC, but through an API (pxGrid) DNAC sends this information to ISE, and ISE is responsible for controlling everything.
06-16-2022 10:55 AM
Thanks, Flavio.
The main question is: does DNAC or ISE push the SGT access lists to the switch?
06-16-2022 12:09 AM
Now and in the future: ISE (identity plays a major role in the network). Even if you push and configure SGTs, what part of it was verified if you do not have any identity engine in place?
DNAC is just an orchestration tool; ISE plays a big role in the network. So if this is a big network, consider that ISE integration with DNAC will have more advantages.
06-16-2022 10:58 AM
Thanks, Balaji
There is no 802.1X; the port on the switch will get its SGT assignment from DNA-C (manually), so I do not understand what ISE will verify there...