Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
613
Views
2
Helpful
2
Replies

SDA policy enforcement

reylite
Level 1
Level 1

‎05-10-2023 06:27 PM

Hello im still learning about SDA environment i have a question, so in our HQ we deploy SDA infrastructure with policy enforcement on firewall using SGT-IPBASE all the acl on firewall then we want to implement SDA too on our branch but there are no firewall over there, can we enforcement on fusion router ?and how ?

thank you

Labels:
0 Helpful
2 Replies 2

Flavio Miranda
VIP
VIP

‎05-10-2023 06:46 PM

Hello,

 There is no requirement for firewall when applying policy enforcement

 Actually the policy enforcement is done by ISE. You create on the DNAC, this is send to ISE via PX Grid and then applied to devices.

 Here is the steps.

1. Define SGTs and Policies on DNAC
2. Deploy, so ISE will get configured by DNAC
3. ISE will then inform the TrustSec Devices (Fusion/Border/Edges) about a policy change and they will download the new SGTs/Policies

If you want to use Static SGT Bindings for Subnets/IP Addresses in the background:
1. Define SGT/Policy on DNAC
2. Deploy
3. Configure static IP-SGT Mapping on ISE
4. TrustSec Devices will download the new SGT and your Devices configured for SXP will download the static IP-SGT Mappings

0 Helpful

andy!doesnt!like!uucp
Spotlight
Spotlight

‎05-11-2023 12:39 AM - edited ‎05-11-2023 12:41 AM

short addon to what Flavio said:

there r 2 places u enforce policies in SDA: 1) SGT-aware Fusion FW - stateful filtering & inspection; 2) FE-layer stateless filtering;

in case 1)  ensure that FW has proper IP-to-SGT mapping to support rules with both SRC&DST defined as SGTs: with good design u will have SRC SGT embedded in L2-frame , but FW will need to lookup DST SGT for the DST IP of the packet. if FW has subscription to PxGrid on ISE, DST SGT can be obtained from DST endpoint session via PxGrid, otherwise u have to configure IP-to-SGT mappings & propagate it to FW via SXP;

in case 2) if u dont have SRC SGT in the VXLAN header (equivalent of Unknown SGT==0) u must have static IP-to-SGT mapping (SXP is a mean basically), or if u dont have DST endpoint assigned SGT locally (by ISE AuthZ during AAA), u have to use either method of IP-to-SGT mapping (like VLAN-to-SGT).

Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card