03-03-2022 09:17 AM
Hello,
In my understanding, ISE 'downloads' the IP-to-SGT mappings of the endpoints connected to the switch. This allows policy verification and the permit/deny decision by the switch. Although rules and policies are configured between SGTs, the permit/deny decision still results from a lookup of the source/destination IP of the endpoints belonging to the source/destination SGT. I'm wondering how this works / can work for non-IP devices, such as those found in IEC 61850 communication in energy stations. These communications are purely L2 multicast.
Thank you in advance!
03-03-2022 09:10 PM
Hi Jan, solid reasoning! TrustSec policy enforcement requires endpoints to have an IP address. In the scenario that endpoints do not have an IP address you would need to use some other mechanism to micro-segment the endpoints, perhaps Private VLANs. Regards, Jerome
03-04-2022 12:30 AM - edited 03-04-2022 12:32 AM
Joseph, thank you for this fast return.
Now, let us assume we manage to assign an SGT to the IEC 61850 endpoint community, say SGT_61850. I imagine we could do this assignment by ISE profiling with the endpoint's MAC OUI as match criterion, as these devices belong to a limited set of manufacturers. If we don't specify any policy for SGT_61850, is my understanding correct that:
1) all intra-SGT_61850 traffic (which is limited to L2 IEC 61850, aka GOOSE, Ethertype 88B8) will pass by default, as they are endpoints of the same SGT
2) all traffic to/from SGT_61850 will be dropped (which is what we want to achieve: no compromise of these endpoints from outside, and no 'multicast flooding' from these endpoints to the outside).
We assume hereby that intra-SGT_61850 (1 above) is legal. Illegal traffic issued by an SGT_61850 endpoint would need 'hacking' of the station itself. Cyberhacking is prevented by (2). Hacking in-situ would require illegal physical access to the endpoint's site and 'cannibalizing' the endpoint itself or connecting a laptop spoofing the endpoint's MAC OUI, but this could maybe be prevented by adding more criteria in ISE's profiling for IEC 61850 devices, in addition to OUI.
03-05-2022 02:48 PM
Hi
From what I have experienced, not exactly. When you give an endpoint an SGT, you are marking it so that you can recognize and filter it, but you need to create your matrix. So you are responsible for allowing or denying who is going to talk with whom. But keep in mind that this is about device-to-device communication within the fabric. If these devices are called from outside the fabric, you need a firewall to protect them.
03-06-2022 03:07 PM
Hi Jan, initially the question was about "non IP devices". If the device does not have an IP address then there is nothing more to discuss: TrustSec does not work for devices that do not have an IP address. Regards, Jerome
03-07-2022 08:59 AM
Jerome, that's a clear answer ... Even if profiling of a non-IP device would succeed, if there is no IP address to bind the SGT with, no SGT will be assigned, and my above story of SGT-based segregation ends up as wishful thinking.
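The thread's conclusion, as an added worked example (this is illustrative code written for this page, not Cisco ISE or switch code): a toy model of the enforcement lookup described above, in which the switch resolves source/destination IP to SGT via its binding table and then consults the SGACL matrix. IPv4 frames get a permit/deny decision; a GOOSE frame (Ethertype 0x88B8) has no IP header, so no IP-to-SGT binding can exist and the lookup has nothing to key on, even when the source OUI matches a profiling rule. The IP addresses, SGT numbers, matrix cells, the vendor OUI 00-11-22 and the default action for unconfigured cells are all hypothetical values chosen for the example; the GOOSE destination MAC is taken from the 01-0C-CD-01-xx-xx multicast range that IEC 61850 assigns to GOOSE, and the frame payloads are constructed placeholders.

```python
"""Toy model of SGACL enforcement against IP vs. L2-only GOOSE frames.

Added example, not Cisco code. Everything below (bindings, SGT numbers,
matrix, OUI list, default action, sample frames) is hypothetical.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_GOOSE = 0x88B8          # IEC 61850 GOOSE, as stated in the thread

SGT_UNKNOWN = 0                   # no binding found for the address
SGT_SCADA = 20                    # hypothetical SGT numbers
SGT_61850 = 100

# Hypothetical IP-to-SGT bindings as the switch would receive them from ISE.
IP_SGT_BINDINGS = {
    "10.0.1.10": SGT_SCADA,
    "10.0.1.11": SGT_SCADA,
    "10.0.2.5": SGT_61850,
}

# Hypothetical SGACL matrix cells; anything not listed falls to DEFAULT_ACTION.
SGACL_MATRIX = {
    (SGT_SCADA, SGT_SCADA): "permit",
    (SGT_SCADA, SGT_61850): "deny",
    (SGT_61850, SGT_SCADA): "deny",
}
DEFAULT_ACTION = "permit"         # assumed default for unconfigured cells

# Hypothetical vendor OUI used by an OUI-based profiling rule (placeholder value).
IEC61850_OUIS = {bytes.fromhex("001122")}


def parse_ethernet(frame: bytes):
    """Split a raw Ethernet II frame into dst MAC, src MAC, Ethertype, payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]


def ipv4_addrs(payload: bytes):
    """Return (src_ip, dst_ip) strings from a minimal IPv4 header."""
    src = ".".join(str(b) for b in payload[12:16])
    dst = ".".join(str(b) for b in payload[16:20])
    return src, dst


def sgt_for_ip(ip: str) -> int:
    return IP_SGT_BINDINGS.get(ip, SGT_UNKNOWN)


def enforce(frame: bytes) -> dict:
    """Model the switch decision: IP frames go through the SGACL lookup,
    non-IP frames cannot be mapped to an SGT at all."""
    dst_mac, src_mac, ethertype, payload = parse_ethernet(frame)
    result = {"ethertype": ethertype}
    if ethertype == ETHERTYPE_IPV4:
        sip, dip = ipv4_addrs(payload)
        s_sgt, d_sgt = sgt_for_ip(sip), sgt_for_ip(dip)
        action = SGACL_MATRIX.get((s_sgt, d_sgt), DEFAULT_ACTION)
        result.update(src_sgt=s_sgt, dst_sgt=d_sgt, action=action, trustsec=True)
    else:
        # No IP header: there is no address to bind an SGT to, so the SGACL
        # lookup has no key. OUI match or not, TrustSec cannot enforce here.
        result.update(src_sgt=None, dst_sgt=None, action="not-enforceable",
                      trustsec=False,
                      oui_match=src_mac[:3] in IEC61850_OUIS,
                      multicast=bool(dst_mac[0] & 1))
    return result


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst_mac, src_mac, ethertype) + payload


def build_ipv4_payload(src_ip: str, dst_ip: str) -> bytes:
    """Minimal 20-byte IPv4 header; only the addresses matter to the lookup."""
    hdr = bytearray(20)
    hdr[0] = 0x45
    hdr[12:16] = bytes(int(o) for o in src_ip.split("."))
    hdr[16:20] = bytes(int(o) for o in dst_ip.split("."))
    return bytes(hdr)


# Constructed sample frames (not captured traffic).
GOOSE_FRAME = build_frame(bytes.fromhex("010ccd010001"),      # GOOSE multicast dst
                          bytes.fromhex("001122aabbcc"),      # src with hypothetical OUI
                          ETHERTYPE_GOOSE,
                          b"\x00\x01\x00\x08\x00\x00\x00\x00")  # placeholder PDU bytes
SCADA_TO_SCADA = build_frame(bytes.fromhex("00aabbccdd01"), bytes.fromhex("00aabbccdd02"),
                             ETHERTYPE_IPV4, build_ipv4_payload("10.0.1.10", "10.0.1.11"))
SCADA_TO_61850 = build_frame(bytes.fromhex("00aabbccdd03"), bytes.fromhex("00aabbccdd02"),
                             ETHERTYPE_IPV4, build_ipv4_payload("10.0.1.10", "10.0.2.5"))
UNKNOWN_TO_SCADA = build_frame(bytes.fromhex("00aabbccdd01"), bytes.fromhex("00aabbccdd09"),
                               ETHERTYPE_IPV4, build_ipv4_payload("192.168.9.9", "10.0.1.10"))

if __name__ == "__main__":
    for name, frame in [("goose", GOOSE_FRAME), ("scada->scada", SCADA_TO_SCADA),
                        ("scada->61850", SCADA_TO_61850), ("unknown->scada", UNKNOWN_TO_SCADA)]:
        print(name, enforce(frame))
```

Two things the model makes visible: the GOOSE frame reports an OUI match and a multicast destination yet ends as "not-enforceable", which is the point Jerome makes; and the frame from an address with no binding lands in an unconfigured matrix cell and takes whatever the default action is, which is why the matrix (including its default cell) has to be defined deliberately rather than relying on absence of policy to mean "drop".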