Trustsec and static mappings

KevinR99 (Level 1)

Hi

I'm testing Trustsec in my SD Access lab.  I can assign 2 ports on edge switches to different groups then apply a policy that blocks pings and it works fine.  I'm not authenticating the users so I statically assign an SGT via DNAC when I assign the ports to an address pool.

However, I'm also trying to test securing traffic to an external server that sits in my shared services area, which is in the GRT.  To get to the server I need to leave my SD Access VRF on a L3 handoff and go through a fusion device where I route leak.  So I am trying to apply a policy on my Borders such that I statically designate an IP address to have SGT xx with the command

cts role-based sgt-map 10.10.10.10 sgt 10

My ISE matrix then blocks my clients in SGT 5 pinging the server in SGT 10.  I can see the policy getting to my borders with

show cts role-based permissions

However, the traffic to the external device isn't blocked.

Is it possible to do this and if so what am I missing?

What I want to do is apply an extranet policy to share the INFRA_VN with a customer VN.  This works and the traffic doesn't need to go via the Fusion.  However, that does not apply any security.  It's an all or nothing in that when I designate my INFRA_VN as the provider and my customer VN as the subscriber the customer can get to anything in my INFRA_VN.  I want to be able to filter traffic at the Border with an SGT policy.  The alternative is I send the customer traffic out via a firewall and back in via the GRT which connects to the INFRA_VN.  This works but is inefficient as the traffic hairpins out the fabric borders and back in again.

Thanks for any input, Kev.

 

13 Replies

jalejand (Cisco Employee)

For non extranet scenario (Border enforcing traffic to an external destination) you must enable the following in the Border:

1) cts role-based enforcement

2) cts role-based enforcement vlan-list (L3 handoff VLAN)

3) cts role-based sgt-map vrf (the fabric client VRF) x.x.x.x sgt xxx (This is called static binding and is vrf aware, you can use SXP for dynamic mappings using ISE).

For extranet scenario:

change the vlan-list to include the VLAN used for the L3 handoff in the GRT.

Regards
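The three steps above as an IOS-XE border configuration, written here as an added illustration (this is not configuration from the original post, from Cisco documentation, or from DNA Center). The VRF name Campus_VN, the handoff VLAN 3001 (and 3002 for the GRT handoff in the extranet case), the server address 10.10.10.10 and the SGT values 5 and 10 are assumed for the example; substitute your own.

```ios
! Added example (not from the original thread): Border enforcement toward an external
! destination reached via the L3 handoff. Assumed values: VRF Campus_VN, handoff VLAN 3001,
! GRT handoff VLAN 3002, server 10.10.10.10 in SGT 10, clients in SGT 5.
!
! 1) Enable SGACL enforcement globally on the Border.
cts role-based enforcement
!
! 2) Enforce on the L3 handoff VLAN. The SGACL is applied as traffic egresses toward the
!    fusion device; without this line the policy downloads from ISE but is never applied.
cts role-based enforcement vlan-list 3001
!
!    Extranet case (per the accepted answer): also include the GRT handoff VLAN.
!    cts role-based enforcement vlan-list 3001,3002
!
! 3) VRF-aware static binding. The destination is classified inside the fabric VRF, which is
!    where the client traffic is forwarded. The form without "vrf" binds the address in the
!    global table, which is not consulted for traffic leaving Campus_VN.
cts role-based sgt-map vrf Campus_VN 10.10.10.10 sgt 10
!
!    Subnet form, if the whole shared-services prefix should carry one SGT.
cts role-based sgt-map vrf Campus_VN 10.10.10.0/24 sgt 10
!
! Verification. The binding should be listed with source CLI, the 5 -> 10 SGACL from the ISE
! matrix should be present, and the denied counter should increment while the pings fail.
show cts role-based sgt-map vrf Campus_VN all
show cts role-based permissions from 5 to 10
show cts role-based counters
```

Two checks worth doing before concluding that "the policy is on the Border but not enforced": confirm the SGT of the client actually arrives at the Border (it travels in the VXLAN header from the edge, so `show cts role-based counters` will only move if the source SGT was tagged) and confirm the binding exists in the same VRF the client traffic is routed in, since a binding in the wrong VRF produces exactly the symptom described in the opening post.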

 

Excellent, worked a treat.

Thanks for the swift reply, much appreciated.

Kev.

I had a look at the ISE I have in my SDA lab.  I would prefer to use this to define and propagate my static mappings.  However, when I look in

Work centers - TrustSec - Components - IP SGT Static Mapping 

there is a drop down against the IP address field as if ISE will populate IP addresses.  So I can't define my external fabric IP address.

Is there a licensing or other requirement on ISE to allow me to configure and deploy static SGT mappings ?

Thanks, Kev.

 

See above

I'm still unable to define static SGT mappings in ISE.  My hope was that I could define them there and propagate them to my Borders so that they know what SGT I want external devices to be mapped to.  Then I can use that mapping in the trustsec matrix.

When I go to Trustsec - IP SGT static mapping

it offers me a drop down box on the 1st line next to ip address.  It's as if it needs to know about a device IP address before I can then statically assign an SGT.  What I want to do is tell ISE the IP address and SGT such that it is propagated to my Border via SXP.

Kev.

Isn't this available for you?

[image: andydoesntlikeuucp_0-1694431780548.png]

 

 

It is available but the IP address field seems to expect values to be available in the drop down menu.  When I type in an IP address it won’t accept it and it never allows me to press the save button.

Hmm... I'll check it in the lab and feed back.

@KevinR99 You manually add the IP address, there is no drop-down list of pre-populated IP addresses/networks. You can press the save button only once you've added at least the minimum values - IP address, SGT and Send to SXP Domain

[image: RobIngram_0-1694462033831.png]

[image: RobIngram_1-1694462086488.png]

 

 

I can confirm: no issues with saving the configuration.

KevinR99 (Level 1)

What version of ISE are you using?  Mine is 3.0.

There are drop down boxes next to my IP address and Virtual Networks fields but nothing available in them.  When I try to type a value it clears as soon as I go to the next field and because I cannot fill in all the fields the save button is never active.

My SW is 3.2, but I don't think you hit the bug with 3.0. I also have the dropdown but I ignore it and just type the necessary values in the editable area of the dropdown box. You must get the same result as in the above images.

 

Working.  When I saw the drop down box I assumed it would populate as I filled in addresses, or that when I completed an address and moved to the next field my address would be accepted.  However, as you say, ignore the drop down box but hit return after entering the address and it's accepted.  I've then confirmed that the static mappings get propagated to my devices.

Thanks for your input.
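For the propagation step discussed in the last few replies (the ISE static mapping with "Send to SXP Domain" set, then the Border learning it over SXP rather than from a local `cts role-based sgt-map` line), here is the Border side as an added example. It is not configuration from the thread, from ISE, or from DNA Center; the ISE address 10.1.1.5, the Border source address 10.2.2.1, the password string and the VRF name Campus_VN are assumed. On the ISE side the Border must also be added as an SXP peer (listener) under Work Centers - TrustSec - SXP, which the screenshots above do not show.

```ios
! Added example (not from the original thread): Border as SXP listener for mappings defined
! in ISE. Assumed values: ISE 10.1.1.5, Border source 10.2.2.1, password SxpSecret1, VRF Campus_VN.
!
! Enable SXP and set a default password; ISE must be configured with the same string.
cts sxp enable
cts sxp default password SxpSecret1
cts sxp default source-ip 10.2.2.1
!
! ISE speaks, the Border listens. The vrf keyword selects the table used to reach ISE; whether
! learned bindings are installed in that VRF or in the global table varies by platform and
! release, so verify it with the show commands below rather than assuming.
cts sxp connection peer 10.1.1.5 source 10.2.2.1 password default mode local listener vrf Campus_VN
!
! Verification. The connection should be "On", the mapping from ISE should appear with
! source SXP, and it must land in the VRF the client traffic is routed in.
show cts sxp connections brief
show cts sxp sgt-map brief
show cts role-based sgt-map vrf Campus_VN all
```

If the binding shows up under `show cts sxp sgt-map` but not under the VRF-scoped role-based map, the mapping is present but in the wrong table and the SGACL will not match, which is the same failure mode as the non-VRF static binding earlier in the thread.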