09-01-2023 12:08 PM - edited 09-01-2023 12:10 PM
Hi
I'm testing Trustsec in my SD Access lab. I can assign 2 ports on edge switches to different groups then apply a policy that blocks pings and it works fine. I'm not authenticating the users so I statically assign an SGT via DNAC when I assign the ports to an address pool.
However, I'm also trying to test securing traffic to an external server that sits in my shared services area which is in the GRT. To get to the server I need to leave my SD Access VRF on a L3 handoff and go through a fusion device where I route leak. So I am trying to apply a policy on my Borders such that I statically designate an IP address to have SGT xx with the command
cts role-based sgt-map 10.10.10.10 sgt 10
My ISE matrix then blocks my clients in SGT 5 pinging the server in SGT 10. I can see the policy getting to my borders with
show cts role-based permissions
However, the traffic to the external device isn't blocked.
Is it possible to do this and if so what am I missing?
What I want to do is apply an extranet policy to share the INFRA_VN with a customer VN. This works and the traffic doesn't need to go via the Fusion. However, that does not apply any security. It's an all or nothing in that when I designate my INFRA_VN as the provider and my customer VN as the subscriber the customer can get to anything in my INFRA_VN. I want to be able to filter traffic at the Border with an SGT policy. The alternative is I send the customer traffic out via a firewall and back in via the GRT which connects to the INFRA_VN. This works but is inefficient as the traffic hairpins out the fabric borders and back in again.
Thanks for any input, Kev.
09-01-2023 12:39 PM
For non extranet scenario (Border enforcing traffic to an external destination) you must enable the following in the Border:
1) cts role-based enforcement
2) cts role-based enforcement vlan-list (L3 handoff VLAN)
3) cts role-based sgt-map vrf (the fabric client VRF) x.x.x.x sgt xxx (This is called static binding and is vrf aware, you can use SXP for dynamic mappings using ISE).
For extranet scenario:
change the vlan list to include the VLAN used for the L3 handoff in the GRT.
Regards
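The three items above are easy to get partly right (in particular, a `cts role-based sgt-map` line without the `vrf` keyword lands in the global table rather than the fabric client VRF). The following Python check is an added example, not code from the thread or from any poster: it parses the running-config form of those commands from a constructed sample config and reports which of the three requirements is missing for a given VRF, handoff VLAN set and server IP. The hostname, VRF name, VLAN numbers and addresses in the sample are made up.

```python
import re

# Constructed sample of a border's running-config (made-up values, not from the thread).
# Note the second sgt-map line deliberately lacks the vrf keyword.
SAMPLE_CONFIG = """\
hostname BORDER-1
!
cts role-based enforcement
cts role-based enforcement vlan-list 1093,1094
cts role-based sgt-map vrf CUSTOMER_VN 10.10.10.10 sgt 10
cts role-based sgt-map 10.10.10.20 sgt 11
!
interface Vlan1093
 description L3 handoff CUSTOMER_VN
 vrf forwarding CUSTOMER_VN
!
interface Vlan1094
 description L3 handoff GRT
"""

VLAN_LIST_RE = re.compile(r"^cts role-based enforcement vlan-list (\S+)$")
SGT_MAP_RE = re.compile(r"^cts role-based sgt-map(?: vrf (\S+))? (\S+) sgt (\d+)$")


def expand_vlan_list(spec):
    """Expand an IOS-style VLAN list such as '1093,1100-1102' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_cts(config):
    """Return (enforcement_enabled, enforced_vlans, bindings).

    bindings maps (vrf_or_None, ip) -> sgt; vrf is None for a binding
    that was configured without the vrf keyword (global table).
    """
    enforcement = False
    vlans = set()
    bindings = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "cts role-based enforcement":
            enforcement = True
            continue
        m = VLAN_LIST_RE.match(line)
        if m:
            vlans |= expand_vlan_list(m.group(1))
            continue
        m = SGT_MAP_RE.match(line)
        if m:
            bindings[(m.group(1), m.group(2))] = int(m.group(3))
    return enforcement, vlans, bindings


def audit_border(config, vrf, handoff_vlans, server_ip, expected_sgt):
    """Check the three requirements from the answer above; return a list of findings.

    handoff_vlans should include the GRT handoff VLAN too in the extranet case.
    An empty list means the border is configured as described.
    """
    enforcement, vlans, bindings = parse_cts(config)
    findings = []
    if not enforcement:
        findings.append("missing: cts role-based enforcement")
    missing = set(handoff_vlans) - vlans
    if missing:
        findings.append(f"vlan-list lacks handoff VLAN(s): {sorted(missing)}")
    sgt = bindings.get((vrf, server_ip))
    if sgt is None:
        if (None, server_ip) in bindings:
            findings.append(f"binding for {server_ip} is in the global table, not vrf {vrf}")
        else:
            findings.append(f"no static binding for {server_ip} in vrf {vrf}")
    elif sgt != expected_sgt:
        findings.append(f"{server_ip} bound to sgt {sgt}, expected {expected_sgt}")
    return findings


if __name__ == "__main__":
    for ip, sgt in (("10.10.10.10", 10), ("10.10.10.20", 11)):
        print(ip, audit_border(SAMPLE_CONFIG, "CUSTOMER_VN", [1093, 1094], ip, sgt) or "OK")
```

Feed it the output of `show running-config | include cts` from the border; the one finding it raises on the sample is the global-table binding for 10.10.10.20, which is exactly the non-VRF form used in the opening question.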
09-02-2023 03:31 AM
Excellent, worked a treat.
Thanks for the swift reply, much appreciated.
Kev.
09-03-2023 05:14 AM - edited 09-03-2023 05:15 AM
I had a look at the ISE I have in my SDA lab. I would prefer to use this to define and propagate my static mappings. However, when I look in
Work centers - TrustSec - Components - IP SGT Static Mapping
there is a drop down against the IP address field as if ISE will populate IP addresses. So I can't define my external fabric IP address.
Is there a licensing or other requirement on ISE to allow me to configure and deploy static SGT mappings?
Thanks, Kev.
09-03-2023 05:21 AM - edited 09-11-2023 03:58 AM
See above
09-11-2023 03:58 AM
I'm still unable to define static SGT mappings in ISE. My hope was that I could define them there and propagate them to my Borders so that they know what SGT I want external devices to be mapped to. Then I can use that mapping in the trustsec matrix.
When I go to Trustsec - IP SGT static mapping
it offers me a drop down box on the 1st line next to ip address. It's as if it needs to know about a device IP address before I can then statically assign an SGT. What I want to do is tell ISE the IP address and SGT such that it is propagated to my Border via SXP.
Kev.
09-11-2023 04:29 AM
Isn't this available for you?
09-11-2023 11:04 AM
It is available but the IP address field seems to expect values to be available in the drop down menu. When I type in an IP address it won’t accept it and it never allows me to press the save button.
09-11-2023 12:23 PM
Khm... I'll check it in the lab and feed back.
09-11-2023 12:57 PM
@KevinR99 You manually add the IP address, there is no drop-down list of pre-populated IP addresses/networks. You can press the save button only once you've added at least the minimum values - IP address, SGT and Send to SXP Domain
09-11-2023 11:40 PM
I can confirm: no issues with saving the configuration.
08-27-2024 08:43 AM - edited 08-27-2024 08:46 AM
Hi Jalejand,
I'm trying to enforce traffic to an external destination on the border with an extranet scenario on a Cat9500 with:
cts role-based enforcement
cts role-based enforcement vlan-list 1093 (L3 handoff VLAN of infra_vn)
cts sxp enable
cts sxp default password cisco
cts sxp connection peer <ISE-ADDR> source <Loopback0> password default mode local listener
The SXP connection is ON and in "show cts role-based sgt-map" I can see all my static mappings from ISE.
I configured a policy with deny ip from an internal SGT to the static mapping. But "show cts role-based permissions" is empty.
Am I missing something for the extranet scenario?
SDA 2.3.5.5
ISE 3.2p6
IOS-XE 17.9.5
Cheers,
09-12-2023 01:07 AM
What version of ISE are you using? Mine is 3.0.
There are drop down boxes next to my IP address and Virtual Networks fields but nothing available in them. When I try to type a value it clears as soon as I go to the next field and because I cannot fill in all the fields the save button is never active.
09-12-2023 02:11 AM
My SW is 3.2, but I don't think you hit the bug with 3.0. I also have a dropdown but I ignore it and just type the necessary values in the editable area of the d/b. You must have the same result as in the above images.
09-13-2023 01:59 AM
Working. When I saw the drop down box I assumed it would populate as I filled in addresses or when I completed an address and moved to the next field my address was accepted. However, as you say, ignore the drop down box but hit return after entering the address and it's accepted. I've then confirmed that the static mappings get propagated to my devices.
Thanks for your input.