Hello, In my understanding, ISE 'downloads' the IP-to-SGT mappings of the endpoints connected to the switch. This allows policy verification and permit/deny decision by the switch. Although rules and policies are configured between SGT's, the permi...
Hello support community, In our OT environment there are devices setting 802.1p priority (COS) while using vlan tag 0 in their dot1q header. 1) On which switching platforms does Cisco support this feature? Reading //www.cisco.com/c/en/us/td/docs/swit...
Hello, Is there a means to deny traffic between endpoints belonging to the same Scalable Group? This for the obvious reason to prevent lateral movement between SG members. I am looking for the lookalike of ACI's 'Intra EPG isolation'.
Hello,
We notice the following difference on C3750 and C3650
C3750
Dot1x Info for FastEthernet1/0/3
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode ...
Jerome, that's a clear answer ... Even if profiling of a non-IP device would succeed, if there is no IP address to bind the SGT with, no SGT will be assigned, and my above story of SGT-based segregation ends up as wishful thinking.
Joseph, thank you for this fast return. Now, let us assume we arrive to assign an SGT to the IEC 61850 endpoint community, say SGT_61850. I imagine we could do this assignment by ISE profiling with the endpoint's MAC OUI as match criterion, as these ...
Thank you Georg, nice to read that my understanding is correct. However, is there someone in the audience to answer Q1 above? Is dot1p priority setting + tagging in VLAN 0 supported on more switches than IE2K/4K/5K? Especially IE3K is of interest f...
Tx, Roddie. This way of defining intra-SG-isolation (by deny any <SG> <SG>, where SG is one and the same scalable group) sounds logical. I did not think enough 'out of the box' to find this solution by myself. This merits to be documented somewhere, ...