10-16-2021 07:43 AM
Hello Team.
We have C9800 with Wave 2 AP in flex mode.
We are trying to implement SGACL enforcement for locally switched traffic.
I see the SXP connection with ISE. But SGACL enforcement doesn't work.
But in the C9800 GUI, on the AP page, TrustSec tab, I see that the policy is not pushed to the AP (screenshot attached).
I see SGACL has been downloaded to WLC:
wlc-test#show cts rbacl
CTS RBACL Policy
================
RBACL IP Version Supported: IPv4 & IPv6
  name                = Permit IP-00
  IP protocol version = IPV4, IPV6
  refcnt              = 2
  flag                = 0xC1000000
  stale               = FALSE
  RBACL ACEs:
    permit ip

  name                = BLOCK-01
  IP protocol version = IPV4
  refcnt              = 3
  flag                = 0x40000000
  stale               = FALSE
  RBACL ACEs:
    deny ip any any
I see SGT tags has been downloaded to WLC:
wlc-test#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
10.64.110.2             2       INTERNAL
10.64.128.6             11      SXP
10.64.128.194           2       INTERNAL
10.86.224.16            17      LOCAL
I have configured CTS policy in flex profile.
From WLC:
wlc-test#show wireless cts
Local Mode CTS Configuration

Policy Profile Name        SGACL Enforcement    Inline-Tagging    Default-Sgt
----------------------------------------------------------------------------------------
SM-CORP                    DISABLED             DISABLED          0
SM-IPSK                    ENABLED              DISABLED          0
SM-OPEN                    DISABLED             DISABLED          0
SM-GUEST                   ENABLED              ENABLED           0
SM-OPEN2                   DISABLED             DISABLED          0
default-policy-profile     DISABLED             DISABLED          0

Flex Mode CTS Configuration

Flex Profile Name          SGACL Enforcement    Inline-Tagging
-----------------------------------------------------------------------
TEST                       ENABLED              DISABLED
default-flex-profile       DISABLED             DISABLED
I need to block traffic from SGT 17 to SGT 6 by applying SGACL on AP.
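As an added troubleshooting aid (editor's example, not code from the poster or from Cisco), the helper below parses the two WLC outputs quoted in the post and reports which of two things is missing for a given SGT pair and flex profile: an IP-SGT binding on the WLC for each SGT, and SGACL enforcement on the flex profile. The sample inputs are re-typed from the post; treating those two items as the first things to confirm is the editor's assumption, not a statement from the thread.

```python
import re

# Constructed sample: the sgt-map rows quoted in the post (no binding for SGT 6).
SGT_MAP_OUTPUT = """\
IP Address              SGT     Source
============================================
10.64.110.2             2       INTERNAL
10.64.128.6             11      SXP
10.64.128.194           2       INTERNAL
10.86.224.16            17      LOCAL
"""
# Constructed sample: trimmed 'show wireless cts'; the Local Mode rows must be skipped.
WIRELESS_CTS_OUTPUT = """\
Local Mode CTS Configuration
SM-IPSK                    ENABLED              DISABLED          0
Flex Mode CTS Configuration
Flex Profile Name          SGACL Enforcement    Inline-Tagging
TEST                       ENABLED              DISABLED
default-flex-profile       DISABLED             DISABLED
"""

BINDING_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s*$", re.M)
FLEX_ROW_RE = re.compile(r"^(\S+)\s+(ENABLED|DISABLED)\s+(ENABLED|DISABLED)\s*$")

def parse_sgt_bindings(text):
    """Return {sgt: [(ip, source), ...]} from 'show cts role-based sgt-map all'."""
    bindings = {}
    for ip, sgt, source in BINDING_RE.findall(text):
        bindings.setdefault(int(sgt), []).append((ip, source))
    return bindings

def parse_flex_enforcement(text):
    """Return {flex_profile: enforcement_enabled} from the Flex Mode table only."""
    status, in_flex = {}, False
    for line in text.splitlines():
        in_flex = in_flex or line.startswith("Flex Mode CTS Configuration")
        m = FLEX_ROW_RE.match(line) if in_flex else None  # local-mode rows never reach here
        if m:
            status[m.group(1)] = m.group(2) == "ENABLED"
    return status

def check_sgacl_prereqs(sgt_map_text, wireless_cts_text, flex_profile, src_sgt, dst_sgt):
    """List what is missing on the WLC side for enforcing src_sgt -> dst_sgt on a flex AP."""
    problems = []
    bindings = parse_sgt_bindings(sgt_map_text)
    for sgt in (src_sgt, dst_sgt):
        if sgt not in bindings:
            problems.append(f"no IP-SGT binding for SGT {sgt} on the WLC")
    if not parse_flex_enforcement(wireless_cts_text).get(flex_profile, False):
        problems.append(f"SGACL enforcement not enabled in flex profile {flex_profile}")
    return problems
```

Run against the post's outputs with flex profile TEST and the pair 17 -> 6, it reports only the missing binding for SGT 6.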
10-16-2021 09:05 AM
Check if any of the mentioned restrictions could affect your case:
>...
Guidelines and Restrictions
SGACL enforcement is carried out on the controller for local mode.
SGACL enforcement is carried out on an AP for flex-mode APs performing local switching.
SGACL enforcement for wireless clients is carried out either on the upstream switch or on the border gateway in a Branch-to-DC scenario.
SGACL enforcement is not supported for non-IP or IP broadcast or multicast traffic.
Per-WLAN SGT assignment is not supported.
SGACL enforcement is not carried out for control-plane traffic between an AP and the wireless controller (for upstream or from upstream traffic).
Non-static SGACL configurations are supported only for dynamic SGACL policies received from ISE.
Static SGACL configuration on an AP is not supported.
M.