Sharing IP-SGT-Mappings between Switches with inline propagation

rmueller@cisco.com
Cisco Employee

Hi all,

I have a maybe basic question about SGACL enforcement locally on access switches:

Let's assume I have two access switches within a L2 deployment (Access-Switch A and Access-Switch B).

On Access-Switch A User_a is being authenticated, he gets SGT 10. The switch downloads the SGACL for SGT 10 from ISE, and the switch also has the SGT-to-IP mapping for User_a.

On Access-Switch B User_b is being authenticated, he gets SGT 20. The switch downloads the SGACL for SGT 20 from ISE, and the switch also has the SGT-to-IP mapping for User_b.

Propagation method is inline tagging.

Now the SGACL denies communication between SGT 10 and SGT 20. If the packet is now sourced on Access-Switch A, how does Access-Switch A know about the SGT-to-IP mapping for User_b, which is stored locally on switch B?

Thanks in advance.

Roland

Accepted Solution

jeaves@cisco.com
Cisco Employee

Hi Roland,

It doesn't know of the remote mapping.

Remember that the technology is built for egress enforcement.

So, traffic flows from A to B, the A side doesn't know of the B mapping so there can't be any enforcement on the A side for this flow. However, switch A inserts the source SGT into the L2 frame (inline propagation) for the packets sent to B. The B switch reads the source SGT off the wire, has the destination SGT and can enforce.

So, egress enforcement on B.

In the other direction it's the same - egress enforcement at A.

If you want/need to do ingress enforcement then you have to propagate the destination mappings back to the source (using something like SXP) but that doesn't scale.

Cheers, Jonothan.
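As an added illustration (not code from the thread or from Cisco), a small Python model of what Jonothan describes: each switch holds only the IP-to-SGT mappings of the hosts it authenticated, the source SGT rides inline in the frame, and only the egress switch can resolve the destination SGT and apply the SGACL. The SGACL table, the host addresses and the learn() method standing in for an SXP-propagated mapping are assumptions made for the example.

```python
# Added example (not from the thread): a minimal model of TrustSec egress
# enforcement with inline tagging. Each switch only knows the IP-to-SGT
# mappings of hosts it authenticated itself; the source SGT travels in the
# frame, and the egress switch resolves the destination SGT locally before
# consulting the SGACL matrix. Names, IPs and the SGACL table are constructed.

# (src_sgt, dst_sgt) -> action; anything not listed is permitted.
SGACL = {(10, 20): "deny", (20, 10): "deny"}


class Switch:
    def __init__(self, name, local_mappings):
        self.name = name
        self.ip_to_sgt = dict(local_mappings)  # only locally authenticated hosts

    def learn(self, ip, sgt):
        """Mapping learned from elsewhere (assumed SXP-style); needed for ingress enforcement."""
        self.ip_to_sgt[ip] = sgt

    def send(self, src_ip, dst_ip):
        """Frame leaving a locally attached host: the source SGT is inserted inline."""
        return {"src_ip": src_ip, "dst_ip": dst_ip, "sgt": self.ip_to_sgt[src_ip]}

    def ingress_enforce(self, frame):
        """What the sending switch would have to do: it needs the destination SGT."""
        dst_sgt = self.ip_to_sgt.get(frame["dst_ip"])
        if dst_sgt is None:
            return "unknown-destination-sgt"  # the remote mapping is not known here
        return SGACL.get((frame["sgt"], dst_sgt), "permit")

    def egress_enforce(self, frame):
        """Receiving switch: source SGT read off the wire, destination SGT is local."""
        dst_sgt = self.ip_to_sgt.get(frame["dst_ip"])
        if dst_sgt is None:
            return "not-local"  # destination is not attached to this switch
        return SGACL.get((frame["sgt"], dst_sgt), "permit")


def deliver(src_switch, dst_switch, src_ip, dst_ip):
    """Return (result at the sending switch, result at the receiving switch)."""
    frame = src_switch.send(src_ip, dst_ip)
    return src_switch.ingress_enforce(frame), dst_switch.egress_enforce(frame)


# Constructed topology: SGT 10 and 20 are from the thread, the addresses are made up.
switch_a = Switch("A", {"10.0.0.11": 10})                   # User_a on switch A
switch_b = Switch("B", {"10.0.0.22": 20, "10.0.0.33": 30})  # User_b (and a third host) on B

if __name__ == "__main__":
    print(deliver(switch_a, switch_b, "10.0.0.11", "10.0.0.22"))  # A cannot decide, B denies
    print(deliver(switch_a, switch_b, "10.0.0.11", "10.0.0.33"))  # no SGACL entry: B permits
    switch_a.learn("10.0.0.22", 20)  # propagate the remote mapping (SXP-style)
    print(deliver(switch_a, switch_b, "10.0.0.11", "10.0.0.22"))  # now A can deny on ingress too
```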

Jonathan,

Thank you very much - this explains it!

Roland