11-14-2017 03:16 PM - edited 03-11-2019 01:09 AM
I have a customer who has a concern :
How do we get the static IP-SGT mappings defined in ISE to propagate to the VLAN-level on the Nexus 7K's?? This needs to be automated in a similar manner like it propagates to the default VRF on the Nexus 7K's.
Troubleshooting done :
ISE is speaker and all other devices in enterprise are listeners.
Current setup, ISE push IP-SGT mappings at VRF level onto Nexus. Client is connected behind an access port VLAN due which not working properly.
Started troubleshooting on the N7K where traffic from AC client 10.xx.xx.29 9xx4 trying to reach 10.xx.xx.7 2xxx1
Enforcement not happening correctly as <9xx4,2xxx1> should deny as per SGACL matrix on ISE.
NX-DC# show logging ip access-list cache detail | i 10.xx.xx.29
9xx4 10.xx.xx.29 10.xx.xx.243 0 0 Ethernet2/xx (1)IC
MP (0 )OFF ---- ----- Permit -----
----- ----- 3
65519 10.xx.xx.7 10.xx.xx.29 0 0 port-channel256 (1
)ICMP (0 )OFF ---- ----- Deny -----
----- ----- 2
9xx4 10.xx.xx.29 10.xx.xx.7 0 0 Ethernet2/xx (1)IC
MP (0 )OFF ---- ----- Permit -----
----- ----- 5
We found that sgt-map pushed for VRF:1. However, the end client is behind access port VLAN 10.
The issue is DGT: 0, so <9xx4, 0> will get hit instead of <9xx4, 2xxx1>.
NX-DC# sh system internal forwarding ipv4 route 10.xx.xx.7 de
slot 1
=======
slot 2
=======
RPF Flags legend:
S - Directly attached route (S_Star)
V - RPF valid
M - SMAC IP check enabled
G - SGT valid
E - RPF External table valid
10.xx.xx.7/32 , Vlan10
Dev: 0 , Idx: 0xb266 , RPF Flags: VS , DGT: 0 , VPN: 1
Also noticed that the IP-SGT configuration for 10.xx.xx.7 2xxx1 is under VRF:1, however the enforcement needs to happen on VLAN 10 so the same IP-SGT needs to be configured under VLAN 10
The moment I configured sgt-map for destination IP under vlan 10. Enforcement applied correctly. Traffic got denied.
NX-DC# sh cts role-based sgt-map | in 10.xx.xx.7
10.xx.xx.7 2xxx1(BAS_CCTV_Servers) vlan:
10 CLI Configured
10.xx.xx.7 2xxx1(BAS_CCTV_Servers) vrf:1
CLI Configured
Any help would be appreciated.
Regards
Gagan
11-14-2017 06:14 PM
Moving to TrustSec space.
11-28-2017 02:09 PM
The IP-SGT mapping propagated from ISE to the N7K vrf should bind, as long as the N7K isn't learning a conflicging mapping from a higher priority source. As long as the device has the correct IP-SGT mapping, the egress policies associated with those mappings should apply.
From your problem description, I believe you're saying 10.x.x.29 should have SGT-9xx4 and 10.x.x.7 should have SGT-2xxx1 and the egress policy should deny it, but it does not appear to enforce correctly until you manually add a VLAN mapping on the N7K?
While the problem is occurring, have you verified that the enforcement device has the correct IP-SGT mappings for the source and destination? Can you provide output from "sh cts ro sgt-m | i 10.x.x.7" and "sh cts ro sgt-m | i 10.x.x.29" from the enforcement device?
Also, can you verify that egress policy is correct in both directions on the enforcement device? Please provide output from the N7K of the following two commands: "sh cts ro poli from 9xx4 to 2xxx1" and "sh cts ro poli from 2xxx1 to 9xx4".
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide