View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0218 - ISE 2.0 TrustSec - SGACL (Part 1)

Average: 5 (2 votes)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
Video Download: 
Title: SEC0218 - Video Download $14.00
Purchase SEC0218 - Video Download $14.00
The video walks you through configuration of SGACL on Cisco ISE 2.0. Using the SGT created in the previous video, we will map them into SGACL matrix and apply appropriate access policy. We will configure a switch to download SGACL from ISE and have it act as our enforcement point (Network as a Enforcer). 
Part 1 of this video covers SGACL creation and switch SGACL configuration download
  • Security Group ACL (SGACL)
  • SGACL Matrix
  • SGACL Component
  • SGACL Egress Policy
  • SGACL Source Tree

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


I have 2 Cisco 3560 configured for TrustSec and ISE 2.0 SP4. I can have the following under
sh cts role-based permissions

IPv4 Role-based permissions from group 3:SGT_Domain_User to group 2:SGT_TrustSec_Device:
Permit IP-00

I can still ping my devices even after I do a cts refresh policy
My Wired Policy authorization tags the 3:SGT_Domain_User for permissions
My TrustSec Network Device Athorization tags 2:SGT_TrustSec_Device

Please advise


Are they 3560x? If not, they do not support SGACL per metrix in the link below.


My apologies, I have 2 Cisco 3650-24 switches
WS-C3650-24TS 03.07.05E cat3k_caa-universalk9 INSTALL

Please make sure the following commands are present. Can you also use netflow to confirm that the SGT is there?

cts role-based enforcement
cts role-based enforcement vlan-list all 

Thank you. After applying cts role-based enforcement it worked.


Lab Minutes Classifieds