You are here
SEC0218 - ISE 2.0 TrustSec - SGACL (Part 1)
Difficulty Level:
Lab Document:
<Please login to see the content>
Category:
Security
The video walks you through configuration of SGACL on Cisco ISE 2.0. Using the SGT created in the previous video, we will map them into SGACL matrix and apply appropriate access policy. We will configure a switch to download SGACL from ISE and have it act as our enforcement point (Network as a Enforcer).
Part 1 of this video covers SGACL creation and switch SGACL configuration download
Topic:
- Security Group ACL (SGACL)
- SGACL Matrix
- SGACL Component
- SGACL Egress Policy
- SGACL Source Tree
About Author
Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.
5 comments
ISE 2.0 with TrustSec SGT
I have 2 Cisco 3560 configured for TrustSec and ISE 2.0 SP4. I can have the following under
sh cts role-based permissions
IPv4 Role-based permissions from group 3:SGT_Domain_User to group 2:SGT_TrustSec_Device:
Deny_ICMP-10
Permit IP-00
I can still ping my devices even after I do a cts refresh policy
My Wired Policy authorization tags the 3:SGT_Domain_User for permissions
My TrustSec Network Device Athorization tags 2:SGT_TrustSec_Device
Please advise
Thanks
Dennis
ISE 2.0 with TrustSec SGT
Are they 3560x? If not, they do not support SGACL per metrix in the link below.
http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trus...
ISE 2.0 with TrustSec SGT
My apologies, I have 2 Cisco 3650-24 switches
WS-C3650-24TS 03.07.05E cat3k_caa-universalk9 INSTALL
ISE 2.0 with TrustSec SGT
Please make sure the following commands are present. Can you also use netflow to confirm that the SGT is there?
ISE 2.0 with TrustSec SGT
Thank you. After applying cts role-based enforcement it worked.
Dennis