To fully understand this blog, you should have a fair understanding of the Cisco SDA solution components, VRF-based routing and AAA.

We will look at access control from an endpoint in the fabric to a server in a non-fabric domain.

Topology

(Figure: high-level topology)

We will perform the following steps to achieve this:

  1. Create an SGT on ISE named WLC with an SGT tag; I am using tag 500 in this case.
  2. Assign the SGT to the right VN.
  3. Create a manual IP-SGT SXP mapping on ISE for the server we are trying to control access to and from, in this case the WLC server with IP 192.168.104.235.
  4. Add the device to the SXP domain on ISE where we want the mapping to propagate; we are using the anycast IP for the VN, which is 10.10.128.1/24.
  5. Enable SXP on the L3 device(s) where you want the SGT-IP mapping to propagate, and verify on both the ISE and the device side(s).
  6. Create an SGT for the device based on its AD group, in this case doctor.
  7. Create a policy on DNAC to deny access from source SGT doctor to destination SGT WLC in both directions.
  8. Connect a user with doctor credentials and test.
  9. Edit the policy on DNAC to permit access from source SGT doctor to destination SGT WLC in both directions.
  10. Reauthenticate the user and test again.
  11. In the first case access will be denied; in the second case access will be permitted.

Let's start.

Create an SGT on ISE named WLC with an SGT tag; I am using tag 500 in this case.


Through the pxGrid service on ISE, this SGT should automatically propagate to DNAC.

Assign SGT to the right VN.

We will first create a manual IP-SGT SXP mapping on ISE for the server we are trying to control access to and from, in this case the WLC server with IP 192.168.104.235.


Verify the IP-SGT mapping.


We will add the device to the SXP domain where we want the SXP mapping to propagate.

I want the IP-SGT mapping to propagate to the Border, because we want the traffic to be blocked on the Border as it leaves the fabric.


Enable SXP on the L3 device where you want the SGT-IP mapping to propagate, and verify on both the ISE and the device side.

SDA-BORDER#sh run | sec cts
cts sxp enable
cts sxp default password <password>
cts sxp connection peer 192.168.200.98 source 10.10.28.1 password default mode local listener hold-time 0 0 vrf GDS
!
! VLAN 3002 is the egress VLAN, leaving the fabric towards the fusion router
cts role-based enforcement vlan-list 3002
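The two CLI checks that follow on the Border (the SXP connection state and the IP-SGT binding table) are only shown as screenshots in the original post. As an added example, not part of the post, here is a small Python helper that parses the text of `show cts sxp connections` and `show cts role-based sgt-map all` and confirms that the listener connection to ISE is in the On state (not Pending_On) and that the manual binding for the WLC server (192.168.104.235 to SGT 500) has actually arrived via SXP. The sample outputs are constructed to approximate IOS-XE formatting, not captured from the lab.

```python
"""Added verification helper (not from the original post): parse IOS-XE
`show cts sxp connections` and `show cts role-based sgt-map all` output and
check that the SXP peering to ISE is up and the WLC binding was learned."""
import re

# Constructed sample approximating `show cts sxp connections` on SDA-BORDER
# once the listener connection to ISE (192.168.200.98) has moved to "On".
SXP_CONNECTIONS_SAMPLE = """\
 SXP              : Enabled
 Highest Version Supported: 4
 Default Password : Set
 Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
----------------------------------------------
Peer IP          : 192.168.200.98
Source IP        : 10.10.28.1
Conn status      : On
Conn version     : 4
Local mode       : SXP Listener
Connection inst# : 1
TCP conn fd      : 1
TCP conn password: default SXP password
Hold timer is running
Duration since last state change: 0:00:05:12 (dd:hr:mm:sec)

Total num of SXP Connections = 1
"""

# Constructed sample approximating `show cts role-based sgt-map all` after
# the binding for the WLC server (SGT 500) has been learned through SXP.
SGT_MAP_SAMPLE = """\
Active IPv4-SGT Bindings Information

IP Address              SGT                 Source
============================================
10.10.28.1              2                   INTERNAL
192.168.104.235         500                 SXP

IP-SGT Active Bindings Summary
============================================
Total number of INTERNAL bindings = 1
Total number of SXP      bindings = 1
Total number of active   bindings = 2
"""

_FIELDS = {"Source IP": "source", "Conn status": "status", "Local mode": "mode"}


def parse_sxp_connections(text):
    """Return one dict per SXP peer block: peer, source, status, mode."""
    peers, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(Peer IP|Source IP|Conn status|Local mode)\s*:\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Peer IP":          # a new peer block starts here
            current = {"peer": value}
            peers.append(current)
        elif current is not None:
            current[_FIELDS[key]] = value
    return peers


def parse_sgt_map(text):
    """Return {ip: (sgt, source)} from the bindings table; the summary lines are ignored."""
    bindings = {}
    for line in text.splitlines():
        m = re.match(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)\s*$", line)
        if m:
            bindings[m.group(1)] = (int(m.group(2)), m.group(3))
    return bindings


def sxp_peer_is_on(text, peer_ip):
    """True only when the connection to peer_ip reports status On (Pending_On is not enough)."""
    return any(p["peer"] == peer_ip and p.get("status") == "On"
               for p in parse_sxp_connections(text))


def binding_present(text, ip, expected_sgt, expected_source="SXP"):
    """True when ip is bound to expected_sgt and that binding came from expected_source."""
    return parse_sgt_map(text).get(ip) == (expected_sgt, expected_source)


if __name__ == "__main__":
    print("SXP peer to ISE On:", sxp_peer_is_on(SXP_CONNECTIONS_SAMPLE, "192.168.200.98"))
    print("WLC binding via SXP:", binding_present(SGT_MAP_SAMPLE, "192.168.104.235", 500))
```

Checking the binding source as well as the tag matters: a binding that shows up as INTERNAL or LOCAL on the Border would mean someone configured it statically on the box, not that ISE propagated it, and the policy would silently stop following ISE.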

Let's verify on ISE first (it might take a minute to move from the Pending_ON to the ON state).


Let's verify on the Border side.


We will create an SGT for the device based on its AD group, in this case doctor.


We will create a policy on DNAC to deny access from the source SGT doctor to the destination SGT WLC in both directions.


Connect a user with doctor credentials and test.

Before the end user connects to the edge device, there is no SGACL pushed to the port through ISE.


The user connects using AD credentials and gets an IP in the VN GDS.


Now the SGACL is pushed to the port through ISE.


Also note that the Doctor SGT is propagated into the SXP mapping table through RADIUS; you can enable this in the SXP settings.


Let's also ensure the mapping is propagated to the Border.


Now let's log in to the endpoint, which is connected to an edge port configured for closed authentication, using the doctor's credentials, and try to ping the WLC server hosted outside the fabric.


Let's verify that the deny is happening because of our policy and not for some other reason.

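The post proves the deny comes from the policy with a screenshot of the Border. As an added example, not part of the post, the Python helper below does the same check from text: it parses `show cts role-based permissions` to confirm that the cell between the doctor and WLC SGTs is programmed with a Deny SGACL, and `show cts role-based counters` to confirm that the drop counter for that cell is actually incrementing. If the cell is Deny but the counter stays at zero, the ping is failing somewhere else (routing, a firewall, or enforcement not enabled on the egress VLAN). The samples are constructed to approximate IOS-XE output; the doctor SGT value 17 is a placeholder, since the post does not state the doctor tag number.

```python
"""Added verification helper (not from the original post): parse IOS-XE
`show cts role-based permissions` and `show cts role-based counters` and
decide whether a drop between two SGTs is attributable to the SGACL."""
import re

DOCTOR_SGT = 17   # placeholder: the post does not give the doctor tag value
WLC_SGT = 500     # from the post

# Constructed sample approximating `show cts role-based permissions` on the
# Border after DNAC pushed Deny in both directions between Doctor and WLC.
PERMISSIONS_SAMPLE = """\
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 17:Doctor to group 500:WLC:
        Deny IP-00
IPv4 Role-based permissions from group 500:WLC to group 17:Doctor:
        Deny IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
"""

# Constructed sample approximating `show cts role-based counters` after the
# endpoint sent four pings that were dropped in hardware on the Border.
COUNTERS_SAMPLE = """\
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
*       *       0          0          0          1532       0          0
17      500     0          4          0          0          0          0
500     17      0          0          0          0          0          0
"""

_CELL_RE = re.compile(r"IPv4 Role-based permissions from group (\d+)\S* to group (\d+)\S*:")


def parse_permissions(text):
    """Return {(src_sgt, dst_sgt): [acl lines]}; the default cell is keyed ("*", "*")."""
    matrix, key = {}, None
    for line in text.splitlines():
        m = _CELL_RE.match(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            matrix[key] = []
        elif line.startswith("IPv4 Role-based permissions default:"):
            key = ("*", "*")
            matrix[key] = []
        elif key is not None and line.startswith(" "):
            matrix[key].append(line.strip())      # indented ACL entry under the current cell
        else:
            key = None                             # anything else ends the cell
    return matrix


def parse_counters(text):
    """Return {(src, dst): {"denied": n, "permitted": n, "monitor": n}}, summing SW+HW columns."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue
        try:
            nums = [int(x) for x in parts[2:]]
        except ValueError:                         # header row
            continue
        key = tuple(p if p == "*" else int(p) for p in parts[:2])
        counters[key] = {"denied": nums[0] + nums[1],
                         "permitted": nums[2] + nums[3],
                         "monitor": nums[4] + nums[5]}
    return counters


def cell_is_deny(perm_text, src, dst):
    """True when the programmed SGACL for src->dst starts with a Deny entry."""
    acls = parse_permissions(perm_text).get((src, dst), [])
    return any(a.lower().startswith("deny") for a in acls)


def deny_hits(counter_text, src, dst):
    """Number of packets (SW+HW) dropped by the SGACL for src->dst."""
    return parse_counters(counter_text).get((src, dst), {}).get("denied", 0)


def explain_drop(perm_text, counter_text, src, dst):
    """One-line verdict on whether the SGACL in this cell is what blocks the traffic."""
    deny, hits = cell_is_deny(perm_text, src, dst), deny_hits(counter_text, src, dst)
    if deny and hits > 0:
        return f"SGACL {src}->{dst} is Deny with {hits} drops: the policy is doing the blocking"
    if deny:
        return f"SGACL {src}->{dst} is Deny but 0 drops: traffic is not reaching this enforcement point"
    return f"SGACL {src}->{dst} is not Deny: look elsewhere (routing, firewall, enforcement VLAN)"


if __name__ == "__main__":
    print(explain_drop(PERMISSIONS_SAMPLE, COUNTERS_SAMPLE, DOCTOR_SGT, WLC_SGT))
```

Run the same check after the policy is flipped to permit: the cell should then report a Permit entry and the permitted counter, not the denied one, should grow.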

Edit the policy on DNAC to permit access from the source SGT doctor to the destination SGT WLC in both directions.


Let's ensure the policy is propagated to the Border.


The endpoint can ping the server now.


Let's also verify it from the edge switch.


I hope you enjoyed reading this as much as I enjoyed writing it.