An SGT static mapping will be defined for each DC server or network device; these mappings are used later in an ACL on the ASA to permit or deny traffic as required. The SGT mappings will be pushed from ISE to the ASA via the SXP peering.
For testing we will define two IP addresses, each mapped to a unique SGT (as created previously); these will be sent via SXP to the ASA.
* Navigate to Work Centers > TrustSec > Components > IP SGT Static Mappings
* Click Add to create a new IP SGT static mapping
* Enter the IP address of a server to define mappings

| IP address/host | SGT | Deploy via |
|---|---|---|
| 2.2.2.1 | ROUTER (1002/03EA) | default |
| 2.2.2.10 | WEBSVR (1001/03E9) | default |
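
A pre-deployment sanity check for a list of static mappings like the one above, added here as an example (it is not part of ISE or of the original page): it confirms that each SGT label's decimal and hex values agree and that no host is bound to two different tags. The function name, the row format and the deliberately wrong rows are assumptions made for illustration.

```python
import ipaddress
import re

# SGT label as displayed in the table above: NAME (decimal/hex)
SGT_LABEL = re.compile(r"^(\w+) \((\d+)/([0-9A-Fa-f]{4})\)$")


def check_mappings(rows):
    """Return a list of problems found in (ip, sgt_label) rows; empty means clean."""
    problems = []
    ip_to_tag = {}    # host address -> tag number already assigned to it
    tag_to_name = {}  # tag number -> SGT name already seen for it
    for ip_text, label in rows:
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append(f"{ip_text}: not a valid IP address")
            continue
        m = SGT_LABEL.match(label)
        if not m:
            problems.append(f"{ip_text}: unparseable SGT label {label!r}")
            continue
        name, dec, hex_text = m.group(1), int(m.group(2)), m.group(3)
        if dec != int(hex_text, 16):
            problems.append(f"{ip_text}: {name} decimal {dec} != hex {hex_text}")
            continue
        # A host bound to two tags leaves the enforcement point with an ambiguous policy.
        if ip_to_tag.setdefault(ip, dec) != dec:
            problems.append(f"{ip}: mapped to both tag {ip_to_tag[ip]} and {dec}")
        # One tag number carrying two names usually means a copy/paste error.
        if tag_to_name.setdefault(dec, name) != name:
            problems.append(f"tag {dec}: named both {tag_to_name[dec]} and {name}")
    return problems


# Rows taken from the table above
PAGE_ROWS = [("2.2.2.1", "ROUTER (1002/03EA)"), ("2.2.2.10", "WEBSVR (1001/03E9)")]

# Constructed rows with deliberate mistakes, for illustration only
BAD_ROWS = PAGE_ROWS + [
    ("2.2.2.10", "ROUTER (1002/03EA)"),   # same host, second SGT
    ("2.2.2.20", "WEBSVR (1001/03EA)"),   # hex does not match decimal
    ("2.2.2.300", "WEBSVR (1001/03E9)"),  # invalid address
]

if __name__ == "__main__":
    for problem in check_mappings(BAD_ROWS):
        print(problem)
```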