An engineer is configuring static SGT classification. Which configuration should be used when authentication is disabled and third-party switches are in use?
B: IP-SGT: https://community.cisco.com/t5/security-knowledge-base/segmentation-strategy/ta-p/3757424: "The method of sending out IP to SGT mappings from ISE is particularly useful if the access switch does not support TrustSec"
Overview of VLAN-to-SGT Mapping
The VLAN-to-SGT mapping feature binds an SGT to packets from a specified VLAN. This simplifies the migration from legacy to Cisco TrustSec-capable networks as follows:
Supports devices that are not Cisco TrustSec-capable but are VLAN-capable, such as legacy switches, wireless controllers, access points, VPNs, etc.
The VLAN-to-SGT binding is configured with the cts role-based sgt-map vlan-list global configuration command.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9400/software/release/16-10/configuration_guide/cts/b_1610_cts_9400_cg/m9-1610-trustsec-sgt.html
Security Group Tag (SGT)—TrustSec service assigns to each security group a unique 16-bit security group number whose scope is global within a TrustSec domain. The number of security groups in the switch is limited to the number of authenticated network entities. You do not have to manually configure security group numbers. They are automatically generated, but you have the option to reserve a range of SGTs for IP-to-SGT mapping.
It can be B, but because authentication is disabled the right answer is A.
When users authenticate onto the network, ISE learns of the user IP and assigns an SGT via the authorization table. So, ISE is the first platform in the network which learns of the IP to SGT mapping for dynamically authenticated endpoints.
The method of sending out IP to SGT mappings from ISE is particularly useful if the access switch does not support TrustSec.
Because authentication is not enabled here, we need to use the VLAN-to-SGT mapping.
Overview of VLAN-to-SGT Mapping
The VLAN-to-SGT mapping feature binds an SGT to packets from a specified VLAN. This simplifies the migration from legacy to Cisco TrustSec-capable networks as follows:
Supports devices that are not Cisco TrustSec-capable but are VLAN-capable, such as legacy switches, wireless controllers, access points, VPNs, etc.
Provides backward compatibility for topologies where VLANs and VLAN ACLs segment the network, such as server segmentation in data centers.
Hosts in a specific VLAN can be mapped to a specific static SGT. This method can be used when there are third-party switches or Cisco switches that do not support TrustSec.
Cisco Press, page 576
The other options are not as feasible because:
IP Address to SGT mapping is not supported by all switches.
L3IF to SGT mapping requires layer-3 switching, which is not supported by all switches.
Subnet to SGT mapping requires that the switch be able to perform subnetting, which is not supported by all switches.
VLAN to SGT mapping is the most reliable and efficient way to implement static SGT classification when authentication is disabled and third-party switches are in use.
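The static classification options discussed in this thread, written out as an IOS-XE configuration fragment. This is an added example, not from the page or from Cisco's documentation; the VLAN number, SGT values and addresses are constructed, and IP device tracking on the VLAN is assumed so the TrustSec-capable switch can learn host IPs.

```cisco
! Constructed values: VLAN 10 -> SGT 100, 10.1.20.0/24 -> SGT 200, 10.1.30.5 -> SGT 300
! VLAN-to-SGT: every host learned on VLAN 10 is classified as SGT 100.
! Use when the access switch (third-party or non-TrustSec Cisco) cannot tag
! traffic itself and no 802.1X/MAB authentication exists to derive an SGT.
cts role-based sgt-map vlan-list 10 sgt 100
! Subnet-to-SGT and IP-to-SGT: alternatives when hosts are known by address
! rather than by the VLAN they sit in (e.g. servers with fixed addresses).
cts role-based sgt-map 10.1.20.0/24 sgt 200
cts role-based sgt-map 10.1.30.5 sgt 300
! Verify the resulting IP-to-SGT bindings (exec mode, after leaving config)
show cts role-based sgt-map all
```

Bindings that do not appear in the `show` output usually mean the switch has not yet learned the host IP on that VLAN, so check device tracking before suspecting the mapping itself.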
If the answer is B, does this apply to non-Cisco L2 switches?
Commenters and posting times:
Frankie_Boy (Highly Voted, 1 year, 9 months ago)
Cachaman (Most Recent, 1 month, 1 week ago)
kerimeba (8 months, 1 week ago)
XBfoundX (10 months, 2 weeks ago)
XBfoundX (10 months, 2 weeks ago)
IETF1 (12 months ago)
faridh (1 year, 2 months ago)
ElCobra90 (1 year, 3 months ago)
rhylos (1 year, 5 months ago)
denverfly (1 year, 5 months ago)
Cnoteone (1 year, 7 months ago)
Cnoteone (1 year, 8 months ago)