41- Static Mapping Using ISE SGT, SXP with FMC

Captions
Hi everyone, welcome to my channel. Continuing the SNCF series: after explaining the integration of ISE with FMC using a certificate authority on Windows Server, and with everything made ready in the previous video (video number 40), now I need to explain the SGT object and how we can do it from ISE. So the title today is "SGT tagging using SXP, ISE and FMC: SGT static IP mapping". The title is very long, but this is actually what we are going to explain.

Very quickly, what is SGT? SGT stands for Security Group Tag. Okay, give me the pen; this one is good, I think. So we were talking about SGT. The SGT is an idea that came in ISE to control the traffic using a security group tag. What is a security group tag? Imagine that I have a switch here (I am not good at drawing, by the way). There is a PC here, another PC, and another PC. Assume all of them are in the same VLAN: 192.168.1.3, this one is .4, and this PC is .5. If I want to tag these two PCs, .3 and .4, I give them a group tag, a number, for example 5, any number, and this one I give a tag of 6. By this I have isolated group tag number 5 from communicating with group tag number 6. They are in the same VLAN, in the same subnet actually, so there is no need for routing to do the communication; this is simple communication here. Yes, by SGT I can do that. This is one use of the SGT: maybe I don't want, for example, a PC to communicate with a server, using the SGT.

So how will this happen? Actually there are two types, dynamic and static, from ISE. Dynamic: when you define the SGT in ISE, and once the users communicate, automatically, going through the ISE profile, they are given the downloadable access list, like where to go and where not to go in the network; this is where the tagging will happen. Now, this is of course a very long step and it needs a lot of configuration, especially on the switch when you are doing the dynamic mapping, but also in ISE. There is another one, which I am going to apply right now, because I don't want to do the first one (you will be lost with me), so I will do static mapping. What does static mapping mean? I will map an IP address, any IP address, 192.168.something for example, with a group tag. I will give it a name and automatically ISE will give it a tag number. Great.

So let me go to our topology. What I am going to do and apply: I want to prevent a PC in VLAN 10 from communicating with the management PC. Great. Let me see the IP addresses first. On the PC in VLAN 10, ipconfig: it's 192.168.10.10. Great. And the management PC, ipconfig: it's .100.10. So is there any ping? Let me see: ping 192.168.100.10. Great, there is pinging. This is what I don't want; I don't want to allow the PC in VLAN 10 to communicate with the management PC.

So now let me go to the server. I think I opened everything there... no, okay. In the FMC, I just want to remind you of the integration. This is what we did in the previous video, when we integrated the FMC with ISE: Identity Sources. And here there is the SXP topic: this should be checked. SXP stands for Security Group Exchange Protocol. This protocol is responsible for propagating, for sending all the group tags from ISE to FMC without having the hardware. What does hardware mean? Without having the hardware means without the switch, because normally we type the commands. If you remember from the SCOR course, the integration is: the supplicant, and the supplicant is in the PC, and the authenticator, and the authenticator is the switch itself. So on the switch you would write the commands, like dot1x and the SGT; everything you would write there. But in this case I don't want that. So this is SXP; this is the protocol that will propagate all the security group tags from ISE to the FMC, so this should be checked.

Okay, now I want to go to ISE. Great. In ISE, in Administration, you also have to make sure that pxGrid is enabled, and one more option: go to Deployment, and inside the Deployment there is the node; edit here. If you remember, we made it a primary and we selected pxGrid, and we also have to enable the SXP service. I don't want to enable it now, because I want to show you what will happen if we don't check it. So let me go to Work Centers; in the Work Centers there is TrustSec; press TrustSec to see the panel. Okay, it's open for you. Here there is something called Components; there are predefined components, and here I want to define my components, like for example "PC VLAN 10". Give it any icon, it doesn't matter; save. Okay, "Management", let's make it all caps: "MANAGEMENT PC", and give it any other icon, or the same icon, it doesn't matter. So from the Components we created two things. How can we see these two things? PC VLAN 10 is here. So we created only the tag, and I believe it is giving tag 16; we will check right now.

Now that I have created these two, I want to go to IP SGT Static Mapping. This is actually our topic; we are doing static mapping. We are telling ISE: don't care about any switch, I don't have any switch. Consider that you don't have a Cisco switch, okay, like a dummy switch, and you want to apply this. So you will click Add, and ISE will ask you: what IP address do you want to map with the group tag? I said 192.168.10.10; this is the PC in VLAN 10. Okay, it will ask you to Select SGT, so the SGT I want to map it with is PC VLAN 10. So I mapped this tag with this IP address; after that the SXP protocol will send, will propagate this to the FMC. Great. Send to SXP Domain: here default. The domain FMC you see, I created before; normally you would not see it. Deploy to Device: I will choose All Locations here. Great, save. Nice. Another Add for 192.168.100.10; this is the IP address of the management PC. SGT is MANAGEMENT PC (remove the caps... no, MANAGEMENT PC), send to SXP: the same, default; deployment to All Locations, so it will propagate to all locations. Save. Now I have these two. Save.

Okay, I want to go to Settings; inside it, in the SXP Settings, I have to enable Publish SXP Bindings on pxGrid, so SXP will send all the propagation to pxGrid, and pxGrid, because it has a communication between ISE and the FMC, will propagate it there. So I have to check this also, and save. Yes. Okay, one more thing: go to SXP now, SXP Devices. What is this device? Because I don't have a switch, and I am not writing the commands, the SGT commands, on the switch, I have to create a device. It is a dummy device; it does nothing, but it will help SXP propagate the tags to the FMC. This is how it works. If you have a switch and you did it dynamically, you don't need this step. Name it anything, "FMC switch" for example, anything: "FMC-switch". Okay, IP address: give it any IP address, it does not need to be routable, any dummy IP address. Peer Role: we have to choose the role, Listener or Speaker; I choose Both. Connected PSNs: here I don't have any PSN; this is where it will stop us. So please go here to Administration, the option that I told you about; right click, I can do it like this. Okay, I just want to enable SXP from the Deployment here. You remember I told you I didn't want to enable it until I could show you this. So enable SXP, and it will be using GigabitEthernet 0, yes, the one connected to the switch. Okay, we saved it. Now go back here; of course we will not find it, because I need a refresh. So click one time, Cancel; still no. Okay, I need to do it again: Add, "FMC-switch", okay, IP address: anything again. We chose Both. PSN: now the ISE node is appearing for you; that's why I didn't want to show it before. SXP Domain: default, okay. Status: Enabled. Password: None; keep it like that, only if you want any password. Okay, click Save. Now... okay, wait. Okay, here it will be Unknown first, and after that it will be Off. You care about the status being Off; so we are Off, we are fine.

All the mappings should be here, but still there is no mapping appearing here; I don't know why. It should; maybe it takes some time. No data. Refresh. Still no data. So let's check the configuration. This we did, the SXP device, it's up and running, okay. Components: we did two things. And we did the mapping here: 10.10 with PC VLAN 10, 100.10 with MANAGEMENT PC. Great. What else do we need? SXP, okay, here Off. Settings: these are actually the settings; yes, we published, and this is not related to that actually, but anyway I am trying to make sure everything is fine. Let me see All SXP Mappings. It should appear here directly; I don't know why it's not. Okay, let me do one thing: if I mention here, create a new SXP domain, name it anything ("two"), create, select from here... it's not assigning. Okay, let me refresh; maybe it needs a refresh of the page itself. Still, it should appear here. Okay, great, good troubleshooting: go to the ISE CLI, show application status ise, and let me see what's going on here, whether the services are running or not: SXP Engine Service running, great; Application Server running; pxGrid running, running, running. Okay, everything is fine. So pxGrid and SXP are both running, so there is no reason for this. But... okay, now we are missing... just now, when I enabled the SXP publish, just now it is enabling this one. Okay, it's the software; I just refreshed the page and it came to me. Here was the overview: "SGT Exchange Protocol (SXP) is used to propagate the IP-to-SGT mapping information across network devices", blah blah blah. Okay great, I said yes. What is this for? I will tell you in a while. Just refresh it here; let me see again: "You must first enable the SXP service, add SXP devices, so that the IP-to-SGT mappings are transferred across... you can also configure the settings." I did everything: SXP Devices, the device is here and it's Off; Settings, Publish is here. Okay, go again to SXP, our settings. It's really weird, actually. Okay: enabled, add SXP device, all these steps we did actually. Where is it going to take me now? This one I enabled already and we saved it; it's enabled and we saved it. I think something is not updating; it's enabled and it's not updating. Maybe I need to restart ISE. Let me see one more time... assigned to the FMC, okay, still. Okay, one more, last refresh... Well, there is no reason why this is happening. I want to pause it; I will just restart ISE, because restarting takes time, and I will come back to you.

Okay, back again. So now this is the device, as I told you; I just restarted it, the service was jammed maybe. So this is the single device. The connection PSN is ISE, SXP domain is default; let's keep it in the default. Cancel. Go to All SXP Mappings: now this is the mapping, actually, great. So these are the two, and here the SXP domain is default, using PSN ISE. Okay, so let's keep it on default now. And let's see: there is a command we can use to check the tagging. Where is the FMC? FMC, okay, here is the FMC. So let me type a command to see what tagging is going on. Just write sudo su; it's asking for the password, okay, great. Then go into sf/user_enforcement, okay, I'm inside user_enforcement. Then uip_reader -f sxp_log_editor.1, and give it -p to see the bindings. So now here are the bindings... "does not exist", okay, and it is giving the tags 16 and 17. Great.

Let me go to the FMC now, the one I have here. Okay, this is the deployment; leave it aside, I don't want anything from this. Policies, Access Control Policy. Let me create a policy to block the communication between the PC in VLAN 10 and the management PC. Okay, Add Rule: "Block via SGTs", okay; the communication is Block with reset. Leave everything else; I just want to control it this time with SGT. In the SGT tab you have three main tabs: Security Group Tag, Device Type, Location IP. Of course, Security Group Tag. Now, the SXP protocol should have propagated them to FMC, so I can see PC VLAN 10, this is the one I created, and another one, MANAGEMENT PC, that I created; they propagated here, perfect. So MANAGEMENT PC will be in the destination and PC VLAN 10 will be in the source, so source to destination will be blocked. Okay, and let's enable the logging also, to check the logs. Add, Save. Okay, it's saved. Go to Deploy, and deploy. Yes.

So now what I am going to see here: where is the VLAN 10 PC? If I ping 192.168.100.10 -t, it is pinging there until the deployment is finished; the deployment is still at 8%. Okay, go to FMC. Now, here, these tags: if you don't see these tags, then it might not be working for you. Interesting... Okay, it might not be, or for sure will not be, working for you if you don't see the tags here. Okay. So what I am going to do: we are going to apply this now, waiting for that; that's 75%, great, and we will see what the communication will be, whether it will be disconnected or what. Still pending, yes, it's still pending, okay, 75%. Let me finish it right now; I didn't pause it because it is nearly done; I want to finish. Here it's 83%, applying a bit, "policy configuration". So let's wait here to check it; if it doesn't stop the ping, then I will tell you how to solve it, but here and there you have to do it the proper way. I will explain in a while. Just this deployment is finished... still the pinging is working; it means that the deployment has not been completed yet. Okay, it's completed. This is what I want, but it's still pinging. Great.

So let me go to ISE, in the SXP Devices. Now, what you can create here: you can assign, like FMC2 or FMC; this is a domain, you just create it from here like what I created. Let me try it with FMC2, Assign. Okay, so now it's assigned and it's here; the domain changed from default to FMC2. And the same: you have to go to Components to change it from there. IP SGT Static: go here, it's here, deployed by default, okay, and Deploy to All Locations, Mapping Group: nothing. So what I will do is edit the domain here; I will remove it and I will choose FMC2 again; for this one remove default, choose FMC2. Save. Okay, so now it's saved and the SXP device is connected to the SXP domain FMC2. Let me see now; it needs an update actually, maybe it needs a little bit of time to update. And there is the setting here: automatic verification after deployment time, Verify Now; TrustSec, if the process started, any issue will appear in the... okay. Also here, Push: just give it a push to push that one, or you wait like 10 minutes and it will get there. It should be blocked in a way. Okay, let me stop it, go to the FMC... the timing is here, so the tagging has happened. Go to FMC to check what is going on; it's completed. So what I set here is... edit, no, this is for another one. Ah, okay, okay, this is my mistake, my mistake, I am so sorry: when we applied the access control policy, we applied it and it's at the very bottom, so take it up. It's actually my bad, look. Let me edit here, move into... below? No, not below; above rule, here is Above Rule, and above number 1. Save. It should jump to the top; yeah, "Block SGT". So now it's there, it should be working. Deploy, deploy. I am sorry for this inconvenience, but things take some time; we are working on virtual machines and sometimes we forget a concept, but it's very nice, since it is considered a kind of troubleshooting, because not everything is straightforward in your infrastructure in reality. So this is 8%, and here it's still pinging, or what? Give me the continuous ping. Okay, great. So let me pause it and I will come back to you. So it's 90%, great. So it starts stopping here: Request timed out, Request timed out. Great. Let me go to Analysis, Connection Events, open the link, let's see what's going on here. It should appear in the events because we enabled the logging, and you'll see the Request timed out as well. You are supposed to see it over here. Let me go to Edit Search to check. Okay, if I Ctrl+F "SGT": Source SGT; it was PC VLAN 10 and MANAGEMENT PC. Let's make sure of the spelling: Components, static mapping: 10.10, MANAGEMENT PC, okay, PC VLAN 10 and MANAGEMENT PC. Great. Search: Source SGT PC VLAN 10, MANAGEMENT PC. Yeah, it is blocked by the SGT, so it's fine; it's working fine for us. I'm very happy. So this is all about SXP and the SGT object.

As you see, what you can also do is go to the object itself, in Object Management, if you don't want to integrate, if your device is not integrated with ISE. So what you will do is go to Objects, Object Management; I hope it will be faster. Okay, there is something here we should find: SGT... port, security, no no no; URL, interfaces, no, it should not be in the interfaces, no; network, no, it's not inside the network... no, not inside the network. SGT... prefix, time, SLA; it should be somewhere here, maybe it's in front of me but I cannot see it because I don't frequently use it. But what we can do is go to the access control policy and modify this: go to SGT, go down, yes, you can add your SGT from here, for example, but this one is location IP addresses... and I believe we can do that from here; it's not geolocation, it's about security group. It should be somewhere here actually; I forget it because it's not frequently used by anyone, because no one is using SGT like this; the SGT is used from ISE, but you can do it here or there. So I hope it's informative. Sorry for the inconvenience; the video should not be this long, it should be shorter than this, but yes, we went through some troubleshooting and it was helpful. I'm fine; I hope it's informative and you like it. Please don't forget to subscribe, share and like. Thank you very much, see you soon.
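The rule-order mistake in the video (the SGT block rule sitting at the bottom of the access control policy, so the ping kept succeeding until it was moved above rule 1) and the warning that the tags must be visible in the FMC before an SGT rule can match are both easier to see in a small model. The following is an added example written for this page, not code from the video, from Cisco ISE or from the FMC. It models only the two pieces the video exercises: a static IP-to-SGT binding table of the kind ISE publishes over SXP/pxGrid, and an ordered, first-match rule list keyed on source and destination SGT. The host names, the tag numbers 16 and 17, and the two IP addresses are taken from the video; the pre-existing "allow" rule that the block rule landed beneath is an assumption, and real FMC/FTD evaluation also considers zones, networks, ports and applications, which are deliberately left out.

```python
"""Added illustration of SGT-based first-match access control.

Constructed example for this page; not the video's, ISE's or FMC's code.
It models a static IP-to-SGT binding table (what ISE publishes over SXP/pxGrid)
and an ordered rule list evaluated top-down (what the FMC access control policy
does with the SGT tab). Zones, networks, ports and applications are left out.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# The two components created in ISE Work Centers > TrustSec > Components in the
# video; 16 and 17 are the tag numbers the video reads back on the FMC.
SGT_NUMBERS = {"PC VLAN 10": 16, "MANAGEMENT PC": 17}

# The two IP SGT Static Mappings entered in the video.
STATIC_BINDINGS = {
    "192.168.10.10": "PC VLAN 10",
    "192.168.100.10": "MANAGEMENT PC",
}


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "block"
    src_sgts: frozenset = frozenset()  # empty set means "any"
    dst_sgts: frozenset = frozenset()


def sgt_for(ip: str, bindings=STATIC_BINDINGS):
    """Return the SGT number bound to ip, or None if the host is untagged.

    An unmapped host carries no tag, so an SGT-keyed rule can never match it.
    This is the point the video makes: the tags have to be visible in the FMC
    before the policy can do anything.
    """
    ip_address(ip)  # reject malformed input early
    name = bindings.get(ip)
    return None if name is None else SGT_NUMBERS[name]


def _matches(rule, src_sgt, dst_sgt):
    for wanted, have in ((rule.src_sgts, src_sgt), (rule.dst_sgts, dst_sgt)):
        if wanted and have not in wanted:
            return False
    return True


def evaluate(policy, src_ip, dst_ip, default="allow"):
    """First-match evaluation; returns (action, name of the rule that fired)."""
    src_sgt, dst_sgt = sgt_for(src_ip), sgt_for(dst_ip)
    for rule in policy:
        if _matches(rule, src_sgt, dst_sgt):
            return rule.action, rule.name
    return default, "default"


BLOCK_SGT = Rule("Block via SGTs", "block",
                 src_sgts=frozenset({SGT_NUMBERS["PC VLAN 10"]}),
                 dst_sgts=frozenset({SGT_NUMBERS["MANAGEMENT PC"]}))
# Assumed here: some broader rule already matched the ping before the SGT rule
# was added (the video only shows that the new rule landed at the bottom).
ALLOW_ALL = Rule("Allow all (assumed pre-existing)", "allow")

# First attempt in the video: block rule at the bottom, ping keeps working.
MISORDERED_POLICY = [ALLOW_ALL, BLOCK_SGT]
# After "Move above rule 1": the block rule is evaluated first.
CORRECTED_POLICY = [BLOCK_SGT, ALLOW_ALL]

if __name__ == "__main__":
    for label, policy in (("misordered", MISORDERED_POLICY),
                          ("corrected", CORRECTED_POLICY)):
        print(label, evaluate(policy, "192.168.10.10", "192.168.100.10"))
    # The rule is directional: management PC -> VLAN 10 PC is not covered.
    print("reverse", evaluate(CORRECTED_POLICY, "192.168.100.10", "192.168.10.10"))
    # A host with no static mapping has no tag, so the SGT rule skips it.
    print("untagged", evaluate(CORRECTED_POLICY, "192.168.10.99", "192.168.100.10"))
```

Two things the model makes concrete: an SGT rule is evaluated in position like any other rule, so a block rule placed below a broader match never fires; and a host without a binding has no tag at all, which is a silent allow rather than an error, so checking that the expected tags appear in the FMC (as the video does with the binding dump) is part of the deployment, not optional.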
Info
Channel: Mahmoud Miaari
Views: 80
Keywords: BGP, Networking, CCNA, CCNP, CCIE, CCIE SECURITY, FMC, CCNP SECURITY, FTD, SNCF 300-710
Id: W1iKp3pB7zw
Length: 40min 24sec (2424 seconds)
Published: Sun Oct 10 2021