Restrictions for Configuring SGACL Policies
- Due to hardware limitations, Cisco TrustSec SGACLs cannot be enforced for punt (CPU bound) traffic in hardware. SGACL enforcement in software is bypassed for CPU bound traffic on SVI, layer 2 and layer 3 Location Identifier Separation Protocol (LISP), and loopback interfaces.
- When configuring SGACL policies, if you change the IP version dynamically from IPv4 or IPv6 to Agnostic (applies to both IPv4 and IPv6) and vice versa, the corresponding SGACL policies for IPv4 and IPv6 are not downloaded completely via the management VRF interface.
- When configuring SGACL policies, if you change the existing IP version to any other version (IPv4 or IPv6 or Agnostic) and vice versa, Change of Authorization (CoA) from Cisco Identity Services Engine (ISE) should not be performed using RADIUS. Instead, use SSH and run the cts refresh policy command to perform a manual policy refresh.
- When using an SGT allowed list model with default action as deny all, in some cases, Cisco TrustSec policies are partially downloaded from the ISE server after a device reload.
  To prevent this, define a static policy on the device. Even if the deny all option is applied, the static policy permits traffic, which allows the device to download policies from the ISE server and overwrite the defined static policies. For the device SGT, configure the following commands in global configuration mode:
  - cts role-based permissions from <sgt_num> to unknown
  - cts role-based permissions from unknown to <sgt_num>
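The static policy described in the last restriction, written out as an added example (not configuration from the Cisco page). It assumes the device SGT is 10 and names the role-based ACL PERMIT_ALL; both are constructed values, and the RBACL name is the argument the cts role-based permissions command applies between the two SGTs.

```cisco
! Added example, not from the Cisco page: static SGACL policy so that the
! device can still reach ISE and download policies after a reload when the
! ISE matrix default is deny all. SGT 10 and the name PERMIT_ALL are
! constructed for illustration; use the device's own SGT.
!
! 1. Define a role-based ACL that permits all IP traffic.
ip access-list role-based PERMIT_ALL
 permit ip
!
! 2. Bind it statically in both directions between the device SGT and the
!    unknown SGT, matching the two commands listed in the restriction.
cts role-based permissions from 10 to unknown PERMIT_ALL
cts role-based permissions from unknown to 10 PERMIT_ALL
!
! 3. Verify from exec mode: the two static entries should be present, and
!    after the ISE download completes they are overwritten by the
!    downloaded policy for the same SGT pair.
! show cts role-based permissions
```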