Information About IPv6 Support for SGT and SGACL
Components of IPv6 Dynamic Learning
Dynamic learning of IPv6 addresses requires three components:
- Switch Integrated Security Features (SISF): An infrastructure built to take care of security, address assignment, address resolution, neighbor discovery, exit point discovery, and so on.
- Cisco Enterprise Policy Manager (EPM): A solution that registers with SISF to receive IPv6 address notifications. The Cisco EPM then uses the IPv6 addresses and SGTs downloaded from the Cisco Identity Services Engine (ISE) to generate IP-SGT bindings.
- Cisco TrustSec: A solution that protects devices from unauthorized access. Cisco TrustSec assigns an SGT to the ingress traffic of a device and enforces the access policy based on the tag anywhere in the network.
Mapping of IPv6 addresses to SGTs can be done using the following methods, which are listed from lowest priority (1) to highest priority (6). When the same address is learned from more than one source, the binding from the higher-priority source is the one used for enforcement:
- VLAN: IPv6 addresses learned through SISF on a VLAN that has an SGT-VLAN mapping. Bindings are learned through ICMPv6 Neighbor Discovery.
- CLI: Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.
- Layer 3 Interface: Bindings added because of forwarding information base (FIB) forwarding entries that have paths through one or more interfaces with a consistent Layer 3 interface-SGT mapping or identity port mapping (IPM) on routed ports.
- SXP: Bindings learned from SGT Exchange Protocol (SXP) peers.
- Local: Bindings of authenticated hosts that are learned through EPM and device tracking. (Device tracking and SISF are the same.)
- Internal: Bindings between locally configured IP addresses and the device SGT.
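The precedence rule above decides which SGT is actually enforced when one IPv6 host is known to several sources. The following added example (not Cisco code; the source keys, the Binding record and the sample table are assumptions, and only host bindings are modelled, not prefix bindings) normalizes IPv6 addresses so that differently written forms of the same host match, applies the six-level priority from the list, and reports the lower-priority bindings that a winning entry hides, which is what you want to see when enforcement does not match the tag you expected.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address

# Binding sources, lowest priority first, in the order given in the guide above.
SOURCE_PRIORITY = {"vlan": 1, "cli": 2, "l3if": 3, "sxp": 4, "local": 5, "internal": 6}


@dataclass(frozen=True)
class Binding:
    address: str   # IPv6 host address in any textual form
    sgt: int
    source: str    # one of the SOURCE_PRIORITY keys (assumed naming)


def normalize(address: str) -> str:
    """Canonical compressed form: '2001:0db8::0001' and '2001:db8::1' compare equal."""
    return IPv6Address(address).compressed


def resolve_sgt(bindings, address):
    """Return (sgt, source, shadowed) for one host, or None if nothing is bound.

    'shadowed' lists lower-priority bindings for the same host that carry a
    different SGT, i.e. the entries overridden by the winning source.
    """
    target = normalize(address)
    candidates = [b for b in bindings if normalize(b.address) == target]
    if not candidates:
        return None
    for b in candidates:
        if b.source not in SOURCE_PRIORITY:
            raise ValueError(f"unknown binding source: {b.source}")
    winner = max(candidates, key=lambda b: SOURCE_PRIORITY[b.source])
    shadowed = [b for b in candidates if b is not winner and b.sgt != winner.sgt]
    return winner.sgt, winner.source, shadowed


# Constructed sample binding table (documentation range 2001:db8::/32).
SAMPLE_BINDINGS = [
    Binding("2001:db8:0:1::10", 10, "vlan"),          # learned via ND on an SGT-mapped VLAN
    Binding("2001:0db8:0000:0001::0010", 20, "cli"),  # same host, configured statically
    Binding("2001:db8:0:1::11", 10, "vlan"),
    Binding("2001:db8:0:1::11", 30, "sxp"),           # SXP peer outranks the VLAN binding
    Binding("2001:db8::1", 2, "internal"),            # device's own address
]

if __name__ == "__main__":
    for addr in ("2001:db8:0:1::10", "2001:db8:0:1::11", "2001:db8::1", "2001:db8::99"):
        print(addr, resolve_sgt(SAMPLE_BINDINGS, addr))
```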