ISE SGT vs Custom SGT Rule Conditions
Some rules allow you to control traffic based on assigned SGT. Depending on the rule type and your identity source configuration, you can use either ISE-assigned SGTs or custom SGTs to match traffic with assigned SGT attributes.
Note | If you use ISE SGTs to match traffic, even if a packet does not have an assigned SGT attribute, the packet still matches an ISE SGT rule if the SGT associated with the packet's source IP address is known in ISE. |
Condition Type |
Requires |
SGTs Listed in Rule Editor |
---|---|---|
ISE SGT |
ISE identity source |
SGTs obtained by querying the ISE server, with automatically updated metadata |
Custom SGT |
No ISE identity source No ISE/ISE-PIC identity source |
Static SGT objects you create |