ISE SGT vs Custom SGT Rule Conditions

Some rules allow you to control traffic based on assigned SGT. Depending on the rule type and your identity source configuration, you can use either ISE-assigned SGTs or custom SGTs to match traffic with assigned SGT attributes.

Note
If you use ISE SGTs to match traffic, even if a packet does not have an assigned SGT attribute, the packet still matches an ISE SGT rule if the SGT associated with the packet's source IP address is known in ISE.

Condition Type

Requires

SGTs Listed in Rule Editor

ISE SGT

ISE identity source

SGTs obtained by querying the ISE server, with automatically updated metadata

Custom SGT

No ISE identity source

No ISE/ISE-PIC identity source

Static SGT objects you create