topic Re: SGT Inline Tagging on 9500 in Cisco Catalyst Center

SGT Inline Tagging on 9500

trickyg — Wed, 25 Aug 2021 15:20:09 GMT

I am looking to enable the above feature between a 9500 (Border Router) and a switch (9300) that sits between two deployed fabrics in order to preserve SGT values between the two fabric deployments.

However I notice that whilst the 9300 allows the "CTS manual" command to be applied to either the physical interface OR the Vlan interface the 9500 only allows apply of command to the Physical interface. As the routed transit is an SVI and not a routed port will the CTS manual command when applied to the 9500 physical interface be honoured for the traffic passing over the routed SVI?

Re: SGT Inline Tagging on 9500

willwetherman — Wed, 25 Aug 2021 23:19:01 GMT

Hi @trickyg

Yes this will work without any issues. I have installed a number of Catalyst 9500 borders that handoff to either a Catalyst 9300/9500 that is acting a shared services/fusion switch with SGT inline tagging to propagate SGTs to a perimeter firewall.

In my deployments I use Border Handoff automation so DNA Center configures the routed transit for each VN as an SVI (VLAN ID 3XXX). This is an example config that I apply to my border to shared services/fusion handoff interface.

interface FortyGigabitEthernet1/0/22
description Link to Shared Services
switchport mode trunk
switchport trunk allowed vlan 3001-3004
cts manual
policy static sgt 2 trusted

Re: SGT Inline Tagging on 9500

Preston Chilcote — Wed, 25 Aug 2021 22:26:46 GMT

For my own curiosity and perhaps education, how come an SDA Transit network between borders doesn't solve this problem. I thought that carrying SGT between fabrics is what it was designed for.

Re: SGT Inline Tagging on 9500

willwetherman — Wed, 25 Aug 2021 23:18:32 GMT

Hi @Preston Chilcote

This was for two SDA fabrics that were connected via a common fusion switch using IP-based transit. I have just checked and I think that end to end policy using SGTs was maintained using SXP and not inline CTS. Inline CTS was used for SGT propagation to a firewall that was connected to the common fusion switch.

I suppose that SDA transit was designed for this type of deployment, however as this was only two sites, SDA transit was not initially opted for. I have corrected my original post.

Out of interest, can SGT policy between multiple fabric sites with IP-Transit handoff/VRF-lite be maintained with CTS inline tagging or is SXP the only supported option?

Thanks,

Will

Re: SGT Inline Tagging on 9500

Preston Chilcote — Wed, 25 Aug 2021 23:34:14 GMT

@willwetherman I can't remember hearing any updates regarding carrying SGTs inline over IP-Transit. Instead, there was work done to carry it in VXLAN natively (over SDA transit), or in one of the protocols involved in SD-WAN (maybe IPSEC?). Both of those eliminate the need for SXP, which improves scale and hopefully reduces complexity.

Re: SGT Inline Tagging on 9500

trickyg — Thu, 26 Aug 2021 08:45:01 GMT

That's OK if all intermediate devices between the two fabrics are SDA enabled but in my scenario this is not the case hence why I am using IP based transit

Re: SGT Inline Tagging on 9500

trickyg — Thu, 26 Aug 2021 08:51:10 GMT

Thanks for the clarification regarding inline tagging on physical interface configured as trunk.

"can SGT policy between multiple fabric sites with IP-Transit handoff/VRF-lite be maintained with CTS inline tagging or is SXP the only supported option?"

This is what I am trying to achieve. My understanding is that the SGT value in the source packet being transmitted over the IP transit will be preserved and included in the additional header attached to the packet. The receiving fabric will then be able to apply fabric policy to this packet as SGT still intact?

Re: SGT Inline Tagging on 9500

davidjohnredfern — Mon, 04 Jul 2022 07:10:51 GMT

Hi @willwetherman

I am doing something very similar, with 9500 borders peering via to 9500 shared/services fusion switches, which then peer to a connected FTD firewall pair, and want to pass the SGTs though to the firewalls.

Did you also need to apply these commands on all physical interfaces on the 9500 shared/services fusion switches in the path to the firewalls?

cts manual
policy static sgt 2 trusted

Cheers,

Dave

Re: SGT Inline Tagging on 9500

andrew.butterworth — Tue, 05 Jul 2022 07:36:34 GMT

Can this configuration be applied on routed interfaces?

I've got a C3560CX and a C3560X in the lab and have never been able to get a link to come with just this:

cts manual
 policy static sgt 4 trusted
 propagate sgt

Both switches are running the latest IOS versions.

Re: SGT Inline Tagging on 9500

jedolphi — Tue, 05 Jul 2022 08:21:50 GMT

Inline SGT tagging not supported on 3560-CX. Please review the TrustSec platform and capability matrix -> https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/policy-platform-capability-matrix.pdf

Re: SGT Inline Tagging on 9500

andrew.butterworth — Tue, 05 Jul 2022 09:34:37 GMT

I'm fairly certain it is supported on C3560CX & C3560X series:

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 3560-CX and 2960-CX Switches) - Configuring MACsec Encryption [Cisco Catalyst 3560-CX Series Switches] - Cisco

Re: SGT Inline Tagging on 9500

Damien Miller — Tue, 05 Jul 2022 14:43:56 GMT

As mentioned, inline tagging is not supported on the 3560. Page 3 of the document jedolphi shared shows which TrustSec features are available on the 3560 platform. I can confirm this is accurate.
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-platform-capability-matrix.pdf

Re: SGT Inline Tagging on 9500

andrew.butterworth — Wed, 13 Jul 2022 10:42:14 GMT

OK. I'm getting my technologies mixed up here...

MACSEC is supported on C3560CX, but not CTS inline tagging it seems.

So on the C3560CX platform we can't do SGT based access-control? Or am I missing something here? The RADIUS server pushes the cisco-av-pair for the SGT tag and I can see this in the 'Server Policies' when looking at the authentication status of the interface. Would SGT only be applicable within the switch? i.e. two hosts attached to the C3560CX get different SGT values and a policy could implement micro-segmentation within the switch between the two hosts, but the SGT can't propagate out of the switch?

Re: SGT Inline Tagging on 9500

FranckL — Thu, 29 Sep 2022 08:02:39 GMT

Hi Andrew,

You're right, there is two differents things : you can use SGT and do filtering on 3560CX, but it doesn't do VXLAN so it can't exchange SGT with other switches.

Re: SGT Inline Tagging on 9500

andrew.butterworth — Mon, 03 Oct 2022 08:08:47 GMT

SGT inline tagging and VXLAN are different things. SGT inline tagging is an Ethernet frame with the Ethertype set to 0x8909 which indicates a CiscoMetaData header is present. The CiscoMetaData header contains the SGT. VXLAN is a generic encapsulation. Cisco put two things in the VXLAN header - the VNID and the SGT.

Solved: SGT Tag vs VxLAN tag - Cisco Community

Re: SGT Inline Tagging on 9500

alieson — Wed, 15 Jan 2025 07:30:16 GMT

Hello willwetherman,

Can you elaborate more about end to end configuration of SGT inline tagging?

Did you apply the above commands on each interface in the path which required to forward the CMD info?

Thx in advance..