topic Re: Subnet/IP to SGT tagging on NX-OS in Network Access Control

Subnet/IP to SGT tagging on NX-OS

Michal Olsovsky — Wed, 28 Nov 2018 13:42:27 GMT

Hi team,

I have a case where SGT tagging based on IP/subnet to SGT map is needed on N7K (M3 LC) without enforcement active. Traffic that needs to be tagged can enter nexus:

- via untrusted access portchannel - no SVI for this specific VLAN, packets need to be tagged and are send to another device where they are already part of trusted domain,

- via untrusted access or trunk port for a specific VLAN that has SVI configured.

For both cases IP/subnet to SGT mapping is configured (pushed via ISE) but the tagging is not happening. Is there any limitation for this or any special step to take to do this marking?

Thank you.

Best regards,

Michal

Re: Subnet/IP to SGT tagging on NX-OS

jeaves@cisco.com — Wed, 12 Dec 2018 11:57:12 GMT

When pushing mappings from ISE you can use SSH or SXP but the mapping always gets placed at the VRF level.

The N7K MUST have an SVI on the VLAN if using IP-SGT learnt via SXP (or) SSH from ISE (or) CLI on a particular VRF [So when mapping resides in the VRF]
If N7K is L2 only then create an SVI w/o IP to be able to utilize the SXP or SSH mappings from ISE or the CLI mappings from the VRF

Re: Subnet/IP to SGT tagging on NX-OS

Michal Olsovsky — Thu, 13 Dec 2018 08:26:19 GMT

Hi, thanks. These conditions are clear however is there a way to do the SGT marking without activating the enforcement?

Re: Subnet/IP to SGT tagging on NX-OS

jeaves@cisco.com — Thu, 13 Dec 2018 09:04:25 GMT

Sure, network devices only enforce when they are told to enforce.

The N7k is told to enforce by using the following commands:

(config)# cts role-based enforcement

(config)# vrf context x
cts role-based enforcement

(config)# vlan y
cts role-based enforcement

Re: Subnet/IP to SGT tagging on NX-OS

Michal Olsovsky — Thu, 13 Dec 2018 09:08:47 GMT

The question is will Nexus do SGT marking without active enforcement? This means only SGT maps configured without any enforcement activated.

Re: Subnet/IP to SGT tagging on NX-OS

jeaves@cisco.com — Thu, 13 Dec 2018 09:18:28 GMT

Yes, our network devices (including the N7k) can classify/mark without enforcing.

Classification/marking occurs when there is a mapping present (dynamic, static, from SXP). Enforcement only occurs if the enforcement commands are present and required policy has been downloaded.

Re: Subnet/IP to SGT tagging on NX-OS

Michal Olsovsky — Thu, 13 Dec 2018 10:10:33 GMT

Thanks for the reply.

In our setup we have N7k (NX-OS 8.3.1) registered to ISE and envi-data & policies downloaded successfully. IP to SGT mappings are correctly pushed from ISE and present in config and no enforcement is active. We have 1 VLAN with active SVI (default vrf), mapping for this VLAN/subnet is present in the SGT-map and the traffic is coming to N7K over untrusted trunk port (no cts manual) however the traffic is leaving the N7K unmarked (SGT 0). Other traffic that is passing the N7K already marked is keeping the marking so the boundary interfaces are fine. Is there anything else needed to have marking active?

Re: Subnet/IP to SGT tagging on NX-OS

jeaves@cisco.com — Thu, 13 Dec 2018 10:57:26 GMT

Can you try the following independently:

a) Manually adding the mapping under the VLAN (rather than the VRF).

b) Enable DAI (ip arp inspection vlan <>) on the VLAN and on the corresponding incoming interfaces (ip arp inspection trust)

Re: Subnet/IP to SGT tagging on NX-OS

Michal Olsovsky — Fri, 14 Dec 2018 11:09:36 GMT

Thanks for reply. I will try both options and report back.