topic Re: TrustSec SGT Binding Priority in Network Access Control

TrustSec SGT Binding Priority

derrick.ray1 — Mon, 11 Mar 2019 07:41:52 GMT

I had always thought that CTS binding priority was the same throughout TrustSec until recently I discovered that isn't true. Below is the SGT Binding priority that I have always worked with.

1.VLAN- Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured

2.CLI- Address bindings configured using the IP_SGT form of the "cts role-based sgt-map" global configuration command

3.Layer 3 Interface- Bindings added du to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports.

4.SXP- Bindings learned from SXP peers

5.IP_ARP- Bindings learned when tagged ARP packets are received on a CTS capable link

6.LOCAL- Bindings of authenticated hosts which are learned via device tracking. These type of binding also includes individual hosts that are learned via ARP snooping on L2 ports. Direct switch enforcement. These fall under dynamic classification.

7.INTERNAL- Bindings between locally configured IP addresses and the devices own SGT. So, things like loopback addresses or addresses that are locally configured on the device can have and SGT assigned to them.

Now, I have found out that for Nexus NX-OS devices the priority isn't the same. This appears to be the Nexus priority.

1.Cisco Fabric Services (CFS) - CTS IP-SGT bindings learnt on vPC peer. This is applicable only to vPC peer devices.

2.VLAN-SGT - Bindings learned from snooped ARP or DHCP packets on a VLAN that is configured with a VLAN-SGT mapping.

3.SGT-caching - IP-SGT bindings learnt on a VLAN or VRF, where SGT-caching is configured.

4.SXP - Bindings learned from SXP peers.

5.Learnt on interface - Bindings of authenticated hosts which are learned via EPM and device tracking. This type of binding also include individual hosts that are learned via ARP snooping on L2 [I]PM configured ports.

6.CLI - Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.

7.Port ASIC - SGT bindings derived inline or directly from the port, based on CTS trusted or untrusted configuration.

Question: Is there anyone at Cisco that can provide a listing of priorities based on platform since it appears that this is not standard across all devices participating in TrustSec?

Re: TrustSec SGT Binding Priority

jeaves@cisco.com — Thu, 04 May 2017 15:57:13 GMT

This has just always been the case. It's a difference between IOS and NX-OS only.

In fact, SGT caching is also an option for IOS and it is the 2nd highest priority:

1. VLAN—Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured.

2. CLI— Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.

3. Layer 3 Interface—(L3IF) Bindings added due to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports.

4. SXP—Bindings learned from SXP peers.

5. IP_ARP—Bindings learned when tagged ARP packets are received on a CTS capable link.

6. LOCAL—Bindings of authenticated hosts which are learned via EPM and device tracking. This type of binding also include individual hosts that are learned via ARP snooping on L2 [I]PM configured ports.

7. SGT CACHING — Bindings learned through the SGT Caching feature by gleaning the inline SGT in the packet.

8. INTERNAL—Bindings between locally configured IP addresses and the device own SGT.

The difference between the priorities on IOS and NX-OS have been documented in the likes of Cisco Live slides and FAQ's and is listed in the troubleshooting guide (found by searching for 'TrustSec troubleshooting guide' in search engines or more directly at: https://communities.cisco.com/docs/DOC-69479#jive_content_id_Is_there_a_priority_list_when_configuring_different_classification_types_on_IOS)

I'll think of other locations where this sort of information should be posted.

Regards, Jonothan.

Re: TrustSec SGT Binding Priority

derrick.ray1 — Thu, 04 May 2017 16:39:12 GMT

Thank you, Jonathan.

Re: TrustSec SGT Binding Priority

Andrii Oliinyk — Thu, 20 Apr 2023 14:15:19 GMT

Hi Jonathan

could u pls help with recognition where in that list L2-port static binding & RADIUS-learned SGT assignment are?

thanks in advance