topic Re: TrustSec Design Question in Network Access Control

TrustSec Design Question

jideji — Mon, 11 Mar 2019 07:27:21 GMT

L3IF trustSec Interface-to-SGT Mapping, is it possible to receive multiple SGT on the ports that is facing the WAN ?

Sample topology

Site-A WAN-Cloud Site-B

3750x ---------- ASR-1 ---------------------GREoMPLS---------------ASR2--------------------3750x

On the above topology. In Site-A, we have five SGT 10,20,30,40 and 50 that we like to propagate across the MPLS WAN to Site-B. My question is; what is the best way to get these SGT from Site-A to Site-B over the MPLS WAN link. Please any pointers will be greatly appreciated. Please also see attached topology.

Re: TrustSec Design Question

mjessup — Mon, 13 Feb 2017 21:22:18 GMT

Hi Jason,

GRE supports inline tagging much the same as an Ethernet interface. This will allow you to propagate the tags over the service provider MPLS WAN. So all traffic will leave one side of the WAN and arrive at the other side with the original tag.

Note that this is not the same as L3IF-SGT mapping which will take all traffic received on the configured interface and map it to the value specified.

To support inline tagging over GRE apply the command <cts sgt inline> to the tunnel interface as so:

interface Tunnel10

ip mtu 1360

ip tcp adjust-mss 1352

cts sgt inline

You will also notice that with inline tagging over GRE, an additional 8 bytes of overhead will be required so if your ip mtu is set to 1360 for example (typical for IPsec/GRE or DMVPN), you will want to lower the TCP maximum segment size by 8 bytes as above.

Also please note that you will want to be running 3.16.5S on the ASR which fixed a related defect, CSCvb44207.

Mike

TrustSec TME, Cisco Systems

Re: TrustSec Design Question

jideji — Mon, 13 Feb 2017 21:24:57 GMT

Thanks