https://community.cisco.com/t5/network-access-control/l2-sgt-treatment-during-routing/m-p/4771878#M579741 <P>Hello Everyone</P> <H6>after enabling campus for TrustSec we can notice that client's frame generated on access &amp; provisioned with CMD (with SGT assigned by ISE AAA process) need to be routed on the core (also TrustSec aware by "cts manual" on all its interconnects) from original SVI to let's say transit. The Q is how does Cisco treat this case assuming there is no SGT-enforcement on the core, no IP-SGT mappings nor SGACLs &amp; all core's L2 interfaces configured with cts manual ; propagate cts ; policy static sgt 2 trusted):<BR />1) replicate CMD from ingress frame on the egress</H6> <H6>2) insert on egress CMD with trusted SGT&nbsp;</H6> <H6>3) insert on egress CMD with unknown (0) SGT</H6> <H6>4) something else</H6> <P>Could anyone pls shed a light?</P> Mon, 13 Feb 2023 09:36:36 GMT Andrii Oliinyk 2023-02-13T09:36:36Z https://community.cisco.com/t5/network-access-control/l2-sgt-treatment-during-routing/m-p/4771878#M579741 <P>Hello Everyone</P> <H6>after enabling campus for TrustSec we can notice that client's frame generated on access &amp; provisioned with CMD (with SGT assigned by ISE AAA process) need to be routed on the core (also TrustSec aware by "cts manual" on all its interconnects) from original SVI to let's say transit. The Q is how does Cisco treat this case assuming there is no SGT-enforcement on the core, no IP-SGT mappings nor SGACLs &amp; all core's L2 interfaces configured with cts manual ; propagate cts ; policy static sgt 2 trusted):<BR />1) replicate CMD from ingress frame on the egress</H6> <H6>2) insert on egress CMD with trusted SGT&nbsp;</H6> <H6>3) insert on egress CMD with unknown (0) SGT</H6> <H6>4) something else</H6> <P>Could anyone pls shed a light?</P> Mon, 13 Feb 2023 09:36:36 GMT https://community.cisco.com/t5/network-access-control/l2-sgt-treatment-during-routing/m-p/4771878#M579741 Andrii Oliinyk 2023-02-13T09:36:36Z https://community.cisco.com/t5/network-access-control/l2-sgt-treatment-during-routing/m-p/4773355#M579776 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/293790">@Andrii Oliinyk</a> As you know, I did inline tagging between C9800-CL and C8000V. Although C9800-CL has an SVI for management, the cts configuration goes to the physical interface (in my case, Gi1). For C8000V, each of the sub-interfaces is configured for cts manual and policy static sgt 2 trusted. If an L2 frame has a CMD with SGT, then the SGT is preserved. If no SGT, then SGT2 is sent.</P> <P>I've also asked my coworker who wrote the Segmentation Strategy guide to take a look of this thread.</P> Sun, 12 Feb 2023 02:12:09 GMT https://community.cisco.com/t5/network-access-control/l2-sgt-treatment-during-routing/m-p/4773355#M579776 hslai 2023-02-12T02:12:09Z https://community.cisco.com/t5/network-access-control/l2-sgt-treatment-during-routing/m-p/4774110#M579791 <P>OK, remember that the 'policy static sgt x trusted' ONLY has the ability to adjust the assigned SGT in the inbound direction (e.g. int1).<BR />In the outbound direction (e.g. int2), the 'cts manual / policy static sgt x trusted' just enables the propagation of the CMD.<BR />So, inbound then on int1, as I've written the command above, the SGT received on the wire will be trusted and will be forwarded out int2 as is.<BR />If the commands on int1 (inbound) are 'cts manual / policy static sgt x', it means do not trust the SGT on the wire and classify the incoming traffic with SGT x instead. This SGT x will be transmitted via CMD out int2.<BR />This topic is covered in a couple of slides in an ISE webinar I presented recently, found on YouTube here:&nbsp;<A href="https://www.youtube.com/watch?v=KKbvocNPaOQ&amp;t=34s" target="_blank">https://www.youtube.com/watch?v=KKbvocNPaOQ&amp;t=34s</A> starting at 11 minutes 15 seconds.</P> Mon, 13 Feb 2023 11:27:53 GMT https://community.cisco.com/t5/network-access-control/l2-sgt-treatment-during-routing/m-p/4774110#M579791 jeaves@cisco.com 2023-02-13T11:27:53Z https://community.cisco.com/t5/network-access-control/l2-sgt-treatment-during-routing/m-p/4774116#M579792 <P>Hi Jonothan</P> <P>highly appreciate your input (inc. reference to utube)! thanks&nbsp; &nbsp;</P> Mon, 13 Feb 2023 11:41:17 GMT https://community.cisco.com/t5/network-access-control/l2-sgt-treatment-during-routing/m-p/4774116#M579792 Andrii Oliinyk 2023-02-13T11:41:17Z