https://community.cisco.com/t5/network-access-control/vlan-svi-unreachable-after-enabling-cts-vlan-enforcement/m-p/4833291#M581686 <P>Hi,</P><P>After running the <EM>cts role-based enforcement vlan-list 200&nbsp;</EM>in an access switch, the devices can no longer reach its gateway (SVI in a distribution switch) Without reachability to the gateway, outside connectivity is also lost.</P><P>The uplink between the access switch and the distribution switch has CTS enabled. The trustsec matrix allows traffic to "unknown" (untagged) traffic, although I presume this has nothing to&nbsp; do since the distribution switch is not enforcing any traffic. It is configured as&nbsp;<EM>cts role-based monitor all</EM></P><P>As soon as we remove the vlan enforcement, reachability is recovered, however the traffic is not enforced for hosts in the same VLAN with the same tag even if there is a SGACL applied at the switch that denies all the traffic from/to the same SGT.</P><P>Any idea?</P><P>Thanks!</P> Thu, 11 May 2023 13:29:49 GMT Antonio Macia 2023-05-11T13:29:49Z https://community.cisco.com/t5/network-access-control/vlan-svi-unreachable-after-enabling-cts-vlan-enforcement/m-p/4833291#M581686 <P>Hi,</P><P>After running the <EM>cts role-based enforcement vlan-list 200&nbsp;</EM>in an access switch, the devices can no longer reach its gateway (SVI in a distribution switch) Without reachability to the gateway, outside connectivity is also lost.</P><P>The uplink between the access switch and the distribution switch has CTS enabled. The trustsec matrix allows traffic to "unknown" (untagged) traffic, although I presume this has nothing to&nbsp; do since the distribution switch is not enforcing any traffic. It is configured as&nbsp;<EM>cts role-based monitor all</EM></P><P>As soon as we remove the vlan enforcement, reachability is recovered, however the traffic is not enforced for hosts in the same VLAN with the same tag even if there is a SGACL applied at the switch that denies all the traffic from/to the same SGT.</P><P>Any idea?</P><P>Thanks!</P> Thu, 11 May 2023 13:29:49 GMT https://community.cisco.com/t5/network-access-control/vlan-svi-unreachable-after-enabling-cts-vlan-enforcement/m-p/4833291#M581686 Antonio Macia 2023-05-11T13:29:49Z https://community.cisco.com/t5/network-access-control/vlan-svi-unreachable-after-enabling-cts-vlan-enforcement/m-p/4833305#M581687 <P>Could you share the SGACL policy enforced on VLAN list 200? Also, what is the SGT for source and destination here?</P> Thu, 11 May 2023 13:41:17 GMT https://community.cisco.com/t5/network-access-control/vlan-svi-unreachable-after-enabling-cts-vlan-enforcement/m-p/4833305#M581687 Nancy Saini 2023-05-11T13:41:17Z https://community.cisco.com/t5/network-access-control/vlan-svi-unreachable-after-enabling-cts-vlan-enforcement/m-p/4833317#M581688 <P>The SGT is 94 and the intent is to block horizontal traffic while allowing north-south:</P><P><EM>show cts role-based permissions from 94 to 94</EM><BR />IPv4 Role-based permissions from group 94:DUMMY_SGT to group 94:DUMMY_SGT:<BR />Deny IP-00</P><P><EM>show cts rbacl</EM><BR />CTS RBACL Policy<BR />================<BR />RBACL IP Version Supported: IPv4 &amp; IPv6<BR />name = Deny IP-00<BR />IP protocol version = IPV4, IPV6<BR />refcnt = 46<BR />flag = 0xC1000000<BR />stale = FALSE<BR />RBACL ACEs:<BR />deny ip</P><P><BR /><EM>show cts role-based permissions from 94 to unknown</EM><BR />IPv4 Role-based permissions from group 94:DUMMY_SGT to group Unknown:<BR />Permit IP-00</P><P><BR /><EM>show cts rbacl</EM><BR />CTS RBACL Policy<BR />================<BR />name = Permit IP-00<BR />IP protocol version = IPV4, IPV6<BR />refcnt = 6<BR />flag = 0xC1000000<BR />stale = FALSE<BR />RBACL ACEs:<BR />permit ip</P> Thu, 11 May 2023 13:53:52 GMT https://community.cisco.com/t5/network-access-control/vlan-svi-unreachable-after-enabling-cts-vlan-enforcement/m-p/4833317#M581688 Antonio Macia 2023-05-11T13:53:52Z