https://community.cisco.com/t5/network-security/sgt-assignment-on-c9300/m-p/4449880#M1082908 <P>Hi Gents</P><P>i've setup campus with ISE-driven SGTs (not SXP). Canmus's NADs &amp; FW r configured for TrustSec on ISE. They get authorized &amp; pushed back with SGT-map configured&nbsp; only for this campus on ISE. Something like belowis visible on the switches with "sho cts role-based sgt-map all":</P><P class="lia-indent-padding-left-30px">...</P><P class="lia-indent-padding-left-30px">10.225.10.0/26 7 CLI<BR />...<BR />10.225.10.128/26 5 CLI</P><P class="lia-indent-padding-left-30px">...</P><P>FW (ASA) which is L3-GW for most of subnets also has table of SGTs from ISE (but w/o IP mapping which is strange but is not relevant to my main problem).</P><P>The problem: with capture on FW-facing portchannel i intercepted traffic of interest &amp; noticed interesting thing:</P><P>In most of cases i can see SGT tag added to the source packet as expected (i believe it's done by access switch of endpoint ). F.e. i can see packets sourced from 10.225.10.132 having SGT==5. BUT... in some packets i can see SGT==0 for the similar packet (meaning that src&amp;dst IP&amp;ports r the same)...&nbsp;</P><P>SGT assignment is not enforced on the ISE in AuthZ profiles yet. But switches seem to be assigning SGT already based on the tables they have.</P><P>All interconnects between network HW r configured with "cts manual" to carry frames with SGT.&nbsp;</P><P>Anybody can explain me this behavior pls?</P><P>&nbsp;</P><P>UPD1: just checked other sources &amp; found the there some subnets getting SGT==0 assigned all the time which is actually expected from my pov.</P><P>I'm curious...</P><P>UPD2: after some investigations i've found that my core C9500 does following:</P><P>if it receives frame w/o metadata (because of interconnect to access switch is not configured for cts) it adds to egress frame metadata field with SGT assigned according to SGT-map it receives from ISE.</P><P>any clues?</P> Thu, 19 Aug 2021 11:02:53 GMT Andrii Oliinyk 2021-08-19T11:02:53Z https://community.cisco.com/t5/network-security/sgt-assignment-on-c9300/m-p/4449880#M1082908 <P>Hi Gents</P><P>i've setup campus with ISE-driven SGTs (not SXP). Canmus's NADs &amp; FW r configured for TrustSec on ISE. They get authorized &amp; pushed back with SGT-map configured&nbsp; only for this campus on ISE. Something like belowis visible on the switches with "sho cts role-based sgt-map all":</P><P class="lia-indent-padding-left-30px">...</P><P class="lia-indent-padding-left-30px">10.225.10.0/26 7 CLI<BR />...<BR />10.225.10.128/26 5 CLI</P><P class="lia-indent-padding-left-30px">...</P><P>FW (ASA) which is L3-GW for most of subnets also has table of SGTs from ISE (but w/o IP mapping which is strange but is not relevant to my main problem).</P><P>The problem: with capture on FW-facing portchannel i intercepted traffic of interest &amp; noticed interesting thing:</P><P>In most of cases i can see SGT tag added to the source packet as expected (i believe it's done by access switch of endpoint ). F.e. i can see packets sourced from 10.225.10.132 having SGT==5. BUT... in some packets i can see SGT==0 for the similar packet (meaning that src&amp;dst IP&amp;ports r the same)...&nbsp;</P><P>SGT assignment is not enforced on the ISE in AuthZ profiles yet. But switches seem to be assigning SGT already based on the tables they have.</P><P>All interconnects between network HW r configured with "cts manual" to carry frames with SGT.&nbsp;</P><P>Anybody can explain me this behavior pls?</P><P>&nbsp;</P><P>UPD1: just checked other sources &amp; found the there some subnets getting SGT==0 assigned all the time which is actually expected from my pov.</P><P>I'm curious...</P><P>UPD2: after some investigations i've found that my core C9500 does following:</P><P>if it receives frame w/o metadata (because of interconnect to access switch is not configured for cts) it adds to egress frame metadata field with SGT assigned according to SGT-map it receives from ISE.</P><P>any clues?</P> Thu, 19 Aug 2021 11:02:53 GMT https://community.cisco.com/t5/network-security/sgt-assignment-on-c9300/m-p/4449880#M1082908 Andrii Oliinyk 2021-08-19T11:02:53Z https://community.cisco.com/t5/network-security/sgt-assignment-on-c9300/m-p/4454058#M1083112 <P>It all depends on what re-classification you have within the receiving network device. As per the other community post, if you email me we could organise a chat.</P> Tue, 24 Aug 2021 10:43:34 GMT https://community.cisco.com/t5/network-security/sgt-assignment-on-c9300/m-p/4454058#M1083112 jeaves@cisco.com 2021-08-24T10:43:34Z https://community.cisco.com/t5/network-security/sgt-assignment-on-c9300/m-p/4454166#M1083119 <P>Tnx Jonny!</P><P><A href="https://community.cisco.com/t5/network-security/cts-amp-sgt-behavior-in-c9k-environment/m-p/4454160#M1083117" target="_blank">https://community.cisco.com/t5/network-security/cts-amp-sgt-behavior-in-c9k-environment/m-p/4454160#M1083117</A></P> Tue, 24 Aug 2021 14:21:25 GMT https://community.cisco.com/t5/network-security/sgt-assignment-on-c9300/m-p/4454166#M1083119 Andrii Oliinyk 2021-08-24T14:21:25Z