https://community.cisco.com/t5/software-defined-access-sd-access/about-default-egress-rule/m-p/3878271#M185 <P>Thank you for the information.</P><P>&nbsp;</P><P><SPAN>Currently, “<EM>cts role-based enforcement</EM>” is set to the physical port. </SPAN></P><P><SPAN>Neither “<EM>cts role-based enforcement</EM>” nor “<EM>no cts role-based enforcement</EM>” is set for VLAN. </SPAN></P><P>&nbsp;</P><P><SPAN>And, the following two lines are input in configuration mode: </SPAN></P><P><EM>&nbsp;cts role-based enforcement </EM></P><P><EM>&nbsp;cts role-based enforcement vlan-list 1023 </EM></P><P>&nbsp;</P><P>By setting <SPAN>“<EM>no cts role-based enforcement</EM>”</SPAN> to the physical port, does it mean that the default EgressPolicy can be reflected only on the overlay without affecting the underlay?</P><P>&nbsp;</P> Mon, 24 Jun 2019 04:54:52 GMT Keisuke.I 2019-06-24T04:54:52Z https://community.cisco.com/t5/software-defined-access-sd-access/about-default-egress-rule/m-p/3875768#M180 <P>If FinalCatchAllRule in Default egress rule is set to <EM>Deny_IP</EM> on TrustSec EgressPolicy Matrix screen, it seems that not only overlay but also underlay communication will be denied.</P><P>&nbsp;</P><P>I want to know the setting that only overlay communication is rejected by default without affecting underlay communication.</P><P>&nbsp;</P><P>Regards</P> Wed, 19 Jun 2019 03:52:12 GMT https://community.cisco.com/t5/software-defined-access-sd-access/about-default-egress-rule/m-p/3875768#M180 Keisuke.I 2019-06-19T03:52:12Z https://community.cisco.com/t5/software-defined-access-sd-access/about-default-egress-rule/m-p/3876993#M183 <P>As long as you have "no cts role-based enforcement" on the port config or no cts configured at all on the port you there shouldnt be a problem.</P> <P>&nbsp;</P> Thu, 20 Jun 2019 18:57:54 GMT https://community.cisco.com/t5/software-defined-access-sd-access/about-default-egress-rule/m-p/3876993#M183 ldanny 2019-06-20T18:57:54Z https://community.cisco.com/t5/software-defined-access-sd-access/about-default-egress-rule/m-p/3878271#M185 <P>Thank you for the information.</P><P>&nbsp;</P><P><SPAN>Currently, “<EM>cts role-based enforcement</EM>” is set to the physical port. </SPAN></P><P><SPAN>Neither “<EM>cts role-based enforcement</EM>” nor “<EM>no cts role-based enforcement</EM>” is set for VLAN. </SPAN></P><P>&nbsp;</P><P><SPAN>And, the following two lines are input in configuration mode: </SPAN></P><P><EM>&nbsp;cts role-based enforcement </EM></P><P><EM>&nbsp;cts role-based enforcement vlan-list 1023 </EM></P><P>&nbsp;</P><P>By setting <SPAN>“<EM>no cts role-based enforcement</EM>”</SPAN> to the physical port, does it mean that the default EgressPolicy can be reflected only on the overlay without affecting the underlay?</P><P>&nbsp;</P> Mon, 24 Jun 2019 04:54:52 GMT https://community.cisco.com/t5/software-defined-access-sd-access/about-default-egress-rule/m-p/3878271#M185 Keisuke.I 2019-06-24T04:54:52Z