For my own curiosity and perhaps education, how come an SDA Transit network between borders doesn't solve this problem.  I thought that carrying SGT between fabrics is what it was designed for.

Hi @Preston Chilcote 

This was for two SDA fabrics that were connected via a common fusion switch using IP-based transit. I have just checked and I think that end to end policy using SGTs was maintained using SXP and not inline CTS. Inline CTS was used for SGT propagation to a firewall that was connected to the common fusion switch.

I suppose that SDA transit was designed for this type of deployment, however as this was only two sites, SDA transit was not initially opted for. I have corrected my original post.

Out of interest, can SGT policy between multiple fabric sites with IP-Transit handoff/VRF-lite be maintained with CTS inline tagging or is SXP the only supported option?

Thanks,

Will

@willwetherman I can't remember hearing any updates regarding carrying SGTs inline over IP-Transit.   Instead, there was work done to carry it in VXLAN natively (over SDA transit), or in one of the protocols involved in SD-WAN (maybe IPSEC?).  Both of those eliminate the need for SXP, which improves scale and hopefully reduces complexity.

Thanks for the clarification regarding inline tagging on physical interface configured as trunk.

"can SGT policy between multiple fabric sites with IP-Transit handoff/VRF-lite be maintained with CTS inline tagging or is SXP the only supported option?"

This is what I am trying to achieve. My understanding is that the SGT value in the source packet being transmitted over the IP transit will be preserved and included in the additional header attached to the packet. The receiving fabric will then be able to apply fabric policy to this packet as SGT still intact?

That's OK if all intermediate devices between the two fabrics are SDA enabled but in my scenario this is not the case hence why I am using IP based transit

Hi @willwetherman 

I am doing something very similar, with 9500 borders peering via to 9500 shared/services fusion switches, which then peer to a connected FTD firewall pair, and want to pass the SGTs though to the firewalls.

Did you also need to apply these commands on all physical interfaces on the 9500 shared/services fusion switches in the path to the firewalls?

cts manual
policy static sgt 2 trusted

Cheers,

Dave

Inline SGT tagging not supported on 3560-CX. Please review the TrustSec platform and capability matrix ->  https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/policy-platform-capability-matrix.pdf

I'm fairly certain it is supported on C3560CX & C3560X series:

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 3560-CX and 2960-CX Switches) - Configuring MACsec Encryption [Cisco Catalyst 3560-CX Series Switches] - Cisco

As mentioned, inline tagging is not supported on the 3560. Page 3 of the document jedolphi shared shows which TrustSec features are available on the 3560 platform. I can confirm this is accurate. 
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-platform-capability-matrix.pdf

Hi Andrew,

You're right, there is two differents things : you can use SGT and do filtering on 3560CX, but it doesn't do VXLAN so it can't exchange SGT with other switches.

SGT inline tagging and VXLAN are different things.  SGT inline tagging is an Ethernet frame with the Ethertype set to 0x8909 which indicates a CiscoMetaData header is present.  The CiscoMetaData header contains the SGT.  VXLAN is a generic encapsulation.  Cisco put two things in the VXLAN header - the VNID and the SGT.

Solved: SGT Tag vs VxLAN tag - Cisco Community