10-22-2019 03:03 AM
Hi All,
In my fabric network, TrustSec policies are not working for inter-VN traffic. I investigated and figured out that traffic from the Border to the Fusion passes untagged. As I understand it, after the Border decapsulates VXLAN it does not add the CMD SGT values.
What is the solution?
10-22-2019 08:40 AM
10-22-2019 10:07 AM
Hi Preston,
Thank you for your help. But I have already thought about this solution with static mapping. The problem is I do not use static IPs. I have a lot of IP devices which, although they sit in the same subnet, have different SGT values. For example, in subnet A I have SGT 1 and 2, and in B I have 3 and 4. Now, for writing an SGACL on the border I have to know which IP a particular device has, but this is not a solution because IPs always change.
10-22-2019 11:12 AM
I believe SXP is the answer:
"Policy mapping—The fabric border node also maps SGT information from within the fabric to be appropriately maintained when exiting that fabric. SGT information is propagated from the fabric border node to the network external to the fabric, either by transporting the tags to Cisco TrustSec-aware devices using SGT ExchangeProtocol (SXP) or by directly mapping SGTs into the Cisco metadata field in a packet, using inline tagging capabilities implemented for connections to the border node."
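The two propagation options the quoted design text names, SXP and inline tagging on the border-to-fusion handoff, as an added configuration illustration that is not part of this post or of any Cisco document. The peer addresses (192.0.2.1 for the border, 192.0.2.2 for the fusion), the VRF name CAMPUS_VN, the interface name and the SXP password are assumptions chosen for the example; replace them with your own values.

```cisco
! ===== Border node (SD-Access fabric border) =====
! Option 1: SXP speaker. The border advertises its IP-to-SGT bindings
! (learned from the fabric) to the fusion device, one connection per VRF.
cts sxp enable
cts sxp default password REPLACE_WITH_SXP_PASSWORD
cts sxp connection peer 192.0.2.2 source 192.0.2.1 password default mode local speaker vrf CAMPUS_VN

! Option 2: inline tagging on the handoff link, so the SGT is carried in the
! CMD header of each frame instead of being exchanged out of band.
! Interface name assumed; "trusted" keeps the tag received from the peer.
interface TenGigabitEthernet1/0/1
 cts manual
  policy static sgt 2 trusted
  propagate sgt

! ===== Fusion device =====
! Option 1 counterpart: SXP listener that imports the border's bindings
! and enforces SGACLs on routed traffic.
cts sxp enable
cts sxp default password REPLACE_WITH_SXP_PASSWORD
cts sxp connection peer 192.0.2.1 source 192.0.2.2 password default mode local listener
cts role-based enforcement

! Option 2 counterpart: accept and propagate inline tags on the handoff link.
interface TenGigabitEthernet1/0/1
 cts manual
  policy static sgt 2 trusted
  propagate sgt

! Verification (run on either side):
! show cts sxp connections
! show cts role-based sgt-map all
! show cts interface TenGigabitEthernet1/0/1
```

With SXP the bindings are sent per VRF, so a binding learned in one VRF is only visible to the listener connection for that VRF; with inline tagging the SGT travels with the packet and the fusion device can enforce on it regardless of which VRF originated the binding. `show cts sxp connections` should report the connection as On, and `show cts role-based sgt-map all` should list the fabric endpoints' bindings with source SXP before any SGACL on the fusion device is expected to match.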
10-24-2019 12:17 AM
Hi,
The problem still remains for me: how will I leak mappings between VRFs? For instance, when the border forwards traffic from one VRF to another, it sends it to the Fusion with the source VRF. But the Border, inside that VRF, is not aware of another VRF's mappings.
10-30-2019 01:24 PM
This has been answered in another thread, https://community.cisco.com/t5/software-defined-access-sd/loopback-interface-registration-in-lisp/m-p/3947250