Beginner

TrustSec not working!

Hi All,

In my fabric network, TrustSec policies are not working for inter-VN traffic. I investigated and figured out that traffic from the Border to the Fusion passes untagged. As I understand it, after the Border decapsulates VXLAN it does not add CMD SGT values.

What is the solution?

Cisco Employee

Re: TrustSec not working!

Beginner

Re: TrustSec not working!

Hi Preston,

Thank you for your help. But I have already thought about this solution with static mapping. The problem is that I do not use static IPs. I have a lot of IP devices which, although they sit in the same subnet, have different SGT values. For example, in subnet A I have SGT 1 and 2, and in B I have 3 and 4. Now, for writing an SGACL on the border I have to know which IP a particular device has, but that is not a solution because IPs always change.

Cisco Employee

Re: TrustSec not working!

I believe SXP is the answer:

 

"Policy mapping: The fabric border node also maps SGT information from within the fabric to be appropriately maintained when exiting that fabric. SGT information is propagated from the fabric border node to the network external to the fabric, either by transporting the tags to Cisco TrustSec-aware devices using SGT Exchange Protocol (SXP) or by directly mapping SGTs into the Cisco metadata field in a packet, using inline tagging capabilities implemented for connections to the border node."

- from https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Design-Guide-2019SEP.pdf

Beginner

Re: TrustSec not working!

Hi,

The problem still remains for me: how will I leak mappings between VRFs? For instance, when the Border forwards traffic from one VRF to another, it sends it to the Fusion with the source VRF. But the Border, inside that VRF, is not aware of another VRF's mappings.

Cisco Employee

Re: TrustSec not working!
