In my fabric network, TrustSec policies are not working for inter-VN traffic. I investigated and figured out that traffic from the Border to the Fusion passes without being tagged. As I understood it, after the Border decapsulates VXLAN it does not add the CMD SGT values.
What is the solution?
Thank you for your help. But I have already thought about this solution with static mapping. The problem is that I do not use static IPs. I have a lot of IP devices which, although they sit in the same subnet, have different SGT values. For example, in subnet A I have SGT 1 and 2, and in subnet B I have 3 and 4. Now, for writing the SGACL on the border I would have to know which IP a particular device has, but this is not a solution because the IPs change all the time.
I believe SXP is the answer:
"Policy mapping—The fabric border node also maps SGT information from within the fabric to be appropriately maintained when exiting that fabric. SGT information is propagated from the fabric border node to the network external to the fabric, either by transporting the tags to Cisco TrustSec-aware devices using SGT Exchange Protocol (SXP) or by directly mapping SGTs into the Cisco metadata field in a packet, using inline tagging capabilities implemented for connections to the border node."
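As an added configuration example, not taken from this thread or from Cisco documentation, here are the two propagation methods the quoted passage names on an IOS-XE border: inline tagging with `cts manual` on the link to the fusion device, and an SXP speaker connection that pushes the border's IP-to-SGT bindings to the fusion. Interface names, IP addresses, the VRF name, the SGT number and the password are assumed placeholders.

```ios
! Border node (IOS-XE) - interface names, addresses, VRF and SGT values are constructed for this example
!
! Option 1: inline tagging on the link to the fusion device.
! The CMD header carries the SGT in every frame; the fusion must be TrustSec-aware.
interface TenGigabitEthernet1/0/1
 description link-to-fusion
 cts manual
  ! trust the SGT the fusion sends back; tag any untagged ingress frames with SGT 2
  policy static sgt 2 trusted
  propagate sgt
!
! Option 2: SXP speaker - sends IP-to-SGT bindings to the fusion over TCP,
! so the fusion can enforce SGACLs even on untagged traffic.
cts sxp enable
cts sxp default source-ip 10.10.10.1
cts sxp default password 0 SXP-PASSWORD-PLACEHOLDER
cts sxp connection peer 10.10.10.2 password default mode local speaker vrf CAMPUS_VN
!
! Fusion device - listener side of the same SXP connection
cts sxp enable
cts sxp default source-ip 10.10.10.2
cts sxp default password 0 SXP-PASSWORD-PLACEHOLDER
cts sxp connection peer 10.10.10.1 password default mode local listener vrf CAMPUS_VN
!
! Verification
! show cts sxp connections          - connection state should read "On"
! show cts role-based sgt-map all   - bindings learned over SXP appear here on the listener
! show cts interface                - confirms SGT propagation on the inline-tagged link
```

An SXP connection is bound to one VRF, so a fusion that enforces policy for several VNs needs one connection per VRF.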
The problem still remains for me: how will I leak the mappings between VRFs? For instance, when the border forwards traffic from one VRF to another, it sends it to the Fusion with the source VRF. But the Border, inside that VRF, is not aware of another VRF's mappings.
This has been answered in another thread: https://community.cisco.com/t5/software-defined-access-sd/loopback-interface-registration-in-lisp/m-p/3947250