TrustSec not working!

OrkhanRustamli
Level 1

Hi All,

In my fabric network, TrustSec policies are not working for inter-VN traffic. I investigated and figured out that traffic from the Border to the Fusion passes without tags. As I understand it, after the Border decapsulates VXLAN it does not add the CMD SGT values.

What is the solution?

5 Replies

Preston Chilcote
Cisco Employee

Hi Preston,

Thank you for your help. But I have already thought about this solution with static mapping. The problem is that I do not use static IPs. I have a lot of IP devices which, although they sit in the same subnet, have different SGT values. For example, in subnet A I have SGT 1 and 2, and in B I have 3 and 4. Now, to write SGACLs on the Border I would have to know which IP a particular device has, but that is not a solution because IPs always change.

I believe SXP is the answer:

"Policy mapping: The fabric border node also maps SGT information from within the fabric to be appropriately maintained when exiting that fabric. SGT information is propagated from the fabric border node to the network external to the fabric, either by transporting the tags to Cisco TrustSec-aware devices using SGT Exchange Protocol (SXP) or by directly mapping SGTs into the Cisco metadata field in a packet, using inline tagging capabilities implemented for connections to the border node."

- from https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Design-Guide-2019SEP.pdf
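As an added illustration (not from this thread or from the Cisco design guide), here is what the two propagation options named in the quoted paragraph look like in IOS-XE CLI. Interface name, addresses and the SXP password are constructed placeholders; the `show` commands at the end are how a practitioner confirms that bindings actually reach the Fusion.

```cisco
! --- Option 1: inline tagging on the Border <-> Fusion link ---
! Both ends must be TrustSec-capable: the SGT travels in the CMD header
! of every frame, so the Fusion sees the tag without any control plane.
interface TenGigabitEthernet1/0/1
 description to-Fusion (constructed example)
 cts manual
  ! trust SGTs received from the peer; tag untagged ingress frames with SGT 2
  policy static sgt 2 trusted
  ! insert the CMD header on egress
  propagate sgt
!
! --- Option 2: SXP, Border as speaker, Fusion as listener ---
! The Border advertises its IP-to-SGT bindings over TCP; the data plane
! stays untagged and the Fusion classifies by source IP lookup instead.
!
! On the Border (speaker), constructed addresses 192.0.2.1 -> 192.0.2.2:
cts sxp enable
cts sxp default source-ip 192.0.2.1
! placeholder shared secret; use a real one in production
cts sxp default password 0 ExamplePassword
cts sxp connection peer 192.0.2.2 source 192.0.2.1 password default mode local speaker
!
! On the Fusion (listener):
cts sxp enable
cts sxp default source-ip 192.0.2.2
cts sxp default password 0 ExamplePassword
cts sxp connection peer 192.0.2.1 source 192.0.2.2 password default mode local listener
!
! Verification on both devices: the connection must show "On" and the
! Fusion's sgt-map must list the fabric endpoints with their SGTs.
! show cts sxp connections brief
! show cts role-based sgt-map all
```

If the sgt-map on the Fusion stays empty while the connection is up, the Border is not exporting bindings for that VN; that is the first thing to check before touching SGACLs.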

Hi,

The problem still remains for me: how will I leak the mappings between VRFs? For instance, when the Border forwards traffic from one VRF to another, it sends it to the Fusion with the source VRF. But the Border, inside that VRF, is not aware of another VRF's mappings.
