Disable CTS SGT Propagation

paul
Level 10

By default the interfaces on the FTD have the following:

cts manual

  propagate sgt preserve-untag

  policy static sgt disabled trusted

Is there any way to turn off the propagation of SGT tags? We are using pxGrid to provide IP to SGT tags that we can use in our ACP. We have no need to have FTD apply that tag to a packet on egress. Is it possible to turn that off?

1 Accepted Solution

Accepted Solutions

Pranay Prasoon
Level 3

Hi,

I think you should be able to do it by FlexConfig. I see only the following commands inside interface are blocked from modification through FlexConfig:

Interface

Only nameif, mode, shutdown, ip address and mac-address commands are blocked.

Firepower Management Center Configuration Guide, Version 6.2 - FlexConfig Policies [Cisco Firepower Management Center] …


6 Replies


Thanks it worked perfectly:

interface GigabitEthernet1/1

cts manual

no propagate sgt

I haven’t tested to see if that change affected my ability to do SGT based ACP rules, but I would doubt that it does.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250
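Added example (not from this thread or from Cisco): a small audit script that reads FTD/ASA-style running-config text and reports, per interface, whether inline SGT propagation is still enabled, so a change pushed via FlexConfig can be verified on every interface at once. It assumes the interface block layout shown in this thread (cts manual, then propagate sgt / no propagate sgt); the sample config is constructed.

```python
# Added example, not from the thread: audit which interfaces in an FTD
# running-config still propagate inline SGTs. Assumes the block layout shown
# in the thread; SAMPLE_CONFIG below is constructed for demonstration.

SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 cts manual
  no propagate sgt
  policy static sgt disabled trusted
interface GigabitEthernet1/2
 nameif inside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
interface GigabitEthernet1/3
 nameif dmz
"""


def sgt_propagation_status(config_text):
    """Return {interface: status}, where status is 'propagating',
    'disabled' (no propagate sgt) or 'no-cts' (no cts manual block)."""
    status = {}
    current = None
    in_cts = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            status[current] = "no-cts"
            in_cts = False
        elif current is None:
            continue  # lines before the first interface block
        elif line == "cts manual":
            in_cts = True
            # Under cts manual the thread's default config propagates the tag.
            status[current] = "propagating"
        elif in_cts and line.startswith("no propagate sgt"):
            status[current] = "disabled"
        elif in_cts and line.startswith("propagate sgt"):
            status[current] = "propagating"
    return status


def interfaces_still_propagating(config_text):
    """Interfaces that still apply SGTs on egress, sorted by name."""
    return sorted(name for name, state in sgt_propagation_status(config_text).items()
                  if state == "propagating")


if __name__ == "__main__":
    for name, state in sgt_propagation_status(SAMPLE_CONFIG).items():
        print(f"{name}: {state}")
```

Feed it the output of `show running-config` from the device to confirm the FlexConfig change landed on the intended interface and nowhere else.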

anthony.wild
Level 1

Reviving this to let others know that this was a requirement to get traffic to pass from a Firepower 2130 into our Application Centric Infrastructure (ACI) Fabric / Nexus 9ks. ACI was dropping the traffic outright due to the tag on ingress.

HTH

Hi Anthony,

It looks like we have the same setup, wherein we have deployed an FTD 2130 for VPN traffic using AnyConnect as part of our TrustSec environment, which then egresses out to our Nexus 9k (core switch) and then reaches our services through our data center FW, which is also an FTD, from where all the authZ and SGT are being inherited from ISE.

I am hoping I could get some clarity around the following:

When I tried to disable the SGT propagation in our VPN FW (egress to Nexus 9k, with the "no propagation" command), I can see from my capture that traffic coming from the VPN is "untagged", although I could see from my AnyConnect session that there is an SGT number and authZ inherited from ISE. Hence, if there's a need to communicate with another far-end FW that is a listener to pxGrid, the connection is being dropped if the ACP on that far-end FW (FTD) has been applied with SGT.

I have raised a case with Cisco TAC and was advised that SGT propagation from the VPN FW in the egress direction to the Nexus 9k (core switches) should be enabled so the tag could be preserved all the way to the far-end FW, but TAC claimed that the issue is that the Nexus 9k is not capable of handling TrustSec frames, hence they will be dropped?

This is interesting...


@eleevercl wrote:

"but TAC claimed that the issue is that Nexus 9k are not cable to handle TrustSec frames hence it will be dropped? "

I'm wondering what they mean and in what context. If you go into ISE > Work Centers > TrustSEC > ACI Settings, there are two options: Data Plane and Policy Plane. From my understanding, data plane integration allows inline SGTs. Maybe, though, that only applies to L3Outs? We are only doing some Policy Plane integration now and referencing those tags under Tenants > Tenant > Networking > L3Outs > L3Out-Name > External EPGs (SGT tags show up here to write contracts against once your ISE <> ACI integration is set up). I'll start reading up tomorrow A.M. more on this to see if I find anything more useful for you.

Caveats aside, even if you can't carry the tag end to end through the ACI Fabric, there might still be a way to pick the tag back up at the far-end firewall (via pxGrid, as you mentioned) and still derive your ACP based off of it.

Cheers.

Just a thought: my far-end FW, which is also subscribed to pxGrid, has also preserved the SGT in the ingress direction.

I am wondering if the right approach is to do a "no propagate" on my VPN propagation towards my egress direction (to the Nexus 9k), and then on the ingress direction of my far-end FW also do a "no propagate". I wonder if that should still preserve my authZ and SGT from ISE:

cts manual

  propagate sgt preserve-untag

  policy static sgt disabled trusted
