06-11-2019 01:54 AM - edited 02-21-2020 11:06 AM
I'm setting up a simple lab with two 9300 switches (ver. 16.9.3) connected with an L3 link (no switchport). I've configured TrustSec but I noticed that policy is enforced on switch 1 although the destination host was connected to switch 2. I wonder if it is because these two switches are not in the same TrustSec domain?
The L3 link is configured as follows (other side similarly):
interface GigabitEthernet1/0/24
 no switchport
 ip address 10.1.254.5 255.255.255.252
 cts manual
  policy static sgt 999 trusted
Do you think it is possible that the ingress switch was enforcing policy because, from its point of view, the egress switch is not part of the TrustSec domain?
What is the proper way to make a TrustSec domain in new software (16.9)? Is the seed and non-seed topology still needed?
Solved!
06-11-2019 06:43 AM
The ingress switch was trying to enforce policy even though it didn't know the destination group tag. It was assuming that the destination group tag was 0 because it didn't know the real tag. To resolve this problem we've disabled enforcement on the L3 link that is connected to the second switch.
interface GigabitEthernet1/0/24
 no switchport
 ip address 10.1.254.5 255.255.255.252
 cts manual
  policy static sgt 2 trusted
 no cts role-based enforcement
Is it the only/correct resolution?
06-11-2019 07:49 AM
It sounds like your default policy/SGACL is to deny unknown, aka tag 0. In that case it would be working as designed. You could change the default from deny all to permit all.
If you look at the bottom of the TrustSec matrix in ISE, is the default below the table permit all, or deny all?
https://<ise pan ip>/admin/#workcenters/workcenter_trustsec/workcenter_trustsec_policy/egress/matrix
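The two resolutions discussed in this thread (disabling SGACL enforcement on the inter-switch L3 link, and changing the default policy for an unknown destination tag) side by side, as an added configuration example that is not part of any post above. Only the interface, IP address and SGT values come from the thread; the ACL name PERMIT_UNKNOWN and the rest of the lab layout are assumptions.

```ios
! Added illustration, not the original poster's config. Switch 1 side of the
! L3 link to switch 2; the other side is assumed to be configured the same way.
!
! Option A (what the thread settled on): keep the link trusted and tagged, but
! do not enforce SGACLs on this hop. The source SGT still travels inline in
! the CMD header, so switch 2, which has the destination host attached and
! therefore knows the destination SGT, makes the enforcement decision.
interface GigabitEthernet1/0/24
 no switchport
 ip address 10.1.254.5 255.255.255.252
 cts manual
  policy static sgt 2 trusted
 no cts role-based enforcement
!
! Option B (the alternative raised in the last reply): leave enforcement on
! and make the fallback for an unknown destination SGT (tag 0) permit rather
! than deny. With ISE as policy source this is the "Default" entry under the
! TrustSec matrix; the locally configured equivalent is shown here with a
! hypothetical RBACL name.
ip access-list role-based PERMIT_UNKNOWN
 permit ip
cts role-based permissions default ipv4 PERMIT_UNKNOWN
!
! Verification on the ingress switch, to confirm what it actually knows:
!  - the SGT carried on the link and whether the peer is trusted
!  - whether the destination IP has an SGT binding (no binding = treated as 0)
!  - which matrix cell is hit and whether that cell is counting drops
show cts interface GigabitEthernet1/0/24
show cts role-based sgt-map all
show cts role-based permissions
show cts role-based counters
```

Option A is the narrower change: enforcement stays on wherever the destination SGT is known, and only the transit link between the two switches stops making decisions on an unknown tag. Option B relaxes the default for every flow whose destination SGT is unknown, on every enforcing interface, so check the ISE matrix default (the URL above) before adding a local default, since the policy source in use decides which setting is applied.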