Dear all,
I'm struggling to enforce role-based permissions between endpoints of the same SGT group when the mapping of the source endpoint is learned through SXP (non-contiguous SGT support between source and destination). While seeing the SGT mapping from the speaker (3560G, network ingress point) on the listener instance (3560X, network egress point), it seems that the mappings are not taken into account for actual enforcement. The enforcement is working as expected with endpoints connected to either 3560X (contiguous TrustSec domain). Attached is an overview of the test setup. The SGT used is 10 for both source and destination endpoint. ACL1 (SGACL) is blocking ICMP traffic and permitting all other IP.
As can be seen, the mappings are learned from the 3560G on both 3560X via SXP.
SXP-speaker#show cts role-based sgt-map all
Active IP-SGT Bindings Information
IP Address SGT Source
============================================
172.28.135.152 10 LOCAL
172.28.135.157 10 LOCAL
172.28.135.158 10 LOCAL
172.28.135.159 10 LOCAL
172.28.135.160 10 LOCAL
172.28.135.167 10 LOCAL
172.28.135.171 10 LOCAL
172.28.135.174 10 LOCAL
172.28.135.176 10 LOCAL
172.28.135.183 10 LOCAL
IP-SGT Active Bindings Summary
============================================
Total number of LOCAL bindings = 10
Total number of active bindings = 10
SXP-listener1#sh cts role-based sgt-map all
Active IP-SGT Bindings Information
IP Address SGT Source
============================================
172.28.135.152 10 SXP
172.28.135.157 10 SXP
172.28.135.158 10 SXP
172.28.135.159 10 SXP
172.28.135.160 10 SXP
172.28.135.167 10 SXP
172.28.135.171 10 SXP
172.28.135.174 10 SXP
172.28.135.176 10 SXP
172.28.135.183 10 SXP
IP-SGT Active Bindings Summary
============================================
Total number of SXP bindings = 10
Total number of active bindings = 10
SXP-listener2#sh cts role-based sgt-map all
Active IP-SGT Bindings Information
IP Address SGT Source
============================================
172.28.135.152 10 SXP
172.28.135.157 10 SXP
172.28.135.158 10 SXP
172.28.135.159 10 SXP
172.28.135.160 10 SXP
172.28.135.167 10 SXP
172.28.135.170 10 LOCAL
172.28.135.171 10 SXP
172.28.135.174 10 SXP
172.28.135.176 10 SXP
172.28.135.183 10 SXP
IP-SGT Active Bindings Summary
============================================
Total number of SXP bindings = 10
Total number of LOCAL bindings = 1
Total number of active bindings = 11
Is there anything obvious that I might be missing or has anybody already had a similar issue?
Any feedback is really appreciated.
Thank you and kind regards!
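As an added example (not part of the original post), the script below parses `show cts role-based sgt-map all` output into a per-device binding table, checks that every LOCAL binding on the SXP speaker arrived on each listener as an SXP binding with the same SGT, and shows what the enforcement switch knows about a given source/destination pair from its IP-SGT table alone. The embedded outputs are constructed and abridged from the tables quoted above; listener2 deliberately lacks one speaker binding so the consistency check has something to report. The function and variable names are my own.

```python
"""Consistency check for IP-SGT bindings between an SXP speaker and its listeners.

Added example, not from the original post. Parses the text of
'show cts role-based sgt-map all' and compares binding tables.
"""
import re
from typing import Dict, NamedTuple, Optional


class Binding(NamedTuple):
    sgt: int
    source: str  # e.g. LOCAL, SXP


# One binding line: "<ipv4> <sgt> <source>"; header and summary lines do not match.
BINDING_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)\s*$")

# Constructed, abridged outputs modelled on the tables quoted in the post.
SPEAKER_OUT = """Active IP-SGT Bindings Information
IP Address SGT Source
============================================
172.28.135.152 10 LOCAL
172.28.135.157 10 LOCAL
172.28.135.158 10 LOCAL
IP-SGT Active Bindings Summary
============================================
Total number of LOCAL bindings = 3
Total number of active bindings = 3
"""

LISTENER1_OUT = """Active IP-SGT Bindings Information
IP Address SGT Source
============================================
172.28.135.152 10 SXP
172.28.135.157 10 SXP
172.28.135.158 10 SXP
Total number of SXP bindings = 3
"""

# Constructed deviation: 172.28.135.158 is missing on this listener.
LISTENER2_OUT = """Active IP-SGT Bindings Information
IP Address SGT Source
============================================
172.28.135.152 10 SXP
172.28.135.157 10 SXP
172.28.135.170 10 LOCAL
Total number of SXP bindings = 2
Total number of LOCAL bindings = 1
"""


def parse_sgt_map(output: str) -> Dict[str, Binding]:
    """Return {ip: Binding} for every binding line in the show output."""
    bindings: Dict[str, Binding] = {}
    for line in output.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            bindings[m.group(1)] = Binding(int(m.group(2)), m.group(3))
    return bindings


def missing_on_listener(speaker: Dict[str, Binding],
                        listener: Dict[str, Binding]) -> Dict[str, tuple]:
    """LOCAL bindings on the speaker that the listener did not learn via SXP
    (absent, learned from another source, or carrying a different SGT)."""
    missing = {}
    for ip, b in speaker.items():
        if b.source != "LOCAL":
            continue
        got = listener.get(ip)
        if got is None or got.source != "SXP" or got.sgt != b.sgt:
            missing[ip] = (b, got)
    return missing


def enforcement_view(table: Dict[str, Binding], src_ip: str,
                     dst_ip: str) -> Dict[str, Optional[Binding]]:
    """What an enforcement switch can derive for a flow from its IP-SGT table:
    both entries must be present for an SGT/DGT lookup to be possible."""
    return {"src": table.get(src_ip), "dst": table.get(dst_ip)}


SPEAKER = parse_sgt_map(SPEAKER_OUT)
LISTENER1 = parse_sgt_map(LISTENER1_OUT)
LISTENER2 = parse_sgt_map(LISTENER2_OUT)

if __name__ == "__main__":
    for name, table in (("listener1", LISTENER1), ("listener2", LISTENER2)):
        gaps = missing_on_listener(SPEAKER, table)
        print(f"{name}: {len(gaps)} speaker binding(s) not learned via SXP: {gaps}")
    print(enforcement_view(LISTENER2, "172.28.135.152", "172.28.135.170"))
```

Run it against the real output captured from each switch (replace the constructed strings with the pasted text) to confirm that the source IP of the failing flow has a binding with the expected SGT on the egress switch before looking further at enforcement itself.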