Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
310
Views
1
Helpful
5
Replies

Config recommendation needed for sgt-cache used with NAT

lburleso
Level 1
Level 1

‎09-18-2025 01:23 PM

Greetings all

After having read documentation about SGT caching, I am unable to determine the proper application of this feature. Your assistance is appreciated.

Scenario: 

  • C8500L-8S4X running 17.12.4
  • int te0/1/2, faces ISP
  • ints te0/1/0-1 in port channel as po25, faces inside
  • int po25.700 inside layer 3
  • Platform uses dynamic NAT/PAT for internal endpoints
  • Certain client traffic will arrive at 8500 with meaningful SGT values

Assumption: Using 'cts role-based sgt-cache' will solve problem of return traffic arriving without SGT values

Questions:

  1. Is my assumption correct?
  2. Where should 'cts role-based sgt-cache ingress' be applied?
  3. Where should 'cts role-based sgt-cache egress' be applied?

Diagram attached.

Thank you in advance,
Lee

Preview file
162 KB
0 Helpful
5 Replies 5

lburleso
Level 1
Level 1
In response to ahollifield

‎09-18-2025 01:49 PM - edited ‎09-18-2025 01:50 PM

@ahollifield Given that I already admitted that I don't have the aptitude to discern from the documentation what is the correct configuration, and given that the documentation you linked to does not contain examples with a port-channel, subinterfaces, or on-device NAT I find your comment unhelpful and low-effort.

0 Helpful

Torbjørn
VIP
VIP
In response to lburleso

‎09-19-2025 12:29 AM

CTS caching should solve your issue if I have interpreted your scenario correctly. You must enable it in ingress direction on the interface where you expect to receive tagged traffic. 

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

lburleso
Level 1
Level 1
In response to Torbjørn

‎09-19-2025 06:55 AM

@Torbjørn  Thanks, that's a great start.
Is the 'egress' command required?
Also, unlike on switches, routers require 'cts' commands on both the physical and L3 interfaces where tags are used. Would the 'sgt-cache' command be applied on the subinterface, physical int, or both?

0 Helpful

Torbjørn
VIP
VIP
In response to lburleso

‎09-19-2025 10:52 AM

You should not have to configure caching for egress in your setup.

I must admit that I have only configured this once - and that was in my lab: I _think_ you only need to configure it on the subinterface that receives the tagged traffic. You can verify whether it is caching works with "show cts interface brief"(it should list caching as enabled) and "show cts role-based sgt-map all ipv4"(it should have cached entries).

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev
0 Helpful
Customers Also Viewed These Support Documents