Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
840
Views
1
Helpful
4
Replies

Enabling TrustSec "Inline Tagging" for sub-interfaces of CSR1000v

Go to solution
rezaalikhani
VIP
VIP

‎06-10-2023 02:34 AM

Hi all;

Consider the following scenario:

1.png

I this scenario I configured the router with 2 sub-interfaces with the following configuration:

2.png

  • WebSRV is 192.168.100.100 GW: 192.168.100.1
  • DBSRV is 192.168.100.1 GW: 192.168.100.1
  • FTPSRV is 192.168.101.100 GW: 192.168.101.1

With this configuration everything works fines and the servers can ping each other:

3.png

I have also configured the router to interact with ISE:

4.png

I do not have enabled "enforcement" on the router:

5.png

I use the nearly current version if CSR1000v:

6.png

Now I decide to enable "Inline Tagging" on the subinterfaces for the purpose of "SGT over Ethernet" functionality. So, I execute the "cts manual" command on the subinterfaces:

7.png

As you can see above, doing so forces the parent interface to bounce.

Now for the testing operation, I encounter the following problem:

8.png

As you can see above, any routing operation has failed.

Any ideas?

Thanks

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
rezaalikhani
VIP
VIP
In response to Damien Miller

‎06-11-2023 09:14 AM

I run this scenario on EVE-NG.

According to the following post, because I use subinterfaces on my CSR1000v router, I do not need to execute the "cts manual" command. After executing highlighted command below, the router stared to tag inline packets and advertise them using SXP to ISE.

1.png

 

http://www.network-node.com/blog/2019/3/31/154-digging-into-sgt-bindings-priority-and-sxp

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Nancy Saini
Cisco Employee
Cisco Employee

‎06-10-2023 10:06 AM

With just "cts manual" pings should not be dropped. Have you propagated different SGTs for servers? If yes, check if the traffic (ICMP) between the SGTs is allowed.

0 Helpful

Go to solution
rezaalikhani
VIP
VIP
In response to Nancy Saini

‎06-11-2023 05:12 AM

Thanks for your reply.

As I said, I have not configured any ACL on the switch (local ACL or SGACL).

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎06-10-2023 10:18 AM

Does the underlying host you're running the 1000v on support inline tagging? Anytime I have seen this done with a virtual router it's with SXP connections because native inline tagging is not supported. 

When you configure cts manual you're changing the layer 2 frame ethertype and adding a new Cisco Metadata field in. A lot of Cisco hardware supports this, but this isn't usually the case with anything virtualized. 

 

Go to solution
rezaalikhani
VIP
VIP
In response to Damien Miller

‎06-11-2023 09:14 AM

I run this scenario on EVE-NG.

According to the following post, because I use subinterfaces on my CSR1000v router, I do not need to execute the "cts manual" command. After executing highlighted command below, the router stared to tag inline packets and advertise them using SXP to ISE.

1.png

 

http://www.network-node.com/blog/2019/3/31/154-digging-into-sgt-bindings-priority-and-sxp

0 Helpful
Customers Also Viewed These Support Documents