Inline tagging propagation

Antonio Macia
Level 3

Hi,

I'm struggling to understand the inline SGT propagation commands when there is a device that does not support CTS or does not have it enabled. Two scenarios here:

  • Let's say I have an access switch with TrustSec enabled and a third-party distribution switch that doesn't, or a Cisco switch without CTS enabled. In order to make the traffic pass between devices I must add the "no sgt propagation" command on the uplink interfaces to remove the CMD, so the frame is accepted by the upstream device, correct?
  • When both the access and distribution switches are Cisco and have CTS configured: since SGT is propagated by default, should I configure "cts manual" and "policy static sgt XXX trusted" (XXX is the device's TrustSec device SGT), or will traffic pass without them?

Thanks.

Accepted Solutions

Damien Miller
VIP Alumni

In the first scenario, don't apply any cts manual / policy static commands. The switch will take care of this correctly and pass standard Ethernet frames without tags across any link not configured for CTS. You can create an SXP connection to span the unsupported device in the path.

On the second scenario, what you said is correct.

Hi Damien,

For the first scenario, I was testing this and north-south traffic is getting dropped. That's why I assumed that the "no sgt propagation" command is needed. Are you sure it is not? Do non-CTS-enabled devices ignore the CMD and forward the traffic automatically?

Regarding the second, the "policy static sgt XXX trusted" is used to allow infrastructure traffic (routing protocols, etc.) generated by the switch itself, correct?

Thanks.
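
An added example, not part of the thread and not Cisco code: a small Python parser for checking, in a capture taken on the uplink, whether frames still carry the CMD that the posts above discuss, and what the same frame looks like once it is removed. The CMD layout (EtherType 0x8909 followed by version, length, option and a 16-bit SGT) is an assumption of this sketch, and the function names and sample frames are constructed for illustration.

```python
import struct

CMD_ETHERTYPE = 0x8909    # Cisco MetaData (CMD) EtherType
DOT1Q_ETHERTYPE = 0x8100  # 802.1Q VLAN tag
CMD_LEN = 8               # assumed: EtherType(2) ver(1) len(1) option(2) SGT(2)

def inspect_frame(frame: bytes) -> dict:
    """Report VLAN, SGT (None when no CMD is present) and payload EtherType."""
    offset, vlan, sgt, cmd_offset = 12, None, None, None  # 12 = both MACs
    try:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype == DOT1Q_ETHERTYPE:       # VLAN tag sits before the CMD
            tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
            vlan = tci & 0x0FFF
            offset += 4
        if ethertype == CMD_ETHERTYPE:         # inline tag present
            cmd_offset = offset
            _ver, _len, _opt, sgt, ethertype = struct.unpack_from(
                "!BBHHH", frame, offset + 2)
            offset += CMD_LEN
    except struct.error as exc:
        raise ValueError("truncated frame") from exc
    return {"vlan": vlan, "sgt": sgt, "ethertype": ethertype,
            "cmd_offset": cmd_offset, "payload_offset": offset + 2}

def strip_cmd(frame: bytes) -> bytes:
    """Return the frame as it appears on a link that does not carry the CMD."""
    start = inspect_frame(frame)["cmd_offset"]
    if start is None:
        return frame                           # already a standard frame
    return frame[:start] + frame[start + CMD_LEN:]

# Constructed sample frames: VLAN 10, SGT 16, IPv4 payload stub.
MACS = bytes.fromhex("020000000002" "020000000001")
PAYLOAD = bytes.fromhex("0800") + b"\x45" + bytes(19)
TAGGED = MACS + bytes.fromhex("8100000a") + bytes.fromhex("8909010100010010") + PAYLOAD
UNTAGGED = MACS + bytes.fromhex("8100000a") + PAYLOAD

if __name__ == "__main__":
    for name, frame in (("tagged", TAGGED), ("untagged", UNTAGGED)):
        info = inspect_frame(frame)
        print(f"{name}: vlan={info['vlan']} sgt={info['sgt']} "
              f"ethertype=0x{info['ethertype']:04x}")
```
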