Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
401
Views
1
Helpful
2
Replies

Inline tagging propagation

Go to solution
Antonio Macia
Participant
Participant

‎04-18-2023 07:41 AM

Hi,

I'm struggling understanding the inline SGT propagation commands when there is a device that does not support or does not have CTS enabled. Two scenarios here:

  • Let's say I have an access switch with Trustsec enabled and a third party distribution switch that doesn't or a Cisco switch without CTS enabled. In order to make the traffic pass between devices I must add the "no sgt propagation" command on the uplink interfaces to remove the CMD, so the frame is accepted by the upstream device, correct?
  • When both, the access and distribution switches are Cisco and have CTS configured. Since by default SGT is propagated. Should I configure the "cts manual" and "policy static sgt XXX trusted" (XXX is the device trustsec device SGT) or traffic will pass without them? 

Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP
VIP

‎04-18-2023 07:54 AM

In the first scenario don't apply any cts manual / policy static commands. The switch will take care of this correctly and pass standard ethernet frames without tags across any link not configured for cts. You can create an sxp connection to span the unsupported device in the path.

 

On the second scenario, what you said is correct. 

View solution in original post

2 Replies 2

Go to solution
Damien Miller
VIP
VIP

‎04-18-2023 07:54 AM

In the first scenario don't apply any cts manual / policy static commands. The switch will take care of this correctly and pass standard ethernet frames without tags across any link not configured for cts. You can create an sxp connection to span the unsupported device in the path.

 

On the second scenario, what you said is correct. 

Go to solution
Antonio Macia
Participant
Participant
In response to Damien Miller

‎04-19-2023 12:52 AM - edited ‎04-19-2023 01:01 AM

Hi Damien,

For the first scenario, I was testing this and north-south traffic is getting dropped. That's why I assumed that the "no sgt propagation" command is needed. Are you sure it is not? Non-CTS enabled devices ignore the CMD and forward the traffic automatically?

Regarding the second, the "policy static sgt XXX trusted" is used to allow infrastructure traffic (routing protocols, etc) generated by the switch itself, correct?

 

Thanks.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents