Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
804
Views
11
Helpful
3
Replies

L2-SGT treatment during routing

Go to solution
andy!doesnt!like!uucp
VIP
VIP

‎02-09-2023 12:04 AM - edited ‎02-13-2023 01:36 AM

Hello Everyone

after enabling campus for TrustSec we can notice that client's frame generated on access & provisioned with CMD (with SGT assigned by ISE AAA process) need to be routed on the core (also TrustSec aware by "cts manual" on all its interconnects) from original SVI to let's say transit. The Q is how does Cisco treat this case assuming there is no SGT-enforcement on the core, no IP-SGT mappings nor SGACLs & all core's L2 interfaces configured with cts manual ; propagate cts ; policy static sgt 2 trusted):
1) replicate CMD from ingress frame on the egress
2) insert on egress CMD with trusted SGT 
3) insert on egress CMD with unknown (0) SGT
4) something else

Could anyone pls shed a light?

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee
In response to hslai

‎02-13-2023 03:27 AM

OK, remember that the 'policy static sgt x trusted' ONLY has the ability to adjust the assigned SGT in the inbound direction (e.g. int1).
In the outbound direction (e.g. int2), the 'cts manual / policy static sgt x trusted' just enables the propagation of the CMD.
So, inbound then on int1, as I've written the command above, the SGT received on the wire will be trusted and will be forwarded out int2 as is.
If the commands on int1 (inbound) are 'cts manual / policy static sgt x', it means do not trust the SGT on the wire and classify the incoming traffic with SGT x instead. This SGT x will be transmitted via CMD out int2.
This topic is covered in a couple of slides in an ISE webinar I presented recently, found on YouTube here: https://www.youtube.com/watch?v=KKbvocNPaOQ&t=34s starting at 11 minutes 15 seconds.

View solution in original post

3 Replies 3

Go to solution
hslai
Cisco Employee
Cisco Employee

‎02-11-2023 06:12 PM

@andy!doesnt!like!uucp As you know, I did inline tagging between C9800-CL and C8000V. Although C9800-CL has an SVI for management, the cts configuration goes to the physical interface (in my case, Gi1). For C8000V, each of the sub-interfaces is configured for cts manual and policy static sgt 2 trusted. If an L2 frame has a CMD with SGT, then the SGT is preserved. If no SGT, then SGT2 is sent.

I've also asked my coworker who wrote the Segmentation Strategy guide to take a look of this thread.

0 Helpful

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee
In response to hslai

‎02-13-2023 03:27 AM

OK, remember that the 'policy static sgt x trusted' ONLY has the ability to adjust the assigned SGT in the inbound direction (e.g. int1).
In the outbound direction (e.g. int2), the 'cts manual / policy static sgt x trusted' just enables the propagation of the CMD.
So, inbound then on int1, as I've written the command above, the SGT received on the wire will be trusted and will be forwarded out int2 as is.
If the commands on int1 (inbound) are 'cts manual / policy static sgt x', it means do not trust the SGT on the wire and classify the incoming traffic with SGT x instead. This SGT x will be transmitted via CMD out int2.
This topic is covered in a couple of slides in an ISE webinar I presented recently, found on YouTube here: https://www.youtube.com/watch?v=KKbvocNPaOQ&t=34s starting at 11 minutes 15 seconds.

Go to solution
andy!doesnt!like!uucp
VIP
VIP
In response to jeaves@cisco.com

‎02-13-2023 03:41 AM

Hi Jonothan

highly appreciate your input (inc. reference to utube)! thanks   

Customers Also Viewed These Support Documents