669 Views · 11 Helpful · 3 Replies

L2-SGT treatment during routing

Hello Everyone

After enabling the campus for TrustSec, we can notice that clients' frames generated on access & provisioned with CMD (with the SGT assigned by the ISE AAA process) need to be routed on the core (also TrustSec aware, by "cts manual" on all its interconnects) from the original SVI to, let's say, transit. The Q is how does Cisco treat this case, assuming there is no SGT enforcement on the core, no IP-SGT mappings nor SGACLs, & all the core's L2 interfaces are configured with "cts manual ; propagate cts ; policy static sgt 2 trusted":
1) replicate CMD from ingress frame on the egress
2) insert on egress CMD with trusted SGT 
3) insert on egress CMD with unknown (0) SGT
4) something else

Could anyone please shed some light?

Accepted Solution

OK, remember that the 'policy static sgt x trusted' ONLY has the ability to adjust the assigned SGT in the inbound direction (e.g. int1).
In the outbound direction (e.g. int2), the 'cts manual / policy static sgt x trusted' just enables the propagation of the CMD.
So, inbound then on int1, as I've written the command above, the SGT received on the wire will be trusted and will be forwarded out int2 as is.
If the commands on int1 (inbound) are 'cts manual / policy static sgt x', it means do not trust the SGT on the wire and classify the incoming traffic with SGT x instead. This SGT x will be transmitted via CMD out int2.
This topic is covered in a couple of slides in an ISE webinar I presented recently, found on YouTube here: https://www.youtube.com/watch?v=KKbvocNPaOQ&t=34s starting at 11 minutes 15 seconds.


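The decision logic in the accepted answer can be made concrete with a small model. The following Python is an added illustration written for this thread; it is not Cisco code and does not describe any platform's implementation. It encodes only what the answers above state: a trusted inbound `policy static sgt x trusted` keeps the SGT carried in the CMD header, an untrusted `policy static sgt x` overwrites it with x, a frame arriving without CMD gets x, and the outbound interface's role is merely to propagate whatever SGT was assigned at ingress. The fallback to SGT 0 (unknown) for an interface with no `cts manual` configuration, the interface and frame field names, and the sample frames are assumptions made for the example.

```python
"""Added example: model of SGT handling across a 'cts manual' core link.

Not Cisco code. It encodes the rules stated in the accepted answer:
  - inbound 'policy static sgt x trusted': keep the SGT from the wire CMD
  - inbound 'policy static sgt x' (untrusted): classify as x instead
  - no CMD on the wire: classify as x
  - outbound 'cts manual' + 'propagate sgt': just re-insert the assigned SGT
Assumption: an interface without any cts configuration yields SGT 0 (unknown).
"""
from dataclasses import dataclass
from typing import Optional

SGT_UNKNOWN = 0  # the "unknown (0)" SGT mentioned in the question


@dataclass(frozen=True)
class CtsInterface:
    """'cts manual' settings on one L2 interface (hypothetical field names)."""
    name: str
    cts_manual: bool = True            # 'cts manual' present on the interface
    propagate_sgt: bool = True         # 'propagate sgt' (CMD insertion on egress)
    static_sgt: Optional[int] = None   # 'policy static sgt <x> [trusted]'
    trusted: bool = False              # the 'trusted' keyword


@dataclass(frozen=True)
class Frame:
    """Ethernet frame; cmd_sgt is the SGT in the CMD header, None if untagged."""
    src: str
    dst: str
    cmd_sgt: Optional[int] = None


def classify_ingress(frame: Frame, intf: CtsInterface) -> int:
    """SGT assigned to the frame when it enters 'intf' (inbound direction)."""
    # Wire SGT present and the port trusts it: the received SGT is kept as is.
    if frame.cmd_sgt is not None and intf.cts_manual and intf.trusted:
        return frame.cmd_sgt
    # Otherwise the static policy SGT applies, whether the wire SGT was
    # present-but-untrusted or absent altogether.
    if intf.cts_manual and intf.static_sgt is not None:
        return intf.static_sgt
    # Assumption for this model: nothing usable -> unknown SGT.
    return SGT_UNKNOWN


def encode_egress(frame: Frame, sgt: int, intf: CtsInterface) -> Frame:
    """Frame as sent out 'intf' (outbound direction): CMD is only propagated."""
    if intf.cts_manual and intf.propagate_sgt:
        return Frame(frame.src, frame.dst, cmd_sgt=sgt)
    return Frame(frame.src, frame.dst, cmd_sgt=None)


def forward(frame: Frame, ingress: CtsInterface, egress: CtsInterface) -> Frame:
    """Route a frame from the ingress interface/SVI to the egress interface.

    The SGT is decided once at ingress and carried unchanged through routing;
    no enforcement is modelled, matching the question's "no SGACLs" assumption.
    """
    sgt = classify_ingress(frame, ingress)
    return encode_egress(frame, sgt, egress)


if __name__ == "__main__":
    # Constructed sample interfaces and frames, not taken from any real device.
    int1_trusted = CtsInterface("int1", static_sgt=2, trusted=True)
    int1_untrusted = CtsInterface("int1", static_sgt=2, trusted=False)
    int2 = CtsInterface("int2", static_sgt=2, trusted=True)
    tagged = Frame("host-a", "host-b", cmd_sgt=5)
    untagged = Frame("host-a", "host-b")
    for label, frm, ing in [
        ("CMD SGT 5 in, int1 trusted  ", tagged, int1_trusted),
        ("CMD SGT 5 in, int1 untrusted", tagged, int1_untrusted),
        ("no CMD in,    int1 trusted  ", untagged, int1_trusted),
    ]:
        print(f"{label} -> egress CMD SGT {forward(frm, ing, int2).cmd_sgt}")
```

Running the block prints the three cases from the thread side by side (5, 2 and 2). The model also makes the risk point visible: `trusted` is the only setting that lets a value arriving on the wire become the frame's SGT, so the set of links carrying that keyword is the set of places where externally supplied tags can enter the core.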
3 Replies

hslai (Cisco Employee)

@andy!doesnt!like!uucp As you know, I did inline tagging between C9800-CL and C8000V. Although C9800-CL has an SVI for management, the cts configuration goes to the physical interface (in my case, Gi1). For C8000V, each of the sub-interfaces is configured for cts manual and policy static sgt 2 trusted. If an L2 frame has a CMD with SGT, then the SGT is preserved. If no SGT, then SGT2 is sent.

I've also asked my coworker who wrote the Segmentation Strategy guide to take a look at this thread.


Hi Jonathan

Highly appreciate your input (including the YouTube reference)! Thanks