03-02-2023 07:49 AM
I have an issue where even though my SGTs and SGACL appear to be working correctly, traffic is not being enforced based on the SGACL. While working with TAC, they shared the following note, but haven't yet been able to expand on this statement. Can anyone help me understand this? The switch I'm working with is a Cat 4510 on 3.16. It is an L2-only switch, no L3 other than mgmt, and no VRFs... which is why I'm having a hard time tying this statement to my situation.
Catalyst 4500 Series Release 3.9 and later, with the introduction of VRF, an SVI is needed for L3 lookup to
derive SGT for switched traffic, and a SVI is also needed on the VLAN for the derivation of source group for L2
traffic.
Cisco Group Based Policy – Platform and Capability Matrix
03-02-2023 08:01 AM
What supervisor do you have, and what does your config look like?
Do you have ISE - what version?
03-02-2023 08:05 AM
SUP8-E, ISE v3.1, patch 3
n-z3swidf17#show run | sec cts
aaa authentication login cts-list group ISE_RADIUS local
aaa authorization network cts-list group ISE_RADIUS
cts authorization list cts-list
cts role-based enforcement
cts role-based enforcement vlan-list 1-4094
n-z3swidf17#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
10.42.58.18 5 LOCAL
10.42.58.30 7 LOCAL
10.42.91.178 7 LOCAL
IP-SGT Active Bindings Summary
============================================
Total number of LOCAL bindings = 3
Total number of active bindings = 3
n-z3swidf17#show cts role-based permissions from 5 to 7
IPv4 Role-based permissions from group 5:TEST_1 to group 7:TEST_2:
DENY_443_LOG-10
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
03-02-2023 04:22 PM
Hi
I ran into a similar situation with a L2 3650 stack a while back. SGT assignment was by VLAN-to-SGT and IP Source Guard was enabled
from:
the 3650 restrictions were:
Cisco TrustSec cannot be configured on a pure bridging domain with the IPSG feature enabled. You must disable the IPSG feature in the bridging domain.
For Cisco IOS Release 3.7E and later, Cisco TrustSec VLAN-to-SGT binding cannot be enabled in pure bridging domain. You have to either manually enable IP device tracking on the ports in the VLAN, or enable SVI interface for the VLAN.
I got sgacl enforcement working by:
With the above in place, sgacl enforcement worked. From what you've posted, you aren't doing VLAN-to-SGT mapping but the above may be worth a try.
hth
Andy
03-07-2023 03:06 AM
Yes, you're switching within VLAN X. Your endpoints are receiving (or have) an IP address from a subnet range, say 10.10.1.0/24 for example. If you're purely switching then the default gateway for VLAN X will be on a platform north-bound somewhere, that default gateway probably being something like 10.1.1.1 or 10.10.1.254.
To add an SVI on the 4500, just add a VLAN interface and add an unused IP from within that subnet range e.g.
interface vlan X
ip address 10.10.1.200 255.255.255.0
As Andrew mentioned above, the IP may not be required under the VLAN interface; add one if needed to get it to work
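Putting the two suggestions in this thread side by side as one IOS-XE configuration sketch. This is an added example, not a config posted by anyone in the thread; VLAN 42, the 10.10.1.0/24 subnet, the .200 host address and the port range are assumed values, and the exact `ip device tracking` syntax depends on the release.

```cisco
! --- Added example. Assumes VLAN 42 carries the endpoints seen in the sgt-map,
! --- that 10.10.1.0/24 is their subnet, and that the default gateway is upstream.
!
! Enforcement as already present in the original post
cts role-based enforcement
cts role-based enforcement vlan-list 1-4094
!
! Option A (accepted answer): give the VLAN an SVI so the switch has an L3
! interface on which to derive the source SGT for bridged traffic. The address
! is an unused host in the subnet; the switch is not the gateway.
interface Vlan42
 description TrustSec SGT derivation only - not a gateway
 ip address 10.10.1.200 255.255.255.0
 no shutdown
!
! Option B (the 3650 restriction Andy quoted): keep the VLAN pure L2 and enable
! IP device tracking on the access ports in the VLAN instead of adding an SVI.
! Use one option or the other, not both, when testing.
ip device tracking
interface range GigabitEthernet1/1 - 24
 switchport access vlan 42
 ip device tracking maximum 10
!
! Checks after either change: bindings should still show LOCAL entries, the
! policy should still be downloaded, and the SGACL counters should increment
! once enforcement actually applies to traffic from SGT 5 to SGT 7.
! show cts role-based sgt-map all
! show cts role-based permissions from 5 to 7
! show cts role-based counters from 5 to 7
```

Two caveats. If the SVI works without an address (as suggested above), prefer `interface Vlan42` with `no ip address`, because giving the switch an address inside the user subnet exposes its management plane on that VLAN; if an address is needed, apply the same management-plane restrictions (access-class or control-plane policing) that already protect the mgmt SVI. Also, the counters command is the quickest way to tell whether the original symptom is a missing binding or a policy that is simply never hit: if the `DENY_443_LOG-10` counters stay at zero while traffic flows, the source SGT is not being derived for the bridged frames.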