SGT inline tagging on Catalyst 6509-E, 6513-E, or 6807-XL

jideji
Cisco Employee

Attempting to enable SGT inline tagging configuration on the Supervisor Engine interfaces with Hardware Supervisor Engine - VS-SUP2T-10G Modules - WS-X6848-TX-2T (with DFC4)

resulted in the following message:
“CTS configuration could not be activated (Te x/x): CTS SGT Propagation not allowed by platform
Reason: Incompatible Linecards 61xx and/or 67xx CFC/DFC present. Please power down the Incompatible Linecards as they will not come up on next reload/OIR or configure either CTS Egress or CTS Ingress.”

Although I don't have the modules listed in this message, I am assuming that it also includes the WS-X6848-TX-2T, WS-X6824-SFP-2T, C6800-48P-TX, and C6800-48P-TX-XL modules.
 
Example interface configuration

interface Te x/x | Fo x/x
 switchport
 switchport mode dynamic desirable
 cts manual
  propagate sgt
  policy static sgt 10001 trusted
 channel-group 1 mode active

 

Also, on Egress Reflector Mode


CTS Egress Reflector Mode uses Catalyst Switch Port Analyzer (SPAN) to reflect traffic from a CTS-incapable module to the Supervisor Engine 2T/6T for SGT assignment and insertion.  A CTS egress reflector is implemented on a distribution switch with Layer 3 uplinks, where the CTS-incapable module is connected to access layer switches.  CTS egress reflector supports Centralized Forwarding Cards (CFCs) and Distributed Forwarding Cards (DFCs).
 
Using <platform cts egress> (and reload) and then attempting to test the SGT inline tagging configuration on the Supervisor Engine interfaces with Hardware Supervisor Engine - C6800-SUP6T Modules - C6800-48P-TX-XL (with DFC4-XL) resulted in the following message:
    
“CTS configuration could not be activated (Fo x/x): CTS SGT Propagation not allowed by platform
Reason: SGT Propagation not allowed on non-routed ports in CTS Egress mode”
 
This seems to be supported on Sup 2T and 6T on the 6500; any pointers will be greatly appreciated.
 


Damien Miller
VIP Alumni
Were you able to find and read this document? It covers caveats and support. I don't deploy TrustSec on customers' older 6500s because of the exact issues you ran into and the caveats; instead we wait for them to refresh the platform. On the other hand, in my field experience, 6807s with 6900 series line cards do work great.

https://www.cisco.com/c/dam/en/us/solutions/collateral/borderless-networks/trustsec/C07-730151-00_overview_of_trustSec_og.pdf

Yes, I did.

According to the Cisco TrustSec Software-Defined Segmentation Platform and Capability Matrix Release 6.4, SGT inline tagging over Ethernet & SGT over MACsec is supported on the Catalyst 6500-E/6807-XL chassis with Supervisor Engine 2T & 6T and the following modules.

  1. WS-X69xx modules
  2. C6800-32P10G/G-XL
  3. C6800-16P10G/G-XL
  4. C6800-8P10G/G-XL

It lists this as a caveat at the bottom: you have to be using routed ports. The uplink config you shared above is an L2 port.

The following restrictions apply to egress reflection mode:
● All ports configured to propagate SGTs must be L3 routed ports or L3 routed EtherChannel interfaces (L2 switchports are not supported)
● An internal system VLAN will be allocated for every port enabled with Cisco TrustSec SGT
● Service modules are not supported with egress reflector mode, although this may change in future software releases
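As an added illustration (not from this thread or from Cisco), the following script parses IOS-style interface stanzas and flags any interface that has `cts manual` / `propagate sgt` configured while still being an L2 switchport, which is exactly the combination the egress-reflector caveat above rejects. The sample config is constructed: the first stanza mirrors the L2 uplink from the original post, the second is a routed (`no switchport`) variant of the same port that meets the routed-port requirement; interface names and the IP address are placeholders.

```python
"""Flag interfaces that hit the egress-reflector SGT caveat (constructed example)."""
import re

# Constructed sample config: an L2 uplink as posted in the thread, plus a
# routed variant of the same port that satisfies the L3-only restriction.
SAMPLE_CONFIG = """\
interface TenGigabitEthernet1/1
 switchport
 switchport mode dynamic desirable
 cts manual
  propagate sgt
  policy static sgt 10001 trusted
 channel-group 1 mode active
!
interface TenGigabitEthernet1/2
 no switchport
 ip address 10.0.0.1 255.255.255.252
 cts manual
  propagate sgt
  policy static sgt 10001 trusted
!
"""

def parse_interfaces(config):
    """Return {interface_name: [stripped sub-lines]} for each interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return stanzas

def sgt_on_l2_ports(config):
    """Names of interfaces that propagate SGTs but are still L2 switchports."""
    offenders = []
    for name, lines in parse_interfaces(config).items():
        if "cts manual" not in lines or "propagate sgt" not in lines:
            continue
        # A bare 'switchport' or 'switchport ...' line makes the port L2;
        # 'no switchport' does not match and leaves it routed (L3).
        if any(re.fullmatch(r"switchport(\s.*)?", l) for l in lines):
            offenders.append(name)
    return offenders

if __name__ == "__main__":
    for intf in sgt_on_l2_ports(SAMPLE_CONFIG):
        print(f"{intf}: SGT propagation on an L2 port; convert it to a routed port")
```

Run against a `show running-config` capture to list every port that egress reflector mode would refuse before committing `platform cts egress` and reloading.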

Thanks Damien, I see the caveat in the document hslai provided. Maybe we can add these caveats to the updated TrustSec compatibility matrix.

 

Hello everyone,

Have the same issue here. So, to be clear, the solution is to change your port from an L2 trunk to an L3 port... correct?

jideji
Cisco Employee

Hslai,

Please, what about Sup 6T? I see the caveats on egress reflection mode Damien mentioned.

hslai
Cisco Employee

Compare Models Catalyst 6500 Series Switches on Sup Engines - Cisco shows them differing mainly in DFC, MSFC, and PFC. The CTS support should be much the same as 2T.