3415 Views, 15 Helpful, 3 Replies

SGT Propagation Over L3 Networks

Hi,

ISE is binding SGTs to IPs; these tags should be retained across an MPLS network of which the customer is the owner (only his VRFs are configured on the PEs). Ps and PEs are ASR903s and the whole network runs IOS-XE.

I know that GETVPN can be used for propagating SGT.

My question is: is it possible to propagate SXP (SGT mapped to IP) over MPLS without using any tunnels at all, and therefore without losing SGTs?

 

Many thanks in advance

 

Davide

 

Accepted Solution

If you haven't done so already, I would suggest reviewing the documentation available in the Segmentation & Group-Based Policy Resources. There are also some very good sessions available on ciscolive.com related to TrustSec best practices.

Both SXP and inline tagging are Propagation methods to carry the SGT from the point of Classification to the point of Enforcement. SXP is essentially an overlay and some platforms have strict limitations when it comes to the number of SXP bindings they can handle. Inline tagging is more efficient and should be used where possible with SXP used sparingly where absolutely needed. Inline tagging is supported by several methods including within the Ethernet frame (where platforms support it in hardware), IKEv2 header for IPSec, and in the VXLAN header (used by the SDA fabric, for example).

 


3 Replies

Damien Miller
VIP Alumni

As long as there is IP L3 reachability between the customers ISE deployment and remote devices where inline tagging should begin again, then yes you can use SXP to communicate the bindings out of band. 

The caveat I see here is that ASR 903s (or any IOS-XR platform) do not support TrustSec, neither SXP nor inline tagging. So this would require pushing the SXP bindings lower into each site off of the WAN edge, possibly to the site core switch. From the core switch you could leverage inline tagging down to the access to enable east-west SGACL capability if desired, where both access and core could provide the enforcement capability. Enforcement would take place where both source and destination SGTs are known, often the core if it's receiving all bindings from ISE.

In cases like this it's common to use ISE as the source of truth for all IP-SGT bindings and configure your unidirectional SXP peers from ISE > WAN edge/core switch. This works OK assuming you are able to accommodate the scale both in the number of SXP peers and in the IP-SGT bindings being pushed (the complete database). If you are manually creating IP-SGT bindings in the environment, either by static port tags or by bindings on another platform, then ISE and other sites will not learn them.

Keep in mind that every platform has different IP-SGT binding scale, and a maximum number of peers. Here are the platforms that support TrustSec functionality.
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-system-bulletin.pdf
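The two propagation paths discussed in this thread (the accepted solution's inline tag in the Ethernet frame versus SXP as an out-of-band overlay, and Damien's point that enforcement needs both source and destination SGTs known) can be modelled end to end. The script below is an added example, not code from the thread or from Cisco: an enforcement point takes the source SGT from an inline CMD header when the frame carries one (the ingress interface is assumed trusted), otherwise recovers it from an SXP-learned IP-to-SGT table by longest-prefix match, looks up the destination SGT from the same table, and applies an SGACL matrix with default deny. The CMD header layout (EtherType 0x8909, version, length, SGT option, 16-bit SGT, original EtherType) is written here as an assumption about the on-wire format; the bindings, SGACL matrix and frames are constructed sample data, and `strip_inline_tag` stands in for a core hop, such as a plain MPLS PE, that does not carry the tag.

```python
import ipaddress
import struct

# EtherType announcing a Cisco MetaData (CMD) header, and the SGT option inside it.
CMD_ETHERTYPE = 0x8909
CMD_OPTION_SGT = 0x01
ETHERTYPE_IPV4 = 0x0800


def inline_sgt(frame: bytes):
    """Return (sgt, inner_ethertype, l3_offset) for a frame carrying an inline
    CMD/SGT header, or (None, ethertype, 14) for an untagged frame.

    Assumed CMD layout after the two MACs: EtherType 0x8909, version, length,
    option type (0x01 = SGT), option length, 16-bit SGT, original EtherType.
    """
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != CMD_ETHERTYPE:
        return None, ethertype, 14
    _ver, _len, opt_type, _opt_len, sgt, inner = struct.unpack_from("!BBBBHH", frame, 14)
    if opt_type != CMD_OPTION_SGT:
        raise ValueError(f"unsupported CMD option {opt_type:#x}")
    return sgt, inner, 22


def strip_inline_tag(frame: bytes) -> bytes:
    """Model a hop that does not carry CMD (e.g. a plain MPLS PE): the tag is lost."""
    sgt, _inner, off = inline_sgt(frame)
    return frame if sgt is None else frame[:12] + frame[off - 2:]


class SxpBindingTable:
    """IP-to-SGT bindings learned out of band, e.g. pushed by ISE as SXP speaker."""

    def __init__(self, bindings):
        # Most specific prefix first, so the first hit is the longest match.
        self._entries = sorted(
            ((ipaddress.ip_network(prefix), sgt) for prefix, sgt in bindings),
            key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, sgt in self._entries:
            if addr in net:
                return sgt
        return None


def enforce(frame: bytes, bindings: SxpBindingTable, sgacl: dict) -> str:
    """Enforcement-point decision: source SGT from the inline tag if present
    (ingress interface assumed trusted), otherwise from the SXP bindings;
    destination SGT always from the bindings; then the SGACL matrix, default deny."""
    sgt, ethertype, off = inline_sgt(frame)
    if ethertype != ETHERTYPE_IPV4:
        return "permit"  # only IPv4 is modelled here
    src = ipaddress.ip_address(frame[off + 12:off + 16])
    dst = ipaddress.ip_address(frame[off + 16:off + 20])
    if sgt is None:
        sgt = bindings.lookup(src)  # tag lost in transit: fall back to SXP
    dgt = bindings.lookup(dst)
    if sgt is None or dgt is None:
        return "unknown"  # no classification for one side: group policy cannot apply
    return "permit" if sgacl.get((sgt, dgt), False) else "deny"


def build_frame(src: str, dst: str, sgt=None) -> bytes:
    """Constructed sample frame: dummy MACs, optional CMD tag, minimal IPv4
    header (checksum left at zero; only the addresses matter for the lookup)."""
    macs = b"\x02" * 6 + b"\x04" * 6
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    if sgt is None:
        return macs + struct.pack("!H", ETHERTYPE_IPV4) + ip
    cmd = struct.pack("!HBBBBHH", CMD_ETHERTYPE, 1, 1, CMD_OPTION_SGT, 1, sgt, ETHERTYPE_IPV4)
    return macs + cmd + ip


# Constructed data: bindings as ISE might push them over SXP, and a tiny SGACL matrix.
BINDINGS = SxpBindingTable([("10.1.0.0/16", 10), ("10.1.5.7/32", 20), ("10.2.0.0/16", 30)])
SGACL = {(10, 30): True, (20, 30): False}

if __name__ == "__main__":
    tagged = build_frame("10.1.5.7", "10.2.0.9", sgt=20)
    print(enforce(tagged, BINDINGS, SGACL))                                 # deny (inline SGT 20 -> 30)
    print(enforce(strip_inline_tag(tagged), BINDINGS, SGACL))               # deny (SGT 20 recovered via SXP /32)
    print(enforce(build_frame("10.1.9.1", "10.2.0.9"), BINDINGS, SGACL))    # permit (/16 binding -> SGT 10)
    print(enforce(build_frame("10.1.5.7", "10.2.0.9", sgt=10), BINDINGS, SGACL))  # permit (trusted inline tag wins)
    print(enforce(build_frame("192.0.2.1", "10.2.0.9"), BINDINGS, SGACL))   # unknown (no binding for source)
```

The fourth case is the one to keep in mind when mixing the two methods: on a trusted interface the inline tag is taken as-is even where the SXP table would classify the same address differently, so an untrusted or untagged link across a core that cannot carry CMD (the ASR903 PEs in this thread) leaves the enforcement point entirely dependent on the completeness of the bindings it receives from ISE.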


Thanks for your precious help, Damien,

 

I am still confused about how inline tagging and SXP should interoperate; as far as I understood, inline tagging is more like a static way to do the enforcement, as opposed to SXP.

DC is hosting ISE; on the remote site we have an SD-Access fabric, and enforcement would have to be done on the fusion router. In this scenario the ISE PSN would be the speaker and the fusion router the listener; the listener (fusion router) would download the SGACL from the speaker. I still don't understand how inline tagging fits in.

 

Davide 
