01-24-2023 01:14 PM
I'm migrating from an OLD to NEW ISE environment. Part of the move is to start over on TrustSec. It's never really worked anyway. I have a switch with the following TrustSec config that is hammering NEW ISE with CTS requests, but I have TrustSec disabled in the endpoint. I don't want to mess with the 'cts manual' commands because these commands are on a port-channel and would require me bringing the port-channel down to remove. Can I disable CTS by removing the other commands but leaving 'cts manual'?
SWITCH#show run | sec cts
aaa authorization network cts-list group ISE_RADIUS
cts cache enable
cts cache nv-storage bootflash:
cts authorization list cts-list
cts critical-authentication fallback Cached
cts role-based enforcement vlan-list 1-4094
! the two "cts manual" blocks below are interface sub-configuration;
! "| sec cts" prints them without the "interface ..." lines they belong to
cts manual
 policy static sgt 2 trusted
cts manual
 policy static sgt 2 trusted
01-24-2023 01:55 PM
Hello Josh, yes, you can proceed. TrustSec has multiple pieces, and as you may know, one of them is "Propagation". The cts manual commands configured on your interfaces allow your device to propagate the packets tagged with SGTs to other devices, like your next switch; this process is called inline tagging. You can read more about this in the following doc: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9400/software/release/16-9/configuration_guide/cts/b_169_cts_9400_cg/b_169_cts_9400_cg_chapter_01010.pdf
So in conclusion, removing the other cts commands won't affect your inline tagging configuration on the interface.
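The concrete command sequence for the cleanup the answer describes, as an added example that is not part of the thread or of Cisco's documentation. It assumes the list name cts-list, the server group ISE_RADIUS and the bootflash: cache path exactly as in the posted config; the "no" forms mirror the posted lines (on some releases "no cts authorization list" and "no cts cache nv-storage" accept the argument being omitted). Interface names are unknown from the thread and are not needed, because the interface-level cts manual blocks are deliberately left in place.

```cisco
! Added example, not from the thread. Names (cts-list, ISE_RADIUS, bootflash:)
! are taken from the posted config; nothing here touches the port-channels.
SWITCH# configure terminal
! 1. Stop SGACL enforcement on this switch. This is the only command in the
!    list that changes forwarding: tagged traffic is no longer filtered.
SWITCH(config)# no cts role-based enforcement vlan-list 1-4094
! 2. Stop the switch from asking ISE for environment data and policies.
!    These two lines are what drive the CTS RADIUS requests to NEW ISE.
SWITCH(config)# no cts authorization list cts-list
SWITCH(config)# no aaa authorization network cts-list group ISE_RADIUS
! 3. Remove the cached-data features; they only matter when ISE is unreachable.
SWITCH(config)# no cts critical-authentication fallback cached
SWITCH(config)# no cts cache enable
SWITCH(config)# no cts cache nv-storage bootflash:
SWITCH(config)# end
! 4. Flush environment data already downloaded so no refresh timer stays alive.
SWITCH# clear cts environment-data
! Optional, and only because the goal is to start over: this deletes the
! device ID/password from the keystore, so they must be re-entered for NEW ISE.
! SWITCH# clear cts credentials
! 5. Verify: no environment data, no SGACL policy, interfaces still in manual mode.
SWITCH# show cts environment-data
SWITCH# show cts role-based permissions
SWITCH# show cts interface brief
SWITCH# show run | sec cts
! Expected after cleanup: only the two "cts manual" blocks remain.
! 6. Confirm the requests to ISE have stopped: take this output twice a few
!    minutes apart; the authorization counters for ISE_RADIUS should not grow.
SWITCH# show aaa servers
```

One caveat worth keeping in mind for the rebuild on NEW ISE: "policy static sgt 2 trusted" still tells the switch to honour whatever SGT the peer puts on the wire across those port-channels. With "cts role-based enforcement" removed the switch no longer acts on those tags itself, it just forwards them, so the trust boundary on those links is unchanged by this cleanup and should be revisited when enforcement is turned back on.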