11-28-2018 05:42 AM
Hi team,
I have a case where SGT tagging based on an IP/subnet-to-SGT map is needed on an N7K (M3 LC) without enforcement active. Traffic that needs to be tagged can enter the Nexus:
- via an untrusted access port-channel: no SVI for this specific VLAN; packets need to be tagged and are sent to another device where they are already part of the trusted domain,
- via an untrusted access or trunk port for a specific VLAN that has an SVI configured.
For both cases the IP/subnet-to-SGT mapping is configured (pushed via ISE), but the tagging is not happening. Is there any limitation on this, or any special step to take to do this marking?
Thank you.
Best regards,
Michal
12-12-2018 03:57 AM
When pushing mappings from ISE you can use SSH or SXP but the mapping always gets placed at the VRF level.
12-13-2018 12:26 AM
Hi, thanks. These conditions are clear; however, is there a way to do the SGT marking without activating the enforcement?
12-13-2018 01:04 AM
Sure, network devices only enforce when they are told to enforce.
The N7k is told to enforce by using the following commands:
(config)# cts role-based enforcement
(config)# vrf context x
cts role-based enforcement
(config)# vlan y
cts role-based enforcement
12-13-2018 01:08 AM
The question is: will the Nexus do SGT marking without active enforcement? This means only SGT maps configured, without any enforcement activated.
12-13-2018 01:18 AM
Yes, our network devices (including the N7k) can classify/mark without enforcing.
Classification/marking occurs when there is a mapping present (dynamic, static, from SXP). Enforcement only occurs if the enforcement commands are present and required policy has been downloaded.
12-13-2018 02:10 AM
Thanks for the reply.
In our setup we have an N7k (NX-OS 8.3.1) registered to ISE, and environment data and policies are downloaded successfully. IP-to-SGT mappings are correctly pushed from ISE and present in the config, and no enforcement is active. We have one VLAN with an active SVI (default VRF); the mapping for this VLAN/subnet is present in the SGT map, and the traffic is coming to the N7K over an untrusted trunk port (no cts manual); however, the traffic is leaving the N7K unmarked (SGT 0). Other traffic that is passing through the N7K already marked is keeping its marking, so the boundary interfaces are fine. Is there anything else needed to have marking active?
12-13-2018 02:57 AM
Can you try the following independently:
a) Manually adding the mapping under the VLAN (rather than the VRF).
b) Enable DAI (ip arp inspection vlan <>) on the VLAN and on the corresponding incoming interfaces (ip arp inspection trust)
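The two independent tests suggested above, written out as an NX-OS configuration sketch. This is added here as an illustration and is not configuration from the thread or from Cisco documentation; VLAN 100, the host 10.10.100.20, SGT 10, port-channel 10, the feature dhcp prerequisite and the show commands are assumed values and commands to confirm against the platform's own documentation.

```text
! Assumed topology (placeholders, not from the thread): hosts in VLAN 100
! arrive on an untrusted trunk (port-channel 10); the N7K has an SVI for
! VLAN 100 in the default VRF, and no cts role-based enforcement is configured.
!
! What ISE pushes is an IP-to-SGT mapping at the VRF level (as stated in the
! thread). The manual equivalent sits under the VRF context:
vrf context <vrf-name>
  cts role-based sgt-map 10.10.100.20 10
!
! Test (a): place the same mapping under the VLAN instead of the VRF.
vlan 100
  cts role-based sgt-map 10.10.100.20 10
!
! Test (b): enable DAI on the VLAN and trust the incoming interface.
! Assumed prerequisite: ip arp inspection on NX-OS requires feature dhcp.
feature dhcp
ip arp inspection vlan 100
interface port-channel 10
  ip arp inspection trust
!
! Verify the mappings present and that no enforcement lines were added
! (show commands assumed; confirm on the platform):
! show cts role-based sgt-map
! show running-config cts
! show ip arp inspection vlan 100
```

Apply test (a) and test (b) separately and check the egress SGT after each, so the result can be attributed to one change.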
12-14-2018 03:09 AM
Thanks for the reply. I will try both options and report back.