Subnet/IP to SGT tagging on NX-OS

Hi team,

I have a case where SGT tagging based on an IP/subnet to SGT map is needed on an N7K (M3 LC) without enforcement active. Traffic that needs to be tagged can enter the Nexus:

- via an untrusted access port-channel - no SVI for this specific VLAN; packets need to be tagged and are sent to another device where they are already part of the trusted domain,

- via an untrusted access or trunk port for a specific VLAN that has an SVI configured.

For both cases the IP/subnet to SGT mapping is configured (pushed via ISE), but the tagging is not happening. Is there any limitation for this, or any special step to take to get this marking working?

Thank you.

Best regards,

Michal

Accepted Solution
Cisco Employee

Re: Subnet/IP to SGT tagging on NX-OS

When pushing mappings from ISE you can use SSH or SXP, but the mapping always gets placed at the VRF level.

  • The N7K MUST have an SVI on the VLAN if using IP-SGT learnt via SXP (or) SSH from ISE (or) CLI on a particular VRF [So when mapping resides in the VRF]
  • If N7K is L2 only then create an SVI w/o IP to be able to utilize the SXP or SSH mappings from ISE or the CLI mappings from the VRF

Re: Subnet/IP to SGT tagging on NX-OS

Hi, thanks. These conditions are clear; however, is there a way to do the SGT marking without activating the enforcement?

Cisco Employee

Re: Subnet/IP to SGT tagging on NX-OS

Sure, network devices only enforce when they are told to enforce.

The N7k is told to enforce by using the following commands:

(config)# cts role-based enforcement

(config)# vrf context x
  cts role-based enforcement

(config)# vlan y
  cts role-based enforcement

Re: Subnet/IP to SGT tagging on NX-OS

The question is: will the Nexus do SGT marking without active enforcement? This means only SGT maps configured, without any enforcement activated.

Cisco Employee

Re: Subnet/IP to SGT tagging on NX-OS

Yes, our network devices (including the N7k) can classify/mark without enforcing.

Classification/marking occurs when there is a mapping present (dynamic, static, from SXP). Enforcement only occurs if the enforcement commands are present and the required policy has been downloaded.

Re: Subnet/IP to SGT tagging on NX-OS

Thanks for the reply.

In our setup we have an N7k (NX-OS 8.3.1) registered to ISE, and the environment data and policies are downloaded successfully. IP to SGT mappings are correctly pushed from ISE and present in the config, and no enforcement is active. We have 1 VLAN with an active SVI (default VRF); the mapping for this VLAN/subnet is present in the SGT map and the traffic is coming to the N7K over an untrusted trunk port (no cts manual); however, the traffic is leaving the N7K unmarked (SGT 0). Other traffic that is passing the N7K already marked is keeping its marking, so the boundary interfaces are fine. Is there anything else needed to have marking active?

Cisco Employee

Re: Subnet/IP to SGT tagging on NX-OS

Can you try the following independently:

a) Manually adding the mapping under the VLAN (rather than the VRF).

b) Enable DAI (ip arp inspection vlan <>) on the VLAN and trust the corresponding incoming interfaces (ip arp inspection trust).
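The pieces suggested across this thread (an SVI on the VLAN without an IP address from the accepted solution, the VLAN-level mapping from option a, and DAI from option b), written out as one NX-OS configuration sketch so the three can be compared side by side. This is an added example, not the poster's or Cisco's configuration. VLAN 10, subnet 10.1.10.0/24, SGT 100 and port-channel10 are constructed values; the exact form of cts role-based sgt-map under vlan configuration and the feature dhcp prerequisite for DAI are assumptions to verify against the NX-OS 8.x security configuration guide before use.

```text
! Added example, not from the thread. Constructed values: VLAN 10, 10.1.10.0/24, SGT 100,
! port-channel10. No "cts role-based enforcement" appears anywhere, so the switch
! classifies (marks) but never enforces, which is the behaviour the thread is after.
feature cts
feature dhcp              ! assumption: DAI on NX-OS requires the DHCP snooping feature

! Accepted solution: an SVI on the VLAN with no IP address, so that VRF-level
! mappings (pushed from ISE via SSH or SXP, or entered under the VRF) are usable.
interface Vlan10
  no shutdown

! Option (a): place the subnet mapping directly under the VLAN instead of the VRF.
! assumption: the subnet/prefix form of this command under vlan configuration
vlan 10
  cts role-based sgt-map 10.1.10.0/24 100

! Option (b): DAI on the VLAN, with the ingress interface trusted so frames
! are not dropped while the switch learns the IP-SGT binding.
ip arp inspection vlan 10
interface port-channel10
  ip arp inspection trust

! Verification: the mapping should be listed, and the running config should
! contain no enforcement statements.
show cts role-based sgt-map
show running-config cts
```

Apply options (a) and (b) one at a time, as the reply suggests, and check show cts role-based sgt-map after each change so it is clear which one actually caused egress traffic to carry the tag.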

Re: Subnet/IP to SGT tagging on NX-OS

Thanks for the reply. I will try both options and report back.