TrustSec Cat9300 VLAN to SGT

przemoa · ‎02-18-2019

Hello,
I have configured trustsec vlan enforcement on the Cat9300:
   cts role-based sgt-map vlan-list 222 sgt 222
   cts role-based enforcement
   cts role-based enforcement vlan-list 222
but the command "show cts role-based sgt-map all" shows nothing.
The command "show device-tracking database" shows properly the connected host:
Binding Table has 2 entries, 2 dynamic (limit 100000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned

    Network Layer Address               Link Layer Address Interface        vlan prlvl age   state     Time left
ARP 10.22.22.2                              0050.5692.5acb Gi1/0/4         222 0011    8s REACHABLE 292 s try 0

I have tried various IOS XE software 16.10.1, 16.9.2, 16.6.5 but unsuccessfully.
Does anyone have experience with the Trustsec configuration on the Catalyst 9000 series and mapping VLANs to SGT?

Best Regards,

Przemo

Damien Miller · ‎02-18-2019

Your configuration is fine. It's not until traffic in vlan 222 passes through the switch that you will get IP-SGT mappings based on your static vlan tagging. The VLAN to SGT mapping only shows up in the config. I can demonstrate it because I only have traffic on vlan 1 with my lab switch.

9300(config)#cts role-based sgt-map vlan-list 222 sgt 222
9300(config)#do sh cts role-based sgt-map all
Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
10.0.0.26 6 CLI

9300(config)#no cts role-based sgt-map vlan-list 222 sgt 222

9300(config)#cts role-based sgt-map vlan-list 1 sgt 222
9300(config)#do sh cts role-based sgt-map all
Active IPv4-SGT Bindings Information

IP Address SGT Source
============================================
10.0.0.8 222 VLAN
10.0.0.9 222 VLAN
10.0.0.10 222 VLAN
10.0.0.25 222 VLAN
10.0.0.26 6 CLI
10.0.0.27 222 VLAN
10.0.0.85 222 VLAN

IP-SGT Active Bindings Summary
============================================
Total number of VLAN bindings = 6
Total number of CLI bindings = 1
Total number of active bindings = 7

przemoa · ‎02-19-2019

Damien
for the test I changed VLAN 222 to VLAN 1 and the mapping SGT to VLAN works fine but in my lab I have hosts in VLAN 222.
I have a trunk between Catalyst 9300 an Catalyst 3850(software 16.9.2). Two hosts are connected to Cat9300 and one host to Cat3850, all hosts communicate with each other, traffic goes through both switches in VLAN 222. On the Cat3850 the command "show cts role-based sgt-map all" shows:
Active IPv4-SGT Bindings Information

IP Address SGT Source
============================================
10.22.22.214 222 VLAN

but on Cat9300 nothing shows and as a result there is no possibility of enforcement (SGACL).

Damien Miller · ‎02-19-2019

On the 3850 is there an SVI for vlan 222? No vlan 222 SVI on the 9300?

przemoa · ‎02-19-2019

Damien
the 3850 has SVI for VLAN 222 but when I removed it, the mapping SGT in VLAN 222 remains untouched.
The 9300 has no SVI for any VLAN. When I add SVI for VLAN 222, the mapping SGT to VLAN appears but the idea is that the 9300 must be access switch role without any SVI.