TrustSec Design Question

jideji
Cisco Employee

L3IF TrustSec Interface-to-SGT Mapping: is it possible to receive multiple SGTs on the ports that are facing the WAN?

Sample topology

      Site-A                                             WAN-Cloud                              Site-B

3750x ---------- ASR-1 ---------------------GREoMPLS---------------ASR2--------------------3750x

In the above topology, in Site-A we have five SGTs (10, 20, 30, 40 and 50) that we would like to propagate across the MPLS WAN to Site-B. My question is: what is the best way to get these SGTs from Site-A to Site-B over the MPLS WAN link? Any pointers will be greatly appreciated. Please also see the attached topology.

Accepted Solution

mjessup
Cisco Employee

Hi Jason,

GRE supports inline tagging much the same as an Ethernet interface. This will allow you to propagate the tags over the service provider MPLS WAN. So all traffic will leave one side of the WAN and arrive at the other side with the original tag.

Note that this is not the same as L3IF-SGT mapping which will take all traffic received on the configured interface and map it to the value specified.

To support inline tagging over GRE, apply the command cts sgt inline to the tunnel interface, like so:

interface Tunnel10
 ip mtu 1360
 ! MSS lowered by a further 8 bytes to make room for the inline SGT header
 ip tcp adjust-mss 1352
 ! carry the SGT in the GRE payload instead of dropping it at the tunnel
 cts sgt inline


You will also notice that with inline tagging over GRE an additional 8 bytes of overhead are required, so if your ip mtu is set to 1360, for example (typical for IPsec/GRE or DMVPN), you will want to lower the TCP maximum segment size by 8 bytes, as above.

Also please note that you will want to be running 3.16.5S on the ASR, which fixed a related defect, CSCvb44207.

Mike

TrustSec TME, Cisco Systems

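As an added illustration of the accepted answer (this is example code, not from the original post or from Cisco), the script below builds and parses the 8-byte Cisco MetaData (CMD) header that inline SGT tagging inserts into a frame, which is where the "additional 8 bytes of overhead" come from, and then works the GRE tunnel MTU/MSS budget with and without that header. The CMD field layout follows Cisco's published format; the value carried in the CMD length field and the way the CMD is carried inside GRE (GRE protocol type set to the CMD EtherType, CMD body ahead of the inner IP packet) are assumptions, and all frames and packets are constructed inline rather than captured.

```python
"""Added example, not code from the original post or from Cisco.

Shows concretely what `cts sgt inline` adds to a packet: the 8-byte Cisco
MetaData (CMD) header that carries the SGT, built and parsed here, and the
MTU/MSS budget for a GRE tunnel with and without that header.  CMD field
layout follows Cisco's published format; CMD_LENGTH's value and the GRE
carrier layout are assumptions.  Sample frames are constructed, not captured.
"""
import struct

CMD_ETHERTYPE = 0x8909      # Cisco MetaData EtherType
CMD_VERSION = 0x01
CMD_LENGTH = 0x01           # assumed value for a header carrying one SGT option
SGT_OPTION_TYPE = 0x0001    # option type identifying the Security Group Tag
CMD_EXTRA_BYTES = 8         # the "additional 8 bytes of overhead" in the answer
IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4                 # flags/version + protocol type, no optional fields


def build_cmd(sgt, inner_ethertype=0x0800):
    """CMD EtherType + body, inserted where the frame's EtherType used to be."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit value")
    return struct.pack("!HBBHHH", CMD_ETHERTYPE, CMD_VERSION, CMD_LENGTH,
                       SGT_OPTION_TYPE, sgt, inner_ethertype)


def parse_cmd_body(buf, off):
    """Parse the 6 bytes following a CMD EtherType -> (sgt, inner_ethertype, next_off)."""
    version, _length, opt, sgt, inner = struct.unpack_from("!BBHHH", buf, off)
    if version != CMD_VERSION or opt != SGT_OPTION_TYPE:
        raise ValueError("not a single-SGT CMD header")
    return sgt, inner, off + 6


def sgt_from_ethernet(frame):
    """(sgt, inner_ethertype, payload_offset) for a CMD-tagged frame, else None."""
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == 0x8100:          # an 802.1Q tag sits in front of the CMD
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != CMD_ETHERTYPE:
        return None
    return parse_cmd_body(frame, off + 2)


def sgt_from_gre(packet):
    """Outer IPv4 + GRE carrying a CMD (assumed layout, see module docstring)."""
    ihl = (packet[0] & 0x0F) * 4
    flags, proto = struct.unpack_from("!HH", packet, ihl)
    off = ihl + GRE_HDR
    for bit in (0x8000, 0x2000, 0x1000):   # C, K, S each add a 4-byte field
        if flags & bit:
            off += 4
    if proto != CMD_ETHERTYPE:
        return None
    return parse_cmd_body(packet, off)


def gre_overhead(inline_sgt=False, key=False, seq=False, csum=False):
    """Bytes the IPv4/GRE encapsulation puts in front of the inner packet."""
    overhead = IPV4_HDR + GRE_HDR + 4 * (int(csum) + int(key) + int(seq))
    return overhead + (CMD_EXTRA_BYTES if inline_sgt else 0)


def tunnel_ip_mtu(underlay_mtu, overhead):
    """Largest inner IP packet that fits the underlay after encapsulation."""
    return underlay_mtu - overhead


def tcp_mss_for(ip_mtu):
    """Largest TCP payload whose inner IPv4/TCP packet fits the tunnel ip mtu."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def demo():
    """Constructed frame with SGT 20 plus the MSS budget for a 1500-byte underlay."""
    frame = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
             + build_cmd(20) + b"\x45" + b"\x00" * 19)
    plain = gre_overhead()
    tagged = gre_overhead(inline_sgt=True)
    return {
        "sgt": sgt_from_ethernet(frame)[0],
        "cmd_bytes": len(build_cmd(20)) - 2,      # the original EtherType is reused
        "mss_plain": tcp_mss_for(tunnel_ip_mtu(1500, plain)),
        "mss_tagged": tcp_mss_for(tunnel_ip_mtu(1500, tagged)),
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints the parsed SGT alongside the two MSS values, whose difference is exactly the 8 bytes the answer says to subtract; the same helper also recovers the tag from a GRE packet, which is the check you would run on a capture taken on the WAN-facing interface to confirm the tag really survives the tunnel.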

2 Replies


Thanks