cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2520
Views
1
Helpful
2
Replies

TrustSec Design Question

jideji
Cisco Employee
Cisco Employee

L3IF trustSec Interface-to-SGT Mapping, is it possible to receive multiple  SGT  on the ports that is  facing the WAN ?

Sample  topology

      Site-A                                             WAN-Cloud                              Site-B

3750x ---------- ASR-1 ---------------------GREoMPLS---------------ASR2--------------------3750x

On the above topology. In Site-A,  we have five SGT 10,20,30,40 and 50  that we like to propagate across the  MPLS WAN  to Site-B. My question is; what is the best way to get these SGT from Site-A to Site-B  over the MPLS WAN link. Please any pointers will be greatly appreciated. Please also see attached topology.

1 Accepted Solution

Accepted Solutions

mjessup
Cisco Employee
Cisco Employee

Hi Jason,

GRE supports inline tagging much the same as an Ethernet interface. This will allow you to propagate the tags over the service provider MPLS WAN. So all traffic will leave one side of the WAN and arrive at the other side with the original tag.

Note that this is not the same as L3IF-SGT mapping which will take all traffic received on the configured interface and map it to the value specified.

To support inline tagging over GRE apply the command <cts sgt inline> to the tunnel interface as so:

interface Tunnel10

  ip mtu 1360

  ip tcp adjust-mss 1352

  cts sgt inline


You will also notice that with inline tagging over GRE, an additional 8 bytes of overhead will be required so if your ip mtu is set to 1360 for example (typical for IPsec/GRE or DMVPN), you will want to lower the TCP maximum segment size by 8 bytes as above.

Also please note that you will want to be running 3.16.5S on the ASR which fixed a related defect, CSCvb44207.

Mike

TrustSec TME, Cisco Systems

View solution in original post

2 Replies 2

mjessup
Cisco Employee
Cisco Employee

Hi Jason,

GRE supports inline tagging much the same as an Ethernet interface. This will allow you to propagate the tags over the service provider MPLS WAN. So all traffic will leave one side of the WAN and arrive at the other side with the original tag.

Note that this is not the same as L3IF-SGT mapping which will take all traffic received on the configured interface and map it to the value specified.

To support inline tagging over GRE apply the command <cts sgt inline> to the tunnel interface as so:

interface Tunnel10

  ip mtu 1360

  ip tcp adjust-mss 1352

  cts sgt inline


You will also notice that with inline tagging over GRE, an additional 8 bytes of overhead will be required so if your ip mtu is set to 1360 for example (typical for IPsec/GRE or DMVPN), you will want to lower the TCP maximum segment size by 8 bytes as above.

Also please note that you will want to be running 3.16.5S on the ASR which fixed a related defect, CSCvb44207.

Mike

TrustSec TME, Cisco Systems

Thanks