02-12-2017 11:54 AM - edited 03-11-2019 12:27 AM
L3IF TrustSec Interface-to-SGT Mapping: is it possible to receive multiple SGTs on the ports that are facing the WAN?
Sample topology
Site-A WAN-Cloud Site-B
3750x ---------- ASR-1 ---------------------GREoMPLS---------------ASR2--------------------3750x
On the above topology, in Site-A we have five SGTs (10, 20, 30, 40 and 50) that we would like to propagate across the MPLS WAN to Site-B. My question is: what is the best way to get these SGTs from Site-A to Site-B over the MPLS WAN link? Any pointers will be greatly appreciated. Please also see the attached topology.
02-13-2017 01:22 PM
Hi Jason,
GRE supports inline tagging much the same as an Ethernet interface. This will allow you to propagate the tags over the service provider MPLS WAN, so all traffic will leave one side of the WAN and arrive at the other side with the original tag.
Note that this is not the same as L3IF-SGT mapping, which will take all traffic received on the configured interface and map it to the value specified.
To support inline tagging over GRE, apply the command <cts sgt inline> to the tunnel interface like so:
interface Tunnel10
 ip mtu 1360
 ip tcp adjust-mss 1352
 cts sgt inline
You will also notice that with inline tagging over GRE an additional 8 bytes of overhead will be required, so if your ip mtu is set to 1360, for example (typical for IPsec/GRE or DMVPN), you will want to lower the TCP maximum segment size by 8 bytes, as above.
Also, please note that you will want to be running 3.16.5S on the ASR, which fixed a related defect, CSCvb44207.
Mike
TrustSec TME, Cisco Systems
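The MSS caveat in the answer above is easy to miss on a box with many tunnels. The following added example (not from the original post or from Cisco) audits IOS tunnel stanzas: for every interface that has `cts sgt inline`, it checks that `ip tcp adjust-mss` is at least 8 bytes below `ip mtu`, mirroring the 1360/1352 pairing in the post, and flags tunnels that enable inline tagging without any `adjust-mss`. The sample config is constructed; Tunnel20, Tunnel30 and Tunnel40 are hypothetical.

```python
import re
from typing import Dict, List, Optional

# Constructed sample running-config: Tunnel10 is the stanza from the post,
# Tunnel20 tags inline but never lowered its MSS, Tunnel30 does not tag,
# Tunnel40 tags inline with no adjust-mss at all.
SAMPLE_CONFIG = """\
interface Tunnel10
 ip mtu 1360
 ip tcp adjust-mss 1352
 cts sgt inline
!
interface Tunnel20
 ip mtu 1360
 ip tcp adjust-mss 1360
 cts sgt inline
!
interface Tunnel30
 ip mtu 1360
 ip tcp adjust-mss 1360
!
interface Tunnel40
 ip mtu 1360
 cts sgt inline
!
"""

CMD_OVERHEAD = 8  # bytes added per packet by the inline SGT (Cisco MetaData) header


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under their 'interface X' stanza."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return stanzas


def audit_inline_tagging(config: str) -> Dict[str, str]:
    """Return one finding per inline-tagged tunnel whose MSS ignores the CMD overhead."""
    findings: Dict[str, str] = {}
    for name, cmds in parse_interfaces(config).items():
        if "cts sgt inline" not in cmds:
            continue
        mtu = mss = None
        for c in cmds:
            if m := re.match(r"ip mtu (\d+)$", c):
                mtu = int(m.group(1))
            if m := re.match(r"ip tcp adjust-mss (\d+)$", c):
                mss = int(m.group(1))
        if mss is None:
            findings[name] = "cts sgt inline without ip tcp adjust-mss"
        elif mtu is not None and mss > mtu - CMD_OVERHEAD:
            findings[name] = f"adjust-mss {mss} not lowered {CMD_OVERHEAD} bytes below ip mtu {mtu}"
    return findings


if __name__ == "__main__":
    for tunnel, issue in audit_inline_tagging(SAMPLE_CONFIG).items():
        print(f"{tunnel}: {issue}")
```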
02-13-2017 01:24 PM
Thanks