1978 Views | 3 Helpful | 12 Replies

TrustSec Inline tagging POC

joeharb
Level 5

I am in the process of setting up CTS inline tagging and I am not seeing the tag on the layer 3 device that is the users' gateway.

Does cts manual and propagate sgt need to be configured on the user's interface or just on the interface facing the layer 3 device?

When I enabled it on the trunk port from the switch to the router I lost connectivity to everything on the switch until I enabled cts manual/propagate sgt on all the sub-interfaces. I did a capture on the router and I see that packets from the router destined to the end user have the CMD field in the trace, but packets from the client don't have it. When I attempt to add cts manual/propagate sgt on the user's interface I get an error: "Command rejected (Gi1/0/8): conflict with Dot1x Auth".

Does the cts command need to be on the base router interface as well as the sub-interfaces? Now I don't see CDP information from the router facing the switch, but the switch sees it properly.

Thanks in advance,

Joe

12 Replies

Damien Miller
VIP Alumni

You do not configure cts manual or cts propagation on user-facing interfaces, only on links between devices that support inline tagging.

If the router interface has sub-interfaces, then yes, you need cts manual enabled on the parent and on each sub-interface too.

Thanks for the reply. I have added cts manual to the parent interface and I am now seeing good CDP traffic, but my capture at the router is not showing the tags on traffic coming back from the switch.

Any idea of how to troubleshoot?

Thanks,

Joe

Damien Miller
VIP Alumni

If you enable CTS SGT caching on the router you would be able to see if the SGTs are making it to the router.

cts role-based sgt-caching will enable the feature, and sh cts role-based sgt-map all | inc CACHED will display any IP-SGT bindings learned via inline tagging.

As for troubleshooting, can you give me an idea of the flow and the network devices involved first, or a diagram? For example:
endpoint <> 3850 <> 6840 <> 4431

I am simply doing a ping to a device on the switch. The 2 devices that I am testing inline tagging on are a 4300 ISR router trunked to a Catalyst 9300 switch. The device on the switch is a printer and I can see it has an SGT of 6. My packet capture on the 4300 shows my traffic to the printer with CMD, but the return does not.

Thanks,
Joe

The link below shows how to use NetFlow to monitor inline tagging (no NetFlow collector is required; you can view the flows on the box). I found it very useful when deploying TrustSec.

hth
Andy


https://community.cisco.com/t5/security-documents/trustsec-troubleshooting-guide/ta-p/3647576#toc-hId-1858751395

 

I have enabled NetFlow and I am able to see outbound tags applied, but I am still not seeing these upstream. I rebooted the switch last night to enable the DNA add-on for NetFlow. I have not physically shut down the interface between the router and the switch; should I attempt that, or possibly a reboot of the router? I have started a TAC case, but most of the debugs they have tried are either not valid or not giving much information. The odd part is that if I do a capture from the router I see the egress traffic having the metadata but nothing from the switch; if I do a similar capture on the switch I see the packets coming from the router having the metadata but not the packets leaving the switch. Not sure why the flow would show the proper tagging but the capture does not.

 

Thanks,

Joe

Is the bug below applicable to your setup?


https://quickview.cloudapps.cisco.com/quickview/bug/CSCve60357

We are on 16.12.03a on the switch, which appears to be a fixed version.

Hi Joe,
I passed through 16.12.3a 1.5+ years ago with C9300 Network Advantage.
Apart from cts manual on the uplinks to the core, I integrated a LAN of 29 switches into the TrustSec domain with ISE by a quite simple cts config (apart from turning to PAC authorization with my ISE PSNs RADIUS group):
cts credentials id <switchname> password <cts-pass>
aaa authorization network TRUSTSEC group auth-radius
cts authorization list TRUSTSEC
After that the switches started to insert CMD (SGT=0) into authenticated clients' frames.
Then, when I configured SGT assignment within AuthZ profiles on ISE, the SGT values in the frames changed correspondingly.
What is your cts configuration?


hslai
Cisco Employee

Just to share my in-line tagging experience.

Recently I tried in-line tagging between C9800-CL and C8000V, both hosted on a nested ESXi. C9800-CL is on IOS-XE 17.10.1, to get the official DACL support. C8000V was initially on 17.6.1a, but inline tagging was not working from C9800-CL to C8000V. After trying a number of newer IOS-XE releases, it finally works with IOS-XE 17.10.1a.

Hi,

Just for better clarity, please: what software on which platform did you end up using to make it work?

Hi hslai,
Could you please also take a look at 2 other threads? Thanks in advance.
L2-SGT treatment during routing - Cisco Community
SGT VXLAN into L2-SGT translation option - Cisco Community