Beginner

TrustSec SGT Binding Priority

I had always thought that CTS binding priority was the same throughout TrustSec until recently I discovered that isn't true. Below is the SGT Binding priority that I have always worked with.

1. VLAN - Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured.

2. CLI - Address bindings configured using the IP_SGT form of the "cts role-based sgt-map" global configuration command.

3. Layer 3 Interface - Bindings added due to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports.

4. SXP - Bindings learned from SXP peers.

5. IP_ARP - Bindings learned when tagged ARP packets are received on a CTS capable link.

6. LOCAL - Bindings of authenticated hosts which are learned via device tracking. This type of binding also includes individual hosts that are learned via ARP snooping on L2 ports. Direct switch enforcement. These fall under dynamic classification.

7. INTERNAL - Bindings between locally configured IP addresses and the device's own SGT. So, things like loopback addresses or addresses that are locally configured on the device can have an SGT assigned to them.

Now, I have found out that for Nexus NX-OS devices the priority isn't the same. This appears to be the Nexus priority.

1. Cisco Fabric Services (CFS) - CTS IP-SGT bindings learnt on vPC peer. This is applicable only to vPC peer devices.

2. VLAN-SGT - Bindings learned from snooped ARP or DHCP packets on a VLAN that is configured with a VLAN-SGT mapping.

3. SGT-caching - IP-SGT bindings learnt on a VLAN or VRF, where SGT-caching is configured.

4. SXP - Bindings learned from SXP peers.

5. Learnt on interface - Bindings of authenticated hosts which are learned via EPM and device tracking. This type of binding also includes individual hosts that are learned via ARP snooping on L2 [I]PM configured ports.

6. CLI - Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.

7. Port ASIC - SGT bindings derived inline or directly from the port, based on CTS trusted or untrusted configuration.

Question: Is there anyone at Cisco that can provide a listing of priorities based on platform since it appears that this is not standard across all devices participating in TrustSec?

Accepted Solution
Cisco Employee

This has just always been the case. It's a difference between IOS and NX-OS only.

In fact, SGT caching is also an option for IOS and it is the 2nd highest priority:

1. VLAN—Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured.

2. CLI—Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.

3. Layer 3 Interface (L3IF)—Bindings added due to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports.

4. SXP—Bindings learned from SXP peers.

5. IP_ARP—Bindings learned when tagged ARP packets are received on a CTS capable link.

6. LOCAL—Bindings of authenticated hosts which are learned via EPM and device tracking. This type of binding also includes individual hosts that are learned via ARP snooping on L2 [I]PM configured ports.

7. SGT CACHING—Bindings learned through the SGT Caching feature by gleaning the inline SGT in the packet.

8. INTERNAL—Bindings between locally configured IP addresses and the device's own SGT.

The difference between the priorities on IOS and NX-OS has been documented in the likes of Cisco Live slides and FAQs and is listed in the troubleshooting guide (found by searching for 'TrustSec troubleshooting guide' in search engines or more directly at: https://communities.cisco.com/docs/DOC-69479#jive_content_id_Is_there_a_priority_list_when_configuring_different_classification_types_on_IOS)

I'll think of other locations where this sort of information should be posted.

Regards, Jonothan.
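To make the practical consequence of the two orderings visible, here is an added worked example (not code from this thread, from Cisco, or from any Cisco tool). It encodes the IOS priority list from the accepted answer and the NX-OS list from the question, then resolves the same set of IP-to-SGT bindings under each platform and reports the prefixes whose effective SGT changes. The source labels, the `Binding` class, the sample bindings and the treatment of NX-OS "Learnt on interface" as equivalent to IOS `LOCAL` (their descriptions in the thread are the same) are this example's own assumptions. For an audit of enforcement policy the interesting output is the divergence list: a static `cts role-based sgt-map` entry that wins on IOS is overridden by an SXP-learned binding on NX-OS, and an SGT-caching binding that loses to SXP on IOS wins on NX-OS.

```python
"""Resolve IP-to-SGT binding conflicts per platform priority.

Added example, not from the thread. The two tables below transcribe the
IOS list (accepted answer) and the NX-OS list (question); the labels are
this script's shorthand, not Cisco CLI keywords.
"""
from dataclasses import dataclass

# Highest priority first.
IOS_PRIORITY = [
    "VLAN", "CLI", "L3IF", "SXP", "IP_ARP", "LOCAL", "SGT_CACHING", "INTERNAL",
]
# Assumption: NX-OS "Learnt on interface" is modelled as LOCAL, since the
# thread describes both as EPM / device tracking / ARP snooping bindings.
NXOS_PRIORITY = [
    "CFS", "VLAN", "SGT_CACHING", "SXP", "LOCAL", "CLI", "PORT_ASIC",
]
PLATFORMS = {"IOS": IOS_PRIORITY, "NX-OS": NXOS_PRIORITY}


@dataclass(frozen=True)
class Binding:
    prefix: str   # host or subnet, e.g. "10.1.1.5/32"
    sgt: int
    source: str   # one of the labels in the priority tables


def resolve(bindings, platform):
    """Return {prefix: winning Binding} for one platform.

    Per prefix, the binding whose source ranks highest (lowest index) in the
    platform's table wins. A source the platform does not have is treated as
    an input error rather than silently ranked last.
    """
    rank = {src: i for i, src in enumerate(PLATFORMS[platform])}
    winners = {}
    for b in bindings:
        if b.source not in rank:
            raise ValueError(f"{b.source} is not a binding source on {platform}")
        current = winners.get(b.prefix)
        if current is None or rank[b.source] < rank[current.source]:
            winners[b.prefix] = b
    return winners


def platform_divergence(bindings):
    """Prefixes whose effective SGT differs between IOS and NX-OS.

    Only bindings from sources present on both platforms are compared, so
    the result isolates the ordering difference the thread is about.
    """
    common = set(IOS_PRIORITY) & set(NXOS_PRIORITY)
    shared = [b for b in bindings if b.source in common]
    ios = resolve(shared, "IOS")
    nxos = resolve(shared, "NX-OS")
    return {p: (ios[p], nxos[p]) for p in ios if ios[p].sgt != nxos[p].sgt}


# Constructed sample: three hosts, each classified by two sources that disagree.
SAMPLE = [
    # Static map ("cts role-based sgt-map 10.1.1.5 sgt 10") vs an SXP peer.
    Binding("10.1.1.5/32", 10, "CLI"),
    Binding("10.1.1.5/32", 20, "SXP"),
    # VLAN-SGT mapping vs a static map: VLAN outranks CLI on both platforms.
    Binding("10.1.2.7/32", 30, "VLAN"),
    Binding("10.1.2.7/32", 31, "CLI"),
    # Inline tag gleaned by SGT caching vs an SXP peer.
    Binding("10.1.3.9/32", 40, "SGT_CACHING"),
    Binding("10.1.3.9/32", 41, "SXP"),
]


def report(bindings):
    """One audit line per prefix where the platform changes the outcome."""
    lines = []
    for prefix, (ios, nxos) in sorted(platform_divergence(bindings).items()):
        lines.append(
            f"{prefix}: IOS -> SGT {ios.sgt} ({ios.source}), "
            f"NX-OS -> SGT {nxos.sgt} ({nxos.source})"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Running the script lists `10.1.1.5/32` (CLI wins on IOS, SXP wins on NX-OS) and `10.1.3.9/32` (SXP wins on IOS, SGT caching wins on NX-OS); `10.1.2.7/32` is absent because VLAN outranks CLI on both platforms. Feeding the script the bindings exported from a real deployment (after mapping each `show cts role-based sgt-map` source to one of the labels) is a quick way to find classifications that will behave differently when a policy is applied across mixed IOS and NX-OS enforcement points.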

Beginner

Thank you, Jonathan.