Trustsec SGTACL stops restricting traffic after a period of time.

joeharb
Level 5

I am testing the deployment of SGTs and SGTACLs as part of a POC. I am using a 3650 switch, and when I put an end user/port into a SGT that should deny traffic to another SGT it works perfectly for a random period of time.

USER is given tag 4:NON_PCI_USER and there is a static IP-to-SGT mapping for 10.4.62.19 to 5:PCI_DATA

IPv4 Role-based permissions from group 4:NON_PCI_USER to group 5:PCI_DATA:
DENY_IP-01

Once I authenticate I run a continuous ping to 10.4.62.19 and it is not successful; FTP is also running on 10.4.62.19, which is denied as well. I have tried to time it but have not found it to be consistent (less than 15 min generally), but after some time the pings are successful and I am able to connect to 10.4.62.19 via FTP. If I clear the access-session the restriction is put back in place. I have verified that there is no reauth occurring and that the policy is the same when it denies as it is when the traffic is allowed.

Switch is running: 16.09.04

Thanks,

Joe
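The check the poster describes, comparing the role-based permissions table while traffic is denied with the table after traffic starts passing, can be scripted so the table is polled and diffed rather than eyeballed. This is an added example, not code from the thread or from Cisco: the CLI output it parses is constructed, modelled on the two permissions lines quoted above, and the wording of the default entry and the trailer lines is an assumption.

```python
"""Parse 'show cts role-based permissions' output and diff snapshots.

Added example: the permissions header format is taken from the line quoted in
the thread; the default-entry and trailer lines in the samples are assumed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Header line as quoted in the thread, followed by one indented SGACL per line:
#   IPv4 Role-based permissions from group 4:NON_PCI_USER to group 5:PCI_DATA:
#           DENY_IP-01
HEADER_RE = re.compile(
    r"^IPv4 Role-based permissions from group (?P<src>\S+) to group (?P<dst>\S+):\s*$"
)
# Catch-all entry; exact wording assumed, not taken from the thread.
DEFAULT_RE = re.compile(r"^IPv4 Role-based permissions default:\s*$")

PolicyTable = Dict[Tuple[str, str], List[str]]
DEFAULT_KEY = ("default", "default")


def parse_permissions(output: str) -> PolicyTable:
    """Return {(src_sgt, dst_sgt): [sgacl names]} from the CLI output.

    Indented lines belong to the most recent header; any other non-indented
    line (prompt, trailer) closes the current cell. Blank lines are ignored.
    """
    table: PolicyTable = {}
    current: Optional[Tuple[str, str]] = None
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = (m.group("src"), m.group("dst"))
            table.setdefault(current, [])
        elif DEFAULT_RE.match(line):
            current = DEFAULT_KEY
            table.setdefault(current, [])
        elif line[0] in " \t" and current is not None:
            table[current].append(line.strip())
        else:
            current = None
    return table


def has_sgacl(table: PolicyTable, src: str, dst: str, sgacl: str) -> bool:
    """True if the named SGACL is bound to the src->dst cell."""
    return sgacl in table.get((src, dst), [])


def diff_tables(before: PolicyTable, after: PolicyTable) -> List[str]:
    """List every src->dst cell whose SGACL list changed between snapshots."""
    changes = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key), after.get(key)
        if b != a:
            changes.append(f"{key[0]} -> {key[1]}: {b} => {a}")
    return changes


# Constructed sample outputs (not captured from a real switch).
SNAPSHOT_DENYING = """\
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 4:NON_PCI_USER to group 5:PCI_DATA:
        DENY_IP-01
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
"""

# Same policy, taken once traffic started passing (with the prompt captured).
SNAPSHOT_SAME_POLICY = "Switch#show cts role-based permissions\n" + SNAPSHOT_DENYING

# What a genuine policy change would look like: the deny cell is gone.
SNAPSHOT_MISSING = """\
IPv4 Role-based permissions default:
        Permit IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
"""


def main() -> None:
    before = parse_permissions(SNAPSHOT_DENYING)
    print("deny present:", has_sgacl(before, "4:NON_PCI_USER", "5:PCI_DATA", "DENY_IP-01"))
    print("drift (same policy):", diff_tables(before, parse_permissions(SNAPSHOT_SAME_POLICY)))
    print("drift (cell removed):", diff_tables(before, parse_permissions(SNAPSHOT_MISSING)))


if __name__ == "__main__":
    main()
```

Run against periodic captures of the command, an empty diff while the traffic is passing confirms the poster's observation that the downloaded policy itself has not changed, which points at enforcement rather than policy as the thing to look at next.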

2 Replies

You should not be attempting TrustSec on a 3650.  3650 has reached end of software support.  There are MANY TrustSec related bugs in 16.9 that will never get fixed.

https://www.cisco.com/site/us/en/products/collateral/switches/catalyst-3650-series-switches/eos-eol-notice-c51-744426.html

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9300-series-switches/eos-eol-notice-c51-742700.html


It does seem to be buggy behaviour. If you could, try to upgrade the code to the latest recommended release, which I believe is 16.12.12. Also, as @ahollifield mentioned, some of the 3650 switch services are already end of life; however, I think you still have a couple of years before the end of support is reached.