05-11-2023 06:29 AM
Hi,
After running cts role-based enforcement vlan-list 200 on an access switch, the devices can no longer reach their gateway (an SVI on a distribution switch). Without reachability to the gateway, outside connectivity is also lost.
The uplink between the access switch and the distribution switch has CTS enabled. The TrustSec matrix allows traffic to "unknown" (untagged) destinations, although I presume this has nothing to do with it, since the distribution switch is not enforcing any traffic; it is configured as cts role-based monitor all.
As soon as we remove the VLAN enforcement, reachability is recovered; however, the traffic is not enforced for hosts in the same VLAN with the same tag, even though there is an SGACL applied on the switch that denies all traffic from/to the same SGT.
Any idea?
Thanks!
05-11-2023 06:41 AM
Could you share the SGACL policy enforced on VLAN list 200? Also, what is the SGT for source and destination here?
05-11-2023 06:53 AM
The SGT is 94 and the intent is to block horizontal traffic while allowing north-south:
show cts role-based permissions from 94 to 94
IPv4 Role-based permissions from group 94:DUMMY_SGT to group 94:DUMMY_SGT:
Deny IP-00
show cts rbacl
CTS RBACL Policy
================
RBACL IP Version Supported: IPv4 & IPv6
name = Deny IP-00
IP protocol version = IPV4, IPV6
refcnt = 46
flag = 0xC1000000
stale = FALSE
RBACL ACEs:
deny ip
show cts role-based permissions from 94 to unknown
IPv4 Role-based permissions from group 94:DUMMY_SGT to group Unknown:
Permit IP-00
show cts rbacl
CTS RBACL Policy
================
name = Permit IP-00
IP protocol version = IPV4, IPV6
refcnt = 6
flag = 0xC1000000
stale = FALSE
RBACL ACEs:
permit ip
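As an added example (not code from the thread or from Cisco), the script below parses the two show outputs quoted above and audits the matrix cells they expose. SGACL enforcement is evaluated per (source SGT, destination SGT) cell and per direction, so the cell governing traffic from the gateway's tag back to SGT 94 matters as much as 94-to-Unknown; the script reports which reverse cells are absent from the captured output. The sample text is the thread's own output with indentation reconstructed, and the default action applied when no cell exists is an assumption passed in as a parameter (the switch's actual default is shown by "show cts role-based permissions default").

```python
import re

# Constructed sample: the two "show cts role-based permissions" outputs
# quoted in the thread, concatenated as the switch would print them.
PERMISSIONS_OUTPUT = """\
IPv4 Role-based permissions from group 94:DUMMY_SGT to group 94:DUMMY_SGT:
        Deny IP-00
IPv4 Role-based permissions from group 94:DUMMY_SGT to group Unknown:
        Permit IP-00
"""

# Constructed sample: the two RBACL entries quoted from "show cts rbacl".
RBACL_OUTPUT = """\
CTS RBACL Policy
================
RBACL IP Version Supported: IPv4 & IPv6
  name   = Deny IP-00
  IP protocol version = IPV4, IPV6
  refcnt = 46
  flag   = 0xC1000000
  stale  = FALSE
  RBACL ACEs:
    deny ip

  name   = Permit IP-00
  IP protocol version = IPV4, IPV6
  refcnt = 6
  flag   = 0xC1000000
  stale  = FALSE
  RBACL ACEs:
    permit ip
"""

CELL_RE = re.compile(r"Role-based permissions from group (\S+) to group (\S+):")


def parse_permissions(text):
    """Return {(src, dst): [rbacl names]}; keys are SGT numbers or 'Unknown'."""
    cells = {}
    current = None
    for line in text.splitlines():
        m = CELL_RE.search(line)
        if m:
            src = m.group(1).split(":")[0]  # "94:DUMMY_SGT" -> "94"
            dst = m.group(2).split(":")[0]  # "Unknown" stays "Unknown"
            current = (src, dst)
            cells[current] = []
        elif current and line.strip():
            cells[current].append(line.strip())  # RBACL name bound to the cell
    return cells


def parse_rbacl(text):
    """Return {rbacl name: [ACE strings]} from 'show cts rbacl' output."""
    acls = {}
    name = None
    in_aces = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("name"):
            name = s.split("=", 1)[1].strip()
            acls[name] = []
            in_aces = False
        elif s == "RBACL ACEs:":
            in_aces = True
        elif not s:
            in_aces = False  # blank line ends the ACE list of this RBACL
        elif in_aces and name:
            acls[name].append(s)
    return acls


def effective_action(cells, acls, src, dst, default="permit"):
    """Action applied to src->dst traffic: (action, 'cell' | 'default').

    With no cell for the pair, the switch falls back to its default policy;
    'permit' is an assumed default for this example, not read from the page.
    """
    names = cells.get((src, dst))
    if names is None:
        return (default, "default")
    for name in names:
        for ace in acls.get(name, []):  # first matching ACE decides for 'ip' ACEs
            if ace.startswith("deny"):
                return ("deny", "cell")
            if ace.startswith("permit"):
                return ("permit", "cell")
    return (default, "default")


def missing_reverse_cells(cells):
    """Pairs present in one direction whose reverse cell is not in the output.

    Enforcement is per direction, so return traffic is governed by its own
    cell (or the default), not by the forward cell.
    """
    return sorted({(d, s) for (s, d) in cells if s != d and (d, s) not in cells})


def audit(permissions_text=PERMISSIONS_OUTPUT, rbacl_text=RBACL_OUTPUT, default="permit"):
    """Summarise every cell and flag the reverse directions not shown."""
    cells = parse_permissions(permissions_text)
    acls = parse_rbacl(rbacl_text)
    report = {pair: effective_action(cells, acls, *pair, default=default) for pair in cells}
    for pair in missing_reverse_cells(cells):
        report[pair] = effective_action(cells, acls, *pair, default=default)
    return report


if __name__ == "__main__":
    for (src, dst), (action, origin) in sorted(audit().items()):
        print(f"{src:>8} -> {dst:<8} {action:<6} ({origin})")
```

Running the block shows 94->94 deny and 94->Unknown permit from explicit cells, and Unknown->94 resolved only by the assumed default, which is the cell to verify on the enforcing switch before enabling VLAN enforcement.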