Re: VLAN SVI unreachable after enabling CTS VLAN enforcement

Antonio Macia · ‎05-11-2023

Hi,

After running the cts role-based enforcement vlan-list 200 in an access switch, the devices can no longer reach its gateway (SVI in a distribution switch) Without reachability to the gateway, outside connectivity is also lost.

The uplink between the access switch and the distribution switch has CTS enabled. The trustsec matrix allows traffic to "unknown" (untagged) traffic, although I presume this has nothing to do since the distribution switch is not enforcing any traffic. It is configured as cts role-based monitor all

As soon as we remove the vlan enforcement, reachability is recovered, however the traffic is not enforced for hosts in the same VLAN with the same tag even if there is a SGACL applied at the switch that denies all the traffic from/to the same SGT.

Any idea?

Thanks!

Nancy Saini · ‎05-11-2023

Could you share the SGACL policy enforced on VLAN list 200? Also, what is the SGT for source and destination here?

Antonio Macia · ‎05-11-2023

The SGT is 94 and the intent is to block horizontal traffic while allowing north-south:

show cts role-based permissions from 94 to 94
IPv4 Role-based permissions from group 94:DUMMY_SGT to group 94:DUMMY_SGT:
Deny IP-00

show cts rbacl
CTS RBACL Policy
================
RBACL IP Version Supported: IPv4 & IPv6
name = Deny IP-00
IP protocol version = IPV4, IPV6
refcnt = 46
flag = 0xC1000000
stale = FALSE
RBACL ACEs:
deny ip

show cts role-based permissions from 94 to unknown
IPv4 Role-based permissions from group 94:DUMMY_SGT to group Unknown:
Permit IP-00

show cts rbacl
CTS RBACL Policy
================
name = Permit IP-00
IP protocol version = IPV4, IPV6
refcnt = 6
flag = 0xC1000000
stale = FALSE
RBACL ACEs:
permit ip