10-11-2017 02:28 PM
By default the interfaces on the FTD have the following:
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
Is there any way to turn off the propagation of SGT tags? We are using pxGrid to provide IP to SGT tags that we can use in our ACP. We have no need to have FTD apply that tag to a packet on egress. Is it possible to turn that off?
10-11-2017 11:06 PM
Hi,
I think you should be able to do it by FlexConfig. I see that only the following commands inside interface are blocked from modification through FlexConfig:
Interface: Only nameif, mode, shutdown, ip address and mac-address commands are blocked.
10-12-2017 08:08 AM
Thanks it worked perfectly:
interface GigabitEthernet1/1
cts manual
no propagate sgt
I haven’t tested to see if that change affected my ability to do SGT based ACP rules, but I would doubt that it does.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
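The fix above is applied one interface at a time. As an added example (not Cisco's code and not from any poster in this thread), the script below parses FTD/ASA-style running-config text, reports which interfaces still have `propagate sgt` enabled under `cts manual`, and emits the same per-interface `no propagate sgt` commands for each of them. The sample config is constructed, and the assumption that the emitted lines can be pasted into an FMC FlexConfig object as-is is mine, following the thread's report that interface sub-commands other than nameif, mode, shutdown, ip address and mac-address are accepted there.

```python
"""Audit SGT propagation settings in FTD/ASA-style running-config text.

Added example for this thread; it is not Cisco code. The config format is the
'cts manual' interface sub-mode shown in the thread; SAMPLE_CONFIG is constructed.
"""

# Constructed sample running-config (not a real device capture).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif vpn-outside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
!
interface GigabitEthernet1/2
 nameif core
 cts manual
  no propagate sgt
  policy static sgt disabled trusted
!
interface GigabitEthernet1/3
 nameif mgmt
!
"""


def parse_cts_settings(config_text):
    """Return {interface: settings} for every interface stanza in config_text.

    settings keys:
      cts_manual     - True if 'cts manual' appears under the interface
      propagate_sgt  - True / False / None (None = not explicitly configured)
      preserve_untag - True if 'propagate sgt preserve-untag' was seen
      static_trusted - True if the static policy line ends with 'trusted'
    """
    settings = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()  # forum pastes lose indentation, so do not rely on it
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            settings[current] = {
                "cts_manual": False,
                "propagate_sgt": None,
                "preserve_untag": False,
                "static_trusted": False,
            }
            continue
        if current is None:
            continue
        if line == "!":
            current = None  # end of the interface stanza
        elif line == "cts manual":
            settings[current]["cts_manual"] = True
        elif line == "no propagate sgt":
            settings[current]["propagate_sgt"] = False
            settings[current]["preserve_untag"] = False
        elif line.startswith("propagate sgt"):
            settings[current]["propagate_sgt"] = True
            settings[current]["preserve_untag"] = "preserve-untag" in line
        elif line.startswith("policy static sgt"):
            settings[current]["static_trusted"] = line.split()[-1] == "trusted"
    return settings


def interfaces_propagating_sgt(config_text):
    """Names of interfaces that still insert an SGT header on egress."""
    return [name for name, s in parse_cts_settings(config_text).items()
            if s["cts_manual"] and s["propagate_sgt"]]


def flexconfig_to_disable(config_text):
    """Build the thread's fix (interface / cts manual / no propagate sgt) per interface.

    Assumption: these lines are pasted into an FMC FlexConfig object unchanged;
    object naming and deployment are left to the operator.
    """
    blocks = [f"interface {name}\n cts manual\n no propagate sgt"
              for name in interfaces_propagating_sgt(config_text)]
    return "\n".join(blocks)


if __name__ == "__main__":
    for name, s in parse_cts_settings(SAMPLE_CONFIG).items():
        print(name, s)
    print(flexconfig_to_disable(SAMPLE_CONFIG))
```

Run it against `show running-config interface` output saved to a file (replace `SAMPLE_CONFIG` with the file contents); interfaces without any `cts manual` block are reported with `propagate_sgt` set to `None` rather than assumed off, so they can be checked by hand.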
05-31-2018 01:24 AM
Reviving this to let others know that this was a requirement to get traffic to pass from a Firepower 2130 into our Application Centric Infrastructure (ACI) Fabric / Nexus 9ks. ACI was dropping the traffic outright due to the tag on ingress.
HTH
04-15-2020 07:43 PM
Hi Anthony,
It looks like we have the same setup, wherein we have deployed an FTD 2130 for VPN traffic using AnyConnect as part of our TrustSec environment, which then egresses out to our Nexus 9k (Core Switch) and then reaches our services at our Data center FW, which is also an FTD, from where all the AuthZ and SGTs are being inherited from ISE.
I am hoping I could get some clarity around the following.
When I tried to disable the SGT propagation in our VPN FW (egress to Nexus 9k with the "no propagation" command), it looks like I can see from my capture that traffic coming from the VPN is "untagged", although I could see from my AnyConnect session that there is an SGT number and AuthZ inherited from ISE. Hence, if there's a need to communicate to the other Far End FW that is a listener to the pxGrid, the connection is being dropped if the ACP has been applied with SGT on that Far End FW (FTD).
I have raised a case with Cisco TAC and I was advised that SGT propagation from the VPN FW in the egress direction to the Nexus 9k (Core Switches) should be enabled so the tag could be preserved all the way to the Far End FW, but TAC claimed that the issue is that Nexus 9k are not able to handle TrustSec frames, hence it will be dropped?
04-15-2020 08:50 PM
This is interesting...
@eleevercl wrote: "but TAC claimed that the issue is that Nexus 9k are not able to handle TrustSec frames hence it will be dropped?"
I'm wondering what they mean and in what context. If you go into ISE > Work Centers > TrustSec > ACI Settings, there are two options: Data Plane and Policy Plane. From my understanding, data plane integration allows inline SGTs. Maybe, though, that only applies to L3Outs? We are only doing some Policy Plane integration now and referencing those Tags under Tenants > Tenant > Networking > L3Outs > L3Out-Name > External EPGs > (SGT Tags show up here to write contracts against once your ISE <> ACI integration is set up). I'll start reading up tomorrow a.m. more on this to see if I find anything more useful for you.
Caveats aside, even if you can't carry the tag end to end through the ACI Fabric, there might still be a way to pick the tag back up at the Far End Firewall (via PxGrid as you mentioned) and still derive your ACP based off of it.
Cheers.
04-15-2020 08:57 PM
Just a thought: my far end FW, which is also subscribed to pxGrid, has also preserved the SGT in the ingress direction.
I am wondering if the right approach is to do a no propagate on my VPN FW in my egress direction (to Nexus 9k) and then, in the ingress direction of my far end FW, also do a no propagate. I wonder if that should still preserve my AuthZ and SGT from ISE.
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted