2391 Views, 0 Helpful, 4 Replies

C9300 trustSec Enforcement

Michal Rzepecki
Level 1

I'm setting up a simple lab with two 9300 switches (ver. 16.9.3) connected with an L3 link (no switchport). I've configured trustSec but I noticed that policy is enforced on switch 1 although the destination host was connected to switch 2. I wonder if it is because these two switches are not in the same trustSec domain?

L3 link is configured as follows (other side similarly):

interface GigabitEthernet1/0/24
no switchport
ip address 10.1.254.5 255.255.255.252
cts manual
policy static sgt 999 trusted

Do you think it is possible that the ingress switch was enforcing policy because, from its point of view, the egress switch is not part of the trustSec domain?

What is the proper way to make trustSec domain in new software (16.9)? Is seed and non-seed topology still needed?

 

Accepted Solution

The ingress switch was trying to enforce policy even if it doesn't know the destination group tag. It was assuming that the destination group tag is 0 because it didn't know the real tag. To resolve this problem we've disabled enforcement on the L3 link that is connected to the second switch.

interface GigabitEthernet1/0/24
 no switchport
 ip address 10.1.254.5 255.255.255.252
 cts manual
  policy static sgt 2 trusted
 no cts role-based enforcement

Is it the only/correct resolution?


4 Replies

Michal Rzepecki
Level 1
In the C6500 :) configuration guide I found:
Cisco TrustSec IEEE 802.1X links are not supported on platforms supported in the Cisco IOS XE Denali and Everest releases, and hence only the Authenticator is supported; the Supplicant is not supported.

Does it mean I shouldn't use non-seed devices?
How to set up TS domain properly without seed/non-seed topology?


It sounds like your default policy/SGACL is to deny unknown (aka tag 0). In that case it would be working as designed. You could change the default from deny all to permit all.

If you look at the bottom of the TrustSec matrix in ISE, is the default below the table permit all, or deny all?
https://<ise pan ip>/admin/#workcenters/workcenter_trustsec/workcenter_trustsec_policy/egress/matrix
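A small Python model, added here and not part of the thread or of Cisco's implementation, of what the accepted solution and the reply above describe: per-hop SGACL enforcement where the ingress switch has no IP-to-SGT binding for the far host and so evaluates the matrix with DGT 0. Switch names, interfaces, addresses and the matrix are constructed; the model compares the thread's two mitigations on a flow that should be permitted and one that should be denied.

```python
# Constructed model (not Cisco's code) of per-hop SGACL enforcement. A switch with
# no IP-to-SGT binding for the destination uses DGT 0 ("Unknown") and the matrix
# falls through to the default cell, which is what the thread observed on SW1.
UNKNOWN_SGT = 0

def sgacl_action(sgt, dgt, matrix, default_action):
    """Look up the (SGT, DGT) cell; unmatched pairs take the default policy."""
    return matrix.get((sgt, dgt), default_action)

def hop_decision(pkt, sw):
    """One switch's verdict. sw holds: bindings (ip->SGT), routes (ip->egress
    interface), enforce (interface->bool), matrix and default."""
    out_if = sw["routes"][pkt["dst"]]
    if not sw["enforce"].get(out_if, True):
        return "forward"  # 'no cts role-based enforcement' on the egress interface
    dgt = sw["bindings"].get(pkt["dst"], UNKNOWN_SGT)
    action = sgacl_action(pkt["sgt"], dgt, sw["matrix"], sw["default"])
    return "forward" if action == "permit" else "drop"

def path_decision(pkt, path):
    """Walk the switches in order; the first hop that drops decides."""
    for sw in path:
        if hop_decision(pkt, sw) == "drop":
            return "drop@" + sw["name"]
    return "forward"

# Constructed topology: host A (10.1.1.10, SGT 10) on SW1, host B (10.1.2.20,
# SGT 20) on SW2, joined by the L3 link Gi1/0/24. Only 10->20 is permitted.
MATRIX = {(10, 20): "permit"}

def build_path(link_enforced=True, default="deny"):
    sw1 = {"name": "SW1", "bindings": {"10.1.1.10": 10}, "matrix": MATRIX,
           "routes": {"10.1.2.20": "Gi1/0/24"}, "default": default,
           "enforce": {"Gi1/0/24": link_enforced}}
    sw2 = {"name": "SW2", "bindings": {"10.1.2.20": 20}, "matrix": MATRIX,
           "routes": {"10.1.2.20": "Gi1/0/1"}, "default": default,
           "enforce": {"Gi1/0/1": True}}
    return [sw1, sw2]

ALLOWED = {"sgt": 10, "dst": "10.1.2.20"}  # has an explicit permit cell
BLOCKED = {"sgt": 30, "dst": "10.1.2.20"}  # no cell: should hit the default deny

def scenarios():
    # The thread's symptom, then each mitigation, on both flows.
    return {
        "as_reported": path_decision(ALLOWED, build_path()),
        "link_no_enforce_allowed": path_decision(ALLOWED, build_path(link_enforced=False)),
        "link_no_enforce_blocked": path_decision(BLOCKED, build_path(link_enforced=False)),
        "default_permit_allowed": path_decision(ALLOWED, build_path(default="permit")),
        "default_permit_blocked": path_decision(BLOCKED, build_path(default="permit")),
    }
```

Note the last scenario: with a permit-all default, a pair that has no explicit matrix cell is also permitted at the egress switch, so that mitigation only keeps the intended policy if the matrix carries explicit deny cells.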
