C9300 trustSec Enforcement

I'm setting up a simple lab with two 9300 switches (ver. 16.9.3) connected with an L3 link (no switchport). I've configured TrustSec but I noticed that the policy is enforced on switch 1 although the destination host was connected to switch 2. I wonder if it is because these two switches are not in the same TrustSec domain?

L3 link is configured as follows (other side similarly):

interface GigabitEthernet1/0/24
 no switchport
 ip address 10.1.254.5 255.255.255.252
 cts manual
  policy static sgt 999 trusted

Do you think it is possible that the ingress switch was enforcing policy because, from its point of view, the egress switch is not part of the TrustSec domain?

What is the proper way to build a TrustSec domain in the new software (16.9)? Is a seed and non-seed topology still needed?


Accepted Solutions

Re: C9300 trustSec Enforcement

The ingress switch was trying to enforce policy even though it didn't know the destination group tag. It was assuming that the destination group tag is 0 because it didn't know the real tag. To resolve this problem we've disabled enforcement on the L3 link that is connected to the second switch.

interface GigabitEthernet1/0/24
 no switchport
 ip address 10.1.254.5 255.255.255.252
 cts manual
  policy static sgt 2 trusted
 no cts role-based enforcement

Is it the only/correct resolution?

4 Replies

Re: C9300 trustSec Enforcement

In the C6500 :) configuration guide I found:
Cisco TrustSec IEEE 802.1X links are not supported on platforms supported in the Cisco IOS XE Denali and Everest releases, and hence only the Authenticator is supported; the Supplicant is not supported.

Does it mean I shouldn't use non-seed devices?
How do I set up a TS domain properly without a seed/non-seed topology?

Re: C9300 trustSec Enforcement

It sounds like your default policy/SGACL is to deny unknown, aka tag 0. In that case it would be working as designed. You could change the default from deny all to permit all.

If you look at the bottom of the TrustSec matrix in ISE, is the default below the table permit all, or deny all?
https://<ise pan ip>/admin/#workcenters/workcenter_trustsec/workcenter_trustsec_policy/egress/matrix
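A small model of the lookup that the accepted solution and this reply describe, added here as an illustration (it is not code from the thread or from Cisco): an enforcement point with no binding for the destination falls back to SGT 0 and therefore to the matrix default, and the two remedies discussed are disabling enforcement on the inter-switch interface and changing that default. The SGT values and the matrix cells are constructed.

```python
from dataclasses import dataclass

UNKNOWN_SGT = 0  # an enforcement point substitutes 0 when it has no binding for the destination

@dataclass
class SgaclMatrix:
    cells: dict            # (src_sgt, dst_sgt) -> "permit" or "deny"
    default: str = "deny"  # the default policy shown beneath the ISE matrix

    def lookup(self, src_sgt: int, dst_sgt: int) -> str:
        return self.cells.get((src_sgt, dst_sgt), self.default)

@dataclass
class Interface:
    name: str
    enforcement: bool = True  # False models 'no cts role-based enforcement'

def egress_decision(matrix: SgaclMatrix, out_if: Interface, src_sgt: int, dst_sgt) -> str:
    """Verdict for a packet leaving out_if. dst_sgt is None when this switch
    holds no IP-to-SGT binding for the destination (the situation in the thread)."""
    if not out_if.enforcement:
        return "permit"  # SGACLs are simply not evaluated on this interface
    effective_dst = UNKNOWN_SGT if dst_sgt is None else dst_sgt
    return matrix.lookup(src_sgt, effective_dst)

def lab_scenarios() -> dict:
    # Constructed sample policy: 10 -> 20 explicitly permitted, 10 -> 30 explicitly denied.
    matrix = SgaclMatrix(cells={(10, 20): "permit", (10, 30): "deny"})
    uplink = Interface("GigabitEthernet1/0/24")  # the L3 link between the two switches
    permissive = SgaclMatrix(cells=matrix.cells, default="permit")
    return {
        # observed: switch 1 has no binding for the host behind switch 2, so the
        # lookup lands on (10, 0) and falls through to the default (deny)
        "ingress_unknown_dst": egress_decision(matrix, uplink, 10, None),
        # fix used in the thread: stop enforcing on the inter-switch link
        "uplink_no_enforcement": egress_decision(
            matrix, Interface(uplink.name, enforcement=False), 10, None),
        # alternative from the last reply: flip the matrix default to permit
        "default_permit": egress_decision(permissive, uplink, 10, None),
        # explicit deny cells still apply when only the default was relaxed
        "default_permit_explicit_deny": egress_decision(permissive, uplink, 10, 30),
        # switch 2 knows the real destination tag and applies the intended cell
        "egress_switch_known_dst": egress_decision(
            matrix, Interface("GigabitEthernet1/0/1"), 10, 20),
    }
```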