Combination issue of SXP and SGT (3560G, 3560X)

Dear all,

I'm struggling to enforce role-based permissions between endpoints of the same SGT group when the mapping of the source endpoint is learned through SXP (non-contiguous SGT support between source and destination). While I can see the SGT mapping from the speaker (3560G, network ingress point) on the listener instance (3560X, network egress point), it seems that the mappings are not taken into account for actual enforcement. The enforcement is working as expected with endpoints connected to either 3560X (contiguous TrustSec domain). Attached is an overview of the test setup. The SGT used is 10 for both the source and the destination endpoint. ACL1 (SGACL) is blocking ICMP traffic and permitting all other IP.

As can be seen, the mappings are learned from the 3560G on both 3560X via SXP.

SXP-speaker#show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
============================================
172.28.135.152          10      LOCAL
172.28.135.157          10      LOCAL
172.28.135.158          10      LOCAL
172.28.135.159          10      LOCAL
172.28.135.160          10      LOCAL
172.28.135.167          10      LOCAL
172.28.135.171          10      LOCAL
172.28.135.174          10      LOCAL
172.28.135.176          10      LOCAL
172.28.135.183          10      LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of LOCAL    bindings = 10
Total number of active   bindings = 10

 

SXP-listener1#sh cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
============================================
172.28.135.152          10      SXP
172.28.135.157          10      SXP
172.28.135.158          10      SXP
172.28.135.159          10      SXP
172.28.135.160          10      SXP
172.28.135.167          10      SXP
172.28.135.171          10      SXP
172.28.135.174          10      SXP
172.28.135.176          10      SXP
172.28.135.183          10      SXP

IP-SGT Active Bindings Summary
============================================
Total number of SXP      bindings = 10
Total number of active   bindings = 10

 

SXP-listener2#sh cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
============================================
172.28.135.152          10      SXP
172.28.135.157          10      SXP
172.28.135.158          10      SXP
172.28.135.159          10      SXP
172.28.135.160          10      SXP
172.28.135.167          10      SXP
172.28.135.170          10      LOCAL
172.28.135.171          10      SXP
172.28.135.174          10      SXP
172.28.135.176          10      SXP
172.28.135.183          10      SXP

IP-SGT Active Bindings Summary
============================================
Total number of SXP      bindings = 10
Total number of LOCAL    bindings = 1
Total number of active   bindings = 11

Is there anything obvious that I might be missing or has anybody already had a similar issue?

Any feedback is really appreciated.

Thank you and kind regards!
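As an added example (not part of the original post, and not a Cisco tool), the script below parses the `show cts role-based sgt-map all` output from a speaker and a listener and reports two things a practitioner would check first in a setup like the one described: whether the switch's own "Total number of ... bindings" summary agrees with the bindings actually listed (a mismatch usually means a truncated paste), and whether every LOCAL binding on the speaker is present on the listener with the same SGT. The two captures embedded in the script are constructed for the demonstration and are trimmed to three bindings each; the listener sample deliberately carries one SGT mismatch and one missing binding so that the checks have something to report.

```python
import re
from collections import Counter

# Constructed sample captures (not the poster's full output): a speaker and one
# listener, trimmed to three bindings each. The listener sample deliberately
# carries one SGT mismatch (.157) and one missing binding (.183).
SPEAKER_OUTPUT = """\
Active IP-SGT Bindings Information

IP Address              SGT     Source
============================================
172.28.135.152          10      LOCAL
172.28.135.157          10      LOCAL
172.28.135.183          10      LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of LOCAL    bindings = 3
Total number of active   bindings = 3
"""

LISTENER_OUTPUT = """\
Active IP-SGT Bindings Information

IP Address              SGT     Source
============================================
172.28.135.152          10      SXP
172.28.135.157          11      SXP
172.28.135.170          10      LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of SXP      bindings = 2
Total number of LOCAL    bindings = 1
Total number of active   bindings = 3
"""

BINDING_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)$")
SUMMARY_RE = re.compile(r"^Total number of (\w+)\s+bindings = (\d+)$")


def parse_sgt_map(text):
    """Map IP -> (SGT, source) from 'show cts role-based sgt-map all' output."""
    bindings = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            ip, sgt, source = m.groups()
            bindings[ip] = (int(sgt), source.upper())
    return bindings


def verify_summary(text):
    """Check that the per-source totals printed by the switch agree with the
    bindings actually listed. Returns a list of discrepancy strings."""
    counts = Counter(source for _, source in parse_sgt_map(text).values())
    problems = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if not m:
            continue
        source, claimed = m.group(1).upper(), int(m.group(2))
        # 'active' is the grand total; every other row is one binding source.
        actual = sum(counts.values()) if source == "ACTIVE" else counts[source]
        if actual != claimed:
            problems.append(f"{source}: summary says {claimed}, listed {actual}")
    return problems


def check_propagation(speaker, listener):
    """Every LOCAL binding on the speaker must appear on the listener with the
    same SGT, learned via SXP (or LOCAL if the host is also attached there)."""
    problems = []
    for ip, (sgt, source) in speaker.items():
        if source != "LOCAL":
            continue
        if ip not in listener:
            problems.append((ip, "not present on listener"))
            continue
        l_sgt, l_source = listener[ip]
        if l_sgt != sgt:
            problems.append((ip, f"SGT mismatch: speaker {sgt}, listener {l_sgt}"))
        elif l_source not in ("SXP", "LOCAL"):
            problems.append((ip, f"unexpected source {l_source} on listener"))
    return problems


if __name__ == "__main__":
    for name, text in (("speaker", SPEAKER_OUTPUT), ("listener", LISTENER_OUTPUT)):
        for issue in verify_summary(text):
            print(f"{name}: {issue}")
    for ip, issue in check_propagation(parse_sgt_map(SPEAKER_OUTPUT),
                                       parse_sgt_map(LISTENER_OUTPUT)):
        print(f"{ip}: {issue}")
```

A clean result from these checks only shows that the IP-to-SGT mapping side is consistent, which is what the three outputs in the post already suggest; it says nothing about whether the egress switch is actually applying the SGACL. That is a separate check on the listener (for example `show cts role-based permissions` for the downloaded policy and `show cts role-based counters` for hit counts), so the script is a complement to those commands rather than a replacement for them.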
