SGT Propagation on VSS VSL?

jonwoloshyn
Level 4

Hello,

I'm in the process of enabling cts manual on uplinks/downlinks for an environment that consists mainly of 3850s. I have a 6880 VSS pair and the question has now come up as to what needs to happen on the VSL link between the two switches in order for tagged frames to be passed between them without the SGT being dropped.

So, can anyone tell me:

1. Do I have to have cts configured on the VSL links? Or is VSS "smart enough" to carry the tag (or even retag on the other side) on the link? Note that I'm not doing NDAC or MACsec. Right now it is a simple cts manual with "policy static sgt 2 trusted". I have this configured on all the downlinks to distribution switches etc.

2. If I have to configure cts manual on the VSL member interfaces, what is the process? cts manual can't be configured on member ports of a port-channel and the VSL interface is a port-channel. With other uplinks/downlinks I simply remove all but one port from the port-channel and swap ports in and out, making sure not to black-hole myself. At one point there are no ports in the port-channel. It's a bit of a process but it works. VSL is a bit different though, since it is not a normal port-channel. If I remove all of the ports from the VSL port-channel, I'll likely go split-brain. I'm not sure I see any way of getting around that short of making the change to the saved config and reloading with it, which is ugly.

Anyone have any advice here? TAC haven't been too responsive on this.


3 Replies

khook@cisco.com
Cisco Employee

“CTS configuration on VSL is not required. If MACsec is required however, that must be configured manually.”

Cheers,

Ken

Thanks Kenneth. Can you point me to the documentation for this assuming it exists?

However, hopefully the following helps.

There is no explicit requirement for CTS propagation across the VSL! The VSL is equivalent to the internal backplane (between local Supervisor and local Linecards). Specifically… the concept of SGT comes from the Cisco Meta Data (CMD) header, which is applied to each packet at ingress and egress… while the concept of SGT based ACL (SGACL) is an internal construct, used by the hardware Port/CTS ASICs and Forwarding ASICs. Since the VSS behaves as a single system… the actual CMD is not within the chassis (or across the VSL) itself.

When a packet first enters the C6K/VSS… the ingress Port/CTS ASIC on the local Linecard will parse the CMD header and extract the SGT ID. This information is passed along (with other packet details) to the Forwarding ASIC... and the Forwarding ASIC can then impose an SGACL action (or not) during destination lookup. Once the packet has passed SGACL, and the destination(s) determined… the egress Port/CTS ASIC (on the same card, or some other remote card) will finally re-apply a new CMD header to the packet… as it leaves the C6K/VSS.

Note… we do support MACsec over the VSL, because that is the physical (L1) medium between VSS Switch 1 and Switch 2… and that does need to be configured manually (it is not on by default).

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/virtual_switching_systems.html#pgfId-1341144

Cheers,

Ken
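A small Python model of the packet flow Ken describes, added here as an illustration; it is not Cisco code and not from this thread. The port names, the `chassis` attribute, the default SGT 0 for a frame arriving without a usable CMD header, and the SGACL table are assumed, and the destination SGT is passed in rather than looked up from a binding; the trusted/untrusted behaviour follows the asker's `policy static sgt 2 trusted` configuration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

UNKNOWN_SGT = 0  # assumed: internal SGT ID used when ingress finds no usable CMD header


@dataclass
class Port:
    name: str
    chassis: int                      # VSS switch 1 or 2 (assumed attribute)
    cts_manual: bool = False          # "cts manual" configured on this external interface
    static_sgt: Optional[int] = None  # "policy static sgt N"
    trusted: bool = False             # "trusted": keep the SGT carried in the CMD header


@dataclass
class Frame:
    sgt: Optional[int] = None         # SGT from the CMD header; None = no CMD header


def ingress(port: Port, frame: Frame) -> int:
    """Ingress Port/CTS ASIC: turn the arriving frame into an internal SGT ID."""
    if not port.cts_manual:
        return UNKNOWN_SGT            # no CTS on the port, so the CMD header is not parsed
    if port.trusted and frame.sgt is not None:
        return frame.sgt              # trusted: honour the tag already on the frame
    return port.static_sgt if port.static_sgt is not None else UNKNOWN_SGT


def sgacl_permits(sgacl: Dict[Tuple[int, int], bool], src: int, dst: int) -> bool:
    """Forwarding ASIC: look up the (source SGT, destination SGT) cell; default permit."""
    return sgacl.get((src, dst), True)


def egress(port: Port, sgt: int) -> Frame:
    """Egress Port/CTS ASIC: re-impose a CMD header only on a CTS-enabled external port."""
    return Frame(sgt=sgt if port.cts_manual else None)


def forward(ports, sgacl, in_port, out_port, frame, dst_sgt):
    """Carry one frame through the VSS. Between the chassis only the internal SGT ID
    crosses the VSL, never a CMD header, which is why the VSL needs no cts config."""
    src_port, dst_port = ports[in_port], ports[out_port]
    sgt = ingress(src_port, frame)
    crossed_vsl = src_port.chassis != dst_port.chassis
    if not sgacl_permits(sgacl, sgt, dst_sgt):
        return None, crossed_vsl      # dropped by SGACL during destination lookup
    return egress(dst_port, sgt), crossed_vsl
```

The model also shows the two cases a practitioner usually checks alongside the VSL question: an untrusted port overwrites the carried SGT with its static value, and an egress port without cts manual sends the frame out with no CMD header at all.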