Solved: Re: Subnet/IP to SGT tagging on NX-OS

Michal Olsovsky · ‎11-28-2018

Hi team,

I have a case where SGT tagging based on IP/subnet to SGT map is needed on N7K (M3 LC) without enforcement active. Traffic that needs to be tagged can enter nexus:

- via untrusted access portchannel - no SVI for this specific VLAN, packets need to be tagged and are send to another device where they are already part of trusted domain,

- via untrusted access or trunk port for a specific VLAN that has SVI configured.

For both cases IP/subnet to SGT mapping is configured (pushed via ISE) but the tagging is not happening. Is there any limitation for this or any special step to take to do this marking?

Thank you.

Best regards,

Michal

jeaves@cisco.com · ‎12-12-2018

When pushing mappings from ISE you can use SSH or SXP but the mapping always gets placed at the VRF level.

The N7K MUST have an SVI on the VLAN if using IP-SGT learnt via SXP (or) SSH from ISE (or) CLI on a particular VRF [So when mapping resides in the VRF]
If N7K is L2 only then create an SVI w/o IP to be able to utilize the SXP or SSH mappings from ISE or the CLI mappings from the VRF

View solution in original post

jeaves@cisco.com · ‎12-12-2018

When pushing mappings from ISE you can use SSH or SXP but the mapping always gets placed at the VRF level.

The N7K MUST have an SVI on the VLAN if using IP-SGT learnt via SXP (or) SSH from ISE (or) CLI on a particular VRF [So when mapping resides in the VRF]
If N7K is L2 only then create an SVI w/o IP to be able to utilize the SXP or SSH mappings from ISE or the CLI mappings from the VRF

Michal Olsovsky · ‎12-13-2018

Hi, thanks. These conditions are clear however is there a way to do the SGT marking without activating the enforcement?

jeaves@cisco.com · ‎12-13-2018

Sure, network devices only enforce when they are told to enforce.

The N7k is told to enforce by using the following commands:

(config)# cts role-based enforcement

(config)# vrf context x
cts role-based enforcement

(config)# vlan y
cts role-based enforcement

Michal Olsovsky · ‎12-13-2018

The question is will Nexus do SGT marking without active enforcement? This means only SGT maps configured without any enforcement activated.

jeaves@cisco.com · ‎12-13-2018

Yes, our network devices (including the N7k) can classify/mark without enforcing.

Classification/marking occurs when there is a mapping present (dynamic, static, from SXP). Enforcement only occurs if the enforcement commands are present and required policy has been downloaded.

Michal Olsovsky · ‎12-13-2018

Thanks for the reply.

In our setup we have N7k (NX-OS 8.3.1) registered to ISE and envi-data & policies downloaded successfully. IP to SGT mappings are correctly pushed from ISE and present in config and no enforcement is active. We have 1 VLAN with active SVI (default vrf), mapping for this VLAN/subnet is present in the SGT-map and the traffic is coming to N7K over untrusted trunk port (no cts manual) however the traffic is leaving the N7K unmarked (SGT 0). Other traffic that is passing the N7K already marked is keeping the marking so the boundary interfaces are fine. Is there anything else needed to have marking active?

jeaves@cisco.com · ‎12-13-2018

Can you try the following independently:

a) Manually adding the mapping under the VLAN (rather than the VRF).

b) Enable DAI (ip arp inspection vlan <>) on the VLAN and on the corresponding incoming interfaces (ip arp inspection trust)

Michal Olsovsky · ‎12-14-2018

Thanks for reply. I will try both options and report back.