Cisco 3560CX SGT not working

m.maier
Level 1
Hi Cisco Community
 
We have used some C3560CX as office extenders and now want to activate SGT. 
Unfortunately this does not work and we do not yet understand the reasons. A new C9200CX works perfectly.
 
There are contradictory announcements, and many tests have not been positive.
 
!-- Office Extender:
 
HW: WS-C3560CX-12PD-S, 15.2(7)E5 - does not work
HW: C9200CX-12P-2X2G, 17.09.05 - works well
 
Here is the current example of my testing and log data (see below):
 
Uplink from FE C9300-FE-053 to extender node C3560CX:
 
interface Port-channel9
 switchport mode trunk
!
interface GigabitEthernet1/0/15
 switchport mode trunk
 channel-group 9 mode desirable
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
 
 
C9300-FE-053#show cts interface GigabitEthernet1/0/15
Interface GigabitEthernet1/0/15:
    CTS is disabled.
 
    L3 IPM:   disabled.
 
!-- Office Extender node WS-C3560CX-12PD-S (C3560CX):
 
Uplink from extender node C3560CX to C9300-FE-053
 
aaa authentication login dnac-cts-list group dnac-client-radius-group local
aaa authorization network dnac-cts-list group dnac-client-radius-group 
cts authorization list cts-list
!
interface Port-channel1
 switchport mode trunk
!
interface GigabitEthernet1/0/13
 switchport mode trunk
 srr-queue bandwidth share 1 55 37 7
 priority-queue out 
 channel-group 1 mode desirable
!
radius server dnac-radius_10.x.x.x
 address ipv4 10.x.x.x auth-port 1812 acct-port 1813
 timeout 5
 retransmit 3
 automate-tester username dummy ignore-acct-port probe-on
 pac key 7 xxxxxxx
 
 
!-- Office Extender node C9200CX-12P-2X2G:
 
 
Uplink from FE C9300-FE-051 to extender node C9200CX:
 
interface Port-channel2
 switchport mode trunk
!
interface TenGigabitEthernet1/1/7
 switchport mode trunk
 cts manual
  policy static sgt 8000 trusted
 channel-group 2 mode desirable
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
 
Uplink to C9300-FE-051:
 
aaa authentication login dnac-cts-list group dnac-client-radius-group local
aaa authorization network dnac-cts-list group dnac-client-radius-group 
cts authorization list dnac-cts-list
!
cts role-based enforcement
cts role-based enforcement vlan-list 1021,1023-1024,1026-1028,1036-1040,1042,1044-1048,2045-2047
!
radius server dnac-radius_10.x.x.x
 address ipv4 10.x.x.x auth-port 1812 acct-port 1813
 timeout 5
 retransmit 3
 automate-tester username dummy ignore-acct-port probe-on
 pac key 7 xxxx
!
interface Port-channel1
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet1/1/1
 switchport mode trunk
 cts manual
  policy static sgt 8000 trusted
 channel-group 1 mode desirable
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
 ip dhcp snooping trust
 
 
Log data:
 
Log data from C9300-FE-051 with C9200CX:
 
C9300-FE-051#show cts interface TenGigabitEthernet1/1/7
Global Dot1x feature is Disabled
Interface TenGigabitEthernet1/1/7:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Interface Active for      6d17h
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: ""
    Authorization Status:    SUCCEEDED
        Peer SGT:            8000
        Peer SGT assignment: Trusted
    SAP Status:              NOT APPLICABLE
    Propagate SGT:           Enabled
    Cache Info:
        Expiration            : N/A
        Cache applied to link : NONE
 
    Statistics:
        authc success:              0
        authc reject:               0
        authc failure:              0
        authc no response:          0
        authc logoff:               0
        sap success:                0
        sap fail:                   0
        authz success:              0
        authz fail:                 0
        port auth fail:             0
 
    L3 IPM:   disabled.
 
 
Log data from C9300-FE-051 with C3560CX:
 
C9300-FE-053#show cts interface GigabitEthernet1/0/15
Interface GigabitEthernet1/0/15:
    CTS is disabled.
 
    L3 IPM:   disabled.
 
Note: The entire configuration is generated using DNAC (CC).
 
Thank you for your input.
 
Markus
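As an added example (not from this thread, and not a Cisco tool), here is a small Python checker that parses the two `show cts interface` captures quoted above and reports why an uplink would not carry trusted SGTs; the field names it extracts and the expected SGT value 8000 are assumptions taken from the post.

```python
import re

# Sample outputs, copied from the two "show cts interface" captures in the post above.
CTS_9200CX_UPLINK = """Global Dot1x feature is Disabled
Interface TenGigabitEthernet1/1/7:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Authorization Status:    SUCCEEDED
        Peer SGT:            8000
        Peer SGT assignment: Trusted
    Propagate SGT:           Enabled
"""
CTS_3560CX_UPLINK = """Interface GigabitEthernet1/0/15:
    CTS is disabled.
    L3 IPM:   disabled.
"""

def parse_cts_interface(text):
    """Pull out the fields that matter for inline SGT tagging on an uplink."""
    info = {"interface": None, "cts_enabled": False, "mode": None,
            "peer_sgt": None, "peer_sgt_trusted": False, "propagate_sgt": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Interface (\S+):", line):
            info["interface"] = m.group(1)
        elif m := re.match(r"CTS is enabled, mode:\s+(\S+)", line):
            info["cts_enabled"], info["mode"] = True, m.group(1)
        elif m := re.match(r"Peer SGT:\s+(\d+)", line):
            info["peer_sgt"] = int(m.group(1))
        elif line.startswith("Peer SGT assignment:"):
            info["peer_sgt_trusted"] = line.endswith("Trusted")
        elif line.startswith("Propagate SGT:"):
            info["propagate_sgt"] = line.endswith("Enabled")
    return info

def inline_tagging_problems(info, expected_sgt=8000):
    """Explain why the link would not carry trusted SGTs; an empty list means it does."""
    if not info["cts_enabled"]:
        return ["CTS is disabled on the uplink (the interface has no 'cts manual')"]
    problems = []
    if info["mode"] != "MANUAL":
        problems.append(f"CTS mode is {info['mode']}, expected MANUAL")
    if info["peer_sgt"] != expected_sgt:
        problems.append(f"peer SGT is {info['peer_sgt']}, expected {expected_sgt}")
    if not info["peer_sgt_trusted"]:
        problems.append("peer SGT assignment is not Trusted")
    if not info["propagate_sgt"]:
        problems.append("Propagate SGT is not Enabled")
    return problems
```

Run against the two captures, the C9200CX uplink returns no problems while the C3560CX uplink reports only that CTS is disabled, which matches the missing `cts manual` on the FE-053 side of that port-channel.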
A bit confusing sentences... Can you first attach a diagram of how you connect the C3560CX to the fabric?

The C3560CX is implemented as an office extender node and is connected to a Fabric Edge C9300.

Have you actually succeeded in promoting the C3560CX to the ExtendedNode role?

@m.maier 

Which license does this switch have?

The C3560CX has an RTU license active.

Feature: iServices
License Type: PermanentRightToUse

I'm afraid you need DNA Advantage for ExtendedNode functionality on the C3560CX.
Solutions - Cisco SD-Access Ordering Guide - Cisco

jeaves@cisco.com
Cisco Employee

See here for the policy extended node guide: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-3-7/user_guide/b_cisco_dna_center_ug_2_3_7/b_cisco_dna_center_ug_2_3_7_chapter_01110.html#id_97609
See that the 3560CX cannot be used as a PEN. The 9200 has a full IP-based TrustSec architecture and supports inline tagging to the edge, hence the orchestration of cts manual / policy static sgt 8000 trusted. The 3560CX on the other hand has a legacy port-based architecture and can only be added as a general extended node, not a policy extended node (PEN). I hope that answers the question.

Great! Thanks a lot for the fast response.

Markus and I work together; we headed into that issue and were struggling with it.
Have a good day.