Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
880
Views
5
Helpful
8
Replies

SDA Multisite: carry SGTs via ACI Fabric?

Go to solution
Sylvain_Che
Level 1
Level 1

‎06-13-2023 11:39 PM

Hello,

I'm planning a multisite SD-Access Fabric. Both sites are connected to an ACI Fabric and connectivity between both SDA Fabric sites should occur via this ACI Fabric.
IP-Transit will be configured. SD-Access Transit was not possible (not enough hardware purchased).

How then VN/SGT information should be carried between Fabric Sites? I don't know how ACI can transport this segmentation information. Inline Tagging? SXP between ISE and SDA Border nodes? Other mean?

Online documentation only shows the interaction between SGTs and EPGs but not the transport of the SGTs.


Regards,
Sylvain.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jedolphi
Cisco Employee
Cisco Employee

‎06-14-2023 12:59 AM

"the transport of SGTs between Fabric Sites can be handled by ACI switches using Inline Tagging method?"

Sylvian, you can review the TrustSec capabilitiy matrix to see which Cisco switching platforms support SGT in Ethernet,

https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/solution-overview-listing.html

SGT in Ethernet not supported on ACI switches. Use SD-Access Transit or use SXP from ISE to Border Nodes, noting that SXP from ISE will not carry static SGTs (static port-SGT or static VLAN-SGT) as ISE did not assign static SGTs it will not populate them into the SXP table.

Cheers, Jerome

View solution in original post

8 Replies 8

Go to solution
jalejand
Cisco Employee
Cisco Employee

‎06-13-2023 11:45 PM - edited ‎06-13-2023 11:49 PM

If the entire path between the SD Access Fabric to ACI supports inline tagging, this would be the less resource-intensive approach, but of course all the devices in between would need to support inline tagging and its propagation.

 

If your classification of SGT-IP mappings is relatively small (mapping entire subnets to an SGT rather than individual endpoints) you could simply use manual SGT-IP binding in Borders or Fusions, this will download the required rules automatically.
 
The commands would be (with VRF awareness):

  cts role-based sgt-map vrf xxxx x.x.x.x/xx sgt xx

But if you want dynamic mappings between fabric networks, SXP would be the way to do it (with the appropriate filtering/summarization as CTS mappings are bound to hardware/tcam resources). SXP can also import radius live sessions into bindings so authenticated endpoints in each fabric can be advertised via SXP to the rest of fabric sites (borders).

 

For SXP, take a look to:

 

https://community.cisco.com/t5/security-knowledge-base/policy-enforcement-within-sda-border/ta-p/3646816

0 Helpful

Go to solution
Sylvain_Che
Level 1
Level 1
In response to jalejand

‎06-14-2023 12:05 AM

Hi,

So in the following scenario (see screenshot) where both SDA Fabric Sites are directly connected to ACI Fabric (no intermediate devices), the transport of SGTs between Fabric Sites can be handled by ACI switches using Inline Tagging method?

Sylvain_Che_0-1686726178469.png

If so, is there something to configure in ACI ?

Sylvain.

0 Helpful

Go to solution
andy!doesnt!like!uucp
Spotlight
Spotlight
In response to Sylvain_Che

‎06-14-2023 12:26 AM

this looks like a bit unusual scenario for leveraging 2 x L3Outs on the ACI to both provide access to ACI's endpoints & to interconnect 2 x SDA Fabric Sites. while technically this might be possible i'm pretty sure u wont be able to use ACI either to transport inline CTS L2-CMD or apply CTS role-based commands on the leaves.  

Go to solution
andy!doesnt!like!uucp
Spotlight
Spotlight

‎06-14-2023 12:12 AM

I hardly can find use-case where one would use ACI as transit between 2 Sites of multi-site SDA Fabric...

Can u shed more light on it?

is slide 12 of BRKCRS-2815 (ciscolive.com)  what u want to achieve with ACI replacing dwdm/metro in orange-bordered cloud?

Go to solution
Sylvain_Che
Level 1
Level 1
In response to andy!doesnt!like!uucp

‎06-14-2023 12:26 AM

Both fabric sites have direct connection to the datacenter (ACI fabric). There are some use-cases where we need to enforce TrustSec policies between fabric sites actually.

Yes exactly as depicted in the slide, replacing dwdm/metro cloud via ACI.

0 Helpful

Go to solution
andy!doesnt!like!uucp
Spotlight
Spotlight
In response to Sylvain_Che

‎06-14-2023 12:38 AM - edited ‎06-14-2023 12:39 AM

well, if u have ACI Fabric u also must have minimum 1 L3Out to the external world. in turns there already must be some non-ACI HW/SW u support ACI's L3Out with on the opposite side of that L3Out physical link. From any perspective that HW would be much more convenient place to interconnect your 2 SDA Sites.   

Go to solution
jedolphi
Cisco Employee
Cisco Employee

‎06-14-2023 12:59 AM

"the transport of SGTs between Fabric Sites can be handled by ACI switches using Inline Tagging method?"

Sylvian, you can review the TrustSec capabilitiy matrix to see which Cisco switching platforms support SGT in Ethernet,

https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/solution-overview-listing.html

SGT in Ethernet not supported on ACI switches. Use SD-Access Transit or use SXP from ISE to Border Nodes, noting that SXP from ISE will not carry static SGTs (static port-SGT or static VLAN-SGT) as ISE did not assign static SGTs it will not populate them into the SXP table.

Cheers, Jerome

Go to solution
Sylvain_Che
Level 1
Level 1
In response to jedolphi

‎06-14-2023 01:31 AM

Thank you Jerome, helpful as always. It answers my question.

Cheers,
Sylvain.

0 Helpful
Customers Also Viewed These Support Documents