02-09-2023 01:20 AM
Hi Guys,
here is a use case for the subject: a topology comprised of multiple branch LANs interconnected to the DC via ASA FWs (which are in fact fusion routers) on the WAN edge.
The ASAs have their policies configured using SGTs (the ASAs are managed by CSM integrated with ISE, from where CSM collects SGTs for the vast majority of flows). For some reason we don't want to build VXLAN tunnels between the BNs & ASAs. But we still want to deliver campus traffic with SGTs in the packets, and for this we have an L2-SGT enabled interconnect between BN & FW.
Q: does Cisco suggest an option of translating VXLAN SGT into L2-SGT & vice versa on the BNs?
Thanks in advance.
02-13-2023 03:37 AM
Yes, correct.
As well as enabling inline tagging on the fusion:
If the Border is a switch then just configure 'cts manual / policy static sgt x trusted' on the trunk.
If the Border is a router then just configure 'cts manual / policy static sgt x trusted' on the sub-interfaces.
These commands are not automated by DNAC so will need to be added manually.
In the Northbound direction, the SGT will be received by the Border via VXLAN from the Fabric Edge, and the Border will forward it northbound in the CMD field to the Fusion.
In the Southbound direction, the SGT will be received by the Border via CMD from the Fusion, and the Border will forward it southbound in VXLAN to the Fabric Edge (where it will be enforced).
02-10-2023 07:12 AM - edited 02-13-2023 01:44 AM
UPD: according to Segmentation Strategy - Cisco Community, the BN should implement the translation automatically as soon as the (sub)interface(s) toward the FR are configured for L2-SGT (i.e. cts manual; cts propagate; policy static sgt 2 trusted):
"In an SDA deployment, VXLAN would be used to propagate the source SGT from Edge to Border and then inline tagging could be utilized from the Border to the destination DC switch."
"Note: An SDA Border can take the SGT from the VXLAN header and insert it into the L2 CMD field i.e. inline tag it to the likes of a connected fusion device. The same is true in the other direction."
Do I get it correctly?
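What the Border does in both directions, as an added worked example that is not from this thread or from any Cisco code: it lifts the SGT out of the VXLAN-GPO Group Policy ID field and rewrites it as an inline CMD tag (EtherType 0x8909) toward the fusion, and reverses that southbound. The header layouts are assumed from the VXLAN-GBP draft and from Wireshark's Cisco MetaData dissector, and the sample header and frame are constructed.

```python
import struct

# Assumed layouts (not from the thread): VXLAN-GBP per draft-smith-vxlan-group-policy,
# CMD tag as decoded by Wireshark. G flag = group policy present, I flag = VNI valid.
VXLAN_G_FLAG, VXLAN_I_FLAG = 0x80, 0x08
CMD_ETHERTYPE, CMD_SGT_OPTION = 0x8909, 0x0001

def parse_vxlan_gpo(hdr: bytes):
    """Return (vni, sgt) from an 8-byte VXLAN-GPO header; sgt is None when untagged."""
    flags, _, gpid, vni_res = struct.unpack("!BBHI", hdr[:8])
    if not flags & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag not set")
    sgt = gpid if flags & VXLAN_G_FLAG else None
    return vni_res >> 8, sgt

def build_vxlan_gpo(vni: int, sgt=None) -> bytes:
    """Encode a VXLAN-GPO header; the SGT (if any) rides in the Group Policy ID field."""
    flags = VXLAN_I_FLAG | (VXLAN_G_FLAG if sgt is not None else 0)
    return struct.pack("!BBHI", flags, 0, sgt or 0, vni << 8)

def build_cmd_tag(sgt: int, inner_ethertype: int) -> bytes:
    """CMD tag: EtherType 0x8909, version 1, length 1, SGT option, SGT, original EtherType."""
    return struct.pack("!HBBHHH", CMD_ETHERTYPE, 1, 1, CMD_SGT_OPTION, sgt, inner_ethertype)

def parse_cmd_tag(frame: bytes):
    """Return (sgt, inner_ethertype) if the Ethernet frame carries a CMD tag, else None."""
    if struct.unpack("!H", frame[12:14])[0] != CMD_ETHERTYPE:
        return None
    ver, _length, opt, sgt, inner = struct.unpack("!BBHHH", frame[14:22])
    if ver != 1 or opt != CMD_SGT_OPTION:
        raise ValueError("unsupported CMD tag")
    return sgt, inner

def northbound(vxlan_hdr: bytes, inner_frame: bytes) -> bytes:
    """Border -> fusion: take the SGT from VXLAN and insert it inline as a CMD tag."""
    _vni, sgt = parse_vxlan_gpo(vxlan_hdr)
    if sgt is None:
        return inner_frame                      # untagged traffic stays untagged
    inner_ethertype = struct.unpack("!H", inner_frame[12:14])[0]
    return inner_frame[:12] + build_cmd_tag(sgt, inner_ethertype) + inner_frame[14:]

def southbound(cmd_frame: bytes, vni: int):
    """Fusion -> border: strip the CMD tag and carry the SGT in the VXLAN-GPO header."""
    tag = parse_cmd_tag(cmd_frame)
    if tag is None:
        return build_vxlan_gpo(vni), cmd_frame  # no SGT learned from the fusion
    sgt, inner_ethertype = tag
    plain = cmd_frame[:12] + struct.pack("!H", inner_ethertype) + cmd_frame[22:]
    return build_vxlan_gpo(vni, sgt), plain
```

The 8-byte growth of the northbound frame is the CMD overhead the interconnect MTU must absorb.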
02-13-2023 03:44 AM
Hi Jonothan,
another ton of thanks for the clarification!