Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
428
Views
16
Helpful
3
Replies

SGT VXLAN into L2-SGT translation option

Go to solution
andy!doesnt!like!uucp
Spotlight
Spotlight

‎02-09-2023 01:20 AM

Hi Guys

here is use-case for subject with topology comprised with multiple branches LANs interconnected to DC via ASA FWs (which are fusion routers in fact) on WAN-edge.

ASAs have their policies configured using SGTs (ASAs are managed by CSM integrated with ISE from where CSM collects SGTs for vast majority of flows). for some reason we dont want to build VXLAN tunnels between BNs & ASAs. But we still want to deliver campus traffic with SGTs in packets & we have for this L2-SGT enabled interconnect between BN & FW

Q is does Cisco suggest an option of translation VXLAN SGT into L2-SGT & vice versa on the BNs?

thanks in advance

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee
In response to andy!doesnt!like!uucp

‎02-13-2023 03:37 AM

Yes, correct.
As well as enabling inline tagging on the fusion:
If the Border is a switch then just configure 'cts manual / policy static sgt x trusted' on the trunk.
If the Border is a router then just configure 'cts manual / policy static sgt x trusted' on the sub-interfaces.
These commands are not automated by DNAC so will need to be added manually.
In the Northbound direction, the SGT will be received by the Border via VXLAN from the Fabric Edge, and the Border will forward it northbound in the CMD field to the Fusion.
In the Southbound direction, the SGT will be received by the Border via CMD from the Fusion, and the Border will forward it southbound in VXLAN to the Fabric Edge (where it will be enforced).

View solution in original post

3 Replies 3

Go to solution
andy!doesnt!like!uucp
Spotlight
Spotlight

‎02-10-2023 07:12 AM - edited ‎02-13-2023 01:44 AM

UPD: according to Segmentation Strategy - Cisco Community BN should implement translation automatically as soon as  (sub)interface(s) toward FR are configured for L2-SGT (i.e. cts manual; cts propagate ; policy static sgt 2 trusted):

"In an SDA deployment, VXLAN would be used to propagate the source SGT from Edge to Border and then inline tagging could be utilized from the Border to the destination DC switch."

"Note: An SDA Border can take the SGT from the VXLAN header and insert it into the L2 CMD field i.e. inline tag it to the likes of a connected fusion device. The same is true in the other direction."

do i get it correctly?

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee
In response to andy!doesnt!like!uucp

‎02-13-2023 03:37 AM

Yes, correct.
As well as enabling inline tagging on the fusion:
If the Border is a switch then just configure 'cts manual / policy static sgt x trusted' on the trunk.
If the Border is a router then just configure 'cts manual / policy static sgt x trusted' on the sub-interfaces.
These commands are not automated by DNAC so will need to be added manually.
In the Northbound direction, the SGT will be received by the Border via VXLAN from the Fabric Edge, and the Border will forward it northbound in the CMD field to the Fusion.
In the Southbound direction, the SGT will be received by the Border via CMD from the Fusion, and the Border will forward it southbound in VXLAN to the Fabric Edge (where it will be enforced).

Go to solution
andy!doesnt!like!uucp
Spotlight
Spotlight
In response to jeaves@cisco.com

‎02-13-2023 03:44 AM

Hi Jonothan

another tons of thanks for clarification!

Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card