Problem with SGT enforcement on Cat 4500 v3.9 and later

Josh Morris (Level 3)

I have an issue where even though my SGTs and SGACL appear to be working correctly, traffic is not being enforced based on the SGACL. While working with TAC, they shared the following note, but haven't yet been able to expand on this statement. Can anyone help me understand this? The switch I'm working with is a Cat 4510 on 3.16. It is a L2 only switch, no L3 other than mgmt, and no vrfs...which is why I'm having a hard time tying this statement to my situation.

Catalyst 4500 Series Release 3.9 and later, with the introduction of VRF, an SVI is needed for L3 lookup to derive SGT for switched traffic, and a SVI is also needed on the VLAN for the derivation of source group for L2 traffic.

Cisco Group Based Policy – Platform and Capability Matrix


4 Replies

balaji.bandi (Hall of Fame)

What supervisor do you have, and what does your config look like?

Do you have ISE? What version?

BB

SUP8-E, ISE v3.1, patch 3

n-z3swidf17#show run | sec cts
aaa authentication login cts-list group ISE_RADIUS local
aaa authorization network cts-list group ISE_RADIUS 
cts authorization list cts-list
cts role-based enforcement
cts role-based enforcement vlan-list 1-4094
n-z3swidf17#show cts role-based sgt-map all 
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
10.42.58.18             5       LOCAL
10.42.58.30             7       LOCAL
10.42.91.178            7       LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of LOCAL    bindings = 3
Total number of active   bindings = 3

n-z3swidf17#show cts role-based permissions from 5 to 7
IPv4 Role-based permissions from group 5:TEST_1 to group 7:TEST_2:
	DENY_443_LOG-10
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

Hi

I ran into a similar situation with an L2 3650 stack a while back. SGT assignment was by VLAN-to-SGT, and IP Source Guard was enabled.

from:

https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/appa_cat3k.html

the 3650 restrictions were:

Cisco TrustSec cannot be configured on a pure bridging domain with the IPSG feature enabled. You must disable the IPSG feature in the bridging domain.

For Cisco IOS Release 3.7E and later, Cisco TrustSec VLAN-to-SGT binding cannot be enabled in pure bridging domain. You have to either manually enable IP device tracking on the ports in the VLAN, or enable SVI interface for the VLAN.


I got SGACL enforcement working by:

  • enabling "ip routing" on the switch
  • replacing the default-gateway command with a default route for the mgmt SVI
  • creating SVIs (with no IP address) for all the client VLANs

With the above in place, SGACL enforcement worked. From what you've posted, you aren't doing VLAN-to-SGT mapping, but the above may be worth a try.

hth
Andy

jeaves@cisco.com (Cisco Employee), accepted solution

Yes, you're switching within VLAN X. Your endpoints are receiving (or have) an IP address from a subnet range, say 10.10.1.0/24 for example. If you're purely switching then the default gateway for VLAN X will be on a platform north-bound somewhere, that default gateway probably being something like 10.1.1.1 or 10.10.1.254.
To add an SVI on the 4500, just add a VLAN interface and add an unused IP from within that subnet range, e.g.
interface vlan X
  ip address 10.10.1.200 255.255.255.0
As Andrew mentioned above, the IP may not be required under the VLAN interface; add one if needed to get it to work.
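Andy's three steps and the SVI suggestion above, combined into one worked configuration for the pure-L2 4500 in this thread. This is an added example, not config posted by anyone in the thread. The VLAN IDs 58 and 91, the 10.42.0.1 management gateway and the 10.42.58.200 SVI address are assumptions chosen to line up with the subnets in the sgt-map output; replace them with your own addressing before applying anything.

```ios
! Added example: prerequisites for SGACL enforcement on a pure-L2 Cat 4500
! (SUP8-E, IOS-XE 3.16) per the steps in this thread. VLAN 58/91, the
! 10.42.0.1 gateway and 10.42.58.200 are assumed values, not from the posts.
!
! 1. Enable L3 forwarding. Without this the release-note L3 lookup that
!    derives the SGT for switched traffic does not happen.
ip routing
!
! 2. 'ip default-gateway' is only honored while ip routing is disabled, so
!    replace it with a static default route toward the mgmt SVI's gateway.
no ip default-gateway
ip route 0.0.0.0 0.0.0.0 10.42.0.1
!
! 3. One SVI per client VLAN that falls inside the enforcement vlan-list.
!    Variant a) address-less SVI (Andy's approach): no L3 hop is created.
interface Vlan91
 description SGT-derivation SVI, address-less
 no ip address
 no shutdown
!    Variant b) an unused address from the VLAN's own subnet (the accepted
!    answer), only if the address-less SVI does not get enforcement going.
interface Vlan58
 description SGT-derivation SVI, assumed unused address in 10.42.58.0/24
 ip address 10.42.58.200 255.255.255.0
 no shutdown
!
! Enforcement config exactly as already posted in the thread.
cts role-based enforcement
cts role-based enforcement vlan-list 1-4094
!
! Verification (exec mode). Bindings and permissions already looked right
! in the original post; the role-based counters are what should start
! incrementing once the DENY_443_LOG-10 SGACL is actually being applied.
! show cts role-based sgt-map all
! show cts role-based permissions from 5 to 7
! show cts role-based counters
```

One caveat worth checking before choosing variant b): once ip routing is on, every SVI that carries an address is a routed hop. Endpoints keep using the upstream gateway, but if you give several client-VLAN SVIs addresses in different subnets, the 4500 will happily route between those VLANs itself, bypassing whatever sits at the real gateway. Prefer the address-less SVIs where they work, and if addresses are needed, confirm with show ip route that only the connected subnets and the default route are present.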