- Understanding Cisco TrustSec
- Configuring the Cisco TrustSec Solution
- Configuring Identities and Connections
- Configuring SGACL Policies
- TrustSec SGACL High Availability
- SGT Exchange Protocol over TCP (SXP)
- VRF-Aware SGT
- IP-Prefix and SGT-Based SXP Filtering
- SGT Inline Tagging
- Configuring Cisco TrustSec Reflector and Caching
- Configuring Endpoint Admission Control
- Cisco TrustSec Command Summary
- Considerations for Catalyst 3000 and 2000 Series Switches and Wireless LAN Controller 5700 Series
- Considerations for Catalyst 4500 Series Switches
- Considerations for Catalyst 6500 Series Switches
- Glossary
Cisco TrustSec VRF-Aware SGT
The Cisco TrustSec VRF-Aware SGT feature binds a Security Group Tag (SGT) Exchange Protocol (SXP) connection with a specific virtual routing and forwarding (VRF) instance.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Cisco TrustSec VRF-Aware SGT
VRF-Aware SGT
Cisco TrustSec uses security group tags (SGTs) to ensure that packets passing through the Cisco TrustSec network can be properly identified and applied with security and other access control policies.
The SGT implementation of VRF binds a Security Group Tag (SGT) Exchange Protocol (SXP) connection to a specific VRF. The assumption is that the network topology is configured for Layer 2 or Layer 3 VPNs, with all VRFs configured before enabling Cisco TrustSec.
SXP VRF support can be summarized as follows:
- The same VRF can have multiple SXP connections, with different source and peer IP address. SXP has no limitation on the number of connections and number of IP–SGT mappings per VRF.
- Different VRFs may have overlapping SXP peer or source IP addresses.
- IP–SGT mappings learned (added or deleted) in one VRF can be updated only in the same VRF domain. The SXP connection cannot update a mapping bound to a different VRF. If no SXP connection exits for a VRF, IP–SGT mappings for that VRF is not updated by SXP.
- Multiple address families per VRF is supported. Therefore, one SXP connection in a VRF domain can forward both IPV4 and IPV6 IP-SGT mappings.
You can map an SGT to a VRF using the cts role-based sgt-map vrf vrf-name command.
VRF-to-Layer 2 VLAN assignments are specified with the cts role-based l2-vrf vrf-name vlan-list command. A VLAN is considered a Layer 2 VLAN when there is no switch virtual interface (SVI) with an IP address configured on the VLAN. The VLAN becomes a Layer 3 VLAN once an IP address is configured on its SVI.
VRF assignments configured by the cts role-based l2-vrf command are active as long as a VLAN remains a Layer 2 VLAN.
Note
Cisco IOS XE 3.9.2E on Catalyst 4500 Series Switch supports VRF aware SGT only for Layer 3 VLAN.
The IP–SGT bindings learned while a VRF assignment is active are also added to the Forwarding Information Base (FIB) table associated with the VRF and the IP protocol version. If an SVI becomes active for a VLAN, the VRF-to-VLAN assignment becomes inactive and all bindings learned on the VLAN are moved to the FIB table associated with the SVI’s VRF.
The VRF-to-VLAN assignment is retained even when the assignment becomes inactive. It is reactivated when the SVI is removed or when the SVI IP address is removed. When reactivated, the IP–SGT bindings are moved back from the FIB table associated with the SVI’s VRF to the FIB table associated with the VRF assigned by the cts role-based l2-vrf command.
Starting with Cisco IOS XE 3.9.2E, you can assign SGT to End-point IDs (EIDs) in LISP configuration, with the VRF aware SGT feature.
How to Configure VRF-Aware SGT
Configuring VRF-to-Layer-2-VLAN Assignments
Configuring VRF-to-SGT Mapping
Configuration Examples for Cisco TrustSec VRF-Aware SGT
Example: Configuring VRF-to-Layer2-VLAN Assignments
Example: Configuring VRF-to-SGT Mapping
Additional References for Configuring Cisco TrustSec VRF-Aware SGT
Related Documents
|
|
|
|---|---|
“ Managing Switch Stacks ” chapter in the Software Configuration Guide, Cisco IOS XE Denali 16.3.1 (Catalyst 3850 Switches) |
Standards & MIBs
|
|
|
|---|---|
|
|
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
Feature Information for Cisco TrustSec VRF-Aware SGT
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feedback