Published On: August 3ʳᵈ, 2020 08:22

Cisco TrustSec Configuration Guide, Cisco IOS XE Amsterdam 17.3.x (Catalyst 9500 Switches)

The Cisco TrustSec VRF-Aware SGT feature binds a Security Group Tag (SGT) Exchange Protoco (SXP) connection with a specific virtual routing and forwarding (VRF) instance.

VRF-Aware SXP

The SXP implementation of Virtual Routing and Forwarding (VRF) binds an SXP connection with a specific VRF. It is assumed that the network topology is correctly configured for Layer 2 or Layer 3 VPNs, with all VRFs configured before enabling Cisco TrustSec.

SXP VRF support can be summarized as follows:

  • Only one SXP connection can be bound to one VRF.

  • Different VRFs may have overlapping SXP peer or source IP addresses.

  • IP–SGT mappings learned (added or deleted) in one VRF can be updated only in the same VRF domain. The SXP connection cannot update a mapping bound to a different VRF. If no SXP connection exits for a VRF, IP–SGT mappings for that VRF won’t be updated by SXP.

  • Multiple address families per VRF is supported. Therefore, one SXP connection in a VRF domain can forward both IPV4 and IPV6 IP-SGT mappings.

  • SXP has no limitation on the number of connections and number of IP–SGT mappings per VRF.

How to Configure Cisco TrustSec VRF-Aware SGT

This section describes how to configure Cisco TrustSec VRF-Aware SGT.

Configuring VRF-to-Layer-2-VLAN Assignments

Procedure

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:


Device(config)# interface vlan 101

Enables an interface and enters interface configuration mode.

Step 4

vrf forwarding vrf-name

Example:


Device(config-if)# vrf forwarding vrf-intf

Associates a VRF instance or a virtual network with an interface or subinterface.

Note 

Do not configure VRFs on the management interface.

Step 5

exit

Example:


Device(config-if)# end

Exits interface configuration mode and returns to global configuration mode.

Step 6

cts role-based l2-vrf vrf1 vlan-list 20

Example:


Device(config)# cts role-based l2-vrf vrf1 vlan-list 20

Selects a VRF instance for Layer 2 VLANs.

Step 7

end

Example:


Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Configuring VRF-to-SGT Mapping

Procedure

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

cts role-based sgt-map vrf vrf-name {ip4_netaddress | ipv6_netaddress | host {ip4_address | ip6_address}}] sgt sgt_number

Example:


Device(config)# cts role-based sgt-map vrf red 10.0.0.3 sgt 23

Applies the SGT to packets in the specified VRF.

The IP-SGT binding is entered into the IP-SGT table associated with the specified VRF and the IP protocol version implied by the type of IP address.

Step 4

end

Example:


Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Configuration Examples for Cisco TrustSec VRF-Aware SGT

The following sections show configuration examples of Cisco TrustSec VRF-Aware SGT:

Example: Configuring VRF-to-Layer2-VLAN Assignments

Device> enable
Device# configure terminal
Device(config)# interface vlan 101
Device(config-if)# vrf forwarding vrf-intf
Device(config-if)# exit
Device(config)# cts role-based l2-vrf vrf1 vlan-list 20
Device(config)# end

Example: Configuring VRF-to-SGT Mapping

Device> enable
Device# configure terminal
Device(config)# cts role-based sgt-map vrf red 23.1.1.2 sgt 23
Device(config)# end

Additional References for Configuring Cisco TrustSec VRF-Aware SGT

Related Documents

Related Topic Document Title

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

Feature History for Cisco TrustSec VRF-Aware SGT

This table provides release and related information for features explained in this module.

These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

Release

Feature

Feature Information

Cisco IOS XE Everest 16.5.1a

Cisco TrustSec VRF-Aware SGT

The Cisco TrustSec VRF-Aware SGT feature binds a SGT SXP connection with a specific VRF instance.

Support for this feature was introduced only on the C9500-12Q, C9500-16X, C9500-24Q, C9500-40X models of the Cisco Catalyst 9500 Series Switches.

Cisco IOS XE Fuji 16.8.1a

Cisco TrustSec VRF-Aware SGT

Support for this feature was introduced on the C9500-32C, C9500-32QC, C9500-48Y4C, and C9500-24Y4C models of the Cisco Catalyst 9500 Series Switches.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.