Cisco Bug: CSCvh71705 - Due to IP device tracking no longer available TrustSec cannot map IP SGT to MAC address without SVI
Aug 13, 2019
- Cisco MDS 9000 NX-OS and SAN-OS Software
Known Affected Releases
Symptom: Two servers in the same VLAN that have been assigned different SGTs are able to communicate with each other, even though the policy for those SGTs should block the traffic.

Conditions: Because the servers are in the same VLAN, they communicate directly at Layer 2 (by MAC address), and the switch has no MAC-to-SGT mapping. What it does have is an IP-to-SGT map, but it lacks an IP-to-MAC map to tie the two together. When an SVI is configured, CTS/TrustSec enforcement works as expected. From what I discovered, this happens because ARP on the SVI populates the IP-to-MAC entries, so the SGT-to-IP mapping becomes usable: the switch now has a MAC -> IP -> SGT chain and can enforce policies. If the L3 interface is removed, the switch cannot match the IP to a MAC, does not apply the policies for that SGT, and permits the traffic as the Unknown tag (per policy). Previously this information could have been taken from IP Device Tracking, but that feature was discontinued and is no longer available. Thus the feature is broken.
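The lookup chain the bug describes, as an added example that is not part of the Cisco bug record or of any Cisco code: a small Python model of a switch that holds IP-to-SGT bindings, forwards same-VLAN traffic by MAC, and must therefore resolve MAC -> IP -> SGT to find an endpoint's tag. The IP-to-MAC table is filled either by ARP on an SVI or by IP Device Tracking; with it empty, both endpoints resolve to the Unknown tag and the deny policy is never matched. The server addresses, SGT numbers, the `UNKNOWN_SGT` value, the permit-by-default behaviour for unmatched pairs, and resolving the source SGT through the same MAC path are all assumptions made for illustration; the real platform's lookup order is not described on the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Tag used when the switch cannot resolve an SGT for an endpoint.
# (Constructed for this model; the page only calls it the "Unknown" tag.)
UNKNOWN_SGT = 0


@dataclass
class Frame:
    """A Layer-2 frame as the switch sees it on a same-VLAN path."""
    src_mac: str
    dst_mac: str
    vlan: int


@dataclass
class Switch:
    """Minimal model of TrustSec enforcement state on one switch."""
    ip_to_sgt: Dict[str, int]                  # IP-SGT bindings (what the switch does have)
    ip_to_mac: Dict[str, str]                  # ARP via SVI, or IPDT; empty when neither exists
    sgacl: Dict[Tuple[int, int], str]          # (src_sgt, dst_sgt) -> "permit" | "deny"
    default_action: str = "permit"             # assumed action for pairs not in the matrix

    def sgt_for_mac(self, mac: str) -> int:
        """Resolve MAC -> IP -> SGT; Unknown when the IP-to-MAC hop is missing."""
        for ip, known_mac in self.ip_to_mac.items():
            if known_mac.lower() == mac.lower():
                return self.ip_to_sgt.get(ip, UNKNOWN_SGT)
        return UNKNOWN_SGT

    def enforce(self, frame: Frame) -> Tuple[str, int, int]:
        """Return (action, src_sgt, dst_sgt) for one switched frame."""
        src_sgt = self.sgt_for_mac(frame.src_mac)
        dst_sgt = self.sgt_for_mac(frame.dst_mac)
        action = self.sgacl.get((src_sgt, dst_sgt), self.default_action)
        return action, src_sgt, dst_sgt

    def unresolvable_bindings(self) -> List[str]:
        """IP-SGT bindings with no IP-to-MAC entry: policy for these is silently skipped."""
        return sorted(ip for ip in self.ip_to_sgt if ip not in self.ip_to_mac)


# Constructed lab data: two servers in VLAN 100 with different SGTs and a deny policy.
SERVER_A = ("10.1.100.11", "0000.0c11.aaaa", 10)   # (ip, mac, sgt)
SERVER_B = ("10.1.100.12", "0000.0c11.bbbb", 20)
POLICY = {(10, 20): "deny", (20, 10): "deny"}


def build_switch(svi_present: bool) -> Switch:
    """Switch state with the SVI (ARP fills IP-to-MAC) or without it (table empty)."""
    bindings = {SERVER_A[0]: SERVER_A[2], SERVER_B[0]: SERVER_B[2]}
    arp = {SERVER_A[0]: SERVER_A[1], SERVER_B[0]: SERVER_B[1]} if svi_present else {}
    return Switch(ip_to_sgt=bindings, ip_to_mac=arp, sgacl=POLICY)


def a_to_b(svi_present: bool) -> Tuple[str, int, int]:
    """Action the switch takes on a frame from server A to server B."""
    sw = build_switch(svi_present)
    return sw.enforce(Frame(src_mac=SERVER_A[1], dst_mac=SERVER_B[1], vlan=100))


if __name__ == "__main__":
    for svi in (True, False):
        action, s, d = a_to_b(svi)
        gaps = build_switch(svi).unresolvable_bindings()
        print(f"svi={svi}: sgt {s} -> sgt {d}: {action}; bindings without a MAC: {gaps}")
```

With the SVI present the frame resolves to 10 -> 20 and is denied; without it both ends resolve to Unknown, the pair is not in the matrix, and the traffic is permitted, which is exactly the symptom reported. The `unresolvable_bindings` check is the one worth reproducing on a real switch: compare the IP-SGT binding table with the ARP or IP-to-MAC table for the VLAN (on NX-OS, `show cts role-based sgt-map` against `show ip arp`); any binding with no IP-to-MAC entry is one the policy will not be applied to on a Layer-2 path.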