Validating SGT Inline with Netflow and Embedded Packet Capture

In the last article, Learning TrustSec, An Introduction to Inline Tagging, we took a quick look at manual configuration of SGT Inline Tagging in a manual configuration. We also performed some validation with show commands and proved the operation by enabling enforcement.

In today’s article, we will perform slightly deeper validation of the inline imposition itself. For this process, we will use Netflow and Embedded Packet Capture. I happen to know that there is already EIGRP traversing the link that will help produce some output. Let’s just jump right in with a very basic Netflow configuration.

Netflow Configuration

//you could additionally configure and exporter
//if there is a proper netflow collector

flow record my_record_output
 match flow cts source group-tag
 match flow cts destination group-tag
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
flow monitor my_monitor_output
 record my_record_output
interface GigabitEthernet1/0/1
 description trunk to c9kSW2
 switchport mode trunk
 ip flow monitor my_monitor_output output
 cts manual
  policy static sgt 100 trusted

Verification Using Netflow

c9kSW1#show flow monitor my_monitor_output cache
  Cache type:                               Normal (Platform cache)
  Cache size:                                10000
  Current entries:                               1

  Flows added:                                   9
  Flows aged:                                    8
    - Active timeout      (  1800 secs)          2
    - Inactive timeout    (    15 secs)          6

TRNS SOURCE PORT:                0
FLOW CTS SOURCE GROUP TAG:       2   <<<<<<--This is the SGT
IP PROTOCOL:                     88

I also wanted to show the output of a quick packet capture. For that, we will configure Embedded Packet Capture on the switch.

Capture Configuration

//define an ACL to match the desired traffic (I know I have EIGRP)
ip access-list extended EIGRP
 permit eigrp any any

//set the monitor session up--Note this is
//done at the privilege exec (#) prompt
monitor capture MYCAPT interface gigabitEthernet 1/0/1 both access-list EIGRP

//start the capture
monitor capture MYCAPT start

//stop the capture
monitor capture MYCAPT stop

Validate by Viewing the Packet Capture

//this assumes the capture is stopped (last step of previous section)
c9kSW1#show monitor capture MYCAPT buffer detailed
Starting the packet display ........ Press Ctrl + Shift + 6 to exit

Frame 1: 82 bytes on wire (656 bits), 82 bytes captured (656 bits) on interface 0
    Interface id: 0 (/tmp/epc_ws/wif_to_ts_pipe)
    Encapsulation type: Ethernet (1)
    Arrival Time: May  8, 2018 00:57:08.845447000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1525741028.845447000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 82 bytes (656 bits)
    Capture Length: 82 bytes (656 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:cmd:ethertype:ip:eigrp]
Ethernet II, Src: 00:1b:2a:1e:de:37 (00:1b:2a:1e:de:37), Dst: 01:00:5e:00:00:0a (01:00:5e:00:00:0a)
    Destination: 01:00:5e:00:00:0a (01:00:5e:00:00:0a)
        Address: 01:00:5e:00:00:0a (01:00:5e:00:00:0a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: 00:1b:2a:1e:de:37 (00:1b:2a:1e:de:37)
        Address: 00:1b:2a:1e:de:37 (00:1b:2a:1e:de:37)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: CiscoMetaData (0x8909)
Cisco MetaData
    Version: 1
    Length: 1
    Options: 0x0001
    SGT: 3         <<<<<<<<<------This is the SGT
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src:, Dst:
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)

<-- snip -->

As we can see here, Netflow and Embedded Packet Capture are two quick and dirty ways to get deeper knowledge about what is traversing a link. In this case, we have reinforced the fact that we are imposing SGTs as additional metadata on our ethernet frames.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may does not reflect the position of past, present or future employers.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in How-To. Bookmark the permalink.