In the last article, Learning TrustSec, An Introduction to Inline Tagging, we took a quick look at manual configuration of SGT Inline Tagging in a manual configuration. We also performed some validation with show commands and proved the operation by enabling enforcement.
In today’s article, we will perform slightly deeper validation of the inline imposition itself. For this process, we will use Netflow and Embedded Packet Capture. I happen to know that there is already EIGRP traversing the link that will help produce some output. Let’s just jump right in with a very basic Netflow configuration.
//you could additionally configure and exporter //if there is a proper netflow collector flow record my_record_output match flow cts source group-tag match flow cts destination group-tag match ipv4 source address match ipv4 destination address match ipv4 protocol match transport source-port match transport destination-port flow monitor my_monitor_output record my_record_output ! interface GigabitEthernet1/0/1 description trunk to c9kSW2 switchport mode trunk ip flow monitor my_monitor_output output cts manual policy static sgt 100 trusted
Verification Using Netflow
c9kSW1#show flow monitor my_monitor_output cache Cache type: Normal (Platform cache) Cache size: 10000 Current entries: 1 Flows added: 9 Flows aged: 8 - Active timeout ( 1800 secs) 2 - Inactive timeout ( 15 secs) 6 IPV4 SOURCE ADDRESS: 192.168.254.11 IPV4 DESTINATION ADDRESS: 126.96.36.199 TRNS SOURCE PORT: 0 TRNS DESTINATION PORT: 0 FLOW CTS SOURCE GROUP TAG: 2 <<<<<<--This is the SGT FLOW CTS DESTINATION GROUP TAG: 0 IP PROTOCOL: 88
I also wanted to show the output of a quick packet capture. For that, we will configure Embedded Packet Capture on the switch.
//define an ACL to match the desired traffic (I know I have EIGRP) ip access-list extended EIGRP permit eigrp any any //set the monitor session up--Note this is //done at the privilege exec (#) prompt monitor capture MYCAPT interface gigabitEthernet 1/0/1 both access-list EIGRP //start the capture monitor capture MYCAPT start //stop the capture monitor capture MYCAPT stop
Validate by Viewing the Packet Capture
//this assumes the capture is stopped (last step of previous section) c9kSW1#show monitor capture MYCAPT buffer detailed Starting the packet display ........ Press Ctrl + Shift + 6 to exit Frame 1: 82 bytes on wire (656 bits), 82 bytes captured (656 bits) on interface 0 Interface id: 0 (/tmp/epc_ws/wif_to_ts_pipe) Encapsulation type: Ethernet (1) Arrival Time: May 8, 2018 00:57:08.845447000 UTC [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1525741028.845447000 seconds [Time delta from previous captured frame: 0.000000000 seconds] [Time delta from previous displayed frame: 0.000000000 seconds] [Time since reference or first frame: 0.000000000 seconds] Frame Number: 1 Frame Length: 82 bytes (656 bits) Capture Length: 82 bytes (656 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:cmd:ethertype:ip:eigrp] Ethernet II, Src: 00:1b:2a:1e:de:37 (00:1b:2a:1e:de:37), Dst: 01:00:5e:00:00:0a (01:00:5e:00:00:0a) Destination: 01:00:5e:00:00:0a (01:00:5e:00:00:0a) Address: 01:00:5e:00:00:0a (01:00:5e:00:00:0a) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast) Source: 00:1b:2a:1e:de:37 (00:1b:2a:1e:de:37) Address: 00:1b:2a:1e:de:37 (00:1b:2a:1e:de:37) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: CiscoMetaData (0x8909) Cisco MetaData Version: 1 Length: 1 Options: 0x0001 SGT: 3 <<<<<<<<<------This is the SGT Type: IPv4 (0x0800) Internet Protocol Version 4, Src: 192.168.254.100, Dst: 188.8.131.52 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes (5) Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT) 1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48) .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0) <-- snip -->
As we can see here, Netflow and Embedded Packet Capture are two quick and dirty ways to get deeper knowledge about what is traversing a link. In this case, we have reinforced the fact that we are imposing SGTs as additional metadata on our ethernet frames.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This
may or may does not reflect the position of past, present or future employers.