A network engineer is deploying Cisco SD-Access in a large enterprise campus. The design requires that all user traffic be segmented by Virtual Network (VN) and that the fabric edge nodes perform SGT-based enforcement. The engineer notices that traffic between two endpoints in the same IP subnet but different VNs is being forwarded directly at the fabric edge without any SGT inspection. What is the most likely cause?
- A. The fabric edge nodes have not been configured with the proper SGT mappings.
  Why wrong: SGT mappings are used for SXP propagation, not for enforcement at the fabric edge; the issue is not about missing mappings.
- B. The endpoints are in the same IP subnet, so they must be in the same Virtual Network; SGT enforcement only applies to inter-VN traffic.
  Correct. In SD-Access, endpoints in the same subnet belong to the same VN. SGT enforcement is only performed when traffic crosses VNs (inter-VN). Intra-VN traffic is bridged locally without SGT inspection.
- C. The fabric edge nodes are operating in Layer 2 mode and do not support SGT enforcement.
  Why wrong: Fabric edge nodes can perform SGT enforcement regardless of Layer 2 or Layer 3 mode. The mode affects how traffic is forwarded, not the SGT enforcement capability.
- D. The control plane node has not been configured with the correct IP-SGT mappings.
  Why wrong: IP-SGT mappings are used for SXP and policy enforcement, but the scenario describes traffic within the same subnet, which is intra-VN and does not trigger SGT enforcement.