topic Re: If all you have is a 2960 in Network Access Control

Cisco TrustSec Enforcement (2960 Switches)

chong.eric — Mon, 11 Mar 2019 07:52:55 GMT

Understand 2960 switches are able to perform classification (Cisco TrustSec Security Secure Tag )

For example

I have a PCI Server and non-PCI server (same VLAN) connect to same 2960 switch. Is that possible to use Cisco TrustSec on 2960 Switch to control the access between the PCI server and non-PCI server?

Regards.,

Eric

Many 2960 switches are

Marvin Rhoads — Mon, 24 Jul 2017 08:10:59 GMT

Many 2960 switches are capable of Trustsec SGT segmentation and enforcement correction - marking. The complete matrix you should check can be found here:

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/platform-capability-matrix.pdf

You can manually configure it or (more commonly) use something like ISE to dynamically assign SGTs based on endpoint identity.

SGACLs would need to be on an upstream device that supports enforcement.

(Thanks to Rob for pointing ot the enforcement distinction.)

Checked the complete matrix

chong.eric — Mon, 24 Jul 2017 08:11:00 GMT

Checked the complete matrix from the URL you provided. Looks like non of Cisco 2960 switches support SGT enforcement. Can you please confirm?

Correct, the 2960 model

Rob Ingram — Mon, 24 Jul 2017 11:18:47 GMT

Correct, the 2960 model switches do not support enforcement.You'd have to enable enforcement upstream on a device that supports enforcement SGACL/SG Firewall.

The 2960 switches do support trustsec SGT classfication, you'd have to use SXP to transport the SGT bindings to the device that will do the enforcement as the 2960's do not support inline tagging.

ok, back to my example

chong.eric — Wed, 26 Jul 2017 16:09:12 GMT

ok, back to my example

Is that possible to use Cisco TrustSec on 2960 Switch to control the access between the PCI server and non-PCI server?

I guess the answer is no. Am I correct?

If all you have is a 2960

Marvin Rhoads — Wed, 26 Jul 2017 16:32:31 GMT

If all you have is a 2960 then the answer is no.

You could use private VLANs.

Re: If all you have is a 2960

Tim Glen — Sat, 16 Sep 2017 18:47:56 GMT

I believe the only 2960 only supports "Protected Port" and doesn't support PrivateVLAN fully.

Re: If all you have is a 2960

Paolo Bratti — Wed, 20 Mar 2019 17:25:55 GMT

@Marvin Rhoads wrote:

If all you have is a 2960 then the answer is no.

You could use private VLANs.

ok, but if 2960 is connected to a 3850, can i use TrustSec on 3850 to control the access between the PCI server and non-PCI server that they are on 2960 Switch?

Re: If all you have is a 2960

Damien Miller — Thu, 21 Mar 2019 18:44:54 GMT

Yes, if they are in different subnets and you force the SVI routing through the 3850. To make this work the 3850 needs to know the SGT's of the destination and source, either through static SGT IP mappings or via SXP.

The 3850 needs to know the SGT's as they relate to IP's, and have SGACL relationships for the SGT's.

Re: Cisco TrustSec Enforcement (2960 Switches)

Johnatan Dire — Fri, 22 Mar 2019 07:36:07 GMT

i cant install this prm...(