topic Re: TrustSec IP-SGT Binding Limitation in Network Access Control

TrustSec IP-SGT Binding Limitation

firefox — Wed, 05 Sep 2018 07:07:06 GMT

Hi Team,

As per the below table, there are limits on IP-SGT bindings for relevant switches. What i want to know is, how are the L2 and L3 limits calculated? What parameters does the TrustSec feature check in the 4500 series switch to build up this limit?

Thanks

Re: TrustSec IP-SGT Binding Limitation

umahar — Wed, 05 Sep 2018 14:15:36 GMT

As far as I remember the mappings are stored in ASICs in the switches.

Re: TrustSec IP-SGT Binding Limitation

firefox — Wed, 05 Sep 2018 15:02:54 GMT

Thanks unmahar, but my query is specific to how the switch classifies the IP-SGT binding as L2 or L3? Is it because of the way the switch has learned the IP details, or is it because of routes, vlans etc?

Re: TrustSec IP-SGT Binding Limitation

umahar — Wed, 05 Sep 2018 15:34:08 GMT

The way switches derive source SGTs and destination SGTs is different for L2 switched traffic and L3 routed traffic. L3 has scale than L2 and hence different values.

Re: TrustSec IP-SGT Binding Limitation

firefox — Wed, 05 Sep 2018 16:21:45 GMT

HI umahar, is there a document that you can point me to, which shows how switches derive source SGTs and destination SGTs ?

Re: TrustSec IP-SGT Binding Limitation

faylee — Wed, 05 Sep 2018 22:10:31 GMT

Please see attached. They are taken from the "Advanced Security Group Tags: The Detailed Walk Through - BRKSEC-3690" session at Cisco Live.

Re: TrustSec IP-SGT Binding Limitation

jeaves@cisco.com — Thu, 06 Sep 2018 08:41:58 GMT

Hi TJ,
In cat4K, the DGT derivation limit of 2000 entries applies to only ‘switched traffic’ as it uses 1 block of Input ACL (2K entries) for deriving DGT in case of switched traffic.
For L3 traffic, we use FIB to derive DGT and hence this limit doesn’t apply.
The limit is applicable to all Sup7, 8 and 9 Supervisors.