https://community.cisco.com/t5/network-access-control/cisco-ise-trustsec-guide/m-p/3333613#M550156 <P>Thank you so much RJ.</P> <P>&nbsp;</P> <P>I already saw the link and all C2960 is supported. Cisco TrustSec Guideline is very limited that's why is really hard for me on how to start the configuration <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 19 Feb 2018 14:02:06 GMT cammy.busto 2018-02-19T14:02:06Z https://community.cisco.com/t5/network-access-control/cisco-ise-trustsec-guide/m-p/3333565#M550150 <P>Hi,</P> <P>Is anyone can share the docs/guideline on how to configure Cisco TrustSec. Also, is Cisco 2960-x is supported with TrustSec? No "cts credentials id" in statement in C2960.</P> <P>&nbsp;</P> <P>Thanks</P> Fri, 21 Feb 2020 18:46:01 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-trustsec-guide/m-p/3333565#M550150 cammy.busto 2020-02-21T18:46:01Z https://community.cisco.com/t5/network-access-control/cisco-ise-trustsec-guide/m-p/3333581#M550151 <P>Hi,</P> <P>Check out the <A href="https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-platform-capability-matrix.pdf" target="_self">TrustSec matrix</A>, this will help you identify which devices support which features. The 2960x does not support enforcement or inline tagging, only SXP. I would have though the command "cts credentials" would not be available on this model.</P> <P>&nbsp;</P> <P>These <A href="https://communities.cisco.com/docs/DOC-64012#jive_content_id_Cisco_TrustSec" target="_self">links </A>are useful for TrustSec</P> Mon, 19 Feb 2018 13:32:52 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-trustsec-guide/m-p/3333581#M550151 Rob Ingram 2018-02-19T13:32:52Z https://community.cisco.com/t5/network-access-control/cisco-ise-trustsec-guide/m-p/3333586#M550152 <P>Hi RJI,</P> <P>&nbsp;</P> <P>Thanks for the reply. So the switch configuration is</P> <P>&nbsp;</P> <PRE><STRONG>SWITCH# cts sxp connection peer &lt;ISE PSN IP&gt; password default mode local speaker</STRONG></PRE> <P>&nbsp;</P> Mon, 19 Feb 2018 13:38:16 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-trustsec-guide/m-p/3333586#M550152 cammy.busto 2018-02-19T13:38:16Z https://community.cisco.com/t5/network-access-control/cisco-ise-trustsec-guide/m-p/3333598#M550153 <P>The 2960x has to send it's SXP bindings somewhere upstream in order for enforcement to take place, eg on a Distribution layer/WAN layer switch/router, not the ISE PSN (as per your example). The 2960x switch will learn the SGT's when a device/user is authenticated and assigned a SGT, SXP is used to transport the bindings over the network in order for enforcement to take place.</P> <P>&nbsp;</P> <P>HTH</P> Mon, 19 Feb 2018 13:44:53 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-trustsec-guide/m-p/3333598#M550153 Rob Ingram 2018-02-19T13:44:53Z https://community.cisco.com/t5/network-access-control/cisco-ise-trustsec-guide/m-p/3333603#M550154 <P>Thanks for the reply RJ.</P> <P>&nbsp;</P> <P>So meaning if this is my diagram</P> <P>&nbsp;</P> <P>C2960 --&gt;C4500x ---&gt;NXS9k &lt;--- ISE PSN</P> <P>&nbsp;</P> <P>C2960 is connected to 4500 - sxp connection peer is C4500</P> <P>C4500 will be the enforcer - role-base enforcement</P> <P>&nbsp;</P> <P>ISE is connected to Nexus 9k. Traditional nexus 9k is not supported.</P> Mon, 19 Feb 2018 13:51:48 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-trustsec-guide/m-p/3333603#M550154 cammy.busto 2018-02-19T13:51:48Z https://community.cisco.com/t5/network-access-control/cisco-ise-trustsec-guide/m-p/3333610#M550155 <P>Yes, the 4500x supports enforcement so you could peer all 2960x switches to it an enforce on the 4500x.</P> <P>&nbsp;</P> <P>Check out the platform scalability table in this <A href="https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-system-bulletin.pdf" target="_self">link </A>for the number of SXP connections and number of SGT bindings the 4500x supports and whether this will be suitable for your environment.</P> <P>&nbsp;</P> <P>Also make sure the 2960x/4500x are all running the recommended version in the links I provided.</P> <P>&nbsp;</P> Mon, 19 Feb 2018 13:58:23 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-trustsec-guide/m-p/3333610#M550155 Rob Ingram 2018-02-19T13:58:23Z https://community.cisco.com/t5/network-access-control/cisco-ise-trustsec-guide/m-p/3333613#M550156 <P>Thank you so much RJ.</P> <P>&nbsp;</P> <P>I already saw the link and all C2960 is supported. Cisco TrustSec Guideline is very limited that's why is really hard for me on how to start the configuration <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 19 Feb 2018 14:02:06 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-trustsec-guide/m-p/3333613#M550156 cammy.busto 2018-02-19T14:02:06Z