https://community.cisco.com/t5/network-access-control/cisco-trustsec-implmentation/m-p/3188245#M553729 <P>Are you planning to use ISE to propagate the SGT Mappings/SGACL or are you just going to statically define them on the switch?</P> Fri, 22 Sep 2017 18:47:14 GMT Rob Ingram 2017-09-22T18:47:14Z https://community.cisco.com/t5/network-access-control/cisco-trustsec-implmentation/m-p/3186489#M553725 <P>Hi,</P><P>&nbsp;</P><P>I would like to implement Cisco Trustsec on Catalyst 6500 Series Supervisor Engine 2T to control access between the PCI system and non PCI system in the same subnet/VLAN.</P><P>&nbsp;</P><P>Question: Can you configure classfication/progatation/enforcement in a single device?&nbsp;</P><P>&nbsp;</P><P>Please refer to attached diagram.</P><P>&nbsp;</P><P>Regards,</P><P>Eric</P> Fri, 21 Feb 2020 18:34:28 GMT https://community.cisco.com/t5/network-access-control/cisco-trustsec-implmentation/m-p/3186489#M553725 chong.eric 2020-02-21T18:34:28Z https://community.cisco.com/t5/network-access-control/cisco-trustsec-implmentation/m-p/3187600#M553726 <P>Hi Eric,</P><P>Yes, I don't see why not. As long as the 6500 has the IP to SGT bindings and an SGACL then yes you can enforce. You'd probably want to confirm you are running a validated firmware as per the trustsec matrix <A href="https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/platform-capability-matrix.pdf" target="_self">https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/platform-capability-matrix.pdf</A></P><P>&nbsp;</P><P>HTH</P> Thu, 21 Sep 2017 18:03:23 GMT https://community.cisco.com/t5/network-access-control/cisco-trustsec-implmentation/m-p/3187600#M553726 Rob Ingram 2017-09-21T18:03:23Z https://community.cisco.com/t5/network-access-control/cisco-trustsec-implmentation/m-p/3187866#M553728 <P>Will you able to share the configuration please?</P> Fri, 22 Sep 2017 05:13:20 GMT https://community.cisco.com/t5/network-access-control/cisco-trustsec-implmentation/m-p/3187866#M553728 chong.eric 2017-09-22T05:13:20Z https://community.cisco.com/t5/network-access-control/cisco-trustsec-implmentation/m-p/3188245#M553729 <P>Are you planning to use ISE to propagate the SGT Mappings/SGACL or are you just going to statically define them on the switch?</P> Fri, 22 Sep 2017 18:47:14 GMT https://community.cisco.com/t5/network-access-control/cisco-trustsec-implmentation/m-p/3188245#M553729 Rob Ingram 2017-09-22T18:47:14Z https://community.cisco.com/t5/network-access-control/cisco-trustsec-implmentation/m-p/3188368#M553730 <P>Hi</P><P>&nbsp;</P><P>I am planning to configure in switch statically&nbsp;</P> Sat, 23 Sep 2017 01:44:29 GMT https://community.cisco.com/t5/network-access-control/cisco-trustsec-implmentation/m-p/3188368#M553730 chong.eric 2017-09-23T01:44:29Z https://community.cisco.com/t5/network-access-control/cisco-trustsec-implmentation/m-p/3188431#M553731 <P>I don't have a 6500 to verify this configuration, but the following commands work on a CSR with Loopback interfaces. Note the ACL below is not a standard/extended ACL but rather a role-based ACL.</P><P>&nbsp;</P><P>ip access-list role-based DENY<BR />&nbsp;deny ip<BR /><BR />cts role-based sgt-map 192.168.1.10 sgt 10<BR />cts role-based sgt-map 192.168.1.20 sgt 20<BR />cts role-based sgt-map 192.168.1.30 sgt 30<BR />cts role-based permissions from 10 to 20 DENY<BR />cts role-based permissions from 10 to 30 DENY<BR />cts role-based enforcement</P><P>&nbsp;</P><P>Use the commands "show cts role-based counters" to verify hits increase for denies.</P><P>&nbsp;</P><P>Any traffic not explictly denied is permitted.</P><P>&nbsp;</P><P>I'd suggest obviously to test the commands in the lab before implementing in production.</P> Sat, 23 Sep 2017 10:00:11 GMT https://community.cisco.com/t5/network-access-control/cisco-trustsec-implmentation/m-p/3188431#M553731 Rob Ingram 2017-09-23T10:00:11Z https://community.cisco.com/t5/network-access-control/cisco-trustsec-implmentation/m-p/3188868#M553732 <P>Thanks. It works on 6506 too.</P> Mon, 25 Sep 2017 09:07:40 GMT https://community.cisco.com/t5/network-access-control/cisco-trustsec-implmentation/m-p/3188868#M553732 chong.eric 2017-09-25T09:07:40Z