Solved: 2960 Plus -- subnet to SGT mapping

erameh · ‎09-13-2017

Hello Team,

I see 2 contradictory information and I am reaching out to you to confirm which one is correct:

In the below recommended 2960 Plus release note (15.2.2E), they mentioned in the restrictions:

"You cannot statically map an IP-subnet to an SGT. You can only map IP addresses to an SGT. When you configure IP address-to-SGT mappings, the IP address prefix must be 32".

Release: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-2_2_e/configuration/guide/b_1522e_2960_2960c_2960s_2960sf_2960p_cg/b_1522e_2960_2960c_2960s_2960sf_2960p_cg_chapter_0100111.pdf

However, in the platforms compatibility matrix, subnet to SGT mapping is supported with the 2960 Plus release 15.2.2 E.( here below the link and snapshot )

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/platform-capability-matrix.pdf

So can you confirm which one is correct?

kilcreas · ‎09-15-2017

There is a difference in support between the products covered by the 15.2(2)E config guide as the vanilla C2960 does not have TrustSec capabilities. This raises the question of which part of the document applies to which C2960 models. We have confirmed the subnet to SGT commands exist in that C2960 software version , but I am waiting to hear back from the C2k PM as to whether they consider subnet to SGT supported on the 2960-Plus/S/SF models.

View solution in original post

hslai · ‎09-13-2017

I moved your inquiry to TrustSec, which is more appropriate.

kilcreas · ‎09-15-2017

There is a difference in support between the products covered by the 15.2(2)E config guide as the vanilla C2960 does not have TrustSec capabilities. This raises the question of which part of the document applies to which C2960 models. We have confirmed the subnet to SGT commands exist in that C2960 software version , but I am waiting to hear back from the C2k PM as to whether they consider subnet to SGT supported on the 2960-Plus/S/SF models.