
2960XR vs 3650 TrustSec Support

Tim Glen
Cisco Employee

Hi All,


I’m in the process of recommending edge switches for the campus network I manage.  I’m considering 2960-XR and 3650.  We have ISE and hope to use it to control intra-VLAN movement with the new switches.


I’ve never implemented TrustSec or SGT so I don’t completely understand the technology.   With that said I’ve seen documents on Cisco’s website that show that the 2960-XR supports SXP and the 3650 fully supports SGT.  


Can someone help me understand what that means in real life?

What are the pros & cons of SXP vs Full TrustSec SGT support?


Thanks very much for any assistance.






The SXP protocol is used for devices that don't support SGT tagging in hardware, such as the 2960, to map IPs to SGTs and exchange the mapping with peer devices.

The 3650, meanwhile, supports SGT tagging in hardware as well as SXP.

Thank you, I have a follow up question if you don't mind.


If I have users connected to a 2960, will I be able to apply SGT or SGACL to the traffic they are sending into the network? My objective is to keep users on the same switch/same VLAN from communicating.





Hi Tim,

You cannot do enforcement (apply an SGACL) on 2960 switches. On a 2960 switch you can only apply SGTs, transport them via SXP and enforce upstream on a device that does support SGACLs. Have a look at the TrustSec Matrix for a list of devices that do support SGACLs.


You could apply a DACL to the users/computers when connected to the 2960 to restrict local access.
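
The enforcement behaviour described in the replies above, as an added example that is not part of the original thread and is not Cisco code: a simplified Python model of where an SGACL decision can be made for a given flow. It assumes layer-2 access switches with inter-VLAN routing on an upstream SGACL-capable device, and that the 3650 enforces SGACLs locally; the names `Switch`, `Host`, `sxp_export` and `decide`, and all addresses, VLANs and tag values, are constructed for illustration.

```python
"""Simplified model (added example) of where an SGACL decision can be made."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Switch:
    name: str
    enforces_sgacl: bool  # False = SXP speaker only (the 2960 case in the thread)

@dataclass(frozen=True)
class Host:
    ip: str
    vlan: int
    sgt: int              # tag assigned at authentication, e.g. by ISE
    switch: Switch

EMPLOYEE = 10                           # constructed SGT value
SGACL = {(EMPLOYEE, EMPLOYEE): "deny"}  # constructed policy: (src SGT, dst SGT) -> action

def sxp_export(hosts):
    """IP-to-SGT bindings that SXP-only switches advertise to their peers."""
    return {h.ip: h.sgt for h in hosts if not h.switch.enforces_sgacl}

def decide(src, dst, sxp_bindings):
    """Return (enforcement point, action) for a flow from src to dst."""
    local = src.switch == dst.switch and src.vlan == dst.vlan
    if local and not src.switch.enforces_sgacl:
        # Bridged inside the access switch: no SGACL-capable device sees the frame.
        return ("none", "permit")
    # Otherwise the last SGACL-capable device before the destination decides.
    point = dst.switch.name if dst.switch.enforces_sgacl else "upstream"
    def tag(h):
        # Hardware tag, or the SXP binding for SXP-only switches; 0 = unknown.
        return h.sgt if h.switch.enforces_sgacl else sxp_bindings.get(h.ip, 0)
    return (point, SGACL.get((tag(src), tag(dst)), "permit"))

# Constructed topology: three users on a 2960-XR, two on a 3650.
C2960 = Switch("2960-XR", enforces_sgacl=False)
C3650 = Switch("3650", enforces_sgacl=True)
A = Host("10.1.10.11", 10, EMPLOYEE, C2960)
B = Host("10.1.10.12", 10, EMPLOYEE, C2960)
C = Host("10.1.20.13", 20, EMPLOYEE, C2960)
D = Host("10.1.30.14", 30, EMPLOYEE, C3650)
E = Host("10.1.30.15", 30, EMPLOYEE, C3650)
BINDINGS = sxp_export([A, B, C, D, E])

if __name__ == "__main__":
    for s, d in [(A, B), (A, C), (D, E)]:
        print(s.ip, "->", d.ip, decide(s, d, BINDINGS))
```

The `("none", "permit")` result for the two hosts in the same VLAN on the 2960-XR is the gap that the DACL suggestion in the last reply addresses.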


