2960XR vs 3650 TrustSec Support

Tim Glen
Cisco Employee

Hi All,

I’m in the process of recommending edge switches for the campus network I manage. I’m considering 2960-XR and 3650. We have ISE and hope to use it to control intra-VLAN movement with the new switches.

I’ve never implemented TrustSec or SGT so I don’t completely understand the technology. With that said, I’ve seen documents on Cisco’s website that show that the 2960-XR supports SXP and the 3650 fully supports SGT.

Can someone help me understand what that means in real life?

What are the pros & cons of SXP vs full TrustSec SGT support?

Thanks very much for any assistance.

Tim

The SXP protocol is used by devices that don't support SGT tagging in hardware, such as the 2960, to map IPs to SGTs and exchange the mapping with peer devices.

The 3650, by contrast, supports SGT tagging in hardware as well as SXP.

Thank you, I have a follow-up question if you don't mind.

If I have users connected to a 2960, will I be able to apply SGT or SGACL to the traffic they are sending into the network? My objective is to keep users on the same switch / same VLAN from communicating.

Thanks!

Hi Tim,

You cannot do enforcement (apply an SGACL) on 2960 switches. On a 2960 switch you can only apply SGTs, transport them via SXP and enforce upstream on a device that does support SGACLs. Have a look at the TrustSec Matrix for a list of devices that do support SGACLs: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/platform-capability-matrix.pdf.

You could apply a DACL to the users/computers when connected to the 2960 to restrict local access.

HTH
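To make the split described in the reply concrete, here is an added illustration of the two halves (not from this thread, from Cisco documentation, or from any real deployment): a 2960-XR that classifies hosts and exports IP-to-SGT bindings over SXP, and a 3650 that receives them and enforces an SGACL in hardware. The hostnames, addresses, SGT value 10, the static binding and the shared key are constructed placeholders, and the exact command forms should be checked against the IOS release notes for your platform and software version.

```text
! --- 2960-XR at the edge (no hardware SGACL enforcement): SXP speaker ---
! Assumed addresses: 2960XR-EDGE = 10.0.0.2, 3650-CORE = 10.0.0.1 (constructed)
hostname 2960XR-EDGE
cts sxp enable
cts sxp default source-ip 10.0.0.2
cts sxp default password PLACEHOLDER-SXP-KEY
! The speaker pushes every IP->SGT binding it learns to the listener
cts sxp connection peer 10.0.0.1 password default mode local speaker
! Static binding shown only so the example is self-contained; in a real
! deployment ISE assigns the SGT in the 802.1X/MAB authorization result
cts role-based sgt-map 192.168.10.50 sgt 10

! --- 3650 upstream (hardware SGT/SGACL support): SXP listener + enforcement ---
hostname 3650-CORE
cts sxp enable
cts sxp default source-ip 10.0.0.1
cts sxp default password PLACEHOLDER-SXP-KEY
cts sxp connection peer 10.0.0.2 password default mode local listener
! Locally defined SGACL (normally downloaded from ISE): SGT 10 may not talk to SGT 10
ip access-list role-based DENY_USER_TO_USER
 deny ip
cts role-based permissions from 10 to 10 DENY_USER_TO_USER
cts role-based enforcement
cts role-based enforcement vlan-list 10

! --- Checks on the 3650: connection state, learned bindings, SGACL hit counts ---
show cts sxp connections
show cts role-based sgt-map all
show cts role-based counters

! Caveat: two users on the same VLAN of the same 2960-XR are switched locally and
! never cross the 3650, so this SGACL cannot separate them. That is why the reply
! points to a DACL on the 2960 for restricting local access.
```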