cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
448
Views
10
Helpful
5
Replies

3750x crashes when enabling Trustsec

infotechfl
Beginner
Beginner

Any reason why my 3750x would crash when I use the command cts role-based enforcement vlan-list?  This is a lab environment for testing trustsec.  This happens every time I use the command.  I already tested another 3750x and I get the same results.  Code version is 15.2(4)E8

Aug 2 08:12:22 EST: %SYS-2-INTSCHED: 'idle' at level 4 -Process= "CTS CORE", ipl= 4, pid= 51
-Traceback= 6D4DECz 324E628z 270E0F8z 20B9508z 20B9DD8z 2124C6Cz 2124E4Cz 216C670z 2132058z 3478F98z 34790B0z 2132778z 2132700z B24768z B240FCz B249A0z
Aug 2 08:12:22 EST: %SYS-2-INTSCHED: 'idle' at level 4 -Process= "CTS CORE", ipl= 4, pid= 51

08:15:18 EST Tue Aug 2 2022: Unexpected exception to CPUvector 200, PC = 2F2AEB0
-Traceback= 0x2F2AEB0z 0x30BE604z

 

1 Accepted Solution

Accepted Solutions

MHM Cisco World
Advisor
Advisor

TrustSec

The following guidelines and limitations apply to configuring Cisco TrustSec SGT and SGACL on the Catalyst 3750-X switch:

  • You cannot statically map an IP-subnet to an SGT. You can only map IP addresses to an SGT. When you configure IP address-to-SGT mappings, the IP address prefix must be 32.
  • If a port is configured in Multi-Auth mode, all hosts connecting on that port must be assigned the same SGT. When a host tries to authenticate, its assigned SGT must be the same as the SGT assigned to a previously authenticated host. If a host tries to authenticate and its SGT is different from the SGT of a previously authenticated host, the VLAN port (VP) to which these hosts belong is error-disabled.
  • Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If there are more than eight VLANs configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be error-disabled.
  • The switch cannot assign an SGT based on SXP listening; it can only forward the SXP bindings through the SXP protocol.
  • Port-to-SGT mapping should be configured only on Cisco TrustSec links (that is, switch-to-switch links).

When port-to-SGT mapping is configured on a port, an SGT is assigned to all ingress traffic on that port. There is no SGACL enforcement for egress traffic on the port.

  • SGT and SGACL are supported on Cisco Catalyst 3750-X and Catalyst 3650-X switches with service module C3KX-SM-10G. The C3KX-SM-10G is required for MACsec on the uplinks.
  • TrustSec Layer-3 Identity Port Mapping (L3IPM) is not supported on Catalyst 3750-X and 3650-X series switches.

View solution in original post

5 Replies 5

iamakk
Beginner
Beginner

It looks like IOS bugs.

,,
Ashish K
***Please Rate Helpful Responses***

ahollifield
Rising star
Rising star

Agree with @iamakk .  You should upgrade to the current gold-star release IOS 15.2.4E10

I already tried the lasted IOS version as well as a few others.  Same issue unfortunately.

Damien Miller
VIP Advisor VIP Advisor
VIP Advisor

Do you have more than 8 vlans on a trunk port? 

Crashing when enabling enforcement has had a number of bugs that persisted in to ios-xe software trains as late as 16.6.4, 16.9.5, and even 16.12.3. Given that the 3750x is past tac support, it's unlikely you'll get a root cause. My suggestion would be to start experimenting with removing config, see if it works with a factory reset + base ip config, go from there. 

MHM Cisco World
Advisor
Advisor

TrustSec

The following guidelines and limitations apply to configuring Cisco TrustSec SGT and SGACL on the Catalyst 3750-X switch:

  • You cannot statically map an IP-subnet to an SGT. You can only map IP addresses to an SGT. When you configure IP address-to-SGT mappings, the IP address prefix must be 32.
  • If a port is configured in Multi-Auth mode, all hosts connecting on that port must be assigned the same SGT. When a host tries to authenticate, its assigned SGT must be the same as the SGT assigned to a previously authenticated host. If a host tries to authenticate and its SGT is different from the SGT of a previously authenticated host, the VLAN port (VP) to which these hosts belong is error-disabled.
  • Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If there are more than eight VLANs configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be error-disabled.
  • The switch cannot assign an SGT based on SXP listening; it can only forward the SXP bindings through the SXP protocol.
  • Port-to-SGT mapping should be configured only on Cisco TrustSec links (that is, switch-to-switch links).

When port-to-SGT mapping is configured on a port, an SGT is assigned to all ingress traffic on that port. There is no SGACL enforcement for egress traffic on the port.

  • SGT and SGACL are supported on Cisco Catalyst 3750-X and Catalyst 3650-X switches with service module C3KX-SM-10G. The C3KX-SM-10G is required for MACsec on the uplinks.
  • TrustSec Layer-3 Identity Port Mapping (L3IPM) is not supported on Catalyst 3750-X and 3650-X series switches.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: