Cisco TrustSec Enforcement (2960 Switches)

chong.eric
Level 1

I understand 2960 switches are able to perform classification (Cisco TrustSec Security Group Tag).

For example 

I have a PCI server and a non-PCI server (same VLAN) connected to the same 2960 switch. Is it possible to use Cisco TrustSec on the 2960 switch to control the access between the PCI server and the non-PCI server?

Regards,

Eric


9 Replies

Marvin Rhoads
Hall of Fame

Many 2960 switches are capable of TrustSec SGT segmentation and enforcement (correction: marking). The complete matrix you should check can be found here:

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/platform-capability-matrix.pdf

You can manually configure it or (more commonly) use something like ISE to dynamically assign SGTs based on endpoint identity.

SGACLs would need to be on an upstream device that supports enforcement.

(Thanks to Rob for pointing out the enforcement distinction.)

Checked the complete matrix from the URL you provided. Looks like none of the Cisco 2960 switches support SGT enforcement. Can you please confirm?

Correct, the 2960 model switches do not support enforcement. You'd have to enable enforcement upstream on a device that supports enforcement (SGACL/SG Firewall).

The 2960 switches do support TrustSec SGT classification; you'd have to use SXP to transport the SGT bindings to the device that will do the enforcement, as the 2960s do not support inline tagging.

ok, back to my example 

Is it possible to use Cisco TrustSec on the 2960 switch to control the access between the PCI server and the non-PCI server?

I guess the answer is no.  Am I correct?

If all you have is a 2960 then the answer is no.

You could use private VLANs.

I believe the 2960 only supports "Protected Port" and doesn't support Private VLAN fully.


@Marvin Rhoads wrote:

If all you have is a 2960 then the answer is no.

You could use private VLANs.


ok, but if the 2960 is connected to a 3850, can I use TrustSec on the 3850 to control the access between the PCI server and the non-PCI server that are on the 2960 switch?

Yes, if they are in different subnets and you force the SVI routing through the 3850. To make this work the 3850 needs to know the SGTs of the destination and source, either through static SGT-to-IP mappings or via SXP.

The 3850 needs to know the SGTs as they relate to IPs, and have SGACL relationships for the SGTs.
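As an added example (not configuration from the thread, from Cisco, or from any of the posters), the design Marvin describes above written out as IOS configuration: the 2960 puts the two servers in separate VLANs, classifies them with IP-to-SGT bindings and sends those bindings to the 3850 over SXP; the 3850 routes between the VLANs and applies the SGACLs on egress. The VLAN numbers, addresses, SGT values, interface names and the SXP password are assumptions, and the static `cts role-based sgt-map` on the 2960 assumes an image that supports it (with ISE the bindings would be assigned at 802.1X/MAB authorization instead of typed in by hand).

```ios
! Added example (not from the thread): TrustSec with a 2960 access switch and
! SGACL enforcement on an upstream 3850. VLAN IDs, addresses, SGT numbers,
! interface names and the SXP password are all assumptions.
!
! ===== Catalyst 2960 (classification and SXP speaker only; no enforcement) =====
vlan 10
 name PCI_SERVERS
vlan 20
 name NONPCI_SERVERS
vlan 99
 name MGMT
!
! The two servers must be in different VLANs/subnets so their traffic is routed
! through the 3850. Traffic that stays inside one VLAN is switched locally on
! the 2960, never reaches the 3850, and therefore cannot be enforced.
interface GigabitEthernet0/1
 description PCI server 10.1.10.10
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/2
 description non-PCI server 10.1.20.10
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet0/24
 description Uplink to 3850
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
interface Vlan99
 ip address 10.1.1.2 255.255.255.0
!
! Static IP-to-SGT bindings (assumes the 2960 image supports them). With ISE,
! the bindings would instead come from 802.1X/MAB authorization results.
cts role-based sgt-map 10.1.10.10 sgt 10
cts role-based sgt-map 10.1.20.10 sgt 20
!
! Ship the bindings to the 3850 over SXP (TCP, MD5-authenticated with the
! shared password) because the 2960 cannot tag frames inline.
cts sxp enable
cts sxp default source-ip 10.1.1.2
cts sxp default password 0 SxpS3cret
cts sxp connection peer 10.1.1.1 source 10.1.1.2 password default mode local speaker
!
! ===== Catalyst 3850 (routes between the VLANs; SGACL enforcement point) =====
ip routing
interface Vlan10
 description PCI servers
 ip address 10.1.10.1 255.255.255.0
interface Vlan20
 description non-PCI servers
 ip address 10.1.20.1 255.255.255.0
interface Vlan99
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet1/0/48
 description Trunk to 2960
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
! Receive the IP-SGT bindings from the 2960 so both source and destination
! SGTs are known when a routed packet arrives.
cts sxp enable
cts sxp default source-ip 10.1.1.1
cts sxp default password 0 SxpS3cret
cts sxp connection peer 10.1.1.2 source 10.1.1.1 password default mode local listener
!
! SGACLs. They are stateless, so "deny ip" from 20 to 10 also drops replies to
! anything PCI initiates towards non-PCI; the only PCI -> non-PCI traffic
! allowed here is one-way UDP syslog. All other SGT pairs fall to the default.
ip access-list role-based NONPCI_TO_PCI
 deny ip
ip access-list role-based PCI_TO_NONPCI
 permit udp dst eq 514
 deny ip
ip access-list role-based DEFAULT_PERMIT
 permit ip
cts role-based permissions from 20 to 10 NONPCI_TO_PCI
cts role-based permissions from 10 to 20 PCI_TO_NONPCI
cts role-based permissions default DEFAULT_PERMIT
!
! Enforcement is applied on the egress VLAN, so enable it for both server VLANs.
cts role-based enforcement
cts role-based enforcement vlan-list 10,20
!
! Verification on the 3850: SXP session up, both bindings learned, matrix
! installed, and the deny counters incrementing when a test flow is sent.
! show cts sxp connections brief
! show cts role-based sgt-map all
! show cts role-based permissions
! show cts role-based counters
```

The check a practitioner should make before trusting this: `show cts role-based sgt-map all` on the 3850 must list both server addresses with the expected SGTs (a binding missing there means the packet is matched against the default SGACL, not the deny), and `show cts role-based counters` must show the hardware denied counter moving for the 20-to-10 cell during a test. If the two servers are ever placed back in one VLAN, the 2960 switches between them directly and none of the 3850 configuration is consulted, which is why the earlier answer for the same-VLAN case remains "no".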

Johnatan Dire
Level 1

I can't install this prm...(