Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2919
Views
10
Helpful
9
Replies

Cisco TrustSec Enforcement (2960 Switches)

Go to solution
chong.eric
Level 1
Level 1

‎07-23-2017 08:44 PM - edited ‎03-11-2019 12:52 AM

Understand 2960 switches are able to perform classification (Cisco TrustSec Security Secure Tag )

For example 

I have a PCI Server and non-PCI server (same VLAN) connect to same 2960 switch.  Is that possible to use Cisco TrustSec on 2960 Switch to control the access between the PCI server and non-PCI server?

Regards.,

Eric

Labels:
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-24-2017 01:10 AM

Many 2960 switches are capable of Trustsec SGT segmentation and enforcement correction - marking. The complete matrix you should check can be found here:

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/platform-capability-matrix.pdf

You can manually configure it or (more commonly) use something like ISE to dynamically assign SGTs based on endpoint identity.

SGACLs would need to be on an upstream device that supports enforcement.

(Thanks to Rob for pointing ot the enforcement distinction.)

View solution in original post

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to chong.eric

‎07-24-2017 04:18 AM

Correct, the 2960 model switches do not support enforcement.You'd have to enable enforcement upstream on a device that supports enforcement SGACL/SG Firewall.

The 2960 switches do support trustsec SGT classfication, you'd have to use SXP to transport the SGT bindings to the device that will do the enforcement as the 2960's do not support inline tagging.

View solution in original post

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to Paolo Bratti

‎03-21-2019 11:44 AM

Yes, if they are in different subnets and you force the SVI routing through the 3850. To make this work the 3850 needs to know the SGT's of the destination and source, either through static SGT IP mappings or via SXP.

The 3850 needs to know the SGT's as they relate to IP's, and have SGACL relationships for the SGT's.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-24-2017 01:10 AM

Many 2960 switches are capable of Trustsec SGT segmentation and enforcement correction - marking. The complete matrix you should check can be found here:

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/platform-capability-matrix.pdf

You can manually configure it or (more commonly) use something like ISE to dynamically assign SGTs based on endpoint identity.

SGACLs would need to be on an upstream device that supports enforcement.

(Thanks to Rob for pointing ot the enforcement distinction.)

0 Helpful

Go to solution
chong.eric
Level 1
Level 1
In response to Marvin Rhoads

‎07-24-2017 01:11 AM

Checked the complete matrix from the URL you provided.  Looks like non of Cisco 2960 switches support SGT enforcement.  Can you please confirm?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to chong.eric

‎07-24-2017 04:18 AM

Correct, the 2960 model switches do not support enforcement.You'd have to enable enforcement upstream on a device that supports enforcement SGACL/SG Firewall.

The 2960 switches do support trustsec SGT classfication, you'd have to use SXP to transport the SGT bindings to the device that will do the enforcement as the 2960's do not support inline tagging.

Go to solution
chong.eric
Level 1
Level 1
In response to Rob Ingram

‎07-26-2017 09:09 AM

ok, back to my example 

Is that possible to use Cisco TrustSec on 2960 Switch to control the access between the PCI server and non-PCI server?

I guess the answer is no.  Am I correct?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to chong.eric

‎07-26-2017 09:32 AM

If all you have is a 2960 then the answer is no.

You could use private VLANs.

Go to solution
Tim Glen
Cisco Employee
Cisco Employee
In response to Marvin Rhoads

‎09-16-2017 11:47 AM

I believe the only 2960 only supports "Protected Port" and doesn't support PrivateVLAN fully.

0 Helpful

Go to solution
Paolo Bratti
Level 1
Level 1
In response to Marvin Rhoads

‎03-20-2019 10:25 AM

@Marvin Rhoads wrote:

If all you have is a 2960 then the answer is no.

You could use private VLANs.

ok, but if 2960 is connected to a 3850, can i use TrustSec on 3850 to control the access between the PCI server and non-PCI server that they are on 2960 Switch?

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to Paolo Bratti

‎03-21-2019 11:44 AM

Yes, if they are in different subnets and you force the SVI routing through the 3850. To make this work the 3850 needs to know the SGT's of the destination and source, either through static SGT IP mappings or via SXP.

The 3850 needs to know the SGT's as they relate to IP's, and have SGACL relationships for the SGT's.
0 Helpful

Go to solution
Johnatan Dire
Level 1
Level 1

‎03-22-2019 12:36 AM

i cant install this prm...(

0 Helpful
Customers Also Viewed These Support Documents