04-16-2018 08:32 AM - edited 03-11-2019 01:32 AM
Is there a capability to give a switch port a default SGT assignment? Similar to how we can have a default-acl on a switch port in closed mode. Having trouble with a 50-line default-acl on a 2960 switch. Would like to use SGT to reduce the size of that ACL but need to have the port assign a default SGT.
Accepted Solutions
04-16-2018 09:58 AM
Hi, TrustSec works by classifying endpoints/users (ultimately IPs) into groups.
You can see our capability matrix to see what sort of classifications your version of 2960 supports:
As that platform doesn't support Port:SGT you could use IP:SGT, VLAN:SGT or Subnet:SGT to put traffic ingressing that port into a group.
That would be the default behaviour and if an endpoint were to be dynamically authenticated through that port instead then that would take precedence over the static IP, VLAN or Subnet mapping.
Hope that helps.
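The fallback behaviour described in the answer above, modelled as an added example (not part of the original posts and not Cisco code): a static IP, subnet or VLAN mapping supplies the default tag, and a binding learned from authentication overrides it. The order among the static mapping types (host IP, then longest subnet, then VLAN) and every address, VLAN id and tag number are assumptions of this example; only "dynamic over static" comes from the post.

```python
import ipaddress

# Constructed sample bindings: every address, VLAN id and tag number is illustrative.
STATIC_IP = {"10.20.0.15": 12}                            # IP:SGT
STATIC_SUBNET = {"10.20.0.0/24": 10, "10.20.0.0/16": 11}  # Subnet:SGT
STATIC_VLAN = {20: 10, 30: 30}                            # VLAN:SGT
DYNAMIC = {"10.20.0.40": 5}   # tag assigned when the endpoint authenticated

def resolve_sgt(ip, vlan, dynamic=DYNAMIC):
    """Return (sgt, source) for traffic from `ip` arriving on `vlan`."""
    addr = ipaddress.ip_address(ip)
    key = str(addr)
    # From the post: a dynamically authenticated endpoint overrides static mappings.
    if key in dynamic:
        return dynamic[key], "dynamic"
    # Assumed order among static mappings: host IP, longest subnet, then VLAN.
    if key in STATIC_IP:
        return STATIC_IP[key], "ip"
    matches = [(ipaddress.ip_network(n), sgt) for n, sgt in STATIC_SUBNET.items()
               if addr in ipaddress.ip_network(n)]
    if matches:
        _, sgt = max(matches, key=lambda m: m[0].prefixlen)
        return sgt, "subnet"
    if vlan in STATIC_VLAN:
        return STATIC_VLAN[vlan], "vlan"
    return None, "unclassified"

def relying_on_default(endpoints, dynamic=DYNAMIC):
    """List endpoints whose tag comes from a static (default) mapping or from nothing."""
    rows = []
    for ip, vlan in endpoints:
        sgt, source = resolve_sgt(ip, vlan, dynamic)
        if source != "dynamic":
            rows.append((ip, vlan, sgt, source))
    return rows

if __name__ == "__main__":
    # Constructed endpoints as (source IP, access VLAN) pairs.
    sample = [("10.20.0.40", 20), ("10.20.0.15", 20), ("10.20.0.99", 20),
              ("192.168.1.5", 30), ("192.168.1.5", 99)]
    for row in relying_on_default(sample):
        print(row)
```

Endpoints reported as `unclassified` are the ones a static mapping does not cover, which is the gap a default tag is meant to close.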
04-16-2018 05:53 PM
Thanks.
Sam
