Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
995
Views
0
Helpful
1
Replies

Document Question : Cat 2960L / Cat 9K Compatibility

Go to solution
iurikura
Cisco Employee
Cisco Employee

‎10-26-2017 12:20 AM

Hi Team,

I think the Latest ISE Compatibility Matrix is missing recent catalyst series like Catalyst 2960L and Catalyst 9K.

Could you please update this or Should I file a new doc bug ?

Cisco Identity Services Engine Network Component Compatibility, Release 2.3 - Cisco

Thank you,

Itaru

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10

‎10-26-2017 08:53 PM

Omissions like this typically mean that the switches have not gone through ISE QA testing even if individual product teams have validated security functions.  I do know the 9k series are being qualified but cannot provide date and specific release at this time.

The switches are certainly supported with ISE, but it becomes more of a question of which features will function based on the particular model and feature set.  For example, the 2960-L is based on LAN Lite.  This feature set does not include all of the Identity features of LAN Base, for example, but does support standard RADIUS and TACACS+ auth.  Per 2960-L data sheet:

  • Comprehensive 802.1X features to control access to the network, including flexible authentication, 802.1X monitor mode, and RADIUS change of authorization.
  • Multi-domain authentication allows an IP phone and a PC to authenticate on the same switch port while placing them on appropriate voice and data VLANs.
  • Access control lists (ACLs) for IPv6 and IPv4 for security and quality-of-service (QoS) ACL elements (ACEs):
  • Port-based ACLs for Layer 2 interfaces allow security policies to be applied on individual switch ports.

Past versions of LAN Lite did not include RADIUS CoA support, so that is a big plus for the 2960-L.

For both series of switches, I recommend the capabilities of the feature set to determine if they will meet your needs both now and in the future.  Another useful tool is Feature Navigator.

Craig

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Craig Hyps
Level 10
Level 10

‎10-26-2017 08:53 PM

Omissions like this typically mean that the switches have not gone through ISE QA testing even if individual product teams have validated security functions.  I do know the 9k series are being qualified but cannot provide date and specific release at this time.

The switches are certainly supported with ISE, but it becomes more of a question of which features will function based on the particular model and feature set.  For example, the 2960-L is based on LAN Lite.  This feature set does not include all of the Identity features of LAN Base, for example, but does support standard RADIUS and TACACS+ auth.  Per 2960-L data sheet:

  • Comprehensive 802.1X features to control access to the network, including flexible authentication, 802.1X monitor mode, and RADIUS change of authorization.
  • Multi-domain authentication allows an IP phone and a PC to authenticate on the same switch port while placing them on appropriate voice and data VLANs.
  • Access control lists (ACLs) for IPv6 and IPv4 for security and quality-of-service (QoS) ACL elements (ACEs):
  • Port-based ACLs for Layer 2 interfaces allow security policies to be applied on individual switch ports.

Past versions of LAN Lite did not include RADIUS CoA support, so that is a big plus for the 2960-L.

For both series of switches, I recommend the capabilities of the feature set to determine if they will meet your needs both now and in the future.  Another useful tool is Feature Navigator.

Craig

0 Helpful
Customers Also Viewed These Support Documents