How are you self studying?

ryanbess
Level 1

I've started to dive into ISE with virtual images running in EVE-NG. What I'm finding out is that some of the features we need to know just don't work (or at least I'm running the wrong images), such as web redirection. Has anyone had luck using a virtual switch image to support TrustSec, web redirection (guest portal, posture enrolment, etc.), DACLs, etc.? If so, what image are you using?

Thanks for your help.

13 Replies

Arne Bier
VIP

I can't comment on EVE-NG or even where you may have got those Cisco images from - but I have a Cisco CML license that gives me access to various images - there is a fairly old L2 IOS image that does a lot of stuff - but it won't support CTS. I don't think it even supports AAA.

I have a feeling that Cisco is moving in a new direction. CML has a beta Cat9000 virtual image that runs IOS-XE 17.10 - it sounds great in concept, but the reality is less than great. I was able to onboard this virtual switch in DNAC and also provision AAA to it etc. But then the wheels came off when I tried to perform NAC (MAB and 802.1X) - the session manager daemon has not been integrated yet, and therefore NAC doesn't work. It's beta. Fair enough. But the only image Cisco has released so far is from Sept 2022 - that's light years ago.

I have reported this and asked for feedback but heard nothing back.

I think most people have given up on virtual labs when things get a bit more complex.  Layer 3 things (R&S) usually work fine.

And the Cat9000v is supposed to be SDA ready. But if NAC doesn't work then I don't see the point of using this image.

I'm scratching using virtual switches. I have a 3560C, but as I'm learning, this model doesn't support many of the features of TrustSec. What desktop switch should I ask my employer to purchase so I can continue to study? We want to do all things TrustSec (only wired endpoints at this time): profiling, posture, web redirects, etc.

I would recommend looking at the Catalyst 9200L. You always get what you pay for, but if you don't need 48 ports of UPoE etc., then a 9200L would do the trick. But also read the spec sheet on what the SDA limitations are for this 9200L. I don't think it can do fabric in a box (FIAB).

The safest bet would be a Cat 9300 of some description. No major architectural limitations there. And it supports FIAB.

Also keep an eye on the developments of the virtual Cat9000 - I have it on good authority that Cisco is improving this product. And I believe they want to make it good enough for students to use for their studies, and for customers to plan real upgrades, migrations etc. it's just a bit rough around the edges now. But IOS-XE 17.12 version is due this month some time.

Thanks Arne,

We were looking at the 9300, but as best we can tell it does not come in a desktop form factor (i.e. 12 ports). I'm not looking to have a full 1U switch in my home office. For learning purposes I don't need more than 12 ports and for sure don't need PoE and FIAB.

There are no compact switches in the TrustSec Tier 1 category.

I most often use the Cat3560-CX switch for basic testing in my home lab as it falls into the Tier 2 category. It doesn't support inline tagging, but that's not something you would get any benefit from with a single switch anyway. Inline L2 tagging is something that's used less often these days anyway with the proliferation of SDA and VXLAN fabrics.

If you want Tier 1 switches (and will settle for non-compact models), your best bet would be to look for second-hand Cat 3650/3850 models.

Thank you. I'm still wrapping my head around "Inline Tagging". As you can tell (and thanks for your replies on other threads), I'm still trying to get up to speed on things. One of the things we do want to do is to use SGTs as a source for identity in Palo. Palo would get the SGTs via the Panorama plugin from ISE via SXP (as you know) and would be dependent on receiving these tags to assign IPs to appropriate FW rules. Would the 3560-CX support having the SGT carried through to the Palo (in my lab I'll have the Cisco switch directly connected to an interface on the Palo)? I think this is where inline tagging comes in.

The Panorama plugin uses pxGrid to learn IP-SGT mappings from ISE. This communication comes directly from ISE, so there is no direct support required on the switch.
https://www.youtube.com/watch?v=fWgmUGA7ZYU

Got ya (will watch the video). So when a packet comes to the Palo, it won't contain the SGT value. ISE is constantly feeding (not sure if it's a push or pull) the Palo with updated info about which IPs are assigned which tag? Thus, as IP 1.2.3.4 comes to the Palo, the Palo should already know the Scalable Group that IP is a part of. Correct?

pxGrid is a Publisher/Subscriber bus. See the webinar on Introduction to the Cisco Platform Exchange Grid pxGrid in ISE for more details.

ISE sends the IP/SGT mappings to Panorama via pxGrid (192.168.100.101 = SGT 10). When the Palo firewall sees traffic with that src/dest IP (192.168.100.101), it can enforce any policies defined using that security group (10).

There are additional webinars available on our YouTube channel (https://www.youtube.com/@CiscoISE) related to "Group-Based Segmentation" (a.k.a. TrustSec) that you might find useful.
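To illustrate the model Greg describes, here is an added example (not from the thread or from Cisco/Palo Alto code) of a subscriber keeping an IP-to-SGT table from published session events and a firewall classifying untagged IP traffic from that table. The event fields, SGT numbers and rules are all constructed for the example.

```python
"""Added illustration: pxGrid-style IP-SGT directory feeding group-based policy.
Packets reaching the firewall carry no inline SGT; the group is derived from
the IP-SGT mappings ISE publishes. Event shapes and values are constructed."""
from dataclasses import dataclass, field

UNKNOWN_SGT = 0  # used when ISE has published no mapping for an address


@dataclass
class SgtDirectory:
    """Subscriber-side copy of the IP-SGT mappings learned from ISE."""
    ip_to_sgt: dict = field(default_factory=dict)

    def handle_event(self, event: dict) -> None:
        # A session end must remove the mapping; otherwise a reassigned
        # address keeps being classified with a stale (possibly more
        # privileged) group.
        if event["state"] == "STARTED":
            self.ip_to_sgt[event["ip"]] = event["sgt"]
        elif event["state"] == "DISCONNECTED":
            self.ip_to_sgt.pop(event["ip"], None)

    def lookup(self, ip: str) -> int:
        return self.ip_to_sgt.get(ip, UNKNOWN_SGT)


# Constructed SGT-to-SGT rules: (src_sgt, dst_sgt) -> action.
POLICY = {(10, 10): "permit", (10, 20): "deny"}


def enforce(directory: SgtDirectory, src_ip: str, dst_ip: str,
            default: str = "deny") -> str:
    """Classify both ends by IP-derived SGT and apply the matrix. Unmapped
    addresses resolve to Unknown and fall to the default action."""
    pair = (directory.lookup(src_ip), directory.lookup(dst_ip))
    return POLICY.get(pair, default)


# Constructed session events in arrival order (.102 later disconnects).
EVENTS = [
    {"ip": "192.168.100.101", "sgt": 10, "state": "STARTED"},
    {"ip": "192.168.100.102", "sgt": 10, "state": "STARTED"},
    {"ip": "192.168.100.103", "sgt": 20, "state": "STARTED"},
    {"ip": "192.168.100.104", "sgt": 10, "state": "STARTED"},
    {"ip": "192.168.100.102", "sgt": 10, "state": "DISCONNECTED"},
]


def build_directory(events=EVENTS) -> SgtDirectory:
    directory = SgtDirectory()
    for event in events:
        directory.handle_event(event)
    return directory
```

Traffic from .101 to .104 is permitted as Employee-to-Employee, .101 to .103 is denied by the explicit rule, and .101 to the disconnected .102 falls to the default because the firewall no longer holds a group for that address.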

Greg,

Started playing with the pxGrid plugin for Panorama 10.2.x. The 2.0 Cisco TrustSec plugin is the only supported version for the 10.2.x line. Unfortunately the 10.2.x Palo plugin is not supported for 3.2.x ISE. I'm told it will be sometime in the next 30-60 days. Are there any additional methods for sharing IP to SGT mappings from ISE to Panorama that you are aware of?

None that I am aware of. The only other option would be using SXP, but I don't think Palo Alto supports being an SXP listener either.

As an update to this, the 2.0.0 plugin does work with ISE 3.2 patch 2 (what I've tested it with). Had to blow the configs away and now it works...shrug.

https://cs.co/trustsec-compatibility > Cisco Group Based Policy – Platform and Capability Matrix  

IMO, a 9200CX is ideal for all the latest TrustSec and SDA features without a fan for your desktop.