06-22-2018 07:32 PM - last edited on 03-25-2019 05:36 PM by ciscomoderator
I'm configuring a 3560CX and I'm trying to get the switch to enforce the ip-to-sgt bindings.
There are two subnets 192.168.0.0/22 (vlan 500) and 192.168.4.0/22 (vlan 504). The 3560 is the default gateway between the subnets and cts enforces on vlan 504. I have verified that the IP-to-SGT bindings do exist via
show cts role-based sgt-map all

Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
192.168.0.20            16      SXP
192.168.0.21            17      SXP
192.168.6.17            16      LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of SXP bindings   = 2
Total number of LOCAL bindings = 1
Total number of active bindings = 3
And that the permissions are as expected:
show cts role-based permissions from 16 to 17
IPv4 Role-based permissions from group 16:UserGroupA to group 17:UserGroupB:
Deny IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
But 192.168.6.17 remains able to communicate with 192.168.0.21.
I welcome help.
06-25-2018 02:43 AM
Yes, there are certain limitations with these platforms as Hsing has pointed out.
The endpoints MUST be L2 adjacent with the 3560CX - you must be able to see the client IP within the IP device tracking table.
Additionally, ensure global enforcement is configured 'cts role-based enforcement' as well as enforcement for the vlans.
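The two requirements in the accepted answer, written out as a 3560CX configuration plus the checks that show whether they are met. This is an added editor's example, not configuration posted by anyone in the thread. The VLAN numbers (500, 504), the endpoint address 192.168.6.17 and the SGTs 16 and 17 come from the original post; the interface name and the device-tracking settings are assumptions.

```ios
! Added example, not from the thread. VLANs, SGTs and the 192.168.6.17 host
! are taken from the original post; the interface name is a placeholder.

! 1. IP device tracking. The 3560CX only builds a LOCAL IP-to-SGT binding for
!    an endpoint it sees directly (L2 adjacent) on one of its own ports, so
!    tracking must be on and the client IP must appear in the tracking table.
ip device tracking
!
interface GigabitEthernet0/1
 description access port for 192.168.6.17 (assumed interface name)
 switchport mode access
 switchport access vlan 504
!
! 2. Enforcement is needed globally AND per VLAN. The answer says "the vlans";
!    SGACLs are applied where traffic leaves toward the destination, so enable
!    it on both subnets' VLANs rather than only on the source endpoint's VLAN.
cts role-based enforcement
cts role-based enforcement vlan-list 500,504
!
! 3. Verification. The endpoint must be in the tracking table, must show up as
!    a LOCAL binding, and the 16 -> 17 deny must actually accumulate hits.
show ip device tracking all
show cts role-based sgt-map all
show running-config | include cts role-based enforcement
show cts role-based permissions from 16 to 17
!
clear cts role-based counters
! ... now generate traffic from 192.168.6.17 to 192.168.0.21 ...
show cts role-based counters from 16 to 17
```

If the counters for the 16 to 17 cell stay at zero while the hosts still talk, the traffic is not being matched against the SGACL at all, which points back at the binding (endpoint not learned locally) or at enforcement not being enabled for the VLAN the traffic egresses on, rather than at the permission itself.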
06-23-2018 08:03 AM
The “Configuration Guidelines and Limitations” section of Configuring Cisco TrustSec for the 3750-X and 3560-X switches also applies to the 3560CX. Please take a look.