4179 Views, 0 Helpful, 2 Replies

IP to SGT classification, enforcement configuration for 3560CX

tomc.pnnl (Level 1)

I'm configuring a 3560CX and I'm trying to get the switch to enforce the ip-to-sgt bindings.

There are two subnets, 192.168.0.0/22 (vlan 500) and 192.168.4.0/22 (vlan 504). The 3560 is the default gateway between the subnets and cts enforces on vlan 504. I have verified that the IP-to-SGT bindings do exist via

show cts role-based sgt-map all

Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
192.168.0.20            16      SXP
192.168.0.21            17      SXP
192.168.6.17            16      LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of SXP      bindings = 2
Total number of LOCAL    bindings = 1
Total number of active   bindings = 3

And that the permissions are what are expected:

show cts role-based permissions from 16 to 17

IPv4 Role-based permissions from group 16:UserGroupA to group 17:UserGroupB:
        Deny IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

But 192.168.6.17 remains able to communicate with 192.168.0.21.

I welcome help.


2 Replies

hslai (Cisco Employee), accepted solution

Yes, there are certain limitations with these platforms as Hsing has pointed out.

The endpoints MUST be L2 adjacent with the 3560CX - you must be able to see the client IP within the IP device tracking table.

Additionally, ensure global enforcement is configured 'cts role-based enforcement' as well as enforcement for the vlans.
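As an added example (not configuration from the thread or from Cisco), the pieces the reply names written out in 3560CX IOS syntax, using the VLANs, addresses and SGTs from the question. The interface name, the `ip device tracking` settings and the `cts manual` port SGT used to produce the LOCAL binding are assumptions; the show commands at the end are the checks to run before expecting the deny from 16 to 17 to take effect.

```cisco
! Added example, not from the original thread. Assumes a 3560CX running
! IOS 15.x with VLAN 500 = 192.168.0.0/22 and VLAN 504 = 192.168.4.0/22,
! SGT 16 = UserGroupA and SGT 17 = UserGroupB, as in the question.

! 1. IP device tracking. The 3560CX only classifies and enforces for hosts
!    it has learned as directly attached (L2 adjacent); a host behind
!    another router never appears in this table and is never policed.
ip device tracking
!
interface GigabitEthernet0/1
 description host 192.168.6.17 (assumed access port in VLAN 504)
 switchport mode access
 switchport access vlan 504
 ip device tracking maximum 10
 ! Port SGT (assumed): gives the tracked host its LOCAL 16 binding
 cts manual
  policy static sgt 16 trusted
!
! 2. Enforcement is needed globally AND on the VLANs being policed.
!    The reply says "the vlans" (plural): enabling it only on 504 leaves
!    traffic in VLAN 500 unpoliced, so both VLANs are listed here.
cts role-based enforcement
cts role-based enforcement vlan-list 500,504
!
! 3. The VLAN 500 bindings (192.168.0.20 / .21) keep arriving via SXP;
!    no change is needed for them.

! --- Verification (exec mode) ---
! The host MUST show up here. If it does not, the switch is not L2
! adjacent to it and no SGACL will ever match its traffic.
show ip device tracking all
! Bindings and the deny policy must still be present after the change.
show cts role-based sgt-map all
show cts role-based permissions from 16 to 17
! Confirm enforcement is active globally and on both VLANs.
show running-config | include cts role-based enforcement
```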
