Antonio Macia
Participant

SGT limitation in 3750X

Hello,

Per the TrustSec documentation here, there is a restriction in the 3750X and SGT:

"Cisco TrustSec enforcement is supported on only eight or fewer VLANs on a VLAN-trunk link. If more than eight VLANs are configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be errordisabled"

So, I presume that if I enable intra-VLAN enforcement for more than 8 VLANs spanning different switches, the trunk will go to errordisable, right? Has anybody experimented with this?

Regards.

Accepted Solution
jeaves@cisco.com
Cisco Employee

Hi,

Yes, if you have a trunk between two 3750X switches and you're enforcing on those VLANs (to provide intra-VLAN enforcement), then you can only have up to 8 VLANs on that trunk; otherwise you'll see err-disable.

Bear in mind that there is another limitation in that you can only have 1 SGT per VLAN per port when enforcing on this platform. So you can have a PC behind a phone on a port because they will be on different VLANs, but you cannot have multi-auth with 2 PCs being assigned different SGTs.

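As an added pre-deployment check (not from the thread and not a Cisco tool), this Python script flags trunks whose allowed VLAN set overlaps with more than eight SGACL-enforced VLANs, which is the condition the quoted documentation says leads to err-disable. It assumes per-VLAN enforcement is configured with the `cts role-based enforcement vlan-list` global command, that a trunk with no `switchport trunk allowed vlan` line carries all VLANs, and uses a constructed running-config sample.

```python
import re

# Constructed sample running-config (not from the thread); "cts role-based
# enforcement vlan-list" is assumed to be the per-VLAN enforcement command.
SAMPLE_CONFIG = """\
cts role-based enforcement vlan-list 10-20,30
!
interface GigabitEthernet1/1/1
 switchport mode trunk
 switchport trunk allowed vlan 10-15,30
!
interface GigabitEthernet1/1/2
 switchport mode trunk
 switchport trunk allowed vlan 10-20
!
interface GigabitEthernet1/1/3
 switchport mode trunk
"""

MAX_ENFORCED_VLANS_PER_TRUNK = 8  # limit quoted from the TrustSec documentation
ALL_VLANS = frozenset(range(1, 4095))  # trunk default: all VLANs allowed


def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '10-15,30' into a set of VLAN IDs."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def trunks_over_limit(config, limit=MAX_ENFORCED_VLANS_PER_TRUNK):
    """Map each trunk carrying more than `limit` enforced VLANs to that count."""
    enforced, allowed, trunks, current = set(), {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"cts role-based enforcement vlan-list (.+)", line)
        if m:
            enforced |= parse_vlan_list(m.group(1))
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            allowed[current] = ALL_VLANS
        elif current and line == "switchport mode trunk":
            trunks.add(current)
        elif current and line.startswith("switchport trunk allowed vlan "):
            # plain list only; the add/remove/except forms are not handled
            allowed[current] = parse_vlan_list(line.split("vlan", 1)[1])
    counts = {name: len(allowed[name] & enforced) for name in trunks}
    return {name: n for name, n in counts.items() if n > limit}
```

On the sample, GigabitEthernet1/1/1 carries 7 enforced VLANs and passes, while GigabitEthernet1/1/2 (11) and the default-allowed-all GigabitEthernet1/1/3 (12) are reported; pruning the allowed list on each trunk is the corrective step.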