12-11-2018 03:58 AM - edited 03-11-2019 01:53 AM
Hello,
Per the TrustSec documentation here, there is a restriction in the 3750X and SGT:
"Cisco TrustSec enforcement is supported on only eight or fewer VLANs on a VLAN-trunk link. If more than eight VLANs are configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be errordisabled"
So, I presume that if I enable intra-VLAN enforcement for more than 8 VLANs spanning different switches, the trunk will go to errordisable, right? Has anybody experimented with this?
Regards.
12-12-2018 03:45 AM
Hi,
Yes, if you have a trunk between 2 3750X switches and you're enforcing on those VLANs (to provide intra-VLAN enforcement), then you can only have up to 8 VLANs on that trunk, otherwise you'll see err-disable.
Bear in mind that there is another limitation in that you can only have 1 SGT per VLAN per port when enforcing on this platform. So you can have a PC behind a phone on a port because they will be on different VLANs, but you cannot have multi-auth with 2 PCs being assigned different SGTs.
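A pre-change check for the eight-VLAN trunk limit discussed above, as an added example that is not part of the original thread or of Cisco's tooling. It assumes the limit applies to the VLANs that are both in a trunk's allowed list and in `cts role-based enforcement vlan-list`; the configuration text is constructed, and only numeric VLAN lists plus `all`/`none` are parsed.

```python
import re

LIMIT = 8  # enforced VLANs tolerated per trunk, per the documentation quoted above

def expand(spec):
    """Expand an IOS VLAN list ('10,20-25', 'all', 'none') into a set of ints."""
    spec = spec.replace(" ", "")
    if spec in ("all", "none"):
        return set(range(1, 4095)) if spec == "all" else set()
    ranges = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def audit(config):
    """Return {trunk interface: sorted enforced VLANs} for trunks over LIMIT."""
    enforced, ports, iface = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"cts role-based enforcement vlan-list (.+)", line):
            enforced |= expand(m.group(1))
        elif raw.startswith("interface "):
            iface = line.split(None, 1)[1]
            ports[iface] = {"trunk": False, "allowed": None}  # None: no allowed list
        elif iface and line == "switchport mode trunk":
            ports[iface]["trunk"] = True
        elif iface and (m := re.match(r"switchport trunk allowed vlan (add )?(.+)", line)):
            base = (ports[iface]["allowed"] or set()) if m.group(1) else set()
            ports[iface]["allowed"] = base | expand(m.group(2))
    over = {}
    for name, p in ports.items():
        # A trunk without an allowed list carries every VLAN.
        allowed = expand("all") if p["allowed"] is None else p["allowed"]
        hit = sorted(allowed & enforced)
        if p["trunk"] and len(hit) > LIMIT:
            over[name] = hit
    return over

# Constructed running-config fragment (not taken from a real switch).
SAMPLE = """\
cts role-based enforcement vlan-list 10-19,30
interface GigabitEthernet1/0/1
 switchport access vlan 10
interface TenGigabitEthernet1/1/1
 switchport trunk allowed vlan 10-15
 switchport trunk allowed vlan add 16-19,30,40
 switchport mode trunk
interface TenGigabitEthernet1/1/2
 switchport trunk allowed vlan 10-17,40
 switchport mode trunk
"""
print(audit(SAMPLE))
```

Only the first uplink is reported: it carries 11 enforced VLANs, while the second carries exactly 8 and the access port is ignored.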