TrustSec and LAN topology

mnkojima
Level 1

Hello

We have a customer that will implement TrustSec. Their LAN access switches are C2960X and core switches are C9300.

However, they have only one subnet, 10.x.x.x/8. My question is: do we have to segment this network into smaller subnets to implement TrustSec, or is this not necessary?

Thank you

Marcos

Accepted Solutions

Damien Miller
VIP Alumni
TrustSec is VLAN and IP agnostic; all that matters is what SGT an IP has. That said, because the 2960 platform does not support inline tagging or SGACLs, you will not be able to enforce east-west user traffic at the access layer like you could if you had 3650, 3850, or Cat 9K switches at the access layer.

You would have to use SXP in this environment to communicate the SGT-to-IP bindings to enforcement-capable switches, limiting you to north-south enforcement.

VLANs could be used to force traffic through the distribution switch, sending SGT-to-IP mappings to the Cat 9K from ISE via SXP. This doesn't scale well when you have many SXP connections or mappings.
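To make the answer concrete, here is an added illustrative model (not code from the thread, Cisco, or ISE) of what the enforcement-capable core does with SXP-learned bindings: classify by longest-prefix lookup of IP-to-SGT bindings, then apply the SGACL cell for the (source SGT, destination SGT) pair. The binding table, SGT numbers and matrix cells are constructed sample data; the flat 10.0.0.0/8 is kept on purpose to show that subnet layout plays no part in the decision, while `access_layer_decision` models the 2960X case where same-VLAN traffic never reaches the policy.

```python
from ipaddress import ip_address, ip_network

# Constructed SXP bindings as ISE would send them: prefix -> SGT, longest prefix wins.
SXP_BINDINGS = {
    ip_network("10.0.0.0/8"): 0,        # Unknown: the whole flat /8 by default
    ip_network("10.20.30.0/24"): 10,    # Employees (constructed dynamic range)
    ip_network("10.20.30.77/32"): 20,   # Contractor host learned from its 802.1X session
    ip_network("10.200.1.5/32"): 100,   # HR database server
}

# Constructed SGACL matrix: (src SGT, dst SGT) -> action; missing cells use the default.
SGACL = {
    (10, 100): "permit",
    (20, 100): "deny",
    (20, 10): "deny",
}
DEFAULT_ACTION = "permit"


def sgt_for(ip):
    """Longest-prefix lookup in the binding table; SGT 0 (Unknown) if nothing matches."""
    addr = ip_address(ip)
    matches = [net for net in SXP_BINDINGS if addr in net]
    if not matches:
        return 0
    return SXP_BINDINGS[max(matches, key=lambda n: n.prefixlen)]


def enforce(src_ip, dst_ip):
    """Decision the SGACL-capable switch makes for a flow that transits it.

    Only the two SGTs matter; the VLAN or subnet the hosts sit in is never consulted.
    """
    return SGACL.get((sgt_for(src_ip), sgt_for(dst_ip)), DEFAULT_ACTION)


def access_layer_decision(src_ip, dst_ip, same_vlan=True):
    """Model of the 2960X: it has no SGACLs, so traffic it switches locally within the
    VLAN is never evaluated. Only traffic forced up to the Cat 9K gets enforced."""
    if same_vlan:
        return "permit (not enforced: switched locally on the 2960X)"
    return enforce(src_ip, dst_ip)


if __name__ == "__main__":
    print(enforce("10.20.30.77", "10.200.1.5"))              # deny at the core
    print(access_layer_decision("10.20.30.77", "10.20.30.5"))  # east-west, unenforced
```

Splitting the /8 into more subnets would change nothing in `enforce`; what changes the outcome is whether the flow traverses a switch that holds the bindings and can apply the SGACL.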

Thank you Damien