
TrustSec intra-VLAN segmentation

I'm playing around with TrustSec a little bit and wondering if segmentation inside the same VLAN on the same switch is possible. Let's say I have 2 clients assigned SGT 5 by 802.1X in the same broadcast domain on the same switch. In ISE I blocked the client-to-client (5 to 5) traffic and configured enforcement in the VLAN. Should the clients then be prevented from talking to each other?


I read in the configuration guide that the enforcement is also done for switched traffic if it is enforced on the VLAN, but I'm not sure if it's working on the same switch. In my lab, enforcement works between VLANs but not inside the same VLAN.


Thanks in advance

VIP Advisor

Re: TrustSec intra-VLAN segmentation

Yes, this is possible and should be working, assuming you are on the correct platform with the configuration for it. TrustSec is of course VLAN/subnet-independent; all that matters is the SGT-to-IP binding and the SGACL that would apply between the tag/tags. So your policy should be working if everything else is up to it.

When you are being enforced across VLANs, is that also on the same switch, just different VLANs, or different switches?

If we cover the basics when you are trying same-VLAN enforcement, does it meet some basic criteria:
1. Is the switch model capable of SGACL enforcement?
2. Is the VLAN included in the "cts role-based enforcement vlan-list" of the switch(es)?
3. Do the SGACLs show up in "sh cts role-based permissions"?
4. Do both endpoints display their "local" mappings in "sh cts role-based sgt-map all"?
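A small script that applies checks 2 to 4 from the list above to captured show-command output, as an added example that is not part of the thread. The sample output is constructed, and the regexes assume IOS-style formatting, which varies by platform and release.

```python
import re
# Constructed sample output modelled on Cisco IOS 'show' commands; exact
# formatting varies by platform and release, so the regexes are assumptions.
RUNNING_CONFIG = """\
cts role-based enforcement
cts role-based enforcement vlan-list 10,20-25
"""
PERMISSIONS = """\
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 5:Clients to group 5:Clients:
        Deny IP-00
RBACL Monitor All for Dynamic Policies : FALSE
"""
SGT_MAP = """\
IP Address              SGT     Source
============================================
10.1.10.11              5       LOCAL
10.1.10.12              5       LOCAL
10.1.20.50              6       SXP
"""

def enforced_vlans(config):
    """Expand 'cts role-based enforcement vlan-list 10,20-25' into a set of VLAN IDs."""
    vlans = set()
    for m in re.finditer(r"^cts role-based enforcement vlan-list (\S+)", config, re.M):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def sgacl_pairs(permissions):
    """Set of (src_sgt, dst_sgt) pairs that have an SGACL in 'show cts role-based permissions'."""
    return {(int(a), int(b)) for a, b in re.findall(
        r"^IPv4 Role-based permissions from group (\d+)\S* to group (\d+)\S*:", permissions, re.M)}

def local_bindings(sgt_map):
    """Return {ip: sgt} for bindings whose Source is LOCAL, i.e. learned on this switch."""
    return {m.group(1): int(m.group(2)) for m in
            re.finditer(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+LOCAL\s*$", sgt_map, re.M)}

def intra_vlan_ready(vlan, sgt, endpoints, config=RUNNING_CONFIG, permissions=PERMISSIONS, sgt_map=SGT_MAP):
    """Checks 2-4 for one VLAN/SGT pair; returns a list of findings (empty means all checks pass)."""
    problems = []
    if vlan not in enforced_vlans(config):
        problems.append(f"VLAN {vlan} is not in the enforcement vlan-list")
    if (sgt, sgt) not in sgacl_pairs(permissions):
        problems.append(f"no SGACL downloaded for SGT {sgt} -> {sgt}")
    for ip in endpoints:
        if local_bindings(sgt_map).get(ip) != sgt:
            problems.append(f"{ip} has no LOCAL binding to SGT {sgt}")
    return problems
```

Feed it the real output of `show running-config | include cts role-based enforcement`, `show cts role-based permissions` and `show cts role-based sgt-map all` in place of the constructed strings; an SXP-learned binding for an endpoint that should be local points at an 802.1X or device-tracking issue rather than a policy one.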