Showing results for 
Search instead for 
Did you mean: 

Trustsec intra-vlan segmentation


i´m playing around with trustsec a little bit and wondering if segmentation inside the same VLAN on the same switch is possible. Lets say i have 2 clients assigned SGT5 by 802.1x in the same boardcast domain on the same switch. In ISE i blocked the client-to-client (5 to 5) traffic and configured enforcement in the vlan. Should then the clients be prevented to talk to each other ? 


I read in the configuration guide that the enforcement is also done for switched traffic if it is enforced on the VLAN but I´m not sure if its working on the same switch. In my lab enforcement works between VLANs but not inside the same VLAN


Thanks in advance

1 Reply 1

Damien Miller
VIP Advisor VIP Advisor
VIP Advisor
Yes this is possible and should be working assuming you are on the correct platform with the configuration for it. TrustSec is of course vlan/subnet independent, all that matters is the SGT to IP binding and the SGACL that would apply between the tag/tags. So your policy should be working if everything else is up to it.

When you are being enforced across VLANs, is that also on the same switch, just different vlans, or different switches?

If we cover the basics when you are trying same vlan enforcement, does it meet some basic criteria,
1. Is the switch model capable of SGACL enforcement
2. Is the vlan included in the "cts role-based enforcement vlan-list" of the switch(s)
3. Do the SGACL's show up in "sh cts role-based permissions"
4. Do both endpoints display their "local" mappings in "sh cts role-based sgt-map all"
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers