TrustSec IP-SGT Binding Limitation

firefox
Cisco Employee

Hi Team,

As per the below table, there are limits on IP-SGT bindings for the relevant switches. What I want to know is, how are the L2 and L3 limits calculated? What parameters does the TrustSec feature check in the 4500 series switch to build up this limit?

[Attached image: IP-SGT Binding Limits.JPG]

Thanks

TJ


6 Replies

umahar
Cisco Employee

As far as I remember, the mappings are stored in ASICs in the switches.

Thanks umahar, but my query is specific to how the switch classifies the IP-SGT binding as L2 or L3. Is it because of the way the switch has learned the IP details, or is it because of routes, VLANs etc.?


The way switches derive source SGTs and destination SGTs is different for L2 switched traffic and L3 routed traffic. L3 has higher scale than L2 and hence different values.


Hi umahar, is there a document that you can point me to, which shows how switches derive source SGTs and destination SGTs?

Accepted solution:
Please see attached. They are taken from the "Advanced Security Group Tags: The Detailed Walk Through - BRKSEC-3690" session at Cisco Live.


jeaves@cisco.com
Cisco Employee (accepted solution)

Hi TJ,
In cat4K, the DGT derivation limit of 2000 entries applies to only ‘switched traffic’ as it uses 1 block of Input ACL (2K entries) for deriving DGT in case of switched traffic.
For L3 traffic, we use FIB to derive DGT and hence this limit doesn’t apply.
The limit is applicable to all Sup7, 8 and 9 Supervisors.