Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2559
Views
0
Helpful
6
Replies

TrustSec IP-SGT Binding Limitation

Go to solution
firefox
Cisco Employee
Cisco Employee

‎09-05-2018 12:07 AM

Hi Team,

As per the below table, there are limits on IP-SGT bindings for relevant switches. What i want to know is, how are the L2 and L3 limits calculated? What parameters does the TrustSec feature check in the 4500 series switch to build up this limit?

IP-SGT Binding Limits.JPG

Thanks

TJ

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
faylee
Cisco Employee
Cisco Employee
In response to firefox

‎09-05-2018 03:10 PM

Please see attached.  They are taken from the "Advanced Security Group Tags: The Detailed Walk Through - BRKSEC-3690" session at Cisco Live.

 

View solution in original post

Preview file
117 KB
0 Helpful

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee

‎09-06-2018 01:41 AM

Hi TJ,
In cat4K, the DGT derivation limit of 2000 entries applies to only ‘switched traffic’ as it uses 1 block of Input ACL (2K entries) for deriving DGT in case of switched traffic.
For L3 traffic, we use FIB to derive DGT and hence this limit doesn’t apply.
The limit is applicable to all Sup7, 8 and 9 Supervisors.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
umahar
Cisco Employee
Cisco Employee

‎09-05-2018 07:15 AM

As far as I remember the mappings are stored in ASICs in the switches.

0 Helpful

Go to solution
firefox
Cisco Employee
Cisco Employee
In response to umahar

‎09-05-2018 08:02 AM

Thanks unmahar, but my query is specific to how the switch classifies the IP-SGT binding as L2 or L3? Is it because of the way the switch has learned the IP details, or is it because of routes, vlans etc?

 

0 Helpful

Go to solution
umahar
Cisco Employee
Cisco Employee
In response to firefox

‎09-05-2018 08:34 AM

The way switches derive source SGTs and destination SGTs is different for L2 switched traffic and L3 routed traffic. L3 has scale than L2 and hence different values. 

 

0 Helpful

Go to solution
firefox
Cisco Employee
Cisco Employee
In response to umahar

‎09-05-2018 09:21 AM

HI umahar, is there a document that you can point me to, which shows how switches derive source SGTs and destination SGTs ?

0 Helpful

Go to solution
faylee
Cisco Employee
Cisco Employee
In response to firefox

‎09-05-2018 03:10 PM

Please see attached.  They are taken from the "Advanced Security Group Tags: The Detailed Walk Through - BRKSEC-3690" session at Cisco Live.

 

Preview file
117 KB
0 Helpful

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee

‎09-06-2018 01:41 AM

Hi TJ,
In cat4K, the DGT derivation limit of 2000 entries applies to only ‘switched traffic’ as it uses 1 block of Input ACL (2K entries) for deriving DGT in case of switched traffic.
For L3 traffic, we use FIB to derive DGT and hence this limit doesn’t apply.
The limit is applicable to all Sup7, 8 and 9 Supervisors.

0 Helpful
Customers Also Viewed These Support Documents