Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4307
Views
5
Helpful
2
Replies

Trustsec manual propagation between FTD 2120 and Catalyst 2960X

Go to solution
jay3
Level 1
Level 1

‎05-08-2019 03:05 AM

Hi everyone, 

Please may you assist me on how I would propagate SGT's between my FTD 2120 and Catalyst 2960X in the segment I highlighted in the attached snippet.The 2960X switch is classifying the traffic and the FTD 2120 should be enforcing the SGT policy.The challenge in propagation is that the 2960X supports SXP and does not support in-line tagging and the FTD supports in-line tagging, pxGrid and does not support SXP.

 

Regards,

Jay

 

Labels:
Preview file
12 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎05-08-2019 03:54 AM

Hi,
A couple of options that I can think of:-

Are you using ISE to classify and assign SGTs to the connected users on the 2960X switch? If so you can propagate these to the FTD using pxgrid.

Swapout the 2960X for a switch that does support inline tagging.

Alternatively put a ISR/ASR router between the 2960X and the FTD, peer the 2960X with the router to distribute the SGT bindings and then in-line tag from the router to the FTD.

HTH

View solution in original post

2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎05-08-2019 03:54 AM

Hi,
A couple of options that I can think of:-

Are you using ISE to classify and assign SGTs to the connected users on the 2960X switch? If so you can propagate these to the FTD using pxgrid.

Swapout the 2960X for a switch that does support inline tagging.

Alternatively put a ISR/ASR router between the 2960X and the FTD, peer the 2960X with the router to distribute the SGT bindings and then in-line tag from the router to the FTD.

HTH

Go to solution
jay3
Level 1
Level 1
In response to Rob Ingram

‎06-28-2019 01:15 AM

Hi,

Sorry for the delay.My environment does not have ISE at the moment so  i  used your second suggestion "Alternatively put a ISR/ASR router between the 2960X and the FTD, peer the 2960X with the router to distribute the SGT bindings and then in-line tag from the router to the FTD" and everything worked out fine.

Thanks a lot

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents