1818 Views | 0 Helpful | 1 Reply

TrustSec SGT supported platforms and modules

yosefshai (Level 1)

Hi all,


I have a question regarding how to determine if a Cisco router/switch supports SGT inline tagging.


Although I found a link (below) that shows which platforms and modules are required to support inline SGT, I still cannot determine for certain whether my switches support inline SGT.

http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html


Here are the relevant sections of my 3750's 'show ver' (I know that the IOS should be version 15.X and of type 'ipbase').

Does the hardware support inline tagging?


Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE3,

System image file is "flash:/c3750-ipservicesk9-mz.122-55.SE3.bin"

cisco WS-C3750G-24TS-1U (PowerPC405) processor (revision 01) with 131072K bytes of memory.
Processor board ID FOC0941U2TU
Last reset from power-on
3 Virtual Ethernet interfaces
28 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:15:C6:F5:32:80
Motherboard assembly number     : 73-10219-03
Power supply part number        : 341-0098-01
Motherboard serial number       : FOC09400WB9
Power supply serial number      : AZS093800Q6
Model revision number           : 01
Motherboard revision number     : 04
Model number                    : WS-C3750G-24TS-S1U
System serial number            : FOC0941U2TU
Top Assembly Part Number        : 800-26859-01
Top Assembly Revision Number    : 06
Version ID                      : V03
Hardware Board Revision Number  : 0x02


===========================================


Here are the relevant sections of my 6500's 'show ver' (I know that the IOS should be version 15.X and of type 'ipbase').

Does the hardware support inline tagging?


Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI12, RELEASE SOFTWARE (fc2)

ROM: System Bootstrap, Version 12.2(14r)S9, RELEASE SOFTWARE (fc1)

System image file is "disk0:s72033-advipservicesk9_wan-mz.122-33.SXI12.bin"

cisco WS-C6506 (R7000) processor (revision 3.0) with 458720K/65536K bytes of memory.
Processor board ID SAL08363E5J
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from power-on
7 Virtual Ethernet interfaces
50 Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.

65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102


TIA


Accepted Solution

mohanak (Cisco Employee)

Configuration Guidelines and Limitations

The following guidelines and limitations apply to configuring Cisco TrustSec SGT and SGACL on Catalyst 3750-X and Catalyst 3560-X switches:

  • You cannot statically map an IP-subnet to an SGT. You can only map IP addresses to an SGT. When you configure IP address-to-SGT mappings, the IP address prefix must be 32.
  • If a port is configured in Multi-Auth mode, all hosts connecting on that port must be assigned the same SGT. When a host tries to authenticate, its assigned SGT must be the same as the SGT assigned to a previously authenticated host. If a host tries to authenticate and its SGT is different from the SGT of a previously authenticated host, the VLAN port (VP) to which these hosts belong is error-disabled.
  • Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If there are more than eight VLANs configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be error-disabled.
  • The switch can assign SGT and apply corresponding SGACL to end-hosts based on SXP listening only if the end-hosts are Layer2 adjacent to the switch.
  • Port-to-SGT mapping can be configured only on Cisco TrustSec links (that is, switch-to-switch links). Port-to-SGT mapping cannot be configured on host-to-switch links.

When port-to-SGT mapping is configured on a port, an SGT is assigned to all ingress traffic on that port. There is no SGACL enforcement for egress traffic on the port.
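The guidelines above describe three ways a TrustSec rollout on a 3750-X/3560-X fails at deployment time (a subnet in an IP-to-SGT mapping, enforcement on more than eight VLANs of a trunk, a port-to-SGT mapping on a host-facing link), two of which err-disable the port. The following is an added example, not code from the original post or from Cisco: a small pre-flight linter that checks a proposed mapping plan against those three limits before it is pushed to the switch. The plan data model (`TrunkPlan`, `PortSgtPlan`, the `link_type` strings) and the sample plan are constructed for this example; the limits are the ones quoted in the answer. It does not answer whether a given chassis supports inline tagging, which still has to be read from the compatibility matrix.

```python
import ipaddress
from dataclasses import dataclass

# Limits quoted in the answer above for Catalyst 3750-X / 3560-X.
HOST_PREFIX_LEN = 32              # IP-to-SGT mappings must be /32 host entries
MAX_ENFORCED_VLANS_PER_TRUNK = 8  # enforcement is supported on at most 8 VLANs per trunk


@dataclass
class TrunkPlan:
    """Constructed description of one trunk: its allowed VLANs and the VLANs
    on which TrustSec enforcement is to be enabled."""
    name: str
    vlans: frozenset
    enforced_vlans: frozenset


@dataclass
class PortSgtPlan:
    """Constructed description of one static port-to-SGT assignment.
    link_type is "switch" for a TrustSec switch-to-switch link, "host" otherwise."""
    name: str
    sgt: int
    link_type: str


def check_ip_sgt_mappings(mappings):
    """mappings: {"address or prefix": sgt}. Returns a list of violation strings.
    Only individual IPv4 host addresses (/32) are accepted."""
    problems = []
    for prefix, sgt in mappings.items():
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            problems.append(f"ip-sgt {prefix}->{sgt}: not a valid IP address or prefix")
            continue
        if net.version != 4 or net.prefixlen != HOST_PREFIX_LEN:
            problems.append(
                f"ip-sgt {prefix}->{sgt}: subnet mappings are not supported; "
                f"use individual /{HOST_PREFIX_LEN} host addresses")
    return problems


def check_trunk_enforcement(trunks):
    """Flags trunks where enforcement would be enabled on more than eight of the
    trunk's VLANs, which the guideline says err-disables the trunk ports."""
    problems = []
    for t in trunks:
        enforced_on_trunk = t.enforced_vlans & t.vlans
        if len(enforced_on_trunk) > MAX_ENFORCED_VLANS_PER_TRUNK:
            problems.append(
                f"trunk {t.name}: enforcement on {len(enforced_on_trunk)} VLANs exceeds "
                f"the limit of {MAX_ENFORCED_VLANS_PER_TRUNK} (port would be err-disabled)")
    return problems


def check_port_sgt(ports):
    """Port-to-SGT mapping is only valid on switch-to-switch TrustSec links."""
    return [
        f"port-sgt {p.name}->{p.sgt}: port-to-SGT mapping is not allowed on host-facing links"
        for p in ports if p.link_type != "switch"
    ]


def lint_plan(mappings, trunks, ports):
    """Run every check and return the combined list of violations (empty = clean)."""
    return (check_ip_sgt_mappings(mappings)
            + check_trunk_enforcement(trunks)
            + check_port_sgt(ports))


# Constructed sample plan: one violation of each kind plus valid entries.
SAMPLE_MAPPINGS = {"10.1.1.10/32": 10, "10.1.1.11": 10, "10.1.2.0/24": 20}
SAMPLE_TRUNKS = [
    TrunkPlan("Gi1/0/1", frozenset(range(1, 13)), frozenset(range(1, 10))),  # 9 enforced VLANs
    TrunkPlan("Gi1/0/2", frozenset(range(1, 5)), frozenset(range(1, 5))),    # 4 enforced VLANs
]
SAMPLE_PORTS = [
    PortSgtPlan("Gi1/0/3", 30, "switch"),  # valid: TrustSec link
    PortSgtPlan("Gi1/0/4", 30, "host"),    # invalid: host-facing port
]

if __name__ == "__main__":
    for line in lint_plan(SAMPLE_MAPPINGS, SAMPLE_TRUNKS, SAMPLE_PORTS):
        print(line)
```

Run against the sample plan it reports exactly three findings, one per guideline. The trunk check intersects the enforced set with the VLANs actually allowed on the trunk, since a VLAN that is enforced elsewhere but pruned from this trunk does not count toward the eight.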
