Hi
I'm implementing static SGT TrustSec permissions within a particular VLAN (switches used are WS-C3650-48PD running 03.06.05E).
Configuration is below - VLAN 200 is classified with SGT 200 and all traffic between clients in the VLAN is dropped (I also have SGT propagation enabled on the switch uplinks):
cts sgt <SWITCH-SGT>
cts role-based sgt-map vlan-list 200 sgt 200
cts role-based enforcement
cts role-based enforcement vlan-list 200
cts role-based permissions from 200 to 200 DENY-ALL
The switches have device tracking enabled and the above configuration works fine on the WS-C3650-48PD - the output of the command "show cts role-based sgt-map all" shows the clients in VLAN 200 are being tagged with sgt 200.
When I try and apply this configuration to WS-C3650-48FQM switches running 16.3.3, SGT classification fails. These switches also have device tracking enabled but SGT classification still doesn't work - I can assign SGT successfully to a host IP but not to a VLAN.
Any ideas on why I can't classify SGTs with VLANs on WS-C3650-48FQM running 16.3.3?
Thanks
Andy
P.S. I can only use 16.3.3 on the WS-C3650-48FQM switches because of the bug CSCvc54604.