
Where is TrustSec classification and enforcement occurring with Cat 4510

mpeeters
Cisco Employee

Modules in C4510 chassis:

WS-X45SUP7-E

WS-X4648 – RJ45V+E

Q:

Is the WS-X45SUP7-E the ingress and egress to the TrustSec domain for the entire switch with both SGT tags and SXP peering, or is this done at the line cards themselves?

Is the SUP the classification and enforcement point for the line cards that do not perform inline SGT tagging?

1 Reply

mjessup
Cisco Employee

For SXP the source can be any L3 address on the 4500. Typically though, it would be highly recommended to use a loopback interface as the source. The SUP7/SUP8 will always make the enforcement decisions, regardless of having received tagged traffic or untagged traffic where SXP will be used to determine the SRC/DST SGT.


The Supervisor interfaces may also be configured and used for inline tagging. This is especially the case if there are no other TrustSec capable (for inline tagging) linecards in the chassis. Only the WS-X47XX linecards support inline tagging. They can be used in addition to the SUP interfaces or by themselves for inline tagging connectivity.


Note though that any other linecard may be used for host connectivity, and although they can't be used for inline tagging, intra-chassis SGACL enforcement is still possible between hosts connected to these ports.


The Platform Matrix can be found here:

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/platform-capability-matrix.pdf


Mike