SGT Enforcement Point AND Tagging Locations

Jordan_Warzak
Level 1

My question has two parts to it. Think of what I’m doing as a lazy approach to SGTs, because I’m trying to avoid configuration on anything except my 3850 switches… if that’s even possible.


The questions:


  1. Can I do SGT enforcement at the trunk port connected to the router?
  2. Can I tag Internet traffic ON the 3850 DYNAMICALLY for use for SGT enforcement?


Let me elaborate while trying not to muddy the waters.


Can I do SGT enforcement at the trunk port connected to the router?

The idea here is pretty simple. Can I enforce my SGTs on my 3850 as they are leaving the trunk port (connected to the router), or before they leave the trunk port? In other words, can I enforce on traffic leaving or attempting to leave the switch so it can’t even get as far as the router?


The reason for this question is that if I could do this, you can imagine traffic could be cut off early on its travels through the network and save me from additional configuration on the routers, the cores or the firewalls.


Next Question.


Can I tag Internet traffic ON the 3850 DYNAMICALLY for use for SGT enforcement?

This one is tricky. But can I tag traffic from, say, Google as it enters the 3850 for use in enforcement? To elaborate, I understand I could tag this traffic at the core, at the offsite router or at the firewall. But can I tag it right at the switch and use it to block Google from, say, my PCI devices?


The purpose of this question is much the same as the one above, in the sense that I’m trying to save on configuration on other devices and keep it all at the switches.


I really hope that makes sense!


For the record, I THINK the answer to both my questions is “no”, but I just wanted to throw it out there to see what people thought.

1 Reply

Hi Jordan,

Yes, you can enforce on the 3850, as long as it has the SGTs. You can create an SGACL and push it out via ISE, or create the rules locally on the switch.


As far as tagging the Internet, if you know the IP address ranges of the Internet sites you want to tag, you could push this out from ISE and the switches could then enforce. I might be wrong, but I don't think you can tag on a domain name.


HTH
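What the reply describes, done entirely on the switch, as an added example that is not from the thread or from Cisco documentation: a local IP-to-SGT mapping for an Internet range, an RBACL, the SGT-to-SGT bindings in both directions, and enforcement turned on. The SGT values (10 for PCI devices, 20 for the Internet range), the 203.0.113.0/24 prefix and VLAN 100 are constructed placeholders.

```cisco
! Added example for a Catalyst 3850 (IOS-XE), local configuration only.
! SGT 10 = PCI devices, SGT 20 = Internet range, VLAN 100 = PCI VLAN.
! All three values and the 203.0.113.0/24 prefix are constructed placeholders.
!
! 1. Classify: bind the Internet destination range to an SGT on the switch.
!    ISE could push the same IP-to-SGT mapping instead of configuring it here.
cts role-based sgt-map 203.0.113.0/24 sgt 20
!
! 2. Define the RBACL (the SGACL contents) that the blocked flow will hit.
ip access-list role-based PCI_INTERNET_DENY
 deny ip
!
! 3. Bind the RBACL to the SGT pair in both directions, so the switch drops
!    PCI -> Internet on the way out and Internet -> PCI on the way in.
cts role-based permissions from 10 to 20 PCI_INTERNET_DENY
cts role-based permissions from 20 to 10 PCI_INTERNET_DENY
!
! 4. Enable enforcement globally and on the PCI VLAN. The switch enforces on
!    egress once it knows both the source and the destination SGT, which is
!    why the mapping in step 1 is what lets the drop happen before the packet
!    ever reaches the router.
cts role-based enforcement
cts role-based enforcement vlan-list 100
!
! Verification (exec mode): confirm the mapping and policy are present, then
! watch the hardware counters increment for the denied pair.
! show cts role-based sgt-map all
! show cts role-based permissions
! show cts role-based counters
```

Without the step 1 mapping (or an equivalent binding pushed from ISE), the switch has no destination SGT for the Internet range and the SGACL never matches, which is the practical limit on the "keep it all at the switches" approach.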