SGT limitation in 3750X

Hello,

Per the TrustSec documentation here, there is a restriction in the 3750X and SGT:

"Cisco TrustSec enforcement is supported on only eight or fewer VLANs on a VLAN-trunk link. If more than eight VLANs are configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be errordisabled"

So, I presume that if I enable intra-VLAN enforcement for more than 8 VLANs spanning different switches, the trunk will go to errordisable, right? Has anybody experimented with this?

Regards.

Accepted Solutions
Cisco Employee

Re: SGT limitation in 3750X

Hi,

Yes, if you have a trunk between 2 3750X switches and you're enforcing on those VLANs (to provide intra-VLAN enforcement), then you can only have up to 8 VLANs on that trunk; otherwise you'll see err-disable.

Bear in mind that there is another limitation in that you can only have 1 SGT per VLAN per port when enforcing on this platform. So you can have a PC behind a phone on a port because they will be on different VLANs, but you cannot have multi-auth with 2 PCs being assigned different SGTs.
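
The eight-VLAN trunk limit discussed above can be checked against a saved configuration before a change is pushed. This is an added example, not part of the original thread and not Cisco tooling: it assumes enforcement is configured with `cts role-based enforcement vlan-list`, that the limit counts VLANs that are both enforced and carried on the trunk, and it runs on a constructed sample config.

```python
import re

LIMIT = 8                        # per-trunk limit quoted in the thread (3750-X)
ALL_VLANS = set(range(1, 4095))
# Constructed sample running-config, not taken from a real device.
SAMPLE_CONFIG = """\
cts role-based enforcement vlan-list 10-18,30
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10-20
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,11,30
 switchport trunk allowed vlan add 40-45
!
interface GigabitEthernet1/0/3
 switchport mode access
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10-18,30' into a set of ints."""
    vlans = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunks(config, limit=LIMIT):
    """Return {trunk: enforced VLANs it carries} for trunks over the limit."""
    enforced, ifaces, cur = set(), {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {"trunk": False, "allowed": None})
        elif m := re.match(r"cts role-based enforcement vlan-list (\S+)$", line):
            enforced |= ALL_VLANS if m.group(1) == "all" else expand_vlans(m.group(1))
        elif cur is not None and line == "switchport mode trunk":
            cur["trunk"] = True
        elif cur is not None and (m := re.match(r"switchport trunk allowed vlan (add )?([\d,-]+)$", line)):
            new = expand_vlans(m.group(2))
            cur["allowed"] = (cur["allowed"] or set()) | new if m.group(1) else new
    findings = {}
    for name, i in ifaces.items():
        # Assumption: a trunk with no allowed-VLAN list carries every VLAN.
        carried = ALL_VLANS if i["allowed"] is None else i["allowed"]
        if i["trunk"] and len(enforced & carried) > limit:
            findings[name] = sorted(enforced & carried)
    return findings
```

Calling `audit_trunks(SAMPLE_CONFIG)` flags only GigabitEthernet1/0/1, which carries nine enforced VLANs; an empty result means no trunk exceeds the limit.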
