SGT limitation in 3750X

Antonio Macia
Level 3

Hello,

 

Per the TrustSec documentation here, there is a restriction in the 3750X and SGT:

 

"Cisco TrustSec enforcement is supported on only eight or fewer VLANs on a VLAN-trunk link. If more than eight VLANs are configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be errordisabled"

 

So, I presume that if I enable intra-VLAN enforcement for more than 8 VLANs spanning different switches, the trunk will go to errordisable, right? Has anybody experimented with this?

 

Regards.

1 Accepted Solution


jeaves@cisco.com
Cisco Employee

Hi,

Yes, if you have a trunk between 2 3750X switches and you're enforcing on those VLANs (to provide intra-VLAN enforcement), then you can only have up to 8 VLANs on that trunk; otherwise you'll see err-disable.

Bear in mind that there is another limitation in that you can only have 1 SGT per VLAN per port when enforcing on this platform. So you can have a PC behind a phone on a port because they will be on different VLANs, but you cannot have multi-auth with 2 PCs being assigned different SGTs.

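
A pre-change check for the trunk restriction discussed in this thread, as an added example that is not from the original posts or from Cisco: it parses a running-config and reports trunks whose allowed VLANs include more than eight VLANs listed under `cts role-based enforcement vlan-list`. The sample config is constructed, and treating a trunk's allowed-VLAN list as the VLANs "configured on" that trunk is an assumption.

```python
import re

LIMIT = 8  # enforced VLANs per trunk, from the restriction quoted in the thread
# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
cts role-based enforcement
cts role-based enforcement vlan-list 10-20,30
interface GigabitEthernet1/0/1
 switchport mode access
interface GigabitEthernet1/1/1
 switchport trunk allowed vlan 10-17
 switchport mode trunk
interface GigabitEthernet1/1/2
 switchport trunk allowed vlan 10-18
 switchport trunk allowed vlan add 30,99
 switchport mode trunk
interface GigabitEthernet1/1/3
 switchport mode trunk
"""

def parse_vlan_list(text):
    """Expand an IOS VLAN list ('10-12,30', 'all' or 'none') into a set of IDs."""
    if text in ("all", "none"):
        return set(range(1, 4095)) if text == "all" else set()
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunks(config):
    """Return {trunk interface: enforced VLANs it carries} where the count exceeds LIMIT."""
    enforced, ports, port = set(), {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"cts role-based enforcement vlan-list (\S+)", line):
            enforced |= parse_vlan_list(m.group(1))
        elif m := re.match(r"interface (\S+)", line):
            # A trunk with no allowed-VLAN line carries every VLAN.
            port = ports[m.group(1)] = {"trunk": False, "allowed": parse_vlan_list("all")}
        elif port and line == "switchport mode trunk":
            port["trunk"] = True
        elif port and (m := re.match(r"switchport trunk allowed vlan (add )?(\S+)", line)):
            new = parse_vlan_list(m.group(2))
            port["allowed"] = port["allowed"] | new if m.group(1) else new
    carried = {n: sorted(p["allowed"] & enforced) for n, p in ports.items() if p["trunk"]}
    return {n: v for n, v in carried.items() if len(v) > LIMIT}

if __name__ == "__main__":
    print(audit_trunks(SAMPLE_CONFIG))
```

The parser handles only the allowed-VLAN forms shown in the sample (a list, `all`, `none`, and `add` continuation lines).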