Re: Trustsec intra-vlan segmentation

Is101008 · ‎08-18-2019

i´m playing around with trustsec a little bit and wondering if segmentation inside the same VLAN on the same switch is possible. Lets say i have 2 clients assigned SGT5 by 802.1x in the same boardcast domain on the same switch. In ISE i blocked the client-to-client (5 to 5) traffic and configured enforcement in the vlan. Should then the clients be prevented to talk to each other ?

I read in the configuration guide that the enforcement is also done for switched traffic if it is enforced on the VLAN but I´m not sure if its working on the same switch. In my lab enforcement works between VLANs but not inside the same VLAN

Thanks in advance

Damien Miller · ‎08-19-2019

Yes this is possible and should be working assuming you are on the correct platform with the configuration for it. TrustSec is of course vlan/subnet independent, all that matters is the SGT to IP binding and the SGACL that would apply between the tag/tags. So your policy should be working if everything else is up to it.

When you are being enforced across VLANs, is that also on the same switch, just different vlans, or different switches?

If we cover the basics when you are trying same vlan enforcement, does it meet some basic criteria,
1. Is the switch model capable of SGACL enforcement
2. Is the vlan included in the "cts role-based enforcement vlan-list" of the switch(s)
3. Do the SGACL's show up in "sh cts role-based permissions"
4. Do both endpoints display their "local" mappings in "sh cts role-based sgt-map all"