The following guidelines and limitations apply to configuring Cisco TrustSec SGT and SGACL:
- You cannot statically map an IP subnet to an SGT. You can only map IP addresses to an SGT. When you configure IP address-to-SGT mappings, the IP address prefix must be
- If a port is configured in Multi-Auth mode, all hosts connecting on that port must be assigned the same SGT. When a host tries to authenticate, its assigned SGT must be the same as the SGT assigned to a previously authenticated host. If a host tries to authenticate and its SGT is different from the SGT of a previously authenticated host, the VLAN port (VP) to which these hosts belong is
- When IPv6 end host learning is enabled on the switch, we do not recommend using CTS dot1x links on the same switch. If IPv6 learning and CTS dot1x are both configured on the same switch, it might lead to inconsistent bindings in the IP-SGT bindings
- If the CTS links are in Critical Authentication mode and the master reloads, the policy where SGT was configured on a device will not be available on the new master. This is because the internal bindings will not be synced to the standby switch in a 3750-X switch stack.
- Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If there are more than eight VLANs configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be error-disabled.
- The switch can assign an SGT and apply the corresponding SGACL to end hosts based on SXP listening only if the end hosts are Layer 2 adjacent to the switch.
- For SGACL, the maximum number of ACEs per ACL is 48.
- Port-to-SGT mapping can be configured only on Cisco TrustSec links (that is, switch-to-switch links). Port-to-SGT mapping cannot be configured on
- When port-to-SGT mapping is configured on a port, an SGT is assigned to all ingress traffic on that port. There is no SGACL enforcement for egress traffic on the
- uses AES-128 GCM and GMAC and is compliant with the 802.1AE standard. GCM is not supported on switches running the NPE or the LAN Base image.
- NDAC SAP is supported on trunk ports because it is intended only for network-device-to-network-device links, that is, switch-to-switch links. It is not supported on:
  - Host-facing access ports (these ports support MKA MACsec)
  - Switch virtual interfaces
  - SPAN destination ports
- The switch also does not support security group ACLs.
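As an added example (not part of the Cisco documentation), the following Python lint checks a planned TrustSec change against the hard limits listed above before it is pushed to a switch: host-only IP-to-SGT mappings, at most 48 ACEs per SGACL, at most eight enforcement-enabled VLANs per trunk, and one SGT per Multi-Auth port. The plan is modelled as plain Python data rather than IOS syntax; the class and field names, interface names, and sample values are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Limits stated in the guidelines above.
MAX_ACES_PER_SGACL = 48
MAX_ENFORCED_VLANS_PER_TRUNK = 8

@dataclass
class TrunkLink:
    name: str
    enforced_vlans: set          # VLANs with TrustSec enforcement enabled

@dataclass
class MultiAuthPort:
    name: str
    host_sgts: dict              # constructed host MAC -> SGT it would receive

@dataclass
class PlannedConfig:             # hypothetical model of the planned change
    ip_sgt_maps: dict = field(default_factory=dict)    # prefix -> SGT
    sgacls: dict = field(default_factory=dict)         # SGACL name -> list of ACEs
    trunks: list = field(default_factory=list)
    multi_auth_ports: list = field(default_factory=list)

def lint(cfg):
    """Return one finding string per limitation the plan would violate."""
    findings = []
    for prefix, sgt in cfg.ip_sgt_maps.items():
        # Only host addresses may be mapped statically; a subnet is rejected.
        if ipaddress.ip_network(prefix, strict=False).num_addresses != 1:
            findings.append(f"ip-sgt: {prefix} -> SGT {sgt} is a subnet; only host addresses can be mapped")
    for name, aces in cfg.sgacls.items():
        if len(aces) > MAX_ACES_PER_SGACL:
            findings.append(f"sgacl {name}: {len(aces)} ACEs exceeds the limit of {MAX_ACES_PER_SGACL}")
    for trunk in cfg.trunks:
        if len(trunk.enforced_vlans) > MAX_ENFORCED_VLANS_PER_TRUNK:
            findings.append(f"trunk {trunk.name}: enforcement on {len(trunk.enforced_vlans)} VLANs "
                            f"exceeds {MAX_ENFORCED_VLANS_PER_TRUNK}; the port would be error-disabled")
    for port in cfg.multi_auth_ports:
        sgts = sorted(set(port.host_sgts.values()))
        if len(sgts) > 1:
            findings.append(f"multi-auth port {port.name}: hosts would receive differing SGTs {sgts}")
    return findings

# Constructed sample plan that trips each check exactly once.
SAMPLE = PlannedConfig(
    ip_sgt_maps={"10.1.1.10/32": 10, "10.2.0.0/16": 20},
    sgacls={"deny_web": [f"deny tcp dst eq {p}" for p in range(49)],
            "permit_dns": ["permit udp dst eq 53"]},
    trunks=[TrunkLink("Gi1/0/48", set(range(100, 109)))],
    multi_auth_ports=[MultiAuthPort("Gi1/0/5", {"aa:bb:cc:00:00:01": 10, "aa:bb:cc:00:00:02": 11})],
)
```

Running `lint(SAMPLE)` returns four findings, one per limit; an empty `PlannedConfig()` returns none.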