Cisco TrustSec Switch Configuration Guide
Considerations for Catalyst 3750 and 3560 Series Switches

Notes for Catalyst 3750, 3560, and 2960 Series Switches

Table Of Contents

Notes for Catalyst 3750, 3560, and 2960 Series Switches

Minimum Cisco IOS Release for Cisco TrustSec Features

TrustSec SGT and SGACL Configuration Guidelines and Limitations

Revised: October 11, 2012, OL-22192-02

Minimum Cisco IOS Release for Cisco TrustSec Features

Feature                                                      Minimum Cisco IOS Release Required   Catalyst Switch Support
Cisco TrustSec SGA, SGT, and SGACL                           15.0(2)SE                            3750-X and 3560-X
Cisco TrustSec SXP version 2, syslog messages, and SNMP      15.0(2)SE                            3560-C, 2960-S, 2960-C
  support                                                    15.0(1)SE                            3750 and 3560
                                                             12.2(53)SE2                          3750-X and 3560-X


TrustSec SGT and SGACL Configuration Guidelines and Limitations

The following guidelines and limitations apply to configuring Cisco TrustSec SGT and SGACL on Catalyst 3750-X and Catalyst 3560-X switches:

You cannot statically map an IP-subnet to an SGT. You can only map IP addresses to an SGT. When you configure IP address-to-SGT mappings, the IP address prefix must be 32.

If a port is configured in Multi-Auth mode, all hosts connecting on that port must be assigned the same SGT. When a host tries to authenticate, its assigned SGT must be the same as the SGT assigned to a previously authenticated host. If a host tries to authenticate and its SGT is different from the SGT of a previously authenticated host, the VLAN port (VP) to which these hosts belong is error-disabled.

Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If there are more than eight VLANs configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be error-disabled.

The switch can assign an SGT and apply the corresponding SGACL to end hosts learned through SXP listening only if the end hosts are Layer 2 adjacent to the switch.

Port-to-SGT mapping can be configured only on Cisco TrustSec links (that is, switch-to-switch links). Port-to-SGT mapping cannot be configured on host-to-switch links.

When port-to-SGT mapping is configured on a port, an SGT is assigned to all ingress traffic on that port. There is no SGACL enforcement for egress traffic on the port.
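Several of the limitations above (the /32 prefix rule, the same-SGT rule on Multi-Auth ports, the eight-VLAN trunk limit, and port-to-SGT mapping only on switch-to-switch links) fail loudly once deployed, in two cases by error-disabling the port. The following added example, which is not Cisco code and not part of this guide, is a small pre-deployment lint that checks a planned configuration against those four guidelines before it is pushed. The data model (SgtMapping, Port, the "host"/"trust" link labels) and the sample values are constructed for illustration and are not the switch's own configuration syntax.

```python
"""Pre-deployment lint for the Catalyst 3750-X/3560-X TrustSec guidelines.

Added example, not Cisco code. The data model below is a hypothetical
planning representation; the checks mirror the four guidelines on the page.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

MAX_ENFORCED_TRUNK_VLANS = 8   # guideline: enforcement on at most eight VLANs per trunk link


@dataclass
class SgtMapping:
    """A planned static IP-to-SGT binding."""
    prefix: str      # e.g. "10.1.1.5/32"
    sgt: int


@dataclass
class Port:
    """A planned port, modelled only as far as the guidelines need (hypothetical model)."""
    name: str
    link: str                           # "host" (host-to-switch) or "trust" (switch-to-switch)
    host_mode: str = "single-host"      # or "multi-auth"
    authenticated_sgts: List[int] = field(default_factory=list)  # SGTs of hosts seen on the port
    enforced_vlans: Set[int] = field(default_factory=set)        # trunk VLANs with enforcement on
    static_sgt: Optional[int] = None    # port-to-SGT mapping, if any


def check_mapping(m: SgtMapping) -> Optional[str]:
    """Only /32 host mappings are supported; subnet mappings are not."""
    try:
        net = ipaddress.ip_network(m.prefix, strict=True)   # rejects host bits set under the mask
    except ValueError as exc:
        return f"{m.prefix}: not a valid prefix ({exc})"
    if net.version != 4 or net.prefixlen != 32:
        return f"{m.prefix}: IP-to-SGT mapping must use a /32 prefix (subnet mapping unsupported)"
    return None


def check_port(p: Port) -> List[str]:
    """Return one finding per guideline the planned port would violate."""
    findings: List[str] = []
    distinct = set(p.authenticated_sgts)
    if p.host_mode == "multi-auth" and len(distinct) > 1:
        findings.append(f"{p.name}: hosts with different SGTs {sorted(distinct)} on a multi-auth "
                        "port; the VLAN port would be error-disabled")
    if p.link == "trust" and len(p.enforced_vlans) > MAX_ENFORCED_TRUNK_VLANS:
        findings.append(f"{p.name}: enforcement on {len(p.enforced_vlans)} trunk VLANs exceeds "
                        f"{MAX_ENFORCED_TRUNK_VLANS}; the port would be error-disabled")
    if p.static_sgt is not None and p.link != "trust":
        findings.append(f"{p.name}: port-to-SGT mapping is only supported on switch-to-switch links")
    return findings


def lint(mappings: List[SgtMapping], ports: List[Port]) -> List[str]:
    """Collect all findings for a planned configuration."""
    findings: List[str] = []
    for m in mappings:
        f = check_mapping(m)
        if f:
            findings.append(f)
    for p in ports:
        findings.extend(check_port(p))
    return findings


# Constructed sample plan: two clean items and four that each violate one guideline.
PLANNED_MAPPINGS = [
    SgtMapping("10.1.1.5/32", 10),
    SgtMapping("10.1.2.0/24", 10),          # subnet mapping: rejected
]
PLANNED_PORTS = [
    Port("Gi1/0/1", "host", "multi-auth", authenticated_sgts=[10, 10]),   # consistent SGT: fine
    Port("Gi1/0/2", "host", "multi-auth", authenticated_sgts=[10, 20]),   # mixed SGTs: error-disable
    Port("Gi1/0/24", "trust", enforced_vlans=set(range(100, 110))),       # 10 enforced VLANs > 8
    Port("Gi1/0/3", "host", static_sgt=30),                               # port-to-SGT on host link
]

if __name__ == "__main__":
    for line in lint(PLANNED_MAPPINGS, PLANNED_PORTS):
        print("FINDING:", line)
```

Run it as a script to list the findings for the sample plan; in practice the planned mappings and ports would be generated from whatever source of truth feeds the switch configuration, and a non-empty result should block the push.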