- Understanding Cisco TrustSec
- Configuring the Cisco TrustSec Solution
- Configuring Identities and Connections
- Configuring SGACL Policies
- TrustSec SGACL High Availability
- SGT Exchange Protocol over TCP (SXP)
- VRF-Aware SGT
- IP-Prefix and SGT-Based SXP Filtering
- SGT Inline Tagging
- Configuring Cisco TrustSec Reflector and Caching
- Configuring Endpoint Admission Control
- Cisco TrustSec Command Summary
- Considerations for Catalyst 3000 and 2000 Series Switches and Wireless LAN Controller 5700 Series
- Considerations for Catalyst 4500 Series Switches
- Considerations for Catalyst 6500 Series Switches
- Glossary
Notes for Catalyst 3000 and 2000 Series Switches and Wireless LAN Controller 5700 Series
Supported Hardware and Software
For a complete table of features, platforms, and IOS images supported, see the latest Product Bulletins at the following URL:
http://www.cisco.com/en/US/netsol/ns1051/index.html
See also, the Matrix of Cisco TrustSec-Enabled Infrastructure at the following URL:
http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
Configuration Guidelines and Restrictions
Catalyst 3850, Catalyst 3650 Switches, and Wireless LAN Controller 5700 Series
Catalyst 3750-X and Catalyst 3560-X switches
Global Catalyst 3000 Series
- AAA for Cisco TrustSec requires RADIUS and is supported only by Cisco Identity Services Engine (Cisco ISE) Release 1.2 with patches or later, and Cisco Secure Access Control System (Cisco ACS) version 5.1 or later.
- Cisco TrustSec is disabled by default.
- SXP is disabled by default.
Catalyst 3850, Catalyst 3650 Switches, and Wireless LAN Controller 5700 Series
- Cisco TrustSec can be configured only on physical interfaces, not on logical interfaces.
- Cisco TrustSec for IPv6 is not supported.
- Dynamic IP-to-SGT binding is not supported for hosts on Layer 3 physical routed interfaces, because IP Device Tracking is not supported on Layer 3 physical interfaces.
- If you configure Cisco TrustSec on an interface of a Catalyst 3850 or Catalyst 3650 switch with the cts manual command and disable the interface immediately afterwards, the link flaps. Shut down the interface with the shutdown command before configuring Cisco TrustSec on it, and bring it back up afterwards.
- Cisco TrustSec cannot be configured on a pure bridging domain with the IPSG feature enabled. You must disable the IPSG feature in the bridging domain.
- Cisco TrustSec on the switch or controller supports up to 255 security group destination tags for enforcing security group ACLs.
- Cisco TrustSec MACsec for switch-to-switch security is supported only on switches running the IP Base or IP Services feature set. It is not supported on switches running the NPE or LAN Base feature set.
- For Cisco IOS Release 3.7E and later, a Cisco TrustSec VLAN-to-SGT binding cannot be enabled in a pure bridging domain. You must either manually enable IP device tracking on the ports in the VLAN, or configure an SVI for the VLAN.
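As an added example that is not part of this guide, the configuration below applies two of the guidelines above on a Catalyst 3850: the uplink is shut down before cts manual is entered and brought up only afterwards, and the VLAN that carries a VLAN-to-SGT binding is given an SVI so that it is no longer a pure bridging domain. The interface name, VLAN 10, the address 10.10.10.1/24 and the SGT values 2 and 20 are assumed placeholders.

```cisco
! Added example, not from the page. Interface names, VLAN 10, 10.10.10.1/24
! and SGT values 2 and 20 are assumed placeholders.
configure terminal
!
! 1. Switch-to-switch link: shut the port first, then configure Cisco
!    TrustSec, then bring it back up, so the link does not flap
!    (Catalyst 3850/3650 guideline above).
interface TenGigabitEthernet1/1/1
 shutdown
 cts manual
  policy static sgt 2 trusted
 exit
 no shutdown
exit
!
! 2. VLAN-to-SGT binding (Cisco IOS XE 3.7E and later): a VLAN with no SVI
!    and no IP device tracking is a pure bridging domain and the binding
!    is not enabled. Here the VLAN gets an SVI; the alternative named in
!    the guideline is IP device tracking on the access ports in the VLAN.
vlan 10
exit
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 no shutdown
exit
cts role-based sgt-map vlan-list 10 sgt 20
!
! 3. Turn on SGACL enforcement globally and for the VLAN.
cts role-based enforcement
cts role-based enforcement vlan-list 10
end
!
! Verification: the uplink should show the manual CTS state and the
! VLAN binding should appear in the IP-SGT table.
show cts interface TenGigabitEthernet1/1/1
show cts role-based sgt-map all
```

If the interface was already up when cts manual was entered, the same sequence still applies: shut it down, finish the Cisco TrustSec configuration, then issue no shutdown once.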
Catalyst 3750-X and Catalyst 3560-X switches
The following guidelines and limitations apply to configuring Cisco TrustSec SGT and SGACL:
- You cannot statically map an IP-subnet to an SGT. You can only map IP addresses to an SGT. When you configure IP address-to-SGT mappings, the IP address prefix must be 32.
- If a port is configured in Multi-Auth mode, all hosts connecting on that port must be assigned the same SGT. When a host tries to authenticate, its assigned SGT must be the same as the SGT assigned to a previously authenticated host. If a host tries to authenticate and its SGT is different from the SGT of a previously authenticated host, the VLAN port (VP) to which these hosts belong is error-disabled.
- Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If there are more than eight VLANs configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be error-disabled.
- The switch can assign SGT and apply corresponding SGACL to end-hosts based on SXP listening only if the end-hosts are Layer 2 adjacent to the switch.
- SGT and SGACL are supported on Catalyst 3750-X and Catalyst 3560-X switches only with the C3KX-SM-10G service module. Network modules do not support SGT and SGACL.
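As an added example that is not part of this guide, the configuration below shows how the /32 restriction and the eight-VLAN trunk limit above look in practice on a Catalyst 3750-X: hosts are mapped to an SGT individually rather than by subnet, a simple role-based ACL is applied between two groups, and the trunk is restricted to eight VLANs before enforcement is enabled on them so the port is not error-disabled. The addresses, VLANs 10 to 17, SGT values 20 and 30, the interface name and the ACL name WEB_ONLY are assumed placeholders.

```cisco
! Added example, not from the page. Addresses, VLANs 10-17, SGTs 20/30,
! the interface name and the RBACL name WEB_ONLY are assumed placeholders.
configure terminal
!
! 1. Static IP-to-SGT mappings: on the 3750-X/3560-X only /32 host entries
!    can be mapped. A subnet form such as
!      cts role-based sgt-map 10.20.0.0/24 sgt 30
!    is not supported on these platforms; map each host instead.
cts role-based sgt-map 10.20.0.15 sgt 30
cts role-based sgt-map 10.20.0.16 sgt 30
!
! 2. Role-based ACL from servers (SGT 30) toward clients (SGT 20):
!    only HTTPS is allowed, everything else is dropped.
ip access-list role-based WEB_ONLY
 permit tcp dst eq 443
 deny ip
exit
cts role-based permissions from 30 to 20 WEB_ONLY
!
! 3. Trunk: enforcement is supported on at most eight VLANs per trunk.
!    Allow only VLANs 10-17 on the trunk and enforce on exactly those,
!    otherwise the trunk port is error-disabled.
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10-17
exit
cts role-based enforcement
cts role-based enforcement vlan-list 10-17
end
!
! Verification: host mappings, the installed permission matrix, and
! per-cell hit counters for the SGACL.
show cts role-based sgt-map all
show cts role-based permissions
show cts role-based counters
```

The SGACL only takes effect for hosts the switch can classify; on these platforms that means hosts with a static /32 mapping, an authenticated session on the port, or an SXP-learned binding for a Layer 2 adjacent host, as the guidelines above describe.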