Notes for Catalyst 3000 and 2000 Series Switches and Wireless LAN Controller 5700 Series

Revised: May 18, 2014, OL-22192-02

Supported Hardware and Software

For a complete table of features, platforms, and IOS images supported, see the latest Product Bulletins at the following URL:

http://www.cisco.com/en/US/netsol/ns1051/index.html

See also, the Matrix of Cisco TrustSec-Enabled Infrastructure at the following URL:

http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html

Configuration Guidelines and Restrictions

Global Catalyst 3000 Series

Catalyst 3850, Catalyst 3650 Switches, and Wireless LAN Controller 5700 Series

Catalyst 3750-X and Catalyst 3560-X switches

Global Catalyst 3000 Series

  • AAA for Cisco TrustSec requires RADIUS and is supported only by the Cisco Identity Services Engine (Cisco ISE), Release1.2 with patches or more recent, and Cisco Secure Access Control System (Cisco ACS), version 5.1 or more recent.
  • Default for Cisco Trustsec is disabled.
  • Default for SXP is disabled.

Catalyst 3850, Catalyst 3650 Switches, and Wireless LAN Controller 5700 Series

  • Cisco TrustSec can be configured only on physical interfaces, not on logical interfaces.
  • Cisco TrustSec for IPv6 is not supported.
  • Dynamic binding of IP-SGT is not supported for hosts on Layer 3 physical routed interfaces because the IP Device Tracking feature for Layer 3 physical interfaces is not supported.
  • If you configure an interface with Cisco TrustSec on Catalyst 3850 and Catalyst 3650 switches using cts manual command and disable the interface immediately, link flap occurs. It is recommended to disable the interface using the shut command before configuring Cisco TrustSec.
  • Cisco TrustSec cannot be configured on a pure bridging domain with the IPSG feature enabled. You must disable the IPSG feature in the bridging domain.
  • Cisco TrustSec on the switch or controller supports up to 255 security group destination tags for enforcing security group ACLs.
  • Cisco TrustSec MACSec for switch-to-switch security is supported only on switches running the IP base or IP services feature set. It is not supported on switches running the NPE or LAN base feature set.
  • For Cisco IOS Release 3.7E and later, Cisco TrustSec VLAN-to-SGT binding cannot be enabled in pure bridging domain. You have to either manually enable IP device tracking on the ports in the VLAN, or enable SVI interface for the VLAN.

Catalyst 3750-X and Catalyst 3560-X switches

The following guidelines and limitations apply to configuring Cisco TrustSec SGT and SGACL:

  • You cannot statically map an IP-subnet to an SGT. You can only map IP addresses to an SGT. When you configure IP address-to-SGT mappings, the IP address prefix must be 32.
  • If a port is configured in Multi-Auth mode, all hosts connecting on that port must be assigned the same SGT. When a host tries to authenticate, its assigned SGT must be the same as the SGT assigned to a previously authenticated host. If a host tries to authenticate and its SGT is different from the SGT of a previously authenticated host, the VLAN port (VP) to which these hosts belong is error-disabled.
  • Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If there are more than eight VLANs configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be error-disabled.
  • The switch can assign SGT and apply corresponding SGACL to end-hosts based on SXP listening only if the end-hosts are Layer 2 adjacent to the switch.
  • SGT and SGACL are supported on Catalyst 3750-X and Catalyst 3650-X switches only with C3KX-SM-10G service module. Network modules do not support SGT and SGACL.