We have Cisco 3560X and 6500 Sup2T in the distribution and the datacenter, they are both TrustSec-capable. But we got Cisco 6500 Sup720 in the core, which is only able to do the SXP, so I was wondering how we can implement TrustSec in this type of environment.
Hi Brian, curious what you want to achieve with Security Group Tagging. For example, is it network segmentation, quick on-boarding or migration of servers, or the wider end-to-end piece for role-based access to data centre services?
Yes, the Sup720 cannot perform inline propagation of tags. Whilst SXP is more complex, it shouldn't in itself prevent the use of TrustSec. The other switches you mention support SXP (both Speaker & Listener), so I can't see an issue in terms of tag propagation. The 3560-X needs 'IP Base', but I guess they already have that. Do you have inline DC firewalls? If so, then you'll need to use SXP to propagate tags across them anyway. If they are ASAs, then they do not support inline tagging. If they are non-Cisco firewalls, then you'll need to pass tags across them using multi-hop SXP.
Be careful with the 3560-X/3750-X Series since they are very limited when it comes to enforcement capabilities. They can only be used to enforce local switchport p2p communication and only within the same layer-2 domain, so can prevent the spread of malware between clients within the same VLAN on the same switch, but that's about the only practical use I can think of. Therefore, you'll need to perform the majority of your enforcement elsewhere, such as one of your 6500s. Also, the 3560-X/3750-X only support TrustSec enforcement on up to 8 VLANs on an uplink. Any more and the switchports for the additional VLANs will go into err-disable.
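As an added illustration (not configuration posted in this thread), the following IOS fragments show the propagation-and-enforcement split the replies describe: the Sup720 core, which cannot tag inline, acts as an SXP speaker for its IP-to-SGT bindings, the Sup2T listens and enforces, and the 3560-X keeps uplink enforcement within its 8-VLAN limit. All IP addresses, SGT numbers, VLAN ranges, ACL names and the SXP password are assumed placeholders.

```cisco
! --- Core: 6500 Sup720 (SXP only, no inline tagging) ---
! Advertise the bindings it knows about to the Sup2T over SXP.
cts sxp enable
cts sxp default password 0 EXAMPLE-SXP-KEY
cts sxp default source-ip 10.0.0.1
! Static host-to-SGT bindings (assumed example values)
cts role-based sgt-map 10.10.10.5 sgt 100
cts role-based sgt-map 10.10.20.5 sgt 200
! Speaker towards the data centre Sup2T (listener at 10.0.0.2)
cts sxp connection peer 10.0.0.2 password default mode local speaker

! --- Data centre: 6500 Sup2T (SXP listener, does the enforcement) ---
cts sxp enable
cts sxp default password 0 EXAMPLE-SXP-KEY
cts sxp default source-ip 10.0.0.2
cts sxp connection peer 10.0.0.1 password default mode local listener
! Local static SGACL (in production this would normally be pushed by ISE)
ip access-list role-based ALLOW-WEB-ONLY
 permit tcp dst eq 443
 deny ip
cts role-based permissions from 100 to 200 ALLOW-WEB-ONLY
cts role-based enforcement

! --- Access: 3560-X (IP Base) ---
! Only local p2p enforcement in the same L2 domain; stay at 8 VLANs or
! fewer on the uplink to avoid err-disable.
cts role-based enforcement
cts role-based enforcement vlan-list 10-17

! Verification commands:
! show cts sxp connections
! show cts role-based sgt-map all
! show cts role-based counters
```

`show cts sxp connections` on both 6500s should report the peer as On before any SGACL hits are expected on the Sup2T.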