Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Trustsec question

We have Cisco 3560X and 6500 Sup2T in the distribution and the datacenter, they are both TrustSec-capable. But we got Cisco 6500 Sup720 in the core, which is only able to do the SXP, so I was wondering how we can implement Trustsec in this type of enviroment.




Everyone's tags (1)

Hi Brian, what do you want to

Hi Brian, curious what you want to achieve with Security Group Tagging. For example, is it network segmentation, quick on-boarding or migration of servers, or the wider end-to-end piece for role-based access to data centre services?

Yes, the Sup720 cannot perform inline propagation of tags. Whilst SXP is more complex, it shouldn't in itself prevent the use of TrustSec. The other switches you mention support SXP (both Speaker & Listener), so I can't see an issue in terms of tag propagation. The 3560-X needs 'IP Base', but I guess they already have that. Do you have inline DC firewalls? If so, then you'll need to use SXP to propagate tags across them anyway. If they are ASAs, then they do not support inline tagging. If they are non-Cisco firewalls, then you'll need to pass tags across them using multi-hop SXP.

Be careful with the 3560-X/3750-X Series since they are very limited when it comes to enforcement capabilities. They can only by used to enforce local switchport p2p communication and only within the same layer-2 domain, so can prevent the spread of Malware between clients within the same VLAN on the same switch, but that's about the only practical use I can think of. Therefore, you'll need to perform the majority of your enforcement elsewhere, such as one of your 6500s. Also, the 3560-X/3750-X only support TrustSec enforcement on up to 8 VLANs on an uplink. Any more and the switchports for the additional VLANs will go into err-disable.

Hope that helps.

CreatePlease to create content