1-15
Cisco TrustSec Configuration Guide
OL-22192-01
Chapter 1 Cisco TrustSec Overview
Using Cisco TrustSec-Incapable Devices and Networks in a Cisco TrustSec Network
Figure 1-7 Spanning a Non-TrustSec domain
To support Cisco TrustSec Layer 3 SGT Transport, any device that will act as a Cisco TrustSec ingress
or egress Layer 3 gateway must maintain a traffic policy database that lists eligible subnets in remote
Cisco TrustSec domains as well as any excluded subnets within those regions. You can configure this
database manually on each device if it cannot be downloaded automatically from the
Cisco Secure ACS.
A device can send Layer 3 SGT Transport data from one port and receive Layer 3 SGT Transport data
on another port, but both the ingress and egress ports must have Cisco TrustSec-capable hardware.
Note Cisco TrustSec does not encrypt the Layer 3 SGT Transport encapsulated packets. To protect the packets
traversing the non-TrustSec domain, you can configure other protection methods, such as IPsec.
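The following is an added worked example, not code from the Cisco TrustSec guide or from Cisco IOS: it models the traffic policy database described above as a set of eligible remote subnets with excluded subnets carved out, and decides per destination whether an egress Layer 3 gateway would apply the Layer 3 SGT Transport encapsulation. The class and function names, the check that every exclusion lies inside an eligible subnet, and all prefixes are constructed for illustration and are not Cisco identifiers or commands.

```python
"""
Added example: a Layer 3 SGT Transport traffic policy lookup.

The policy database has two parts, as the guide describes:
  - eligible subnets in remote Cisco TrustSec domains
  - excluded subnets within those eligible ranges
A destination is encapsulated only if it matches an eligible subnet and
matches no exclusion.  Names and prefixes are constructed sample values.
"""
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, Iterable, Optional, Union

Network = Union[IPv4Network, IPv6Network]


class TrafficPolicy:
    """Manually built traffic policy: eligible remote subnets minus exclusions."""

    def __init__(self, eligible: Iterable[str], excluded: Iterable[str] = ()):
        self.eligible = [ip_network(n, strict=False) for n in eligible]
        self.excluded = [ip_network(n, strict=False) for n in excluded]
        # An exclusion only makes sense inside some eligible subnet; reject
        # stray entries so a typo in a manually entered policy is caught
        # at configuration time rather than silently ignored.
        for ex in self.excluded:
            inside = any(
                ex.subnet_of(e) for e in self.eligible if ex.version == e.version
            )
            if not inside:
                raise ValueError(f"excluded subnet {ex} is not inside any eligible subnet")

    def matching_subnet(self, dst: str) -> Optional[Network]:
        """Return the most specific eligible subnet containing dst, or None
        when dst is outside the policy or inside an excluded range."""
        addr = ip_address(dst)
        # Exclusions take precedence over any eligible match.
        if any(addr in ex for ex in self.excluded):
            return None
        matches = [net for net in self.eligible if addr in net]
        if not matches:
            return None
        # Longest prefix wins, mirroring ordinary routing-table semantics.
        return max(matches, key=lambda net: net.prefixlen)

    def encapsulate(self, dst: str) -> bool:
        """True when the egress gateway should add the Layer 3 SGT Transport
        encapsulation for a packet toward dst."""
        return self.matching_subnet(dst) is not None


def classify(policy: TrafficPolicy, destinations: Iterable[str]) -> Dict[str, str]:
    """Map each destination to 'sgt-transport' or 'plain' under the policy."""
    return {
        d: ("sgt-transport" if policy.encapsulate(d) else "plain") for d in destinations
    }


# Constructed sample policy: one remote TrustSec domain reachable across a
# non-TrustSec domain, with a management subnet carved out of it.
SAMPLE_POLICY = TrafficPolicy(
    eligible=["10.20.0.0/16", "10.30.5.0/24", "2001:db8:20::/48"],
    excluded=["10.20.255.0/24"],
)

if __name__ == "__main__":
    samples = ["10.20.1.7", "10.20.255.9", "10.30.5.1", "192.0.2.1", "2001:db8:20::1"]
    for dst, verdict in classify(SAMPLE_POLICY, samples).items():
        print(f"{dst:20} {verdict}")
```

Because the guide notes that the encapsulated packets are not encrypted, every destination this lookup marks as `sgt-transport` is traffic that will cross the non-TrustSec domain with its SGT in the clear unless a separate protection such as IPsec covers that path; the lookup is a good place to audit that the set of eligible subnets matches the set of paths that protection actually covers.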
Cisco TrustSec Reflector for Cisco TrustSec-Incapable Switching Modules
A Catalyst 6500 series switch in a Cisco TrustSec domain may contain any of these types of switching
modules:
• Cisco TrustSec-capable—Hardware supports insertion and propagation of SGT.
• Cisco TrustSec-aware—Hardware does not support insertion and propagation of SGT, but hardware
can perform a lookup to determine the source and destination SGTs for a packet.
• Cisco TrustSec-incapable—Hardware does not support insertion and propagation of SGT and
cannot determine the SGT by a hardware lookup.
If your switch contains a Cisco TrustSec-capable supervisor engine, you can use the Cisco TrustSec
reflector feature to accommodate legacy Cisco TrustSec-incapable switching modules within the same
switch. Available in Cisco IOS Release 12.2(50)SY and later releases, Cisco TrustSec reflector uses
SPAN to reflect traffic from a Cisco TrustSec-incapable switching module to the supervisor engine for
SGT assignment and insertion.
[Figure 1-7 labels: Switch 1 (TrustSec domain) and Switch 2 (TrustSec domain) connected across a Non-TrustSec domain; links marked as protected link and unprotected link]