Chapter 1
Cisco TrustSec Overview
Figure 1-7 Spanning a Non-TrustSec domain
[Figure: labels read TrustSec domain, Switch 1, Protected link, Non-TrustSec domain, Unprotected link, Switch 2, TrustSec domain]
To support Cisco TrustSec Layer 3 SGT Transport, any device that will act as a Cisco TrustSec ingress
or egress Layer 3 gateway must maintain a traffic policy database that lists eligible subnets in remote
Cisco TrustSec domains as well as any excluded subnets within those regions. You can configure this
database manually on each device if it cannot be downloaded automatically from the
Cisco Secure ACS.
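The following Python is an added illustration, not code from the Cisco guide or from Cisco IOS. It models the traffic policy database described above as two lists, eligible remote subnets and excluded subnets carved out of them, and shows the decision a Layer 3 gateway makes for a destination address: carry the SGT across the non-TrustSec domain only when the destination is in an eligible subnet and not in an excluded one. The class and function names (Layer3SgtPolicy, GatewayPort, check_gateway_ports) and the sample subnets are assumptions chosen for the example.

```python
"""Model of a Layer 3 SGT Transport traffic policy database (added example, not Cisco code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List


@dataclass
class Layer3SgtPolicy:
    """Eligible subnets in remote TrustSec domains, plus excluded subnets inside them.

    Mirrors the two halves of the database the guide describes; the names and
    the structure are assumptions for this example, not Cisco's data model.
    """
    eligible: list = field(default_factory=list)
    excluded: list = field(default_factory=list)

    def add_eligible(self, cidr: str) -> None:
        self.eligible.append(ip_network(cidr))

    def add_excluded(self, cidr: str) -> None:
        self.excluded.append(ip_network(cidr))

    def should_encapsulate(self, destination: str) -> bool:
        """True when the SGT should be carried across the non-TrustSec domain.

        An exception always wins over an eligible entry, so a subnet excluded
        inside an eligible region is forwarded as plain traffic.
        """
        addr = ip_address(destination)
        if not any(addr in net for net in self.eligible):
            return False
        return not any(addr in net for net in self.excluded)


@dataclass
class GatewayPort:
    name: str
    trustsec_capable: bool  # hardware supports SGT insertion and propagation


def check_gateway_ports(ingress: GatewayPort, egress: GatewayPort) -> List[str]:
    """Return the hardware problems that would stop this port pair acting as a gateway.

    A device may receive Layer 3 SGT Transport on one port and send it on another,
    but both ports must be Cisco TrustSec-capable; an empty list means the pair is usable.
    """
    problems = []
    if not ingress.trustsec_capable:
        problems.append(f"ingress port {ingress.name} is not Cisco TrustSec-capable")
    if not egress.trustsec_capable:
        problems.append(f"egress port {egress.name} is not Cisco TrustSec-capable")
    return problems


def demo() -> dict:
    """Constructed sample: one eligible remote region with one excluded subnet inside it."""
    policy = Layer3SgtPolicy()
    policy.add_eligible("10.20.0.0/16")   # constructed: remote TrustSec domain
    policy.add_excluded("10.20.5.0/24")   # constructed: carved-out subnet in that region
    return {
        "10.20.1.7": policy.should_encapsulate("10.20.1.7"),    # eligible -> True
        "10.20.5.9": policy.should_encapsulate("10.20.5.9"),    # excluded -> False
        "192.0.2.1": policy.should_encapsulate("192.0.2.1"),    # not listed -> False
    }


if __name__ == "__main__":
    print(demo())
    print(check_gateway_ports(GatewayPort("Gi1/1", True), GatewayPort("Gi1/2", False)))
```

Because the exception list is consulted only after an eligible match, adding an excluded subnet that lies outside every eligible region has no effect; a manual review of the database should check that each exception actually sits inside the region it is meant to carve out.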
A device can send Layer 3 SGT Transport data from one port and receive Layer 3 SGT Transport data
on another port, but both the ingress and egress ports must have Cisco TrustSec-capable hardware.
Note
Cisco TrustSec does not encrypt the Layer 3 SGT Transport encapsulated packets. To protect the packets
traversing the non-TrustSec domain, you can configure other protection methods, such as IPsec.
Cisco TrustSec Reflector for Cisco TrustSec-Incapable Switching Modules
A Catalyst 6500 series switch in a Cisco TrustSec domain may contain any of these types of switching
modules:
• Cisco TrustSec-capable—Hardware supports insertion and propagation of SGT.
• Cisco TrustSec-aware—Hardware does not support insertion and propagation of SGT, but hardware
can perform a lookup to determine the source and destination SGTs for a packet.
• Cisco TrustSec-incapable—Hardware does not support insertion and propagation of SGT and
cannot determine the SGT by a hardware lookup.
If your switch contains a Cisco TrustSec-capable supervisor engine, you can use the Cisco TrustSec
reflector feature to accommodate legacy Cisco TrustSec-incapable switching modules within the same
switch. Available in Cisco IOS Release 12.2(50)SY and later releases, Cisco TrustSec reflector uses
SPAN to reflect traffic from a Cisco TrustSec-incapable switching module to the supervisor engine for
SGT assignment and insertion.
Using Cisco TrustSec-Incapable Devices and Networks in a Cisco TrustSec Network
Cisco TrustSec Configuration Guide
OL-22192-01
1-15