
TrustSec Enforcement ISR G2

shinnie1978
Level 1

Grateful if someone could clarify TrustSec enforcement support on ISR G2. As per the recently updated platform compatibility matrix 6.3, the routers show as SGFW enforcement support only, but other routers such as CSR1000v, 4K and some ASR show support for SGACL and SGFW. I notice the SGACL support has been added in the recent Denali or Everest XE releases. Does anyone know if there are plans to add dynamic SGACL download from ISE support for ISR G2, or if the functionality is already available? I am awaiting a change window to test but grateful for any input ahead of this.

I note there is also a change in license requirements between matrix versions 6.2 and 6.3. Enforcement was previously marked as a SEC license feature, but a recent bulletin shows SGACL can now be used under the IP Base/Services license.

Thanks for any responses in advance

Scott

Accepted Solutions

shinnie1978
Level 1

I managed to find a router to test this with. Running the latest available IOS from Cisco, 15.7(3), with the security technology package enabled, the enforcement command is not available.

(config)#cts role-based ?
  sgt-caching  Enable SGT caching
  sgt-map      Assign Security Group Tag (SGT) to IP host or network address

I will proceed with the license upgrade to enable the zone-based firewall, but it would be useful to know if there are plans to enable SGACL enforcement on the 29XX and 39XX routers to ensure standard deployment in our environment.

Regards

Scott
