Ingress Reflector; Egress Reflector - Cisco TrustSec Configuration Manual


Using Cisco TrustSec-Incapable Devices and Networks in a Cisco TrustSec Network
Two mutually exclusive modes, ingress and egress, are supported for the Cisco TrustSec reflector. The
default is pure mode, in which neither reflector is enabled. A Cisco TrustSec ingress reflector is
configured on an access switch facing a distribution switch, while a Cisco TrustSec egress reflector is
configured on a distribution switch.
Supported TrustSec Reflector Hardware
For further discussion of the Cisco TrustSec Reflector feature and a list of supported hardware, see the
document, "Cisco Catalyst 6500 Series with Supervisor Engine 2T: Enabling Cisco TrustSec with
Investment Protection," at the following URL:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-658388.html

Ingress Reflector

A Cisco TrustSec ingress reflector is implemented on an access switch, where the Cisco
TrustSec-incapable switching module is on the Cisco TrustSec domain edge and the Cisco
TrustSec-capable supervisor engine uplink port connects to a Cisco TrustSec-capable distribution
switch.
The following conditions must be met before the Cisco TrustSec ingress reflector configuration is
accepted:
- The supervisor engine must be Cisco TrustSec-capable.
- Any Cisco TrustSec-incapable DFCs must be powered down.
- A Cisco TrustSec egress reflector must not be configured on the switch.
- Before disabling the Cisco TrustSec ingress reflector, you must remove power from the
  Cisco TrustSec-incapable switching modules.

Egress Reflector

A Cisco TrustSec egress reflector is implemented on a distribution switch with Layer 3 uplinks, where
the Cisco TrustSec-incapable switching module faces an access switch. The Cisco TrustSec egress
reflector is supported only on Layer 3 uplinks, and is not supported on Layer 2 interfaces, SVIs,
subinterfaces, or tunnels, and is not supported for NAT traffic.
The following conditions must be met before the Cisco TrustSec egress reflector configuration is
accepted:
- The supervisor engine or DFC switching module must be Cisco TrustSec-capable.
- Cisco TrustSec must not be enabled on non-routed interfaces on the supervisor engine uplink ports
  or on the Cisco TrustSec-capable DFC switching modules.
- Before disabling the Cisco TrustSec egress reflector, you must remove power from the Cisco
  TrustSec-incapable switching modules.
- A Cisco TrustSec ingress reflector must not be configured on the switch.
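
A pre-change check that evaluates the acceptance conditions listed above for both reflector modes against a switch inventory, as an added example (not Cisco code or tooling). The `Switch`, `Module` and `Interface` records and the sample inventory are hypothetical and would be filled from your own inventory data.

```python
from dataclasses import dataclass, field

@dataclass
class Module:
    slot: int
    cts_capable: bool
    has_dfc: bool = False
    powered: bool = True

@dataclass
class Interface:  # assumed to sit on a supervisor uplink or a TrustSec-capable DFC module
    name: str
    routed: bool
    cts_enabled: bool = False

@dataclass
class Switch:
    supervisor_cts_capable: bool
    reflector: str = "pure"  # "pure" (default), "ingress" or "egress"
    modules: list = field(default_factory=list)
    interfaces: list = field(default_factory=list)

def can_enable(sw, mode):
    """Return the unmet preconditions for `mode`; an empty list means acceptable."""
    if mode not in ("ingress", "egress"):
        raise ValueError("mode must be 'ingress' or 'egress'")
    problems = []
    other = "egress" if mode == "ingress" else "ingress"
    if sw.reflector == other:  # the two modes are mutually exclusive
        problems.append(f"{other} reflector is configured on the switch")
    if mode == "ingress":
        if not sw.supervisor_cts_capable:
            problems.append("supervisor engine is not TrustSec-capable")
        problems += [f"slot {m.slot}: TrustSec-incapable DFC is powered"
                     for m in sw.modules if m.has_dfc and not m.cts_capable and m.powered]
    else:
        if not (sw.supervisor_cts_capable or any(m.has_dfc and m.cts_capable for m in sw.modules)):
            problems.append("no TrustSec-capable supervisor engine or DFC module")
        problems += [f"{i.name}: TrustSec enabled on a non-routed interface"
                     for i in sw.interfaces if i.cts_enabled and not i.routed]
    return problems

def can_disable(sw):
    """Incapable switching modules must lose power before a reflector is disabled."""
    return [f"slot {m.slot}: remove power first" for m in sw.modules
            if not m.cts_capable and m.powered]

# Constructed sample: capable supervisor, one powered TrustSec-incapable DFC module in slot 3.
SAMPLE = Switch(True, modules=[Module(3, cts_capable=False, has_dfc=True)],
                interfaces=[Interface("Te5/4", routed=False, cts_enabled=True)])
```
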
Chapter 1
Cisco TrustSec Overview
OL-22192-01
