Cisco SGACL, TrustSec SGACL Configuration Manual

CHAPTER 5
Configuring SGACL Policies
Revised: August 15, 2013, OL-22192-02
Cisco TrustSec SGACL Feature Histories, page 5-1
SGACL Policy Configuration Process, page 5-2
Enabling SGACL Policy Enforcement Globally, page 5-2
Enabling SGACL Policy Enforcement Per Interface, page 5-3
Enabling SGACL Policy Enforcement on VLANs, page 5-3
Manually Configuring SGACL Policies, page 5-4
Displaying SGACL Policies, page 5-6
Refreshing the Downloaded SGACL Policies, page 5-7
Cisco TrustSec SGACL Feature Histories
For a list of supported TrustSec features per platform and the minimum required IOS release, see the Cisco TrustSec Platform Support Matrix at the following URL:
http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
Otherwise, see product release notes for detailed feature introduction information.
OL-22192-02
Cisco TrustSec Switch Configuration Guide
5-1
SGACL Policy Configuration Process
Follow these steps to configure and enable Cisco TrustSec SGACL policies:
Step 1 Configure SGACL policies primarily through the Policy Management function of the Cisco Secure ACS or the Cisco Identity Services Engine (see the Configuration Guide for the Cisco Secure ACS or the Cisco Identity Services Engine User Guide).
If you are not using AAA on a Cisco Secure ACS or a Cisco ISE to download the SGACL policy configuration, you can manually configure the SGACL mapping and policies (see the "Manually Configuring SGACL Policies" section on page 5-4).
Note An SGACL policy downloaded dynamically from the Cisco Secure ACS or a Cisco ISE will override any conflicting locally-defined policy.
Step 2 To enable SGACL policy enforcement on egress traffic on routed ports, enable SGACL policy enforcement globally as described in the "Enabling SGACL Policy Enforcement Globally" section on page 5-2.
Step 3 To enable SGACL policy enforcement on switched traffic within a VLAN, or on traffic that is forwarded to an SVI associated with a VLAN, enable SGACL policy enforcement for specific VLANs as described in the "Enabling SGACL Policy Enforcement on VLANs" section on page 5-3.
Enabling SGACL Policy Enforcement Globally
You must enable SGACL policy enforcement globally for Cisco TrustSec-enabled routed interfaces. Until enforcement is enabled, SGACL policies that have been downloaded or configured locally are present on the device but are not applied to traffic.
To enable SGACL policy enforcement on routed interfaces, perform this task:
Command Purpose
Step 1  Router# configure terminal
        Enters global configuration mode.
Step 2  Router(config)# cts role-based enforcement
        Enables Cisco TrustSec SGACL policy enforcement on routed interfaces.
Configuration Examples for Enabling SGACL Policy Enforcement Globally
Catalyst 6500, Catalyst 3850:
Switch(config)# cts role-based enforcement
Enabling SGACL Policy Enforcement Per Interface
You must first enable SGACL policy enforcement globally for Cisco TrustSec-enabled routed interfaces. This feature is not supported on Port Channel interfaces.
To enable SGACL policy enforcement on Layer 3 interfaces, perform this task:
Detailed Steps Catalyst 6500
Command Purpose
Step 1  Router# configure terminal
        Enters global configuration mode.
Step 2  Router(config)# interface gigabit 6/2
        Specifies the interface on which to enable or disable SGACL enforcement.
Step 3  Router(config-if)# cts role-based enforcement
        Enables Cisco TrustSec SGACL policy enforcement on the routed interface.
Step 4  Router(config-if)# do show cts interface
        Verifies that SGACL enforcement is enabled.
Configuration Examples for Enabling SGACL Policy Enforcement Per Interface
Catalyst 3850:
Switch# configure terminal
Switch(config)# interface gigabit 1/0/2
Switch(config-if)# cts role-based enforcement
Switch(config-if)# end
Enabling SGACL Policy Enforcement on VLANs
You must enable SGACL policy enforcement on specific VLANs to apply access control to switched traffic within a VLAN, or to traffic that is forwarded to an SVI associated with a VLAN.
To enable SGACL policy enforcement on a VLAN or a VLAN list, perform this task:
Detailed Steps Catalyst 6500
Command Purpose
Step 1  Router# configure terminal
        Enters global configuration mode.
Step 2  Router(config)# cts role-based enforcement vlan-list vlan-list
        Enables Cisco TrustSec SGACL policy enforcement on the VLAN or VLAN list.
Configuration Examples for Enabling SGACL Policy Enforcement on VLANs
Catalyst 3850:
Switch# configure terminal
Switch(config)# cts role-based enforcement vlan-list 31-35,41
Switch(config)# exit
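The three enforcement settings in this chapter (global, per routed interface, per VLAN list) are easy to apply only partially, which leaves SGACL policies loaded but unenforced on the gaps. The audit below is an added example, not Cisco's code: it parses a running-config for exactly the commands documented above and reports a routed TrustSec interface without `cts role-based enforcement`, VLANs that the operator expects to be enforced but that are missing from the `vlan-list`, and Port-channel interfaces, which it reports as unsupported rather than as gaps, per the note in the per-interface section. The sample running-config is constructed; the interface-level `cts manual` and `policy static sgt ... trusted` lines in it are assumed from general TrustSec usage and are not from this chapter, and a "TrustSec-enabled routed interface" is taken here to be any stanza containing `no switchport` plus a `cts` command.

```python
"""Audit an IOS running-config for the SGACL enforcement commands described in
this chapter. Added example; not Cisco's code."""
import re
from dataclasses import dataclass, field

VLAN_LIST_RE = re.compile(r"^cts role-based enforcement vlan-list (\S+)$")

# Constructed sample (not from the Cisco guide). Gi6/2 is enforced, Gi6/3 is a
# TrustSec-enabled routed port with enforcement left off, and Po1 is a port
# channel, where per-interface enforcement is not supported. The 'cts manual'
# and 'policy static sgt' lines are assumed from general TrustSec usage.
SAMPLE_RUNNING_CONFIG = """\
!
cts role-based enforcement
cts role-based enforcement vlan-list 31-35,41
!
interface GigabitEthernet6/2
 no switchport
 ip address 10.1.2.1 255.255.255.0
 cts manual
  policy static sgt 10 trusted
 cts role-based enforcement
!
interface GigabitEthernet6/3
 no switchport
 ip address 10.1.3.1 255.255.255.0
 cts manual
  policy static sgt 10 trusted
!
interface Port-channel1
 no switchport
 cts manual
!
"""


def parse_vlan_list(spec: str) -> set[int]:
    """Expand an IOS vlan-list such as '31-35,41' into the set of VLAN IDs."""
    vlans: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if lo_i > hi_i:
            raise ValueError(f"descending VLAN range {part!r}")
        vlans.update(range(lo_i, hi_i + 1))
    bad = sorted(v for v in vlans if not 1 <= v <= 4094)
    if bad:
        raise ValueError(f"VLAN IDs out of range: {bad}")
    return vlans


def split_config(config: str) -> tuple[list[str], dict[str, list[str]]]:
    """Return global (unindented) commands and a map of interface -> its indented lines."""
    global_lines: list[str] = []
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw[len("interface "):].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            if raw.strip() and not raw.startswith("!"):
                global_lines.append(raw.strip())
    return global_lines, interfaces


@dataclass
class SgaclAudit:
    global_enforcement: bool
    enforced_vlans: set = field(default_factory=set)
    missing_vlans: set = field(default_factory=set)
    unenforced_routed: list = field(default_factory=list)
    unsupported: list = field(default_factory=list)

    def ok(self) -> bool:
        return self.global_enforcement and not self.missing_vlans and not self.unenforced_routed


def audit(config: str, required_vlans: set[int]) -> SgaclAudit:
    """Check global, per-VLAN and per-interface SGACL enforcement in a running-config."""
    global_lines, interfaces = split_config(config)
    result = SgaclAudit(global_enforcement="cts role-based enforcement" in global_lines)
    for line in global_lines:
        m = VLAN_LIST_RE.match(line)
        if m:
            result.enforced_vlans |= parse_vlan_list(m.group(1))
    result.missing_vlans = set(required_vlans) - result.enforced_vlans
    for name, lines in interfaces.items():
        trustsec = any(line.startswith("cts ") for line in lines)
        routed = "no switchport" in lines
        if not (trustsec and routed):
            continue  # only TrustSec-enabled routed ports need per-interface enforcement
        if name.lower().startswith("port-channel"):
            result.unsupported.append(name)  # feature not supported on Port Channel interfaces
        elif "cts role-based enforcement" not in lines:
            result.unenforced_routed.append(name)
    return result


if __name__ == "__main__":
    r = audit(SAMPLE_RUNNING_CONFIG, {31, 32, 33, 34, 35, 41, 50})
    print("global enforcement:", r.global_enforcement)
    print("enforced VLANs:", sorted(r.enforced_vlans))
    print("required VLANs not enforced:", sorted(r.missing_vlans))
    print("routed TrustSec ports without enforcement:", r.unenforced_routed)
    print("port channels (enforcement unsupported):", r.unsupported)
    print("PASS" if r.ok() else "FAIL")
```

Run it against the output of `show running-config` from the device; on the constructed sample it fails because VLAN 50 is absent from the vlan-list and GigabitEthernet6/3 has no per-interface enforcement, while Port-channel1 is listed separately because enforcement cannot be configured there.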