Page 1
CHAP T E R
Configuring SGACL Policies
Revised: August 15, 2013, OL-22192-02
This section includes the following topics:
• Cisco TrustSec SGACL Feature Histories, page 5-1
• SGACL Policy Configuration Process, page 5-2
• Enabling SGACL Policy Enforcement Globally, page 5-2
• Enabling SGACL Policy Enforcement Per Interface, page 5-3
• Enabling SGACL Policy Enforcement on VLANs, page 5-3
• Manually Configuring SGACL Policies, page 5-4
• Displaying SGACL Policies, page 5-6
• Refreshing the Downloaded SGACL Policies, page 5-7
5
Cisco TrustSec SGACL Feature Histories
For a list of supported TrustSec features per platform and the minimum required IOS release, see
the Cisco TrustSec Platform Support Matrix at the following URL:
http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
Otherwise, see product release notes for detailed feature introduction information.
OL-22192-02
Cisco TrustSec Switch Configuration Guide
5-1
Page 2
SGACL Policy Configuration Process
SGACL Policy Configuration Process
Follow these steps to configure and enable Cisco TrustSec SGACL policies:
Step 1 Configuration of SGACL policies should be done primarily through the Policy Management function of
the Cisco Secure ACS or the Cisco Identity Services Engine (see the Configuration Guide for the Cisco
Secure ACS or the Cisco Identity Services Engine User Guide).
If you are not using AAA on a Cisco Secure ACS or a Cisco ISE to download the SGACL policy
configuration, you can manually configure the SGACL mapping and policies (see the “Manually
Configuring SGACL Policies” section on page 5-4 and the “Manually Configuring SGACL Policies”
section on page 5-4).
Note An SGACL policy downloaded dynamically from the Cisco Secure ACS or a Cisco ISE will
override any conflicting locally-defined policy.
Step 2 To enable SGACL policy enforcement on egress traffic on routed ports, enable SGACL policy
enforcement globally as described in the “Enabling SGACL Policy Enforcement Globally” section on
page 5-2.
Step 3 To enable SGACL policy enforcement on switched traffic within a VLAN, or on traffic that is forwarded
to an SVI associated with a VLAN, enable SGACL policy enforcement for specific VLANs as described
in the “Enabling SGACL Policy Enforcement on VLANs” section on page 5-3.
Chapter 5 Configuring SGACL Policies
Enabling SGACL Policy Enforcement Globally
You must enable SGACL policy enforcement globally for Cisco TrustSec-enabled routed interfaces.
To enable SGACL policy enforcement on routed interfaces, perform this task:
Command Purpose
Step 1
Step 2
Configuration Examples for Enabling SGACL Policy Enforcement Globally
Router# configure terminal
Router(config)# cts role-based
enforcement
Catalyst 6500, Catalyst 3850:
Switch(config)# cts role-based enforcement
Enters global configuration mode.
Enables Cisco TrustSec SGACL policy enforcement
on routed interfaces.
Cisco TrustSec Switch Configuration Guide
5-2
OL-22192-02
Page 3
Chapter 5 Configuring SGACL Policies
Enabling SGACL Policy Enforcement Per Interface
Enabling SGACL Policy Enforcement Per Interface
You must first enable SGACL policy enforcement globally for Cisco TrustSec-enabled routed interfaces.
This feature is not supported on Port Channel interfaces.
To enable SGACL policy enforcement on Layer 3 interfaces, perform this task:
Detailed Steps Catalyst 6500
Command Purpose
Step 1
Step 2
Step 3
Step 4
Router# configure terminal
Router(config)# interface gigabit 6/2
Router(config-if)# cts role-based enforcement
Router(config-if)# do show cts interface
Enters global configuration mode.
Specifies interface on which to enable or
disable SGACL enforcement.
Enables Cisco TrustSec SGACL policy
enforcement on routed interfaces.
Verifies that SGACL enforcement is enabled.
Configuration Examples for Enabling SGACL Policy Enforcement Per Interface
Catalyst 3850:
Switch# configure terminal
Switch(config)# interface gigabit 1/0/2
Switch(config-if)# cts role-based enforcement
Switch(config-if)# end
Enabling SGACL Policy Enforcement on VLANs
You must enable SGACL policy enforcement on specific VLANs to apply access control to switched
traffic within a VLAN, or to traffic that is forwarded to an SVI associated with a VLAN.
To enable SGACL policy enforcement on a VLAN or a VLAN list, perform this task:
Detailed Steps Catalyst 6500
Command Purpose
Step 1
Step 2
Router# configure terminal
Router(config)# cts role-based
enforcement vlan-list vlan-list
Enters global configuration mode.
Enables Cisco TrustSec SGACL policy enforcement
on the VLAN or VLAN list.
Configuration Examples for Enabling SGACL Policy Enforcement on VLANs
Catalyst 3850:
Switch# configure terminal
Switch(config)# cts role-based enforcement vlan-list 31-35,41
Switch(config)# exit
OL-22192-02
Cisco TrustSec Switch Configuration Guide
5-3
Page 4
Manually Configuring SGACL Policies
Manually Configuring SGACL Policies
A role-based access control list bound to a range of SGTs and DGTs forms an SGACL, a TrustSec policy
enforced on egress traffic. Configuration of SGACL policies are best done through the policy
management functions of the Cisco ISE or the Cisco Secure ACS. To manually (that is, locally)
configure SGACL policies, do the following:
1. Configure a role-based ACL.
2. Bind the role-based ACL to a range of SGTs.
Note An SGACL policy downloaded dynamically from the Cisco ISE or Cisco ACS overrides any conflicting
manually configured policy.
Manually Configuring and Applying IPv4 SGACL Policies
Detailed Steps for Catalyst 3850
Chapter 5 Configuring SGACL Policies
Step 1
Step 2
Step 3
Step 4
Command Purpose
Router# configure terminal
ip access-list role-based rbacl-name
Enters global configuration mode.
Creates a Role-based ACL and enters Role-based ACL
configuration mode.
Example:
Switch(config)# ip access-list
role-based allow_webtraff
{[sequence-number] | default | permit |
deny | remark}
Specifies the access control entries (ACEs) for the
RBACL.
You can use most of the commands and options
allowed in extended named access list configuration
mode, with the source and destination fields omitted.
Press Enter to complete an ACE and begin the next.
For full explanations of ACL configuration, keywords,
and options, see, Security Configuration Guide:
Access Control Lists, Cisco IOS XE Release 3S.
The following ACE commands or keywords are not
supported:
Example:
Switch(config-rb-acl)#10 permit tcp dst
eq 80 dst eq 20
Switch(config-rb-acl)# exit
• reflect
• evaluate
• time-range
Exits to global configuration mode.
Cisco TrustSec Switch Configuration Guide
5-4
OL-22192-02
Page 5
Chapter 5 Configuring SGACL Policies
Command Purpose
Step 5
[no] cts role-based permissions {default
|[from {sgt_num | unknown} to {dgt_num |
unknown}]{rbacls | ipv4 rbacls}
Example:
Switch(config)# cts role-based
permissions from 55 to 66 allow_webtraff
Step 6
Step 7
Step 8
Switch(config)# end
Switch# show cts role-based permissions
Switch# show ip access-lists
allow_webtraff
Manually Configuring SGACL Policies
Binds SGTs and DGTs to the RBACL. The
configuration is analogous to populating the
permission matrix configured on the Cisco ISE or the
Cisco Secure ACS.
• Default—Default permissions list
• sgt_num—0 to 65,519. Source Group Tag
• dgt_num—0 to 65,519. Destination Group Tag
• unknown—SGACL applies to packets where the
security group (source or destination) cannot be
determined.
• ipv4—Indicates the following RBACL is IPv4.
• rbacls—Name of RBACLs
Exits to Privileged Exec mode.
Displays permission to RBACL configurations.
Displays ACEs of all RBACLs or a specified RBACL.
Configuration Examples for Manually Configuring SGACL Policies
Catalyst 3850 IPv4 Manual SGACL policy:
Switch(config)# ip access role allow_webtraff
Switch(config-rb-acl)# 10 permit tcp dst eq 80
Switch(config-rb-acl)# 20 permit tcp dst eq 443
Switch(config-rb-acl)# 30 permit icmp
Switch(config-rb-acl)# 40 deny ip
Switch(config-rb-acl)# exit
Switch(config)# cts role-based permissions from 55 to 66 allow_webtraff
Switch# show ip access allow_webtraff
Role-based IP access list allow_webtraff
10 permit tcp dst eq www
20 permit tcp dst eq 443
30 permit icmp
40 deny ip
Switch# show show cts role-based permissions from 50 to 70
XXX need output XX
OL-22192-02
Cisco TrustSec Switch Configuration Guide
5-5
Page 6
Displaying SGACL Policies
Displaying SGACL Policies
After configuring the Cisco TrustSec device credentials and AAA, you can verify the Cisco TrustSec
SGACL policies downloaded from the authentication server or configured manually. Cisco TrustSec
downloads the SGACL policies when it learns of a new SGT through authentication and authorization
on an interface, from SXP, or from manual IP address to SGT mapping.
To display the contents of the SGACL policies permissions matrix, perform this task:
Detailed Steps for Catalyst 6500
Command Purpose
Step 1
Router# show cts role-based permissions
default [ipv4 | ipv6 | details]
Router# show cts role-based permissions
[from {source-sgt | unknown}] [to {dest-sg
| unknown}] [ipv4 | ipv6] [details]
Chapter 5 Configuring SGACL Policies
Displays the list of SGACL of the default policy.
Displays the contents of the permissions matrix,
including SGACLs downloaded from the
authentication server and manually configured on
the switch.
Using the keywords, you can display all or part of the permissions matrix:
• If the from keyword is omitted, a column from the permissions matrix is displayed.
• If the to keyword is omitted, a row from the permissions matrix is displayed.
• If the from and to keywords are omitted, the entire permissions matrix is displayed.
• If the from and to keywords are specified, a single cell from the permissions matrix is displayed and
the details keyword is available. When details is entered, the ACEs of the SGACL of the single cell
are displayed.
This example shows how to display the content of the SGACL policies permissions matrix for traffic
sourced from security group 3:
Router# show cts role-based permissions from 3
Role-based permissions from group 3 to group 5:
SRB3
SRB5
Role-based permissions from group 3 to group 7:
SRB4
Cisco TrustSec Switch Configuration Guide
5-6
OL-22192-02
Page 7
Chapter 5 Configuring SGACL Policies
Refreshing the Downloaded SGACL Policies
Detailed Steps for Catalyst 6500, Catalyst 3850, Catalyst 3650
Command Purpose
Step 1
cts refresh policy {peer [peer-id]
| sgt [sgt_number|
default|unknown]}
Switch3850# cts refresh policy
peer my_cisco_ise
Performs an immediate refresh of the SGACL policies from
the authentication server.
• If a peer-id is specified, only the policies related to the
specified peer connection are refreshed. To refresh all
peer policies, press Enter without specifying an ID.
• If an SGT number is specified, only the policies related
to that SGT are refreshed. To refresh all security group
tag policies, press Enter without specifying an SGT
number. Select default to refresh the default policy.
Select unknown to refresh unknown policy.
Refreshing the Downloaded SGACL Policies
OL-22192-02
Cisco TrustSec Switch Configuration Guide
5-7
Page 8
Refreshing the Downloaded SGACL Policies
Chapter 5 Configuring SGACL Policies
Cisco TrustSec Switch Configuration Guide
5-8
OL-22192-02
Loading...