Cisco ASA Series Configuration Guide

Cisco ASA Series Firewall CLI Configuration Guide
Chapter 6 ASA and Cisco TrustSec
Guidelines for Cisco TrustSec
Table 6-3 Ingress Traffic

| Interface Configuration | Tagged Packet Received | Untagged Packet Received |
|---|---|---|
| The cts manual command and the policy static sgt sgt_number command are both issued. | SGT value is from the policy static sgt sgt_number command. | SGT value is from the policy static sgt sgt_number command. |
| The cts manual command and the policy static sgt sgt_number trusted command are both issued. | SGT value is from the inline SGT in the packet. | SGT value is from the policy static sgt sgt_number command. |

Note: If there is no matched IP-SGT mapping from the IP-SGT Manager, then a reserved SGT value of “0x0” for “Unknown” is used.

The following table describes the expected behavior for egress traffic when configuring this feature.

Table 6-4 Egress Traffic

| Interface Configuration | Tagged or Untagged Packet Sent |
|---|---|
| No command is issued. | Untagged |
| The cts manual command is issued. | Tagged |
| The cts manual command and the propagate sgt command are both issued. | Tagged |
| The cts manual command and the no propagate sgt command are both issued. | Untagged |

The following table describes the expected behavior for to-the-box and from-the-box traffic when configuring this feature.

Table 6-5 To-the-box and From-the-box Traffic

| Interface Configuration | Tagged or Untagged Packet Received |
|---|---|
| No command is issued on the ingress interface for to-the-box traffic. | Packet is dropped. |
| The cts manual command is issued on the ingress interface for to-the-box traffic. | Packet is accepted, but there is no policy enforcement or SGT propagation. |
| The cts manual command is not issued or the cts manual command and no propagate sgt command are both issued on the egress interface for from-the-box traffic. | Untagged packet is sent, but there is no policy enforcement. The SGT number is from the IP-SGT Manager. |
| The cts manual command is issued or the cts manual command and the propagate sgt command are both issued on the egress interface for from-the-box traffic. | Tagged packet is sent. The SGT number is from the IP-SGT Manager. |

Note: If there is no matched IP-SGT mapping from the IP-SGT Manager, then a reserved SGT value of “0x0” for “Unknown” is used.
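
As an added example (not part of the Cisco guide), the Python script below reads interface stanzas from a running configuration and reports what the Table 6-3 rows shown here and Table 6-4 say to expect: whether egress packets are tagged, and which SGT applies to tagged and untagged ingress packets. The sample configuration, interface names, SGT numbers and function names are constructed for illustration, and the indented stanza layout is an assumption about how the configuration is displayed.

```python
import re

# Constructed sample configuration; names and SGT numbers are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 cts manual
  policy static sgt 100 trusted
!
interface GigabitEthernet0/1
 nameif dmz
 cts manual
  policy static sgt 200
  no propagate sgt
!
interface GigabitEthernet0/2
 nameif outside
!
"""
POLICY = re.compile(r"policy static sgt (\d+)( trusted)?")

def parse_interfaces(config):
    """Return {interface name: [stripped command lines in its stanza]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = stanzas.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return stanzas

def expected_behavior(cmds):
    """Map one interface stanza to the rows of Tables 6-3 and 6-4."""
    manual = "cts manual" in cmds
    policy = next((m for m in map(POLICY.fullmatch, cmds) if m), None)
    # Table 6-4: tagging needs cts manual and is turned off by "no propagate sgt".
    egress = "tagged" if manual and "no propagate sgt" not in cmds else "untagged"
    if not (manual and policy):
        # The Table 6-3 rows for these configurations are not shown on this page.
        return {"egress": egress, "tagged_in": None, "untagged_in": None}
    static = f"static sgt {policy.group(1)}"
    tagged_in = "inline sgt from packet" if policy.group(2) else static
    return {"egress": egress, "tagged_in": tagged_in, "untagged_in": static}

def audit(config):
    return {n: expected_behavior(c) for n, c in parse_interfaces(config).items()}

def trusts_inline_sgt(config):
    """Interfaces where the tag carried in a received packet is used as-is."""
    return [n for n, b in audit(config).items() if b["tagged_in"] == "inline sgt from packet"]
```

The list returned by trusts_inline_sgt is the set of interfaces to review first, since on those the SGT applied to tagged traffic is whatever the neighboring device put in the packet.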

Cisco ASA Series Specifications

General
Model: ASA 5505
Interfaces: Varies by model (Fast Ethernet, Gigabit Ethernet, 10 Gigabit Ethernet, etc.)
High Availability: Active/Standby or Active/Active (varies by model)
Power Supply: Varies by model
Form Factor: Varies by model
Operating System: Cisco ASA Software
IPsec VPN: Supported
SSL VPN: Supported
IPS Throughput: Varies by model
