6-24
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 6 ASA and Cisco TrustSec
Guidelines for Cisco TrustSec
Configure a Security Group Tag on an Interface
To configure a security group tag on an interface, perform the following steps:
Procedure
Step 1 Specify an interface and enter interface configuration mode.
interface id
Example:
ciscoasa(config)# interface gi0/0
Step 2 Enable Layer 2 SGT Imposition and enter cts manual interface configuration mode.
cts manual
Example:
hostname(config-if)# cts manual
Step 3 Enable propagation of a security group tag on an interface. Propagation is enabled by default.
propagate sgt
Example:
hostname(config-if-cts-manual)# propagate sgt
Step 4 Apply a policy to a manually configured CTS link.
policy static sgt sgt_number [trusted]
Example:
hostname(config-if-cts-manual)# policy static sgt 50 trusted
The static keyword specifies an SGT policy to incoming traffic on the link.
The sgt sgt_number keyword-argument pair specifies the SGT number to apply to incoming traffic from
the peer. Valid values are from 2-65519.
The trusted keyword indicates that ingress traffic on the interface with the SGT specified in the
command should not have its SGT overwritten. Untrusted is the default.
Examples
The following example enables an interface for Layer 2 SGT imposition and defines whether or not the
interface is trusted:
ciscoasa(config)# interface gi0/0
ciscoasa(config-if)# cts manual
ciscoasa(config-if-cts-manual)# propagate sgt
ciscoasa(config-if-cts-manual)# policy static sgt 50 trusted
To Next Page
Loading...
Need help?
General
