7-20
Cisco TrustSec Configuration Guide
OL-22192-01
Chapter 7 Cisco TrustSec Command Summary
cts policy layer3
Configure Cisco TrustSec Layer 3 SGT transport with these usage guidelines and restrictions:
• The Cisco TrustSec Layer 3 SGT transport feature can be configured only on ports that support hardware encryption.
• Traffic and exception policies for Cisco TrustSec Layer 3 SGT transport have the following restrictions:
  - The policies must be configured as IP extended or IP named extended ACLs.
  - The policies must not contain deny entries. To exclude traffic from encapsulation, list it in the exception policy instead.
  - If the same ACE is present in both the traffic and exception policies, the exception policy takes precedence: no Cisco TrustSec Layer 3 encapsulation is performed on packets matching that ACE.
• Traffic and exception policies can be downloaded from the authentication server (if supported by your Cisco IOS Release) or manually configured on the device with the ip access-list global configuration command. The policies are applied based on these rules:
  - If a traffic policy or an exception policy is downloaded from the authentication server, it takes precedence over any manually configured traffic or exception policy.
  - If the authentication server is not available but both a traffic policy and an exception policy have been manually configured, the manually configured policies are used.
  - If the authentication server is not available but a traffic policy has been configured with no exception policy, no exception policy is applied; Cisco TrustSec Layer 3 encapsulation is applied on the interface based on the traffic policy alone.
  - If the authentication server is not available and no traffic policy has been manually configured, no Cisco TrustSec Layer 3 encapsulation is performed on the interface.
Examples
The following example shows how to configure Layer 3 SGT Transport to a remote Cisco TrustSec domain. The traffic policy and the exception policy are ordinary named extended ACLs containing only permit entries, and the cts policy layer3 commands bind them by name (the traffic policy must reference the ACL actually defined, here traffic-list):
Router# configure terminal
! Traffic policy: flows to 10.1.1.0/24 are to be encapsulated (permit entries only)
Router(config)# ip access-list extended traffic-list
Router(config-ext-nacl)# permit ip any 10.1.1.0 0.0.0.255
Router(config-ext-nacl)# exit
! Exception policy: flows to 10.2.2.0/24 leave the interface without Layer 3 SGT encapsulation
Router(config)# ip access-list extended exception-list
Router(config-ext-nacl)# permit ip any 10.2.2.0 0.0.0.255
Router(config-ext-nacl)# exit
! Bind the ACLs as the manually configured IPv4 traffic and exception policies
Router(config)# cts policy layer3 ipv4 traffic traffic-list
Router(config)# cts policy layer3 ipv4 exception exception-list
! Enable Layer 3 SGT transport on the gateway interface (the port must support hardware encryption)
Router(config)# interface gi2/1
Router(config-if)# cts layer3 trustsec ipv4 forwarding
! Bounce the interface so the new configuration is applied
Router(config-if)# shutdown
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# exit
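The following offline checker is an added example, not Cisco code and not part of this guide. It models the policy rules stated in the usage guidelines above so that an operator can predict, before touching the device, which flows an interface will encapsulate: entries must be permit entries (a deny entry is rejected), a flow matching the exception policy is never encapsulated even when the traffic policy matches it too, a policy downloaded from the authentication server beats the manually configured one, and with no traffic policy nothing is encapsulated. The ACL texts are the two ACLs from the configuration example above plus one constructed traffic entry (so that the same ACE appears in both policies), the flow addresses are constructed, only permit ip <src> <dst> entries are modelled, and the per-policy reading of the download-precedence rule is this example's assumption.

```python
"""Offline checker for Cisco TrustSec Layer 3 SGT transport policies (added example, not Cisco code)."""
import ipaddress

# Constructed sample policies. The first traffic entry and the exception entry are the
# ACLs from the configuration example; the second traffic entry is added so that the
# same ACE appears in both policies, the case the guidelines single out.
TRAFFIC_ACL_TEXT = """\
ip access-list extended traffic-list
 permit ip any 10.1.1.0 0.0.0.255
 permit ip any 10.2.2.0 0.0.0.255
"""
EXCEPTION_ACL_TEXT = """\
ip access-list extended exception-list
 permit ip any 10.2.2.0 0.0.0.255
"""
# Constructed policy that violates the 'no deny entries' restriction.
BAD_ACL_TEXT = """\
ip access-list extended bad-list
 permit ip any 10.1.1.0 0.0.0.255
 deny ip any host 10.1.1.99
"""


def _parse_addr(tokens, i):
    """Consume one IOS address spec (any | host A | A wildcard) at tokens[i].

    Returns ((base, mask), next_index); an address matches when ip & mask == base.
    """
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (addr & mask, mask), i + 2


def parse_acl(text):
    """Parse an 'ip access-list extended' block into (name, [(src, dst), ...]).

    Raises ValueError for a deny entry (forbidden in these policies) or for an
    entry this checker does not model (only 'permit ip <src> <dst>').
    """
    name, aces = None, []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("!", "remark"):
            continue
        if tokens[:3] == ["ip", "access-list", "extended"] and len(tokens) == 4:
            name = tokens[3]
            continue
        if tokens[0] == "deny":
            raise ValueError(f"{name}: deny entries are not allowed: {line.strip()}")
        if len(tokens) < 4 or tokens[0] != "permit" or tokens[1] != "ip":
            raise ValueError(f"{name}: only 'permit ip' entries are modelled: {line.strip()}")
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        if i != len(tokens):
            raise ValueError(f"{name}: trailing options are not modelled: {line.strip()}")
        aces.append((src, dst))
    return name, aces


def policy_is_valid(text):
    """True if the ACL text is an acceptable Layer 3 SGT transport policy."""
    try:
        parse_acl(text)
        return True
    except ValueError:
        return False


def effective_policies(downloaded_traffic, downloaded_exception, manual_traffic, manual_exception):
    """Pick the policies the interface uses (None = policy not present).

    A policy downloaded from the authentication server takes precedence over the
    manually configured one. Applying that rule per policy kind is an assumption.
    """
    traffic = downloaded_traffic if downloaded_traffic is not None else manual_traffic
    exception = downloaded_exception if downloaded_exception is not None else manual_exception
    return traffic, exception


def _matches(ace, src_ip, dst_ip):
    (sbase, smask), (dbase, dmask) = ace
    return (src_ip & smask) == sbase and (dst_ip & dmask) == dbase


def encapsulates(traffic_aces, exception_aces, src, dst):
    """True if the flow src -> dst receives Layer 3 SGT encapsulation.

    The exception policy is consulted first: a match there wins and the packet
    goes out unencapsulated. No traffic policy (None) means nothing is encapsulated.
    """
    if traffic_aces is None:
        return False
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    if exception_aces and any(_matches(a, s, d) for a in exception_aces):
        return False
    return any(_matches(a, s, d) for a in traffic_aces)


_, TRAFFIC_ACES = parse_acl(TRAFFIC_ACL_TEXT)
_, EXCEPTION_ACES = parse_acl(EXCEPTION_ACL_TEXT)

if __name__ == "__main__":
    # No server-downloaded policies, so the manual ones are in effect.
    traffic, exception = effective_policies(None, None, TRAFFIC_ACES, EXCEPTION_ACES)
    for dst in ("10.1.1.7", "10.2.2.7", "10.3.3.7"):
        state = "encapsulated" if encapsulates(traffic, exception, "10.0.0.5", dst) else "not encapsulated"
        print(f"10.0.0.5 -> {dst}: {state}")
    print("bad-list accepted:", policy_is_valid(BAD_ACL_TEXT))
```

Flows to 10.1.1.0/24 are encapsulated, flows to 10.2.2.0/24 are not because the exception policy wins over the identical traffic entry, and flows to 10.3.3.0/24 are not because no traffic entry covers them. On the device itself, confirm which policies are actually in effect with show cts policy layer3 (listed under Related Commands) rather than relying on the configured ACLs alone, since a policy downloaded from the authentication server replaces the manual one.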
Related Commands
Command                  Description
cts layer3               Enables and applies traffic and exception policies to CTS Layer 3 Transport gateway interfaces.
show cts policy layer3   Displays the traffic and exception policies used in CTS Layer 3 Transport.
