Cisco TrustSec Configuration Guide
OL-22192-01
Chapter 7 Cisco TrustSec Command Summary
cts role-based policy trace
Command Default There are no defaults.
Command Modes Privileged EXEC
Supported User Roles Administrator
Usage Guidelines The cts role-based policy trace procedure is summarized as follows:
1. Discover the network path.
Know the topology of the entire TrustSec network before executing the command. Standard network discovery methods such as IP traceroute, CDP, or other methods can be used to obtain this information.
2. Starting at the device nearest the source host and continuing to the farthest node, log in to each device in the path.
3. Execute the cts role-based policy trace command on each device.
Based on the input arguments, the command output reports the outgoing SGT value and the matching SGACL entry (ACE). Apply the SGT value from the output as the input SGT (the security-group argument) on the next switch in the path.
If you do not provide the optional security-group argument on the command line, the output reports the SGT that the device assigns to the packet along with any available binding information.
For example, a packet may be dropped because a device is blocking UDP packets. This may indicate a problem with an SGACL configuration, or with an SGACL refresh obtained from another device such as the Cisco Identity Services Engine (Cisco ISE). The policy trace command identifies on which device the SGACL was enforced and which ACE dropped the packet.
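The hop-by-hop procedure above, driven from a script rather than typed on each console by hand, as an added example that is not part of the Cisco guide. The page shows only the Input Qualifiers and Packet Parameters header of the command output, so the two output line shapes the parser keys on ("Outgoing SGT :" and "SGACL ACE :") are assumptions, as are the hostnames, the interface names and the constructed per-device transcripts; in a real run the fake_executor would be replaced by an SSH session to each device. What the script demonstrates is the chaining rule from step 3: the first hop is traced without a security-group argument so the access switch reports the SGT it derives from its own bindings, every later hop is traced with that SGT supplied, and the walk stops at the first device whose matched ACE is a deny, which is the enforcement point the guide says the trace is meant to locate.

```python
"""Hop-by-hop driver for the cts role-based policy trace procedure.

Added example, not from the Cisco guide. The guide shows only the first lines
of the command output, so two output line shapes are ASSUMED here:
    Outgoing SGT : <number>
    SGACL ACE    : permit|deny <rest of the ACE>
The per-device transcripts in CONSTRUCTED_OUTPUT are constructed sample text.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Hop:
    device: str   # device to log in to (hypothetical hostname)
    ingress: str  # interface on that device that receives the packet


@dataclass
class HopResult:
    device: str
    command: str
    sgt: Optional[int]   # SGT the device reports for the packet
    ace: Optional[str]   # SGACL ACE the device matched, if any
    dropped: bool        # True when the matched ACE is a deny


def build_trace_command(proto: str, src: str, sport: int, dst: str, dport: int,
                        ingress: str, sgt: Optional[int] = None) -> str:
    """Assemble the CLI line for one hop. The optional sgt is the value carried
    over from the previous hop's output; the first hop is run without it so the
    switch reports the SGT it derives from its own bindings."""
    cmd = (f"cts role-based policy trace ipv4 {proto} host {src} eq {sport} "
           f"host {dst} eq {dport} interface {ingress}")
    if sgt is not None:
        cmd += f" security-group sgt {sgt}"
    return cmd


# Assumed output line shapes (see module docstring).
_SGT_RE = re.compile(r"^\s*Outgoing SGT\s*:\s*(\d+)", re.MULTILINE)
_ACE_RE = re.compile(r"^\s*SGACL ACE\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_trace_output(text: str) -> Tuple[Optional[int], Optional[str], bool]:
    """Extract (outgoing SGT, matched ACE, dropped?) from one device's output.
    Missing fields come back as None, and only an explicit deny counts as a drop."""
    sgt_m = _SGT_RE.search(text)
    ace_m = _ACE_RE.search(text)
    sgt = int(sgt_m.group(1)) if sgt_m else None
    ace = ace_m.group(1).strip() if ace_m else None
    dropped = ace is not None and ace.lower().startswith("deny")
    return sgt, ace, dropped


def trace_path(path: List[Hop], run_on: Callable[[str, str], str], proto: str,
               src: str, sport: int, dst: str, dport: int) -> List[HopResult]:
    """Walk the discovered path from the access switch outward, feeding each
    hop's reported SGT into the next hop's command, and stop at the first hop
    whose SGACL denies the packet (or that reports no SGT to carry forward)."""
    results: List[HopResult] = []
    sgt: Optional[int] = None
    for hop in path:
        cmd = build_trace_command(proto, src, sport, dst, dport, hop.ingress, sgt)
        out_sgt, ace, dropped = parse_trace_output(run_on(hop.device, cmd))
        results.append(HopResult(hop.device, cmd, out_sgt, ace, dropped))
        if dropped or out_sgt is None:
            break
        sgt = out_sgt
    return results


# Constructed transcripts standing in for SSH sessions to hypothetical switches:
# the access switch classifies the packet as SGT 10 and permits it, and the
# distribution switch enforces an SGACL that denies UDP to port 80.
CONSTRUCTED_OUTPUT: Dict[str, str] = {
    "access-sw": (
        "Input Qualifiers:\n====================\n"
        "Input Interface : Gi 1/1\n"
        "Packet Parameters:\n=====================\n"
        "Outgoing SGT : 10\n"
        "SGACL ACE    : permit udp\n"
    ),
    "dist-sw": (
        "Input Qualifiers:\n====================\n"
        "Input Interface : Te 2/1\n"
        "Packet Parameters:\n=====================\n"
        "Outgoing SGT : 10\n"
        "SGACL ACE    : deny udp any any eq 80\n"
    ),
    # Never consulted: the walk stops at dist-sw.
    "core-sw": "Outgoing SGT : 10\nSGACL ACE    : permit ip\n",
}


def fake_executor(device: str, command: str) -> str:
    """Stand-in for a real per-device SSH executor."""
    return CONSTRUCTED_OUTPUT[device]


def demo() -> List[HopResult]:
    """Trace the guide's UDP example (10.2.2.1:177 -> 10.1.1.2:80) along a
    hypothetical three-hop path."""
    path = [Hop("access-sw", "GigabitEthernet1/1"),
            Hop("dist-sw", "TenGigabitEthernet2/1"),
            Hop("core-sw", "TenGigabitEthernet1/1")]
    return trace_path(path, fake_executor, "udp", "10.2.2.1", 177, "10.1.1.2", 80)


if __name__ == "__main__":
    for r in demo():
        verdict = "DROPPED by" if r.dropped else "permitted by"
        print(f"{r.device}: SGT {r.sgt} {verdict} '{r.ace}'\n    {r.command}")
```

Because the trace is only as good as the path discovered in step 1, a practitioner should check that the reported Input Interface on each hop matches the ingress interface passed on the command line; a mismatch usually means the path list is wrong, not the SGACL.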
Examples The following example traces a UDP packet from host 10.2.2.1 with source port 177 (XDMCP) to port 80 on host 10.1.1.2, and specifies the ingress switch interface (int giga 1/1) to which the source host is attached:
switch# cts role-based policy trace ipv4 udp host 10.2.2.1 eq 177 host 10.1.1.2 eq 80 int giga 1/1
Input Qualifiers:
====================
Input Interface : Gi 1/1
Packet Parameters:
=====================
Syntax Description
security-group {sgname sg_name | sgt sgt_num}   Optional. Specifies the Security Group name or the Security Group Tag number.
vlan vlan_id   Optional. Specifies the VLAN identifier; range 0 to 4094.
vrf vrf_name   Optional. Specifies the Virtual Routing and Forwarding (VRF) instance name.
Command History
Release      Modification
15.1(1)SY1   This feature was introduced on the Catalyst 6500 series switches.