7-33
Cisco TrustSec Configuration Guide
OL-22192-01
Chapter 7 Cisco TrustSec Command Summary
cts role-based
The vlan-ids argument can be a single VLAN ID, a list of VLAN IDs, or VLAN ID ranges. Separate
multiple entries with a hyphen (-) or a comma (,).
The keyword all is equivalent to the full range of VLANs supported by the platform (for example, the
Catalyst 6500 VLAN range is 1-4094). Issuing multiple commands has an additive effect: SGACLs are
enforced on all the VLANs of all the lists specified. The keyword all is not preserved in the nonvolatile
generation (NVGEN) process.
Note SGACL enforcement is not enabled by default on VLANs. The cts role-based enforcement vlan-list
command must be issued to enable SGACL enforcement on VLANs.
Note When a VLAN in which a role-based access control (RBAC) is enforced has an active SVI, the RBAC
is enforced for both Layer 2 and Layer 3 switched packets within that VLAN. Without an SVI, the RBAC
is enforced only for Layer 2 switched packets, because no Layer 3 switching is possible within a VLAN
without an SVI.
Flexible NetFlow
Flexible NetFlow can account for packets dropped by SGACL enforcement when the SGT and DGT flow
objects are configured in the flow record together with the standard 5-tuple flow objects.
Use the flow record and flow exporter global configuration commands to configure a flow record and
a flow exporter, then use the flow monitor command to add them to a flow monitor. Use the show flow
commands to verify your configurations.
To collect only SGACL-dropped packets, use the [no] cts role-based {ip | ipv6} flow monitor dropped
global configuration command.
For Flexible NetFlow overview and configuration information, see the following documents:
Getting Started with Configuring Cisco IOS Flexible NetFlow
http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/get_start_cfg_fnflow.html
Cisco IOS Flexible NetFlow Configuration Guide, Release 15.0SY
http://www.cisco.com/en/US/docs/ios-xml/ios/fnetflow/configuration/15-0sy/fnf-15-0sy-book.html
Examples
In the following example, a Catalyst 4500 series switch binds host IP address 10.1.2.1 to SGT 3 and
10.1.2.2 to SGT 4, then verifies the bindings with a show command. These bindings will be forwarded by
SXP to an SGACL enforcement switch.
cat4k(config)# cts role-based sgt-map host 10.1.2.1 sgt 3
cat4k(config)# cts role-based sgt-map host 10.1.2.2 sgt 4
cat4k# show cts role-based sgt-map all
Active IP-SGT Bindings Information
IP Address              SGT     Source
============================================
10.1.2.1                3       CLI
10.1.2.2                4       CLI
IP-SGT Active Bindings Summary
============================================
Total number of CLI bindings = 2
Total number of active bindings = 2
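As an added example (not from the Cisco guide), a small Python checker for the show cts role-based sgt-map all output shown above: it parses the binding rows and the summary, confirms the switch's totals agree with the rows actually listed, and compares the bindings against the IP-to-SGT map you intended, so a stale or wrong binding (which silently changes which SGACL applies) is flagged. The sample output is constructed; the extra row with source SXP assumes a binding learned from a peer.

```python
import re
from collections import Counter

# Constructed sample modelled on the show output above; the SXP row is added
# to show a binding learned from a peer rather than entered on the CLI.
SAMPLE_OUTPUT = """\
Active IP-SGT Bindings Information
IP Address              SGT     Source
============================================
10.1.2.1                3       CLI
10.1.2.2                4       CLI
10.1.3.7                5       SXP
IP-SGT Active Bindings Summary
============================================
Total number of CLI bindings = 2
Total number of SXP bindings = 1
Total number of active bindings = 3
"""
ROW_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)$")
TOTAL_RE = re.compile(r"^Total number of (\S+) bindings = (\d+)$")

def parse_sgt_map(text):
    """Return ([(ip, sgt, source), ...], {source: total}) from the show output."""
    rows, totals = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ROW_RE.match(line):
            rows.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := TOTAL_RE.match(line):
            totals[m.group(1)] = int(m.group(2))  # 'active' is the overall count
    return rows, totals

def check_bindings(text, expected):
    """List mismatches between the rows, the switch's own summary and an expected {ip: sgt} map."""
    rows, totals = parse_sgt_map(text)
    by_source = Counter(src for _, _, src in rows)
    problems = []
    for src, n in totals.items():  # the summary must agree with the rows actually listed
        seen = len(rows) if src == "active" else by_source.get(src, 0)
        if seen != n:
            problems.append(f"summary says {n} {src} bindings, rows show {seen}")
    for ip, sgt, src in rows:  # every listed binding must be one that was intended
        want = expected.get(ip)
        if want is None:
            problems.append(f"unexpected binding {ip} -> SGT {sgt} ({src})")
        elif want != sgt:
            problems.append(f"{ip} has SGT {sgt}, expected {want} ({src})")
    for ip in sorted(expected.keys() - {ip for ip, _, _ in rows}):  # and none may be missing
        problems.append(f"missing binding for {ip}")
    return problems
```

Feed it the real output captured from the switch and the mapping from your source of truth; an empty list means the bindings on the box are exactly the ones you expect.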