Name: Cisco TrustSec
Brand: Cisco
Rating: 4 (1 reviews)

To Next Page

To Previous Page

C-2

Cisco TrustSec Configuration Guide

OL-22192-01

Appendix C Notes for Catalyst 6500 Series Switches

Flexible NetFlow Support

Flexible NetFlow can account for packets dropped by SGACL enforcement when SGT and DGT flow

objects are configured in the flow record with the standard 5-tuple flow objects

Use the flow record

and flow exporter global configuration commands to configure a flow record, and

a flow exporter, then use the flow monitor command to add them to a flow monitor. Use the show flow

show commands to verify your configurations.

To collect only SGACL dropped packets, use the [no] cts role-based {ip | ipv6} flow monitor dropped

global configuration command.

For Flexible NetFlow overview and configuration information, see the following documents:

Flexible NetFlow Configuration Guide, Cisco IOS Release 15S

http://www.cisco.com/en/US/docs/ios-xml/ios/fnetflow/configuration/15-s/fnf-15-s-book.html

Catalyst 6500 Release 15.0SY Software Configuration Guide

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/15_0_sy_

swcg.html

Sample Configurations

Configuration Excerpt of an IPV4 Flow Record (5-tuple, direction, SGT, DGT)

router(config)# flow record cts-record-ipv4

router(config-flow-record)# match ipv4 protocol

router(config-flow-record)# match ipv4 source address

router(config-flow-record)# match ipv4 destination address

router(config-flow-record)# match transport source-port

router(config-flow-record)# match transport destination-port

router(config-flow-record)# match flow direction

router(config-flow-record)# match flow cts source group-tag

router(config-flow-record)# match flow cts destination group-tag

router(config-flow-record)# collect counter packets

Configuration Excerpt of an IPV6 Flow Record (5-tuple, direction, SGT, DGT)

router(config)# flow record cts-record-ipv6

router(config-flow-record)# match ipv6 protocol

router(config-flow-record)# match ipv6 source address

router(config-flow-record)# match ipv6 destination address

router(config-flow-record)# match transport source-port

router(config-flow-record)# match transport destination-port

router(config-flow-record)# match flow direction

router(config-flow-record)# match flow cts source group-tag

router(config-flow-record)# match flow cts destination group-tag

router(config-flow-record)# collect counter packets

Configuration Excerpt of an IPv4 Flow Monitor

router(config)# flow monitor cts-monitor-ipv4

router(config-flow-monitor)# record cts-record-ipv4

Questions and Answers:

Need help?

Do you have a question about the Cisco TrustSec and is the answer not in the manual?

Cisco TrustSec Specifications

General

Category	Network Security
Functionality	Provides role-based access control, network segmentation, and policy enforcement.
Key Components	Security Group Tags (SGT), Security Exchange Protocol (SXP).
Authentication Methods	802.1X, MAC Authentication Bypass (MAB), Web Authentication
Security Group Tagging (SGT)	Assigns security group tags to users and devices for identity-based segmentation.
Security Exchange Protocol (SXP)	A protocol used to propagate SGT information across network devices.
Policy Enforcement	Enforces security policies based on SGTs and SGACLs.
Benefits	Enhanced security, simplified policy management, and improved compliance.
Encryption	Supports encryption for data in transit through IPsec and MACsec.
Scalability	Scalable to large enterprise networks with thousands of devices.
Compatibility	Compatible with a wide range of Cisco network devices.
Description	Cisco TrustSec is a security architecture framework designed to build secure networks. It uses identity-based access control to segment the network and enforce policies based on user roles and device types, rather than relying solely on IP addresses.