Cisco TrustSec Configuration Guide, OL-22192-02, page 3-19
Chapter 3 Configuring Identities, Connections, and SGTs
Manually Configuring IP-Address-to-SGT Mapping

(Final steps of the procedure that begins on the preceding page.)

Step 13  show ip device tracking {all | interface | ip | mac}

         Example:
         TS_switch# show ip device tracking all

         (Optional) Verifies the operational status of IP Device Tracking.

Step 14  copy running-config startup-config

         Example:
         TS_switch# copy running-config startup-config

         (Optional) Copies the running configuration to the startup configuration.

Verifying VLAN to SGT Mapping

To display VLAN to SGT configuration information, use the following show commands:

Command                        Purpose
show ip device tracking        Displays the status of IP Device Tracking, which identifies the IP addresses of active hosts on a VLAN.
show cts role-based sgt-map    Displays IP address to SGT bindings.

For detailed information about the fields in the output from these commands, refer to Chapter 7, "Cisco TrustSec Command Summary," or the "Cisco IOS 15.0SY Security and VPN Command Reference."

Configuration Example for VLAN to SGT Mapping for a Single Host Over an Access Link

In the following example, a single host connects to VLAN 100 on an access switch. The access switch has an access mode link to a Catalyst 6500 series TrustSec software-capable switch. A switched virtual interface (SVI) on the TrustSec switch is the default gateway for the VLAN 100 endpoint (IP address 10.1.1.1). The TrustSec switch imposes Security Group Tag (SGT) 10 on packets from VLAN 100.

Step 1 Create VLAN 100 on the access switch.

access_switch# config t
access_switch(config)# vlan 100
access_switch(config-vlan)# no shutdown
access_switch(config-vlan)# exit
access_switch(config)#

Step 2 Configure the interface toward the TrustSec switch as an access link in VLAN 100. The configuration of the endpoint's own access port is omitted from this example.

access_switch(config)# interface gigabitEthernet 6/3
access_switch(config-if)# switchport
access_switch(config-if)# switchport mode access
access_switch(config-if)# switchport access vlan 100

Step 3 Create VLAN 100 on the TrustSec switch.

TS_switch(config)# vlan 100
TS_switch(config-vlan)# no shutdown
TS_switch(config-vlan)# end
TS_switch#
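The two show commands above are the evidence that a VLAN-to-SGT mapping is actually in effect for a host: IP Device Tracking must have learned the host's address on the VLAN, and show cts role-based sgt-map must then list that address with the expected SGT. The following Python script is an added example, not part of the Cisco guide; it parses both outputs (captured over SSH or pasted from a terminal) and reports which of those conditions fails for the endpoint in the configuration example (10.1.1.1 on VLAN 100, SGT 10). The two sample outputs embedded in it are constructed to follow the column layout documented for IOS 15.0SY, with an assumed endpoint MAC address and an assumed INTERNAL binding for the SVI address, and it assumes that the Source column reads VLAN for a binding derived from a vlan-list mapping; real output may differ in spacing, which the parser tolerates.

```python
"""Check IOS 'show' output for an expected VLAN-to-SGT binding.

Added example, not from the Cisco TrustSec guide. The sample outputs
below are constructed; field names follow the documented layout, the
host MAC and the INTERNAL binding for the SVI address are assumed.
"""
import re
from dataclasses import dataclass

# Constructed sample of `show ip device tracking all` after endpoint
# 10.1.1.1 has been learned on VLAN 100 (MAC and probe values assumed).
DEVICE_TRACKING_SAMPLE = """\
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
---------------------------------------------------------------------
  IP Address     MAC Address   Vlan  Interface           STATE
---------------------------------------------------------------------
 10.1.1.1        0011.2233.4455 100  GigabitEthernet6/3  ACTIVE
"""

# Constructed sample of `show cts role-based sgt-map all` on the same switch.
SGT_MAP_SAMPLE = """\
Active IP-SGT Bindings Information

IP Address              SGT     Source
============================================
10.1.1.1                10      VLAN
10.1.1.254              2       INTERNAL

IP-SGT Active Bindings Summary
============================================
Total number of VLAN     bindings = 1
Total number of INTERNAL bindings = 1
Total number of active   bindings = 2
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One tracked host per line: IP, dotted MAC, VLAN, interface, state.
TRACK_RE = re.compile(
    rf"^\s*(?P<ip>{IPV4})\s+(?P<mac>[0-9a-f.]+)\s+(?P<vlan>\d+)\s+"
    rf"(?P<intf>\S+)\s+(?P<state>\S+)", re.I)
# One binding per line: IP, SGT, source. Summary lines never start with an IP.
MAP_RE = re.compile(rf"^\s*(?P<ip>{IPV4})\s+(?P<sgt>\d+)\s+(?P<source>\S+)\s*$")


@dataclass(frozen=True)
class Tracked:
    ip: str
    mac: str
    vlan: int
    interface: str
    state: str


def parse_device_tracking(text):
    """Return {ip: Tracked} from `show ip device tracking all` output."""
    hosts = {}
    for line in text.splitlines():
        m = TRACK_RE.match(line)
        if m:
            hosts[m["ip"]] = Tracked(m["ip"], m["mac"].lower(), int(m["vlan"]),
                                     m["intf"], m["state"].upper())
    return hosts


def parse_sgt_map(text):
    """Return {ip: (sgt, source)} from `show cts role-based sgt-map` output."""
    bindings = {}
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            bindings[m["ip"]] = (int(m["sgt"]), m["source"].upper())
    return bindings


def check_vlan_sgt_mapping(tracking_text, sgt_map_text, host_ip, vlan, expected_sgt):
    """List the reasons `host_ip` on `vlan` would not carry `expected_sgt`.

    An empty list means the mapping is in effect. Checks run in dependency
    order: the VLAN mapping only yields a binding for addresses that IP
    Device Tracking has learned on that VLAN.
    """
    problems = []
    if "IP Device Tracking = Enabled" not in tracking_text:
        problems.append("IP Device Tracking is not enabled")
    host = parse_device_tracking(tracking_text).get(host_ip)
    if host is None:
        problems.append(f"{host_ip} not learned by IP Device Tracking")
    else:
        if host.vlan != vlan:
            problems.append(f"{host_ip} tracked on VLAN {host.vlan}, expected {vlan}")
        if host.state != "ACTIVE":
            problems.append(f"{host_ip} tracking state is {host.state}, not ACTIVE")
    binding = parse_sgt_map(sgt_map_text).get(host_ip)
    if binding is None:
        problems.append(f"no IP-SGT binding for {host_ip}")
    else:
        sgt, source = binding
        if sgt != expected_sgt:
            problems.append(f"{host_ip} bound to SGT {sgt}, expected {expected_sgt}")
        if source != "VLAN":
            problems.append(f"{host_ip} binding comes from {source}, not the VLAN mapping")
    return problems


if __name__ == "__main__":
    result = check_vlan_sgt_mapping(DEVICE_TRACKING_SAMPLE, SGT_MAP_SAMPLE,
                                    "10.1.1.1", 100, 10)
    for line in result or ["mapping verified"]:
        print(line)
```

Run it against output taken after the endpoint has sent traffic: if the host is absent from IP Device Tracking, the SGT binding will be absent too, and tracking, not the mapping command, is where to look first. A binding whose Source is something other than VLAN (for example a static CLI entry or an SXP-learned one) means a different binding source is in effect for that address and the VLAN mapping is not what the switch is enforcing.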
