3-20
Cisco TrustSec Configuration Guide
OL-22192-02
Chapter 3 Configuring Identities, Connections, and SGTs
Manually Configuring IP-Address-to-SGT Mapping
Step 4 Create an SVI as the gateway for incoming VLAN 100.
TS_switch(config)# interface vlan 100
TS_switch(config-if)# ip address 10.1.1.2 255.0.0.0
TS_switch(config-if)# no shutdown
TS_switch(config-if)# end
TS_switch(config)#
Step 5 Assign Security Group Tag (SGT) 10 to hosts on VLAN 100.
TS_switch(config)# cts role-based sgt-map vlan 100 sgt 10
Step 6 Enable IP Device Tracking on the TrustSec switch. Verify that it is operating.
TS_switch(config)# ip device tracking
TS_switch# show ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 100
---------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
---------------------------------------------------------------------
Total number interfaces enabled: 1
Vlan100
Step 7 (Optional). PING the default gateway from an endpoint (in this example, host IP Address 10.1.1.1).
Verify that SGT 10 is being mapped to VLAN 100 hosts.
TS_switch# show cts role-based sgt-map all
Active IP-SGT Bindings Information
IP Address SGT Source
============================================
10.1.1.1 10 VLAN
IP-SGT Active Bindings Summary
============================================
Total number of VLAN bindings = 1
Total number of CLI bindings = 0
Total number of active bindings = 1
Layer 3 Logical Interface to SGT Mapping (L3IF–SGT Mapping)
L3IF-SGT mapping can directly map SGTs to traffic of any of the following Layer 3 interfaces
regardless of the underlying physical interface:
• Routed port
• SVI (VLAN interface)
• Layer3 subinterface of a Layer2 port
• Tunnel interface
To Next Page
Loading...
