3-21
Cisco TrustSec Configuration Guide
OL-22192-02
Chapter 3 Configuring Identities, Connections, and SGTs
Manually Configuring IP-Address-to-SGT Mapping
Use the cts role-based sgt-map interface global configuration command to specify either a specific
SGT number, or a Security Group Name (whose SGT association is dynamically acquired from a Cisco
ISE or a Cisco ACS access server).
In cases where Identity Port Mapping (cts interface manual sub mode configuration) and L3IF-SGT
require different IP to SGT bindings, IPM takes precedence. All other conflicts among IP to SGT binding
are resolved according to the priorities listing in the “Binding Source Priorities” section on page 3-22.
Feature History for L3IF-SGT Mapping
Default Settings
There are no default settings.
Configuring L3IF to SGT Mapping
Detailed steps Catalyst 6500
Verifying L3IF to SGT Mapping
To display L3IF to SGT configuration information, use the following show commands:
Command Purpose
Step 1
Router# configure terminal
Enters global configuration mode.
Step 2
Router(config)# cts role-based sgt-map
interface type slot/port [security-group
name | sgt number]
Router(config)# cts role-based sgt-map
interface gigabitEthernet 1/1 sgt 77
An SGT is imposed on ingress traffic to the specified
interface.
• interface type slot/port—Displays list of
available interfaces.
• security-group name— Security Group name to
SGT pairings are configured on the Cisco ISE or
Cisco ACS.
• sgt number—(0 to 65,535). Specifies the Security
Group Tag (SGT) number.
Step 3
Router(config)# exit
Exits configuration mode.
Step 4
Router# show cts role-based sgt-map all
Verify that ingressing traffic is tagged with the
specified SGT.
Command Purpose
show cts role-based sgt-map all Displays all IP address to SGT bindings.
To Next Page
Loading...
