
Cisco TrustSec User Manual

Cisco TrustSec
208 pages
Cisco TrustSec Configuration Guide
OL-22192-02
Chapter 3 Configuring Identities, Connections, and SGTs
Manually Configuring IP-Address-to-SGT Mapping
Configuration Example for L3IF to SGT Mapping on an Ingress Port
In the following example, a Layer 3 interface of a Catalyst 6500 series switch linecard is configured to
tag all ingressing traffic with SGT 3. Prefixes of attached subnets are already known.
Step 1 Configure the interface.
Switch# config t
Switch(config)# interface gigabitEthernet 6/3 sgt 3
Switch(config)# exit
Step 2 Verify that the ingressing traffic to the interface is tagged appropriately.
Router# show cts role-based sgt-map all
IP Address      SGT     Source
============================================
15.1.1.15       4       INTERNAL
17.1.1.0/24     3       L3IF
21.1.1.2        4       INTERNAL
31.1.1.0/24     3       L3IF
31.1.1.2        4       INTERNAL
43.1.1.0/24     3       L3IF
49.1.1.0/24     3       L3IF
50.1.1.0/24     3       L3IF
50.1.1.2        4       INTERNAL
51.1.1.1        4       INTERNAL
52.1.1.0/24     3       L3IF
81.1.1.1        5       CLI
102.1.1.1       4       INTERNAL
105.1.1.1       3       L3IF
111.1.1.1       4       INTERNAL

IP-SGT Active Bindings Summary
============================================
Total number of CLI bindings = 1
Total number of L3IF bindings = 7
Total number of INTERNAL bindings = 7
Total number of active bindings = 15
Binding Source Priorities
TrustSec resolves conflicts among IP-SGT binding sources with a strict priority scheme. For example,
an SGT may be applied to an interface with the policy {dynamic identity peer-name | static sgt tag}
CTS Manual interface mode command (Identity Port Mapping).
The current priority enforcement order, from lowest (1) to highest (7), is as follows:
1. VLAN—Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping
configured.
2. CLI—Address bindings configured using the IP-SGT form of the cts role-based sgt-map global
configuration command.
3. Layer 3 Interface (L3IF)—Bindings added due to FIB forwarding entries that have paths through
one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports.
4. SXP—Bindings learned from SXP peers.
5. IP_ARP—Bindings learned when tagged ARP packets are received on a CTS-capable link.
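
The priority resolution described above, as an added example (not code from the Cisco guide): it ranks only the five sources listed on this page and reports any other source, such as INTERNAL, as unranked. The sample bindings are constructed and the function names are hypothetical.

```python
import re

# Ranks exactly as listed on this page (1 = lowest). The page says the scale
# runs to 7 but lists only ranks 1-5, so any other source is left unranked.
PRIORITY = {"VLAN": 1, "CLI": 2, "L3IF": 3, "SXP": 4, "IP_ARP": 5}

# Constructed candidate bindings (not device output), laid out in the same
# three columns as the sgt-map table: several sources claim the same address.
SAMPLE = """\
IP Address      SGT   Source
============================================
10.1.1.5        7     CLI
10.1.1.5        3     L3IF
10.1.1.5        9     SXP
10.2.0.0/24     3     L3IF
10.2.0.0/24     5     VLAN
10.3.0.1        4     INTERNAL
"""

ROW = re.compile(r"^(\d+(?:\.\d+){3}(?:/\d+)?)\s+(\d+)\s+(\S+)$")

def parse_bindings(text):
    """Return (prefix, sgt, source) tuples; headers and rulers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3)))
    return rows

def resolve(rows):
    """Keep the highest-priority binding per prefix.

    Returns (active, shadowed, unranked): the winner per prefix, the bindings
    that lost to a higher-priority source, and rows whose source has no rank
    on this page.
    """
    active, shadowed, unranked = {}, [], []
    for prefix, sgt, source in rows:
        if source not in PRIORITY:
            unranked.append((prefix, sgt, source))
        elif prefix not in active:
            active[prefix] = (sgt, source)
        elif PRIORITY[source] > PRIORITY[active[prefix][1]]:
            shadowed.append((prefix, *active[prefix]))
            active[prefix] = (sgt, source)
        else:
            shadowed.append((prefix, sgt, source))
    return active, shadowed, unranked
```

In the sample, the static CLI mapping (SGT 7) for 10.1.1.5 loses to the SXP-learned SGT 9, the kind of override worth reviewing when auditing tag assignments.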
