4-7
Cisco TrustSec Configuration Guide
OL-22192-01
Chapter 4 Configuring SGT Exchange Protocol over TCP (SXP) and Layer 3 Transport
Configuring Layer 3 SGT Transport Between Cisco TrustSec Domains
To configure Layer 3 SGT Transport, perform this task:
Detailed Steps for Catalyst 6500
When configuring Cisco TrustSec Layer 3 SGT transport, consider these usage guidelines and restrictions:
• The Cisco TrustSec Layer 3 SGT transport feature can be configured only on ports that support hardware encryption.
• Traffic and exception policies for Cisco TrustSec Layer 3 SGT transport have the following restrictions:
  – The policies must be configured as IP extended or IP named extended ACLs.
  – The policies must not contain deny entries.
  – If the same ACE is present in both the traffic and exception policies, the exception policy takes precedence. No Cisco TrustSec Layer 3 encapsulation will be performed on packets matching that ACE.
Step 1
  Command: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 2
  Command: Router(config)# [no] cts policy layer3 {ipv4 | ipv6} traffic acl-name
  Purpose: (Optional) Specifies the fallback traffic policy to be applied when the authentication server is not available for downloading the traffic policy.
    • acl-name—The name of a traditional interface ACL already configured on the device.
  See the additional usage notes following this task.

Step 3
  Command: Router(config)# [no] cts policy layer3 {ipv4 | ipv6} exception acl-name
  Purpose: (Optional) Specifies the fallback exception policy to be applied when the authentication server is not available for downloading the exception policy.
  See the additional usage notes following this task.

Step 4
  Command: Router(config)# interface type slot/port
  Purpose: Specifies an interface and enters interface configuration mode.

Step 5
  Command: Router(config-if)# [no] cts layer3 {ipv4 | ipv6} trustsec forwarding
  Purpose: (Configured on a Cisco TrustSec-capable physical port) Specifies that egress traffic on this interface will use Cisco TrustSec Layer 3 SGT transport encapsulation as determined by the traffic and exception policies.

  Command: Router(config-if)# [no] cts layer3 {ipv4 | ipv6} policy
  Purpose: (Configured on a routed port or SVI) Specifies that egress traffic on this interface will use Cisco TrustSec Layer 3 SGT transport encapsulation as determined by the traffic and exception policies.

Step 6
  Command: Router(config-if)# end
           Router(config)# end
  Purpose: Exits interface configuration and global configuration modes.

Step 7
  Command: Router# show cts policy layer3 {ipv4 | ipv6}
  Purpose: (Optional) Displays the Layer 3 SGT transport configuration on the interfaces.
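The following is an added configuration example, not from the Cisco guide, that carries the task above through end to end with the ACL restrictions from the usage guidelines applied. The ACL names, subnets, host address and interface names are assumed for illustration.

```cisco
! Added example (not from the Cisco guide): fallback Layer 3 SGT transport
! policies for the Catalyst 6500 task above. Names, subnets and interfaces
! are assumed. Both ACLs are named extended ACLs with permit entries only,
! because deny entries are not allowed in traffic or exception policies.
ip access-list extended SGT-L3-TRAFFIC
 remark Inter-domain traffic that should carry the SGT across the L3 hop
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
ip access-list extended SGT-L3-EXCEPTION
 remark Management host that must be reached WITHOUT L3 SGT encapsulation.
 remark This ACE also matches SGT-L3-TRAFFIC; the exception policy wins,
 remark so packets to 10.2.255.10 leave unencapsulated.
 permit ip any host 10.2.255.10
!
! Fallback policies, used only when the authentication server cannot
! supply the traffic and exception policies (Steps 2 and 3).
cts policy layer3 ipv4 traffic SGT-L3-TRAFFIC
cts policy layer3 ipv4 exception SGT-L3-EXCEPTION
!
! Physical TrustSec-capable port; it must support hardware encryption.
interface TenGigabitEthernet 1/1
 cts layer3 ipv4 trustsec forwarding
!
! Routed interface or SVI whose egress traffic is selected by the policies.
interface Vlan 100
 cts layer3 ipv4 policy
end
!
! Verify which interfaces picked up the Layer 3 SGT transport configuration.
show cts policy layer3 ipv4
```

Using the verification command after applying the fallback policies confirms that the exception ACL is in place before relying on it to keep management traffic unencapsulated.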