5-2
Cisco TrustSec Switch Configuration Guide
OL-22192-02
Chapter 5 Configuring SGACL Policies
SGACL Policy Configuration Process
Follow these steps to configure and enable Cisco TrustSec SGACL policies:
Step 1 Configuration of SGACL policies should be done primarily through the Policy Management function of
the Cisco Secure ACS or the Cisco Identity Services Engine (see the Configuration Guide for the Cisco
Secure ACS or the Cisco Identity Services Engine User Guide).
If you are not using AAA on a Cisco Secure ACS or a Cisco ISE to download the SGACL policy
configuration, you can manually configure the SGACL mapping and policies (see the “Manually
Configuring SGACL Policies” section on page 5-4).
Note An SGACL policy downloaded dynamically from the Cisco Secure ACS or a Cisco ISE will
override any conflicting locally-defined policy.
Step 2 To enable SGACL policy enforcement on egress traffic on routed ports, enable SGACL policy
enforcement globally as described in the “Enabling SGACL Policy Enforcement Globally” section on
page 5-2.
Step 3 To enable SGACL policy enforcement on switched traffic within a VLAN, or on traffic that is forwarded
to an SVI associated with a VLAN, enable SGACL policy enforcement for specific VLANs as described
in the “Enabling SGACL Policy Enforcement on VLANs” section on page 5-3.
Enabling SGACL Policy Enforcement Globally
You must enable SGACL policy enforcement globally for Cisco TrustSec-enabled routed interfaces.
To enable SGACL policy enforcement on routed interfaces, perform this task:
        Command                                      Purpose
Step 1  Router# configure terminal                   Enters global configuration mode.
Step 2  Router(config)# cts role-based enforcement   Enables Cisco TrustSec SGACL policy enforcement on routed interfaces.

Configuration Examples for Enabling SGACL Policy Enforcement Globally
Catalyst 6500, Catalyst 3850:
Switch(config)# cts role-based enforcement
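The following audit script is an added example and is not part of the Cisco guide: it reads a constructed "show running-config" excerpt and reports whether the global enforcement command from Step 2 is present and which configured VLANs lack the per-VLAN enforcement from Step 3. The per-VLAN syntax `cts role-based enforcement vlan-list` is assumed from the VLAN enforcement section, and the sample config is constructed, not captured from a device.

```python
import re

# Constructed running-config excerpt (not from a real switch).
SAMPLE_RUNNING_CONFIG = """\
hostname edge-sw1
!
cts role-based enforcement
cts role-based enforcement vlan-list 10,20-22
!
vlan 10
 name users
vlan 20
 name servers
vlan 30
 name guests
!
"""


def expand_vlan_list(spec):
    """Expand an IOS vlan-list such as '10,20-22' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            vlans.update(range(low, high + 1))
        else:
            vlans.add(int(part))
    return vlans


def audit_sgacl_enforcement(running_config):
    """Check global (routed-port) and per-VLAN SGACL enforcement in a running-config."""
    global_enabled = False
    enforced = set()      # VLANs listed under an enforcement vlan-list
    configured = set()    # VLANs defined with a 'vlan <id>' stanza
    for line in running_config.splitlines():
        line = line.rstrip()
        if line == "cts role-based enforcement":
            global_enabled = True
        match = re.match(r"cts role-based enforcement vlan-list (\S+)$", line)
        if match:
            enforced |= expand_vlan_list(match.group(1))
        match = re.match(r"vlan (\d+)$", line)
        if match:
            configured.add(int(match.group(1)))
    return {
        "global_enabled": global_enabled,
        "enforced_vlans": enforced,
        # Switched traffic in these VLANs is not subject to SGACL policy.
        "unenforced_vlans": configured - enforced,
    }
```

Run it against the output of `show running-config` collected from each switch; a non-empty `unenforced_vlans` set means downloaded or local SGACL policies are not being applied to switched traffic in those VLANs.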