Cisco TrustSec Switch Configuration Guide (OL-22192-02), page 5-4
Chapter 5 Configuring SGACL Policies
Manually Configuring SGACL Policies
A role-based access control list (RBACL) bound to a range of source SGTs and destination SGTs (DGTs) forms an SGACL, a TrustSec policy that is enforced on egress traffic. SGACL policies are best configured through the policy management functions of the Cisco ISE or the Cisco Secure ACS. To manually (that is, locally) configure SGACL policies, do the following:
1. Configure a role-based ACL.
2. Bind the role-based ACL to a range of SGTs.
Note: An SGACL policy downloaded dynamically from the Cisco ISE or Cisco ACS overrides any conflicting manually configured policy.
Manually Configuring and Applying IPv4 SGACL Policies
Detailed Steps for Catalyst 3850

Step 1  Command: Switch# configure terminal
        Purpose: Enters global configuration mode.

Step 2  Command: ip access-list role-based rbacl-name
        Example:
        Switch(config)# ip access-list role-based allow_webtraff
        Purpose: Creates a role-based ACL and enters role-based ACL configuration mode.

Step 3  Command: {[sequence-number] | default | permit | deny | remark}
        Example:
        Switch(config-rb-acl)# 10 permit tcp dst eq 80 dst eq 20
        Purpose: Specifies the access control entries (ACEs) for the RBACL.
        You can use most of the commands and options allowed in extended named access list configuration mode, with the source and destination address fields omitted (the SGT/DGT binding supplies them). Press Enter to complete an ACE and begin the next.
        For full explanations of ACL configuration, keywords, and options, see Security Configuration Guide: Access Control Lists, Cisco IOS XE Release 3S.
        The following ACE commands or keywords are not supported in role-based ACL configuration mode:
        - reflect
        - evaluate
        - time-range

Step 4  Command: Switch(config-rb-acl)# exit
        Purpose: Exits to global configuration mode.
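The complete CLI sequence for the procedure above, including the SGT binding named in step 2 of the introduction, as an added example that is not part of the configuration guide. The RBACL name, the SGT values 10 and 20 and their meaning, and the ACEs are assumptions chosen for illustration; the cts role-based permissions, cts role-based enforcement and show cts commands come from the IOS XE cts command set and are not shown on this page.

```cisco
! Added example (not from the guide): a manually configured IPv4 SGACL on a
! Catalyst 3850. SGT 10 (Employees) and SGT 20 (Web_Servers) are assumed values.
Switch# configure terminal

! Step 1-3: create the RBACL. Source/destination addresses are omitted;
! only protocol and port matching belong in the ACEs. Note that reflect,
! evaluate and time-range are rejected in role-based ACL mode.
Switch(config)# ip access-list role-based allow_webtraff
Switch(config-rb-acl)# remark Employees to Web_Servers: HTTP and HTTPS only
Switch(config-rb-acl)# 10 permit tcp dst eq 80
Switch(config-rb-acl)# 20 permit tcp dst eq 443
Switch(config-rb-acl)# 30 deny ip log
Switch(config-rb-acl)# exit

! Step 2 of the introduction: bind the RBACL to a source SGT / destination
! SGT pair. The SGACL is evaluated on egress, when the destination SGT is known.
! (Command from the IOS XE cts command set; not shown on this page.)
Switch(config)# cts role-based permissions from 10 to 20 allow_webtraff

! Without enforcement enabled, bindings are stored but never applied.
Switch(config)# cts role-based enforcement
Switch(config)# end

! Verify the ACEs and the binding. A policy later pushed by ISE/ACS for the
! same 10 -> 20 cell replaces this manual entry, so re-check after onboarding.
Switch# show cts rbacl allow_webtraff
Switch# show cts role-based permissions from 10 to 20
```

The explicit `deny ip log` as the last ACE makes the SGACL's drop decision visible in syslog while the policy is being validated; remove the `log` keyword once the cell is stable to avoid flooding the log on high-volume flows.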