Cisco TrustSec
5-4
Cisco TrustSec Switch Configuration Guide
OL-22192-02
Chapter 5 Configuring SGACL Policies
Manually Configuring SGACL Policies
A role-based access control list bound to a range of SGTs and DGTs forms an SGACL, a TrustSec policy enforced on egress traffic. Configuration of SGACL policies is best done through the policy management functions of the Cisco ISE or the Cisco Secure ACS. To manually (that is, locally) configure SGACL policies, do the following:
1. Configure a role-based ACL.
2. Bind the role-based ACL to a range of SGTs.
Note: An SGACL policy downloaded dynamically from the Cisco ISE or Cisco ACS overrides any conflicting manually configured policy.
Manually Configuring and Applying IPv4 SGACL Policies
Detailed Steps for Catalyst 3850
Step 1
Command: Router# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: ip access-list role-based rbacl-name
Example: Switch(config)# ip access-list role-based allow_webtraff
Purpose: Creates a role-based ACL and enters role-based ACL configuration mode.

Step 3
Command: {[sequence-number] | default | permit | deny | remark}
Example: Switch(config-rb-acl)# 10 permit tcp dst eq 80 dst eq 20
Purpose: Specifies the access control entries (ACEs) for the RBACL. You can use most of the commands and options allowed in extended named access list configuration mode, with the source and destination fields omitted. Press Enter to complete an ACE and begin the next. For full explanations of ACL configuration, keywords, and options, see Security Configuration Guide: Access Control Lists, Cisco IOS XE Release 3S. The following ACE commands or keywords are not supported: reflect, evaluate, time-range.

Step 4
Command: Switch(config-rb-acl)# exit
Purpose: Exits to global configuration mode.
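As an added end-to-end example (not taken from the guide), the two manual steps above written out as a configuration fragment for an IOS XE switch. The RBACL name, ports and SGT/DGT values are constructed for illustration; the binding command (cts role-based permissions) and the enforcement command (cts role-based enforcement) are not shown on this page and are assumed from the general TrustSec CLI.

```cisco
! Step 1: create the role-based ACL. Only the ACE body is written; source and
! destination addresses are supplied by the SGT/DGT binding, not by the ACE.
! (ACL name, ports and the explicit final deny are constructed for this example.)
ip access-list role-based allow_webtraff
 10 permit tcp dst eq 80
 20 permit tcp dst eq 443
 30 deny ip
 exit
!
! Step 2: bind the RBACL to a source SGT / destination SGT pair.
! SGT 10 and DGT 20 are assumed values; this command is not on this page.
cts role-based permissions from 10 to 20 allow_webtraff
!
! SGACLs are evaluated on egress only when role-based enforcement is enabled
! (assumed command, not on this page).
cts role-based enforcement
!
! Verification from privileged EXEC (assumed show commands): confirm the ACEs
! and the binding as installed before relying on the policy.
! show cts rbacl allow_webtraff
! show cts role-based permissions from 10 to 20
```

If the Cisco ISE or Cisco ACS later pushes a policy for the same SGT/DGT pair, that downloaded policy takes precedence over this manual binding, as the note above states.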