Cisco TrustSec Switch Configuration Guide
OL-22192-02
Chapter 5 Configuring SGACL Policies
Manually Configuring SGACL Policies
Configuration Examples for Manually Configuring SGACL Policies
Catalyst 3850 IPv4 manual SGACL policy. ACEs are evaluated in sequence-number order and the first match wins, so the explicit 40 deny ip at the end ensures that anything not matched by entries 10 through 30 is dropped without relying on an implicit entry. Note that show ip access-lists prints port 80 by its IOS name, www:
Switch(config)# ip access-list role-based allow_webtraff
Switch(config-rb-acl)# 10 permit tcp dst eq 80
Switch(config-rb-acl)# 20 permit tcp dst eq 443
Switch(config-rb-acl)# 30 permit icmp
Switch(config-rb-acl)# 40 deny ip
Switch(config-rb-acl)# exit
Switch(config)# cts role-based permissions from 55 to 66 allow_webtraff
Switch# show ip access-lists allow_webtraff
Role-based IP access list allow_webtraff
10 permit tcp dst eq www
20 permit tcp dst eq 443
30 permit icmp
40 deny ip
Switch# show cts role-based permissions from 55 to 66
XXX need output XX
Step 5
Command: [no] cts role-based permissions {default | [from {sgt_num | unknown} to {dgt_num | unknown}]} {rbacls | ipv4 rbacls}
Example:
Switch(config)# cts role-based permissions from 55 to 66 allow_webtraff
Purpose: Binds an SGT and a DGT to the RBACL. This is analogous to populating one cell of the permission matrix on Cisco ISE or Cisco Secure ACS. The binding is directional: from 55 to 66 says nothing about traffic from SGT 66 to DGT 55, which needs its own cell or falls to the default list.
• default: the default permissions list, applied to SGT/DGT pairs that have no cell of their own.
• sgt_num: 0 to 65,519. Source Group Tag.
• dgt_num: 0 to 65,519. Destination Group Tag.
• unknown: the SGACL applies to packets whose security group (source or destination) cannot be determined.
• ipv4: indicates that the RBACL that follows is IPv4.
• rbacls: name of the RBACLs to apply.
Step 6
Command: end
Example:
Switch(config)# end
Purpose: Exits to privileged EXEC mode.
Step 7
Command: show cts role-based permissions
Purpose: Displays the SGT/DGT-to-RBACL permission bindings.
Step 8
Command: show ip access-lists allow_webtraff
Purpose: Displays the ACEs of all RBACLs, or of the specified RBACL.
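The following is an added illustration for this page, not Cisco code and not part of the original guide: an offline model of the permission matrix that Step 5 populates and of the role-based ACE syntax used in the example above. It parses ACEs exactly as typed in config-rb-acl mode, binds them to (SGT, DGT) cells including the unknown keyword and the default list, and shows the two properties a practitioner most often gets wrong: a cell is directional (from 55 to 66 does not cover 66 to 55), and only the first matching ACE counts. The class and function names, the deny_all list, and the treatment of a packet that matches no ACE as denied are this example's assumptions; the page's own list ends in an explicit 40 deny ip so its result never depends on that assumption. The real platform's built-in default cell is deliberately not guessed, so a default must be set before lookups.

```python
# Offline model of the role-based ACL syntax and the SGT/DGT permission
# matrix described in this chapter. Added for this page as an illustration;
# it is not Cisco software and never talks to a switch.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Tag = Union[int, str]                    # an SGT/DGT number or the keyword "unknown"
PORT_NAMES = {"www": 80, "https": 443}   # names IOS prints in 'show ip access-lists'


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                          # "permit" or "deny"
    proto: str                           # "ip", "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None       # set only for "... dst eq <port>"


@dataclass(frozen=True)
class Packet:
    sgt: Tag
    dgt: Tag
    proto: str
    dst_port: Optional[int] = None


def parse_rbacl(text: str) -> List[Ace]:
    """Parse ACEs as typed in config-rb-acl mode, e.g. '10 permit tcp dst eq 80'
    or '40 deny ip'. Only the forms used on this page are accepted."""
    aces = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok:
            continue
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in ACE: {raw!r}")
        port = None
        if len(tok) > 3:
            if len(tok) != 6 or tok[3:5] != ["dst", "eq"]:
                raise ValueError(f"unsupported ACE form: {raw!r}")
            port = int(PORT_NAMES.get(tok[5], tok[5]))   # accept 'www' as well as '80'
        aces.append(Ace(seq, action, proto, port))
    return sorted(aces, key=lambda a: a.seq)             # evaluated by sequence number


def evaluate_rbacl(aces: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins. ASSUMPTION of this model: a packet matching no
    ACE is denied; the page's list ends in '40 deny ip' so it never relies on that."""
    for ace in aces:
        proto_ok = ace.proto == "ip" or ace.proto == pkt.proto
        port_ok = ace.dst_port is None or ace.dst_port == pkt.dst_port
        if proto_ok and port_ok:
            return ace.action
    return "deny"


def check_tag(tag: Tag) -> None:
    """Tags are 0 to 65,519 (Step 5) or the keyword 'unknown'."""
    if tag != "unknown" and not (isinstance(tag, int) and 0 <= tag <= 65519):
        raise ValueError(f"invalid tag: {tag!r}")


class PermissionMatrix:
    """Models 'cts role-based permissions {default | from <sgt> to <dgt>} <rbacl>'."""

    def __init__(self) -> None:
        self.rbacls: Dict[str, List[Ace]] = {}
        self.cells: Dict[Tuple[Tag, Tag], str] = {}
        self.default: Optional[str] = None

    def define_rbacl(self, name: str, text: str) -> None:
        self.rbacls[name] = parse_rbacl(text)

    def bind(self, sgt: Tag, dgt: Tag, name: str) -> None:
        """'cts role-based permissions from <sgt> to <dgt> <name>'; one direction only."""
        check_tag(sgt)
        check_tag(dgt)
        if name not in self.rbacls:
            raise KeyError(f"RBACL {name!r} is not defined")
        self.cells[(sgt, dgt)] = name

    def set_default(self, name: str) -> None:
        """'cts role-based permissions default <name>'."""
        if name not in self.rbacls:
            raise KeyError(f"RBACL {name!r} is not defined")
        self.default = name

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, rbacl_used). A pair with no cell of its own falls back to
        the default list; the platform's built-in default is not guessed here."""
        name = self.cells.get((pkt.sgt, pkt.dgt), self.default)
        if name is None:
            raise LookupError(f"no cell for ({pkt.sgt!r}, {pkt.dgt!r}) and no default set")
        return evaluate_rbacl(self.rbacls[name], pkt), name


def build_page_example() -> PermissionMatrix:
    """The page's allow_webtraff list bound from SGT 55 to DGT 66, plus a
    constructed 'deny_all' default list (the name is this example's, not the page's)."""
    m = PermissionMatrix()
    m.define_rbacl("allow_webtraff", """
        10 permit tcp dst eq 80
        20 permit tcp dst eq 443
        30 permit icmp
        40 deny ip
    """)
    m.define_rbacl("deny_all", "10 deny ip")
    m.bind(55, 66, "allow_webtraff")
    m.set_default("deny_all")
    return m


if __name__ == "__main__":
    m = build_page_example()
    for p in (Packet(55, 66, "tcp", 80), Packet(55, 66, "tcp", 22),
              Packet(66, 55, "tcp", 80), Packet("unknown", 66, "icmp")):
        print(p, "->", m.decide(p))
```

Running the block shows that HTTP from SGT 55 to DGT 66 is permitted by entry 10, SSH on the same pair is dropped by entry 40, the reverse direction 66 to 55 falls to the default list because no cell exists for it, and traffic with an unknown source tag is likewise handled by the default list until a cell from unknown to 66 is bound.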