Name: Cisco TrustSec
Brand: Cisco
Rating: 4 (1 reviews)

To Next Page

To Previous Page

5-5

Cisco TrustSec Switch Configuration Guide

OL-22192-02

Chapter 5 Configuring SGACL Policies

Manually Configuring SGACL Policies

Configuration Examples for Manually Configuring SGACL Policies

Catalyst 3850 IPv4 Manual SGACL policy:

Switch(config)# ip access role allow_webtraff

Switch(config-rb-acl)# 10 permit tcp dst eq 80

Switch(config-rb-acl)# 20 permit tcp dst eq 443

Switch(config-rb-acl)# 30 permit icmp

Switch(config-rb-acl)# 40 deny ip

Switch(config-rb-acl)# exit

Switch(config)# cts role-based permissions from 55 to 66 allow_webtraff

Switch# show ip access allow_webtraff

Role-based IP access list allow_webtraff

10 permit tcp dst eq www

20 permit tcp dst eq 443

30 permit icmp

40 deny ip

Switch# show show cts role-based permissions from 50 to 70

XXX need output XX

Step 5

[no] cts role-based permissions {default

|[from {sgt_num | unknown} to {dgt_num |

unknown}]{rbacls | ipv4 rbacls}

Example:

Switch(config)# cts role-based

permissions from 55 to 66 allow_webtraff

Binds SGTs and DGTs to the RBACL. The

configuration is analogous to populating the

permission matrix configured on the Cisco ISE or the

Cisco Secure ACS.

• Default—Default permissions list

• sgt_num—0 to 65,519. Source Group Tag

• dgt_num—0 to 65,519. Destination Group Tag

• unknown—SGACL applies to packets where the

security group (source or destination) cannot be

determined.

• ipv4—Indicates the following RBACL is IPv4.

• rbacls—Name of RBACLs

Step 6

Switch(config)# end

Exits to Privileged Exec mode.

Step 7

Switch# show cts role-based permissions

Displays permission to RBACL configurations.

Step 8

Switch# show ip access-lists

allow_webtraff

Displays ACEs of all RBACLs or a specified RBACL.

Command Purpose

Questions and Answers:

Need help?

Do you have a question about the Cisco TrustSec and is the answer not in the manual?

Cisco TrustSec Specifications

General

Category	Network Security
Functionality	Provides role-based access control, network segmentation, and policy enforcement.
Key Components	Security Group Tags (SGT), Security Exchange Protocol (SXP).
Authentication Methods	802.1X, MAC Authentication Bypass (MAB), Web Authentication
Security Group Tagging (SGT)	Assigns security group tags to users and devices for identity-based segmentation.
Security Exchange Protocol (SXP)	A protocol used to propagate SGT information across network devices.
Policy Enforcement	Enforces security policies based on SGTs and SGACLs.
Benefits	Enhanced security, simplified policy management, and improved compliance.
Encryption	Supports encryption for data in transit through IPsec and MACsec.
Scalability	Scalable to large enterprise networks with thousands of devices.
Compatibility	Compatible with a wide range of Cisco network devices.
Description	Cisco TrustSec is a security architecture framework designed to build secure networks. It uses identity-based access control to segment the network and enforce policies based on user roles and device types, rather than relying solely on IP addresses.