Cisco TrustSec Configuration Guide
OL-22192-01
Chapter 6 Configuring Endpoint Admission Control
DHCP Snooping and SGT Assignment
After the authentication process, authorization of the device occurs (for example, dynamic VLAN
assignment, ACL programming, etc.). For TrustSec networks, a Security Group Tag (SGT) is assigned
per the user configuration in the Cisco ACS. The SGT is bound to traffic sent from that endpoint through
DHCP snooping and the IP device tracking infrastructure.
The following example enables DHCP snooping and IP device tracking on an access switch:
switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping vlan 10
switch(config)# no ip dhcp snooping information option
switch(config)# ip device tracking
For more detailed information on DHCP snooping and IP device tracking configuration, see the
configuration guide for your access switch.
Verifying the SGT to Endpoint Host Binding
To verify that hosts are visible to DHCP Snooping and IP Device Tracking, use the
show ip dhcp snooping binding and show ip device tracking commands.
switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0C:29:3A:04:8E   10.252.10.10     84814       dhcp-snooping  10    GigabitEthernet2/1
Total number of bindings: 1
switch# show ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
--------------------------------------------------------------
  IP Address      MAC Address     Interface           STATE
--------------------------------------------------------------
10.252.10.10      000c.293a.048e  GigabitEthernet2/1  ACTIVE
To verify that the correct SGT is bound to an endpoint IP address, use the show cts role-based sgt-map
command. In the output, the endpoint learned through DHCP snooping and IP device tracking is listed with
source LOCAL, and its SGT value should match the SGT assigned for that user in the Cisco ACS.
switch# show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
============================================
1.1.1.1                 7       INTERNAL
10.252.10.1             7       INTERNAL
10.252.10.10            3       LOCAL
10.252.100.1            7       INTERNAL
172.26.208.31           7       INTERNAL

IP-SGT Active Bindings Summary
============================================
Total number of LOCAL    bindings = 1
Total number of INTERNAL bindings = 4
Total number of active   bindings = 5
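The three show commands above verify one chain: a DHCP-snooped host must also appear in IP device tracking (ACTIVE, same MAC) and must have a LOCAL IP-SGT binding. The following script is an added example, not part of the Cisco guide, that parses the outputs in the column layout shown above and reports any endpoint whose chain is broken. The sample outputs are constructed: they copy the guide's single host and add a second, hypothetical host (10.252.10.11) that is INACTIVE in device tracking and has no SGT binding, so the audit has something to find. The column layout is assumed to match the guide; other IOS releases may print these tables differently.

```python
"""Cross-check DHCP snooping, IP device tracking and IP-SGT binding output.

Added example (not from the Cisco guide). Assumes the column layout shown
in the guide's sample output; adjust the regexes for other releases.
"""
import re

# Constructed sample outputs: the guide's host plus a second, hypothetical
# host (10.252.10.11) whose binding chain is deliberately incomplete.
DHCP_SNOOPING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0C:29:3A:04:8E   10.252.10.10     84814       dhcp-snooping  10    GigabitEthernet2/1
00:0C:29:3A:04:8F   10.252.10.11     84000       dhcp-snooping  10    GigabitEthernet2/2
Total number of bindings: 2
"""

DEVICE_TRACKING_OUTPUT = """\
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
--------------------------------------------------------------
  IP Address      MAC Address     Interface           STATE
--------------------------------------------------------------
10.252.10.10      000c.293a.048e  GigabitEthernet2/1  ACTIVE
10.252.10.11      000c.293a.048f  GigabitEthernet2/2  INACTIVE
"""

SGT_MAP_OUTPUT = """\
Active IP-SGT Bindings Information

IP Address              SGT     Source
============================================
1.1.1.1                 7       INTERNAL
10.252.10.1             7       INTERNAL
10.252.10.10            3       LOCAL
10.252.100.1            7       INTERNAL
172.26.208.31           7       INTERNAL

IP-SGT Active Bindings Summary
============================================
Total number of LOCAL    bindings = 1
Total number of INTERNAL bindings = 4
Total number of active   bindings = 5
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def normalize_mac(mac):
    """Reduce 00:0C:29:3A:04:8E and 000c.293a.048e to the same 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_dhcp_snooping(text):
    """Return {ip: {mac, type, vlan, interface}} from 'show ip dhcp snooping binding'."""
    pat = re.compile(r"^([0-9A-Fa-f:]{17})\s+(" + IPV4 + r")\s+\d+\s+(\S+)\s+(\d+)\s+(\S+)", re.M)
    return {ip: {"mac": mac, "type": typ, "vlan": int(vlan), "interface": intf}
            for mac, ip, typ, vlan, intf in pat.findall(text)}


def parse_device_tracking(text):
    """Return {ip: {mac, interface, state}} from 'show ip device tracking all'."""
    pat = re.compile(r"^(" + IPV4 + r")\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.M)
    return {ip: {"mac": mac, "interface": intf, "state": state}
            for ip, mac, intf, state in pat.findall(text)}


def parse_sgt_map(text):
    """Return {ip: {sgt, source}} from 'show cts role-based sgt-map all'."""
    pat = re.compile(r"^(" + IPV4 + r")\s+(\d+)\s+(\S+)", re.M)
    return {ip: {"sgt": int(sgt), "source": src} for ip, sgt, src in pat.findall(text)}


def audit_bindings(dhcp_text, tracking_text, sgt_text):
    """List (ip, finding) for every DHCP-snooped host whose binding chain is incomplete.

    A healthy host is tracked ACTIVE with the same MAC and has a LOCAL IP-SGT binding.
    """
    dhcp = parse_dhcp_snooping(dhcp_text)
    tracking = parse_device_tracking(tracking_text)
    sgt = parse_sgt_map(sgt_text)
    findings = []
    for ip, d in sorted(dhcp.items()):
        t = tracking.get(ip)
        if t is None:
            findings.append((ip, "not in IP device tracking"))
        elif normalize_mac(t["mac"]) != normalize_mac(d["mac"]):
            findings.append((ip, f"MAC mismatch: snooping {d['mac']} vs tracking {t['mac']}"))
        elif t["state"] != "ACTIVE":
            findings.append((ip, f"device tracking state {t['state']}"))
        s = sgt.get(ip)
        if s is None:
            findings.append((ip, "no IP-SGT binding"))
        elif s["source"] != "LOCAL":
            findings.append((ip, f"IP-SGT binding source is {s['source']}, expected LOCAL"))
    return findings


if __name__ == "__main__":
    for ip, finding in audit_bindings(DHCP_SNOOPING_OUTPUT, DEVICE_TRACKING_OUTPUT, SGT_MAP_OUTPUT):
        print(f"{ip}: {finding}")
```

Run against the constructed sample, the guide's host 10.252.10.10 produces no findings, while 10.252.10.11 is flagged twice (INACTIVE in device tracking, no IP-SGT binding). In practice the three outputs would be captured from the switch and fed to audit_bindings; a host that is snooped but never becomes a LOCAL binding will send traffic without the SGT its ACS authorization intended.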