This chapter describes the Cisco NX-OS TrustSec commands that begin with P.
To configure a permit action in a security group access control list (SGACL), use the permit command. To remove the action, use the no form of this command.
permit {all | icmp | igmp | ip | {{tcp | udp} [{dest | dst | src} {{eq | gt | lt | neq} port-number | range port-number1 port-number2}]}} [log]
no permit {all | icmp | igmp | ip | {{tcp | udp} [{dest | dst | src} {{eq | gt | lt | neq} port-number | range port-number1 port-number2}]}} [log]
Command Default: None
Command Modes: role-based access control list (RBACL) configuration mode
Command History:
| Release | Modification |
| --- | --- |
| 5.1(3)N1(1) | This command was introduced. |
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
To enable RBACL logging, you must enable RBACL policy enforcement on the VLAN. You must also enable Cisco TrustSec counters using the cts role-based counters enable command.
This command does not require a license.
This example shows how to add a permit action to an SGACL and enable RBACL logging:
switch# configure terminal
switch(config)# cts role-based access-list MySGACL
switch(config-rbacl)# permit icmp log
switch(config-rbacl)#
This example shows how to remove a permit action from an SGACL:
switch# configure terminal
switch(config)# cts role-based access-list MySGACL
switch(config-rbacl)# no permit icmp log
switch(config-rbacl)#
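The following Python script is an added example, not part of Cisco's documentation or NX-OS software. It parses permit and no permit lines against the syntax given above, rejecting port qualifiers on protocols that take none and malformed ranges, and it checks a running-config text for the prerequisites the usage guidelines state (feature dot1x, feature cts, and cts role-based counters enable whenever an entry uses log). The 16-bit port range check and the sample SGACL and configuration text are assumptions constructed for the example.

```python
"""Validate Cisco TrustSec SGACL permit lines against the syntax on this page.

Added example (not Cisco's code). Assumptions: port numbers are 16-bit
(0-65535), and a leading 'no' negates the whole line as the CLI does.
"""
from typing import Dict, List

# Grammar from the page:
# permit {all | icmp | igmp | ip | {{tcp | udp} [{dest | dst | src}
#         {{eq | gt | lt | neq} port-number | range port-number1 port-number2}]}} [log]
PORTLESS = {"all", "icmp", "igmp", "ip"}
PORTED = {"tcp", "udp"}
DIRECTIONS = {"dest", "dst", "src"}
OPERATORS = {"eq", "gt", "lt", "neq"}


def _port(token: str) -> int:
    """Convert a port token, rejecting non-numeric or out-of-range values."""
    if not token.isdigit():
        raise ValueError(f"port-number must be numeric, got {token!r}")
    value = int(token)
    if not 0 <= value <= 65535:  # assumption: 16-bit port space
        raise ValueError(f"port-number out of range: {value}")
    return value


def parse_permit(line: str) -> Dict[str, object]:
    """Parse 'permit ...' or 'no permit ...' into a dict; raise ValueError on bad syntax."""
    tokens = line.split()
    entry: Dict[str, object] = {"negate": False, "protocol": None, "direction": None,
                                "operator": None, "ports": (), "log": False}
    if tokens and tokens[0] == "no":
        entry["negate"] = True
        tokens = tokens[1:]
    if not tokens or tokens[0] != "permit":
        raise ValueError("line must start with 'permit' or 'no permit'")
    tokens = tokens[1:]
    if tokens and tokens[-1] == "log":          # optional trailing [log]
        entry["log"] = True
        tokens = tokens[:-1]
    if not tokens:
        raise ValueError("missing protocol keyword")
    proto, rest = tokens[0], tokens[1:]
    entry["protocol"] = proto
    if proto in PORTLESS:
        if rest:
            raise ValueError(f"{proto} accepts no port qualifier")
        return entry
    if proto not in PORTED:
        raise ValueError(f"unknown protocol keyword {proto!r}")
    if not rest:                                # bare 'permit tcp' is legal
        return entry
    if rest[0] not in DIRECTIONS:
        raise ValueError("expected dest, dst or src after tcp/udp")
    entry["direction"] = rest[0]
    rest = rest[1:]
    if len(rest) == 2 and rest[0] in OPERATORS:
        entry["operator"] = rest[0]
        entry["ports"] = (_port(rest[1]),)
    elif len(rest) == 3 and rest[0] == "range":
        low, high = _port(rest[1]), _port(rest[2])
        if low > high:
            raise ValueError("range lower bound exceeds upper bound")
        entry["operator"] = "range"
        entry["ports"] = (low, high)
    else:
        raise ValueError("expected '<eq|gt|lt|neq> port' or 'range port1 port2'")
    return entry


def missing_prerequisites(running_config: str, entries: List[Dict[str, object]]) -> List[str]:
    """Report page-stated prerequisites absent from a running-config text.

    feature dot1x and feature cts are required for every SGACL; the counters
    command is required only when an entry uses 'log'.
    """
    present = {ln.strip() for ln in running_config.splitlines()}
    missing = [cmd for cmd in ("feature dot1x", "feature cts") if cmd not in present]
    if any(e["log"] for e in entries) and "cts role-based counters enable" not in present:
        missing.append("cts role-based counters enable")
    return missing


# Constructed sample: the page's own MySGACL entry plus a TCP port rule.
SAMPLE_ACL = ["permit icmp log", "permit tcp dst eq 443"]
SAMPLE_CONFIG = "feature dot1x\nfeature cts\n"   # counters deliberately left out

if __name__ == "__main__":
    parsed = [parse_permit(l) for l in SAMPLE_ACL]
    for p in parsed:
        print(p)
    print("missing prerequisites:", missing_prerequisites(SAMPLE_CONFIG, parsed))
```

Run the script as-is to see the parsed entries and the one missing prerequisite (the counters command, because the sample ACL uses log); feed it your own exported SGACL lines and show running-config text to lint a real configuration offline.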
To manually configure a Cisco TrustSec authentication policy on an interface with either a Cisco TrustSec device identifier or security group tag (SGT), use the policy command. To revert to the default, use the no form of this command.
policy {dynamic identity device-id | static sgt sgt-value [trusted]}
no policy {dynamic | static}
Command Default: None
Command Modes: Cisco TrustSec manual configuration mode
Command History:
| Release | Modification |
| --- | --- |
| 5.1(3)N1(1) | This command was introduced. |
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown and no shutdown command sequence for the configuration to take effect.
This command does not require a license.
This example shows how to manually configure a dynamic Cisco TrustSec policy on an interface:
switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# cts manual
switch(config-if-cts-manual)# policy dynamic identity DeviceB
switch(config-if-cts-manual)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
switch(config-if)#
This example shows how to remove a manually configured dynamic Cisco TrustSec policy from an interface:
switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# cts manual
switch(config-if-cts-manual)# no policy dynamic
switch(config-if-cts-manual)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
switch(config-if)#
This example shows how to manually configure a static Cisco TrustSec policy on an interface:
switch# configure terminal
switch(config)# interface ethernet 2/4
switch(config-if)# cts manual
switch(config-if-cts-manual)# policy static sgt 0x100
switch(config-if-cts-manual)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
switch(config-if)#
This example shows how to remove a manually configured static Cisco TrustSec policy on an interface:
switch# configure terminal
switch(config)# interface ethernet 2/4
switch(config-if)# cts manual
switch(config-if-cts-manual)# no policy static
switch(config-if-cts-manual)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
switch(config-if)#
To enable security group tag (SGT) propagation on Layer 2 Cisco TrustSec interfaces, use the propagate-sgt command. To disable SGT propagation, use the no form of this command.
propagate-sgt
no propagate-sgt
Syntax Description: This command has no arguments or keywords.
Command Default: Enabled if manual configuration is enabled on the interface. Disabled if manual configuration is disabled on the interface.
Command Modes: Global configuration mode
Command History:
| Release | Modification |
| --- | --- |
| 5.1(3)N1(1) | This command was introduced. |
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
You can disable SGT propagation on an interface if the peer device connected to the interface cannot handle Cisco TrustSec packets tagged with an SGT.
After using this command, you must enable and disable the interface using the shutdown and no shutdown command sequence for the configuration to take effect.
This command does not require a license.
This example shows how to disable SGT propagation:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# cts manual
switch(config-if-cts-manual)# no propagate-sgt
switch(config-if-cts-manual)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
switch(config-if)#
This example shows how to enable SGT propagation:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# cts manual
switch(config-if-cts-manual)# propagate-sgt
switch(config-if-cts-manual)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
switch(config-if)#
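The script below is an added example, not Cisco code. It builds the cts manual interface sequence for both the policy command and the propagate-sgt command described above, always appending the shutdown / no shutdown bounce that both commands require before they take effect, and it models the propagate-sgt default (enabled only while manual configuration is enabled on the interface). The 16-bit range check on sgt-value and the no-whitespace restriction on device-id are assumptions; the interface names and values used in the sample run are taken from the examples above.

```python
"""Emit the cts manual interface sequence for the policy and propagate-sgt commands.

Added example, not Cisco's code. Assumes SGT values fit in 16 bits and that a
device-id is a single token with no whitespace; interface names are plain strings.
"""
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass(frozen=True)
class DynamicPolicy:
    """policy dynamic identity device-id"""
    device_id: str


@dataclass(frozen=True)
class StaticPolicy:
    """policy static sgt sgt-value [trusted]"""
    sgt: int
    trusted: bool = False


Policy = Union[DynamicPolicy, StaticPolicy]


def policy_line(policy: Policy) -> str:
    """Render one policy command, validating its argument first."""
    if isinstance(policy, DynamicPolicy):
        if not policy.device_id or any(c.isspace() for c in policy.device_id):
            raise ValueError("device-id must be a single non-empty token")
        return f"policy dynamic identity {policy.device_id}"
    if isinstance(policy, StaticPolicy):
        if not 0 <= policy.sgt <= 0xFFFF:   # assumption: 16-bit SGT
            raise ValueError(f"sgt-value out of range: {policy.sgt}")
        line = f"policy static sgt 0x{policy.sgt:x}"
        return line + " trusted" if policy.trusted else line
    raise TypeError("policy must be DynamicPolicy or StaticPolicy")


def cts_manual_interface_config(
    interface: str,
    policy: Optional[Policy] = None,
    remove_policy: Optional[str] = None,      # "dynamic" or "static" -> no policy ...
    propagate_sgt: Optional[bool] = None,     # True/False -> propagate-sgt / no propagate-sgt
) -> List[str]:
    """Build the full CLI sequence, ending with the shutdown / no shutdown bounce
    the page says is required for either command to take effect."""
    if policy is not None and remove_policy is not None:
        raise ValueError("configure or remove a policy, not both")
    if remove_policy is not None and remove_policy not in ("dynamic", "static"):
        raise ValueError("remove_policy must be 'dynamic' or 'static'")
    lines = ["configure terminal", f"interface {interface}", "cts manual"]
    if policy is not None:
        lines.append(policy_line(policy))
    if remove_policy is not None:
        lines.append(f"no policy {remove_policy}")
    if propagate_sgt is True:
        lines.append("propagate-sgt")
    elif propagate_sgt is False:
        lines.append("no propagate-sgt")
    if len(lines) == 3:
        raise ValueError("nothing to configure: give a policy, remove_policy or propagate_sgt")
    lines += ["exit", "shutdown", "no shutdown"]
    return lines


def effective_sgt_propagation(manual_enabled: bool, explicit: Optional[bool]) -> bool:
    """Page default: propagation is on only while cts manual is enabled on the
    interface, and an explicit propagate-sgt / no propagate-sgt overrides that."""
    if not manual_enabled:
        return False
    return True if explicit is None else explicit


if __name__ == "__main__":
    # Reproduces the page's static-policy example on ethernet 2/4 and the
    # no propagate-sgt example on ethernet 2/1.
    for block in (
        cts_manual_interface_config("ethernet 2/4", policy=StaticPolicy(0x100)),
        cts_manual_interface_config("ethernet 2/1", propagate_sgt=False),
    ):
        print("\n".join(block), end="\n\n")
```

Because the bounce is appended unconditionally, a change-control script built on this cannot forget the step that the usage guidelines say is required; on a production uplink that bounce is a short outage, so schedule it accordingly.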