Cisco TrustSec Subnet to SGT Mapping

Subnet to security group tag (SGT) mapping binds an SGT to all host addresses of a specified subnet. Once this mapping is implemented, Cisco TrustSec imposes the SGT on any incoming packet that has a source IP address which belongs to the specified subnet.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Cisco TrustSec Subnet to SGT Mapping

  • An IPv4 subnetwork with a /31 prefix cannot be expanded.

  • Subnet host addresses cannot be bound to SGTs when the cts sxp mapping network-map command bindings argument is less than the total number of subnet hosts in the specified subnets or when the number of bindings is 0.

  • IPv6 expansion and propagation occur only when both the SXP speaker and the SXP listener are running SXPv3 or a more recent version.

Information About Cisco TrustSec Subnet to SGT Mapping

In IPv4 networks, SXPv3 and more recent versions can receive and parse subnet network address/prefix strings from SXPv3 peers. Earlier SXP versions cannot, so the speaker converts the subnet prefix into its set of host bindings before exporting them to an SXP listener peer.

For example, the IPv4 subnet 198.1.1.0/29 is expanded as follows (only 3 bits for host addresses):
  • Host addresses 198.1.1.1 to 198.1.1.7 are tagged and propagated to the SXP peer.

  • Network and broadcast addresses 198.1.1.0 and 198.1.1.8 are not tagged and not propagated.


Note

To limit the number of subnet bindings SXPv3 can export, use the cts sxp mapping network-map global configuration command.

Subnet bindings are static, which means that active hosts are not learned. They can be used locally for SGT imposition and SGACL enforcement. Packets tagged by subnet to SGT mapping can be propagated on Layer 2 or Layer 3 TrustSec links.

Note

For IPv6 networks, SXPv3 cannot export subnet bindings to SXPv2 or SXPv1 peers.

How to Configure Cisco TrustSec Subnet to SGT Mapping

Configuring Subnet to SGT Mapping

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    cts sxp mapping network-map bindings

    4.    cts role-based sgt-map ipv4-address sgt number

    5.    cts role-based sgt-map ipv6-address::prefix sgt number

    6.    exit

    7.    show running-config | include search-string

    8.    show cts sxp connections

    9.    show cts sxp sgt-map

    10.    copy running-config startup-config


DETAILED STEPS
    Command or Action / Purpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 cts sxp mapping network-map bindings


    Example:
    Device(config)# cts sxp mapping network-map 10000
     

    Configures the subnet to SGT mapping host count constraint. The bindings argument specifies the maximum number of subnet IP hosts from 0 to 65,535 that can be bound to SGTs and exported to the SXP listener. The default is 0 (no expansions performed).

     
    Step 4 cts role-based sgt-map ipv4-address sgt number


    Example:
    Device(config)# cts role-based sgt-map 10.10.10.10/29 sgt 1234
     

    (IPv4) Specifies an IPv4 subnet in CIDR notation.

    The number of bindings specified in step 3 should match or exceed the number of host addresses in the subnet (excluding network and broadcast addresses). The sgt number keyword pair specifies the SGT number that is to be bound to every host address in the specified subnet.

    • ipv4-address—Specifies the IPv4 network address in dotted decimal notation.

    • prefix—(0 to 30). Specifies the number of bits in the network address.

    • sgt number—(0-65,535). Specifies the SGT number.

     
    Step 5 cts role-based sgt-map ipv6-address::prefix sgt number


    Example:
    Device(config)# cts role-based sgt-map 2020::/64 sgt 1234
     

    (IPv6) Specifies an IPv6 subnet in hexadecimal notation.

    The number of bindings specified in step 3 should match or exceed the number of host addresses in the subnet (excluding network and broadcast addresses). The sgt number keyword pair specifies the SGT number that is to be bound to every host address in the specified subnet.

    • ipv6-address—Specifies the IPv6 network address in hexadecimal notation.

    • prefix—(0 to 30). Specifies the number of bits in the network address.

    • sgt number—(0-65,535). Specifies the SGT number.

     
    Step 6 exit


    Example:
    Device(config)# exit
     

    Exits global configuration mode.

     
    Step 7 show running-config | include search-string


    Example:
    Device# show running-config | include sgt 1234
    Device# show running-config | include network-map
     

    Verifies that the cts role-based sgt-map and the cts sxp mapping network-map commands are in the running configuration.

     
    Step 8 show cts sxp connections


    Example:
    Device# show cts sxp connections
     

    Displays the SXP speaker and listener connections with their operational status.

     
    Step 9 show cts sxp sgt-map


    Example:
    Device# show cts sxp sgt-map
     

    Displays the IP to SGT bindings exported to the SXP listeners.

     
    Step 10 copy running-config startup-config


    Example:
    Device# copy running-config startup-config
     

    Copies the running configuration to the startup configuration.

     

    Cisco TrustSec Subnet to SGT Mapping: Examples

    The following example shows how to configure IPv4 Subnet to SGT Mapping between two devices running SXPv3 (Device 1 and Device 2):

    Configure SXP speaker/listener peering between Device 1 (10.1.1.1) and Device 2 (10.2.2.2).

    Device1# configure terminal
    Device1(config)# cts sxp enable
    Device1(config)# cts sxp default source-ip 10.1.1.1
    Device1(config)# cts sxp default password 1syzygy1
    Device1(config)# cts sxp connection peer 10.2.2.2 password default mode local speaker

    Configure Device 2 as SXP listener of Device 1.

    Device2(config)# cts sxp enable
    Device2(config)# cts sxp default source-ip 10.2.2.2
    Device2(config)# cts sxp default password 1syzygy1
    Device2(config)# cts sxp connection peer 10.1.1.1 password default mode local listener

    On Device 2, verify that the SXP connection is operating:

    Device2# show cts sxp connections brief | include 10.1.1.1
    
         10.1.1.1          10.2.2.2          On                3:22:23:18 (dd:hr:mm:sec)

    Configure the subnetworks to be expanded on Device 1.

    Device1(config)# cts sxp mapping network-map 10000
    Device1(config)# cts role-based sgt-map 10.10.10.0/30 sgt 101
    Device1(config)# cts role-based sgt-map 10.11.11.0/29 sgt 11111    
    Device1(config)# cts role-based sgt-map 172.168.1.0/28 sgt 65000

    On Device 2, verify the subnet to SGT expansion from Device 1. There should be two expansions for the 10.10.10.0/30 subnetwork, six expansions for the 10.11.11.0/29 subnetwork, and 14 expansions for the 172.168.1.0/28 subnetwork.

    Device2# show cts sxp sgt-map brief | include 101|11111|65000
    
    IPv4,SGT: <10.10.10.1 , 101>
    IPv4,SGT: <10.10.10.2 , 101>
    IPv4,SGT: <10.11.11.1 , 11111>
    IPv4,SGT: <10.11.11.2 , 11111>
    IPv4,SGT: <10.11.11.3 , 11111>
    IPv4,SGT: <10.11.11.4 , 11111>
    IPv4,SGT: <10.11.11.5 , 11111>
    IPv4,SGT: <10.11.11.6 , 11111>
    IPv4,SGT: <172.168.1.1 , 65000>
    IPv4,SGT: <172.168.1.2 , 65000>
    IPv4,SGT: <172.168.1.3 , 65000>
    IPv4,SGT: <172.168.1.4 , 65000>
    IPv4,SGT: <172.168.1.5 , 65000>
    IPv4,SGT: <172.168.1.6 , 65000>
    IPv4,SGT: <172.168.1.7 , 65000>
    IPv4,SGT: <172.168.1.8 , 65000>
    IPv4,SGT: <172.168.1.9 , 65000>
    IPv4,SGT: <172.168.1.10 , 65000>
    IPv4,SGT: <172.168.1.11 , 65000>
    IPv4,SGT: <172.168.1.12 , 65000>
    IPv4,SGT: <172.168.1.13 , 65000>
    IPv4,SGT: <172.168.1.14 , 65000>
    

    Verify the expansion count on Device 1:

    Device1# show cts sxp sgt-map
    
    IP-SGT Mappings expanded:22
    There are no IP-SGT Mappings

    Save the configurations on Device 1 and Device 2 and exit global configuration mode.

    Device1(config)# copy running-config startup-config
    Device1(config)# exit
    
    Device2(config)# copy running-config startup-config
    Device2(config)# exit

    Additional References

    Related Documents

    Related Topic: Document Title

    Cisco IOS commands: Cisco IOS Master Commands List, All Releases

    Security commands

    Cisco TrustSec and SXP configuration: Cisco TrustSec Switch Configuration Guide

    IPsec configuration: Configuring Security for VPNs with IPsec

    IKEv2 configuration: Configuring Internet Key Exchange Version 2 (IKEv2) and FlexVPN Site-to-Site

    Cisco Secure Access Control Server: Configuration Guide for the Cisco Secure ACS

    Technical Assistance

    Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

    Link: http://www.cisco.com/cisco/web/support/index.html

    Feature Information for Cisco TrustSec Subnet to SGT Mapping

    The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

    Table 1 Feature Information for Cisco TrustSec Subnet to SGT Mapping

    Feature Name: Cisco TrustSec Subnet to SGT Mapping

    Releases: 15.1(1)SY, 15.4(2)T

    Feature Information: Subnet to security group tag (SGT) mapping binds an SGT to all host addresses of a specified subnet. Once this mapping is implemented, Cisco TrustSec imposes the SGT on any incoming packet that has a source IP address which belongs to the specified subnet. The following command was introduced: cts sxp mapping network-map.