TrustSec Security Group Name Download

The TrustSec Security Group Name Download feature enhances the Security Group Tag (SGT) policy that downloads to the network access device to include the SGT name in addition to the SGT number and Security Group Access Control List (SGACL) policy.

Information About TrustSec Security Group Download

Layer 3 Logical Interface to SGT Mapping

The TrustSec Security Group Name Download feature is used to directly map SGTs to traffic of any of the following Layer 3 interfaces regardless of the underlying physical interface:
  • Routed port

  • SVI (VLAN interface)

  • Layer 3 subinterface of a Layer 2 port

  • Tunnel interface

The cts role-based sgt-map interface global configuration command is used to specify either a specific SGT number or a Security Group Name (whose SGT association is dynamically acquired from a Cisco ISE or a Cisco ACS access server).

How to Configure TrustSec Security Group Name Download

Configuring TrustSec Security Group Name Download

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. cts role-based sgt-map interface type slot/port [security-group name | sgt number]
  4. exit
  5. show cts role-based sgt-map all

DETAILED STEPS

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

cts role-based sgt-map interface type slot/port [security-group name | sgt number]

Example:

Device(config)# cts role-based sgt-map interface gigabitEthernet 1/1 sgt 77

An SGT is imposed on ingress traffic to the specified interface.

  • interface type slot/port — Displays the list of available interfaces.

  • security-group name — Security Group name to SGT pairings are configured on the Cisco ISE or Cisco ACS.

  • sgt number — (0 to 65,535). Specifies the Security Group Tag (SGT) number.

Step 4

exit

Example:

Device(config)# exit

Exits global configuration mode.

Step 5

show cts role-based sgt-map all

Example:

Device# show cts role-based sgt-map all

Verify that ingressing traffic is tagged with the specified SGT.

TrustSec Security Group Name Download Example

The following example shows the SGT download configuration for the ingress interface:

Device# config terminal
Device(config)# cts role-based sgt-map interface gigabitEthernet 6/3 sgt 3
Device(config)# exit

The following example shows that traffic ingressing the interface is tagged appropriately:

Device# show cts role-based sgt-map all

IP Address              SGT     Source
============================================
15.1.1.15               4       INTERNAL
17.1.1.0/24             3       L3IF
21.1.1.2                4       INTERNAL
31.1.1.0/24             3       L3IF
31.1.1.2                4       INTERNAL
43.1.1.0/24             3       L3IF
49.1.1.0/24             3       L3IF
50.1.1.0/24             3       L3IF
50.1.1.2                4       INTERNAL
51.1.1.1                4       INTERNAL
52.1.1.0/24             3       L3IF
81.1.1.1                5       CLI
102.1.1.1               4       INTERNAL
105.1.1.1               3       L3IF
111.1.1.1               4       INTERNAL

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 1
Total number of L3IF     bindings = 7
Total number of INTERNAL bindings = 7
Total number of active   bindings = 15
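As an added verification check (example code written for this page, not part of the Cisco documentation), the following Python parses the output of show cts role-based sgt-map all, confirms that the per-source totals in the summary agree with the rows listed, and confirms that each prefix we configured with cts role-based sgt-map interface appears as an L3IF binding with the intended SGT. The embedded sample is a constructed subset of the page's rows with the summary counts adjusted to match.

```python
import re
from collections import Counter

# Constructed sample in the format of this page's "show cts role-based sgt-map all"
# output (a subset of the page's rows, with the summary counts adjusted to match).
SAMPLE_OUTPUT = """\
IP Address              SGT     Source
============================================
15.1.1.15               4       INTERNAL
17.1.1.0/24             3       L3IF
31.1.1.0/24             3       L3IF
31.1.1.2                4       INTERNAL
81.1.1.1                5       CLI
IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 1
Total number of L3IF     bindings = 2
Total number of INTERNAL bindings = 2
Total number of active   bindings = 5
"""
BINDING_RE = re.compile(r"^(\d[\d./]*)\s+(\d+)\s+(\S+)\s*$")
SUMMARY_RE = re.compile(r"^Total number of (\S+)\s+bindings = (\d+)")

def parse_sgt_map(text):
    """Return ({prefix: (sgt, source)}, {source: count}) parsed from the show output."""
    bindings, summary = {}, {}
    for line in text.splitlines():
        if m := BINDING_RE.match(line):
            bindings[m.group(1)] = (int(m.group(2)), m.group(3))
        elif m := SUMMARY_RE.match(line):
            summary[m.group(1)] = int(m.group(2))
    return bindings, summary

def audit_sgt_map(text, expected):
    """Cross-check the table against its own summary and against the L3IF
    mappings we configured (expected = {prefix: sgt}); return discrepancies."""
    bindings, summary = parse_sgt_map(text)
    counts = Counter(src for _, src in bindings.values())
    problems = []
    for src, n in summary.items():
        seen = len(bindings) if src == "active" else counts.get(src, 0)
        if seen != n:
            problems.append(f"summary says {n} {src} bindings, table shows {seen}")
    for prefix, sgt in expected.items():
        if prefix not in bindings:
            problems.append(f"missing binding for {prefix}")
        elif bindings[prefix] != (sgt, "L3IF"):
            problems.append(f"{prefix} is {bindings[prefix]}, expected ({sgt}, 'L3IF')")
    return problems
```

An empty list from audit_sgt_map means every configured prefix is bound to the intended SGT and the device's own summary is consistent with the table; anything else is worth investigating before trusting SGACL enforcement on that interface.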

Additional References

Related Documents

Related Topic / Document Title

  • Cisco IOS commands: Cisco IOS Master Commands List, All Releases

  • Security commands

  • Cisco TrustSec and SXP configuration: Cisco TrustSec Switch Configuration Guide

  • IPsec configuration: Configuring Security for VPNs with IPsec

  • IKEv2 configuration: Configuring Internet Key Exchange Version 2 (IKEv2) and FlexVPN Site-to-Site

  • Cisco Secure Access Control Server: Configuration Guide for the Cisco Secure ACS

Technical Assistance

Description / Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for TrustSec Security Group Name Download

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for TrustSec Security Group Name Download

Feature Name / Releases / Feature Information

TrustSec Security Group Name Download

This feature enhances the Security Group Tag (SGT) policy that downloads to the network access device to include the SGT name in addition to the SGT number and Security Group Access Control List (SGACL) policy.

The following commands were introduced or modified: cts role-based sgt-map interface.