Notes for Catalyst 6500 Series Switches
TrustSec Supported Hardware
TrustSec-capable supervisors and line cards are listed in tables 3 and 4 of “Cisco Catalyst 6500 Series with Supervisor Engine 2T: Enabling Cisco TrustSec with Investment Protection,” at the following URL:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-658388.html
The Catalyst 6500 Series switches that are not TrustSec hardware-capable implement TrustSec Network Device Admission Control (NDAC) without SAP or 802.1AE link encryption.
For a complete table of features, platforms, and IOS images supported, see the latest Product Bulletins at the following URL:
http://www.cisco.com/en/US/netsol/ns1051/index.html
See also the Matrix of Cisco TrustSec-Enabled Infrastructure at the following URL:
http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
Flexible NetFlow Support
Flexible NetFlow can account for packets dropped by SGACL enforcement when the SGT and DGT flow objects are configured in the flow record together with the standard 5-tuple flow objects.
Use the flow record and flow exporter global configuration commands to configure a flow record and a flow exporter, then use the flow monitor command to add them to a flow monitor. Use the show flow commands to verify your configuration.
To collect only SGACL-dropped packets, use the [no] cts role-based {ip | ipv6} flow monitor dropped global configuration command.
For Flexible NetFlow overview and configuration information, see the following documents:
Flexible NetFlow Configuration Guide, Cisco IOS Release 15S
http://www.cisco.com/en/US/docs/ios-xml/ios/fnetflow/configuration/15-s/fnf-15-s-book.html
Catalyst 6500 Release 15.0SY Software Configuration Guide
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/15_0_sy_swcg.html
Sample Configurations
Configuration Excerpt of an IPV4 Flow Record (5-tuple, direction, SGT, DGT)
Configuration Excerpt of an IPV6 Flow Record (5-tuple, direction, SGT, DGT)
Configuration Excerpt of an IPv4 Flow Monitor
Configuration Excerpt of an IPv6 Flow Monitor
Configuration Excerpt of the Global Flow Monitor (IPv4 and IPv6)
The following configuration applies the Flow Monitor to packets dropped by Role-Based Access Control Lists (RBACLs) for all TrustSec interfaces on the router or switch:
Configuration Excerpt of the Interface Monitor
The Flow Monitor can also be attached per interface and configured to filter for combinations of ingress (input), egress (output), multicast, unicast, or Layer 2 switched traffic.
For IPv6, the flow monitor is supported only for routed traffic in Cisco IOS Release 12.2(50)SY.
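The procedure above (flow record with the 5-tuple, direction, SGT and DGT fields; flow exporter; flow monitor; the global cts role-based dropped-packet binding; and an interface attachment) as one added IPv4 example. This is not one of the guide's own configuration excerpts: the object names, the collector address 192.0.2.10, the Loopback0 source and the GigabitEthernet1/1 interface are assumed, and the field and command keywords follow the IOS Flexible NetFlow syntax for the Cisco TrustSec fields.

```cisco
! --- Added example, not the guide's own excerpt; names and addresses are assumed ---
! Flow record: standard 5-tuple plus direction, source SGT and destination SGT (DGT).
! Including the CTS fields is what lets SGACL-dropped packets be accounted per SGT/DGT pair.
flow record SGACL-DROP-REC
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter packets
 collect counter bytes
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Flow exporter: send NetFlow v9 to an assumed collector at 192.0.2.10 (assumed source interface).
flow exporter FNF-EXPORTER
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
!
! Flow monitor: binds the record and exporter; active flows are exported every 60 seconds.
flow monitor SGACL-DROP-MON
 record SGACL-DROP-REC
 exporter FNF-EXPORTER
 cache timeout active 60
!
! Global binding: account only packets dropped by RBACL/SGACL enforcement, on all
! TrustSec interfaces, with this monitor (use the "no" form to remove it).
cts role-based ip flow monitor SGACL-DROP-MON dropped
!
! Optional per-interface attachment for ingress traffic on an assumed interface.
interface GigabitEthernet1/1
 ip flow monitor SGACL-DROP-MON input
!
! Verification (see the show commands listed below):
!   show flow monitor SGACL-DROP-MON cache
!   show cts role-based counters
```

Flows exported from this monitor carry the source and destination group tags, so a collector can report which SGT-to-DGT pairs are generating denied traffic rather than only which IP addresses are.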
Flexible NetFlow Show Commands
- show flow record
- show flow monitor
- show flow exporter
- show flow interface
- show cts role-based counters
- show flow monitor <monitor_name> cache
- show flow monitor <monitor_name> statistics
- show platform flow ip
- show platform software flow internal fnf
- show platform hardware flow table flowmask
- show platform hardware flow table profile
- show platform hardware acl entry rbacl all
- show platform hardware acl entry tcam
- show platform software flow internal export
- show platform software flow internal export statistics
- show platform internal export information
- show platform internal export statistics
TrustSec System Error Messages
Cisco TrustSec system error messages are listed in the Cisco Catalyst 6500 Series Switches Error and System Messages guides, found at the following URL:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_system_message_guides_list.html
The Error Message Decoder Tool is at the following URL:
http://www.cisco.com/en/US/support/tsd_most_requested_tools.html
FIPS Support
The Federal Information Processing Standard (FIPS) certification documents for Catalyst 6500 series switch software and hardware combinations are posted on the following website:
http://www.cisco.com/web/strategy/government/security_certification/net_business_benefit_seccert_fips140.html
The Catalyst 6500 Series FIPS certification documents describe the FIPS concepts and implementation per software/hardware combination.
TrustSec Considerations when Configuring FIPS
Perform initial setup, initialization, and configuration procedures of the Catalyst switch per the FIPS certification guide appropriate to your hardware and software configuration.
Licensing Requirements for FIPS
FIPS requires no license for the Catalyst 6500 series switches.
Prerequisites for FIPS Configuration
Guidelines and Limitations for FIPS
- The RADIUS keywrap feature works only with Cisco Identity Services Engine 1.1 or Cisco ACS Release 5.2 or later releases.
- HTTPS/TLS access to the module is allowed in FIPS approved mode of operation, using SSLv3.1/TLSv1.0 and a FIPS approved algorithm.
- SSH access to the module is allowed in FIPS approved mode of operation, using SSHv2 and a FIPS approved algorithm. Many SSH clients provide cryptographic libraries that can be set to FIPS Mode, making all cryptographic operations FIPS 140-2 Level 2 compliant.
- Your passwords must have a minimum of eight alphanumeric characters, including at least one letter and at least one numeric character.