Configuring the Cisco TrustSec Solution
Configuration Overview
This guide documents elementary Cisco TrustSec configuration procedures for Cisco Catalyst switches and includes a TrustSec command reference.
For network-wide deployment configurations, see the section, “Cisco TrustSec Configuration How-to Documents.”
A network-wide deployment includes the configuration, interoperability, and management of multiple devices, which may include the Cisco Identity Services Engine (Cisco ISE), the Cisco Secure Access Control System (Cisco ACS), Cisco IP Telephones, Cisco routers, Cisco network appliances, and so on.
White papers and presentations explaining the Cisco TrustSec Solution are at the following URL:
http://www.cisco.com/en/US/netsol/ns1051/index.html
Cisco TrustSec Configuration How-to Documents
A series of “How-to” configuration documents provides deployment guidelines and best practices for proven network architectures in complex scenarios:
Cisco TrustSec How-to Guide: ISE Profiling Design Guide includes the following topics:
Supported Hardware and Software
For a list of TrustSec supported hardware and software per TrustSec release, see Release Notes for Cisco TrustSec General Availability Releases at the following URL:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/release/notes/rn_cts_crossplat.html
See also the Release Notes, Configuration Guides, and Command References for your device.
Prerequisites for Cisco TrustSec
The following are the prerequisites for establishing a TrustSec network with Catalyst switches:
Cisco TrustSec Guidelines and Limitations
Cisco TrustSec has the following guidelines and limitations for Catalyst switches:
- AAA for Cisco TrustSec uses RADIUS and is supported only by the Cisco Secure Access Control System (ACS), version 5.1 or later.
- You must enable the 802.1X feature globally for Cisco TrustSec to perform NDAC authentication. If you disable 802.1X globally, you will disable NDAC.
- Cisco TrustSec is supported only on physical interfaces, not on logical interfaces.
- Cisco TrustSec does not support IPv6 in the releases referenced in this guide.
- If a default password is configured on a switch, the SXP connections on that switch should be configured to use the default password. If no default password is configured on a switch, the connections on that switch should not be configured with a password either. The password option should be configured consistently across the deployment network.
- Configure the retry open timer command to a different value on different switches.
- SXP conveys IP-SGT mappings to RBACL-enforcing switches in the network. If the access layer switch is in a different NAT domain than the RBACL-enforcing switch, the IP-SGT map it uploads will be meaningless because the IP addresses in the map belong to the wrong NAT domain. The RBACL-enforcing switch will never see the source IP addresses enumerated in the map, so the IP-SGT database lookup will yield nothing. This means it will not be possible to apply RBACL
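The password-consistency and retry-timer guidelines above are the kind of rule that is easy to violate across a fleet of switches. The following Python script is an added example, not part of this guide or any Cisco tool: it parses constructed running-config fragments for three hypothetical switches and reports where a connection's SXP password option disagrees with whether a default password exists on that switch, where the default-password option differs across the deployment, and where two switches share the same retry period. The `cts sxp` command forms it matches (`cts sxp default password`, `cts sxp retry period`, `cts sxp connection peer ... password default|none`) are assumed from Cisco IOS syntax; confirm them against the command reference for your platform and release.

```python
import re
from collections import Counter

# Constructed sample running-config fragments for three hypothetical switches.
# The password value is a placeholder; the command syntax is assumed IOS syntax.
SAMPLE_CONFIGS = {
    "sw-access-1": """
cts sxp enable
cts sxp default password 0 placeholder
cts sxp retry period 120
cts sxp connection peer 10.0.0.2 password default mode local listener
""",
    "sw-access-2": """
cts sxp enable
cts sxp retry period 120
cts sxp connection peer 10.0.0.2 password none mode local listener
""",
    "sw-dist-1": """
cts sxp enable
cts sxp default password 0 placeholder
cts sxp retry period 60
cts sxp connection peer 10.0.0.1 password default mode local speaker
cts sxp connection peer 10.0.0.3 password none mode local speaker
""",
}

DEFAULT_PW_RE = re.compile(r"^cts sxp default password\b")
RETRY_RE = re.compile(r"^cts sxp retry period (\d+)")
PEER_RE = re.compile(r"^cts sxp connection peer (\S+) password (default|none)\b")


def parse_sxp(config_text):
    """Extract the SXP facts the guidelines depend on from one switch config."""
    facts = {"default_password": False, "retry_period": None, "peers": {}}
    for raw in config_text.splitlines():
        line = raw.strip()
        if DEFAULT_PW_RE.match(line):
            facts["default_password"] = True
        elif m := RETRY_RE.match(line):
            facts["retry_period"] = int(m.group(1))
        elif m := PEER_RE.match(line):
            facts["peers"][m.group(1)] = m.group(2)
    return facts


def check_deployment(configs):
    """Return (scope, finding) tuples for each violation of the guidelines.

    scope is a switch name for per-switch findings or "deployment" for
    findings that only show up when several switches are compared.
    """
    findings = []
    parsed = {name: parse_sxp(text) for name, text in configs.items()}

    # Rule 1: a switch with a default password should use it on every
    # connection; a switch without one should configure no password at all.
    for name, f in parsed.items():
        for peer, opt in f["peers"].items():
            if f["default_password"] and opt != "default":
                findings.append((name, f"peer {peer} uses 'password {opt}' "
                                       "but a default password is configured"))
            if not f["default_password"] and opt != "none":
                findings.append((name, f"peer {peer} uses 'password {opt}' "
                                       "but no default password is configured"))

    # Rule 2: the password option must be consistent across the deployment.
    modes = {name: f["default_password"] for name, f in parsed.items()}
    if len(set(modes.values())) > 1:
        with_pw = sorted(n for n, v in modes.items() if v)
        without = sorted(n for n, v in modes.items() if not v)
        findings.append(("deployment", f"default password configured on "
                                       f"{with_pw} but not on {without}"))

    # Rule 3: the retry open timer should differ from switch to switch.
    counts = Counter(f["retry_period"] for f in parsed.values()
                     if f["retry_period"] is not None)
    for period, n in counts.items():
        if n > 1:
            dup = sorted(name for name, f in parsed.items()
                         if f["retry_period"] == period)
            findings.append(("deployment", f"retry period {period}s shared by {dup}"))
    return findings


if __name__ == "__main__":
    for scope, msg in check_deployment(SAMPLE_CONFIGS):
        print(f"[{scope}] {msg}")
```

Run against the constructed configs it reports three findings: the mixed password options on sw-dist-1, the deployment-wide mismatch between switches with and without a default password, and the retry period that sw-access-1 and sw-access-2 share. In practice, feed it the `show running-config | section cts sxp` output collected from each switch.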
Default Settings
Table 2-1 lists the default settings for Cisco TrustSec parameters.
Additional Documentation
Release-Specific Documents
- Release Notes for Cisco TrustSec General Availability Releases
Platform-Specific Documents
- Catalyst 3750-E and 3560-E Switch
- Cisco Catalyst 3560-X Series Switches
- Catalyst 3750 Metro Series Switches
- Cisco Catalyst 3750-X Series Switches
- Catalyst 6500 Release 12.2SXH and Later Software Configuration Guide
- Cisco Secure Access Control System and Cisco Identity Services Engine: TrustSec configurations. TrustSec is referred to as SGA, or Security Group Access, in ISE documentation.
Cisco IOS TrustSec Documentation Set