The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The IPv6 Support for SGT and SGACL feature facilitates dynamic learning of mappings between IP addresses and Security Group Tags (SGTs) for IPv6 addresses. The SGT is later used to derive the Security Group Access Control List (SGACL).
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restriction: this feature provides learning of IPv6 IP-SGT bindings only. SGACL enforcement on IPv6 traffic (applying the policy derived from the tag to IPv6 packets) is not supported by this feature.
Dynamic learning of IPv6 addresses requires three components:
Switch Integrated Security Features (SISF)—An infrastructure built to take care of security, address assignment, address resolution, neighbor discovery, exit point discovery, and so on.
Cisco Enterprise Policy Manager (EPM)—A solution that registers to SISF to receive IPv6 address notifications. The Cisco EPM then uses these IPv6 addresses and the Security Group Tags (SGTs) downloaded from the Cisco Identity Services Engine (ISE) to generate IP-SGT bindings.
Cisco TrustSec—A solution that protects devices from unauthorized access. Cisco TrustSec assigns an SGT to the ingress traffic of a device and enforces the access policy based on the tag anywhere in the network.
IP-SGT bindings can come from the following sources (the Source column of the show cts role-based sgt-map output identifies which one produced each binding):

VLAN—Bindings learned from snooped Address Resolution Protocol (ARP) packets on a VLAN that has a VLAN-SGT mapping.

CLI—Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.

Layer 3 Interface (L3IF)—Bindings added because of forwarding information base (FIB) forwarding entries that have paths through one or more interfaces with a consistent L3IF-SGT mapping or identity port mapping (IPM) on routed ports.

SXP—Bindings learned from SGT Exchange Protocol (SXP) peers.

IP_ARP—Bindings learned when tagged ARP packets are received on a CTS-capable link.

Local—Bindings of authenticated hosts that are learned via EPM and device tracking.

Internal—Bindings between locally configured IP addresses and the device's own SGT.
Switch Integrated Security Features (SISF) learns the IPv6 addresses that attached hosts use (through IPv6 snooping and device tracking) and makes those addresses available for IP-SGT bindings. The following steps configure an IPv6 snooping policy with tracking, a DHCPv6 pool, and a VLAN interface that serves that pool.
1. enable
2. configure terminal
3. ipv6 snooping policy policy-name
4. tracking enable
5. exit
6. ipv6 dhcp pool dhcp-pool-name
7. address prefix ipv6-address/prefix
8. exit
9. interface vlan interface-number
10. ipv6 enable
11. no ipv6 address
12. ipv6 address ipv6-address/prefix
13. ipv6 address autoconfiguration
14. ipv6 dhcp server dhcp-pool-name
15. end
Configure IPv6-SGT binding by using either local binding or a VLAN.
In local binding, the host authenticates on the access port (in the procedure below, by MAC Authentication Bypass) and the Security Group Tag (SGT) value is downloaded from the Identity Services Engine (ISE) as part of the authorization; the IPv6 addresses that SISF learns for that host are then bound to that SGT.
1. enable
2. configure terminal
3. policy-map type control subscriber control-policy-name
4. event session-started match-all
5. priority-number class always do-until-failure
6. action-number authenticate using mab
7. end
8. configure terminal
9. interface gigabitethernet interface-number
10. description interface-description
11. switchport access vlan vlan-id
12. switchport mode access
13. ipv6 snooping attach-policy policy-name
14. access-session port-control auto
15. mab eap
16. dot1x pae authenticator
17. service-policy type control subscriber policy-name
18. end
19. show cts role-based sgt-map all ipv6
In VLAN binding, a network administrator assigns a Security Group Tag (SGT) value to a particular VLAN; every IPv6 address learned on that VLAN is then bound to that SGT.
1. enable
2. configure terminal
3. cts role-based sgt-map vlan-list vlan-id sgt sgt-value
4. end
5. show cts role-based sgt-map all ipv6
To verify the IP-SGT bindings that the device has learned:

1. enable
2. show cts role-based sgt-map all
3. show cts role-based sgt-map all ipv6
Step 1: enable
Purpose: Enables privileged EXEC mode.
Example:
Device> enable

Step 2: show cts role-based sgt-map all
Purpose: Displays active IPv4 and IPv6 IP-SGT bindings.
Example:
Device# show cts role-based sgt-map all
Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
192.0.2.1 8 INTERNAL
192.0.2.2 8 INTERNAL
192.0.2.3 11 LOCAL
IP-SGT Active Bindings Summary
============================================
Total number of LOCAL bindings = 1
Total number of INTERNAL bindings = 2
Total number of active bindings = 3
Active IPv6-SGT Bindings Information
IP Address SGT Source
================================================================
2001:DB8:0:ABCD::1 8 INTERNAL
2001:DB8:1::1 11 LOCAL
2001:DB8:1::1 11 LOCAL
IP-SGT Active Bindings Summary
============================================
Total number of LOCAL bindings = 2
Total number of INTERNAL bindings = 1
Total number of active bindings = 3

Step 3: show cts role-based sgt-map all ipv6
Purpose: Displays active IPv6 IP-SGT bindings.
Example:
Device# show cts role-based sgt-map all ipv6
Active IP-SGT Bindings Information
IP Address SGT Source
================================================================
2001:DB8:1::1 10 CLI
2001:DB8:1:FFFF::1 27 VLAN
2001:DB8:9798:8294:753F::1 5 LOCAL
2001:DB8:8E99:DA94:8A6A::2 5 LOCAL
2001:DB8:104:2001::139 27 VLAN
2001:DB8:104:2001:14FE:9798:8294:753F 5 LOCAL
IP-SGT Active Bindings Summary
============================================
Total number of VLAN bindings = 2
Total number of CLI bindings = 1
Total number of LOCAL bindings = 3
Total number of active bindings = 6
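The show output above is what an operator reads by eye; when bindings are collected from many switches it is worth checking them mechanically. The following Python script is an added example, not Cisco code and not part of this guide: it parses output in the format of the show cts role-based sgt-map all ipv6 command, tallies the bindings per source, compares those tallies with the summary lines the device prints, reports any address that is listed more than once, and optionally flags bindings whose source is not expected on that device (for example a CLI binding on an access switch where only LOCAL and VLAN bindings should exist). Both sample outputs embedded in the script are constructed to match the format on this page; the allowed_sources parameter and the finding strings are this example's own design.

```python
"""Parse and cross-check `show cts role-based sgt-map all ipv6` output.

Added example, not Cisco code. The sample outputs below are constructed
in the format shown on this page; they were not captured from a device.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: consistent output with three binding sources.
SAMPLE_OUTPUT = """\
Active IP-SGT Bindings Information

IP Address                              SGT  Source
================================================================
2001:DB8:1::1                           10   CLI
2001:DB8:1:FFFF::1                      27   VLAN
2001:DB8:9798:8294:753F::1              5    LOCAL
2001:DB8:8E99:DA94:8A6A::2              5    LOCAL
2001:DB8:104:2001::139                  27   VLAN
2001:DB8:104:2001:14FE:9798:8294:753F   5    LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of VLAN bindings = 2
Total number of CLI bindings = 1
Total number of LOCAL bindings = 3
Total number of active bindings = 6
"""

# Constructed sample: one address listed twice, and an INTERNAL summary
# count that does not match the bindings actually listed.
INCONSISTENT_OUTPUT = """\
Active IP-SGT Bindings Information

IP Address                 SGT  Source
================================================================
2001:DB8:0:ABCD::1         8    INTERNAL
2001:DB8:1::1              11   LOCAL
2001:DB8:1::1              11   LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of LOCAL bindings = 2
Total number of INTERNAL bindings = 2
Total number of active bindings = 3
"""

# A binding line is: <address> <sgt> <SOURCE>; header and ruler lines do
# not have a numeric second column, so they never match.
BINDING_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Z][A-Z_0-9]*)\s*$")
SUMMARY_RE = re.compile(r"^Total number of (\S+) bindings = (\d+)$")


def parse_sgt_map(text):
    """Return (bindings, summary).

    bindings: list of (ipaddress object, sgt:int, source:str) in display order
    summary:  {source_name_as_printed: count}, with "active" for the total line
    """
    bindings, summary = [], {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = BINDING_RE.match(line)
        if not m:
            continue
        ip_str, sgt, source = m.groups()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # not an address column (defensive; headers already fail the regex)
        bindings.append((ip, int(sgt), source))
    return bindings, summary


def check_sgt_map(text, allowed_sources=None):
    """Cross-check the listed bindings; returns a list of findings (empty == consistent).

    allowed_sources (hypothetical policy knob for this example): a set of
    source names that are expected on this device; any other source is flagged.
    """
    bindings, summary = parse_sgt_map(text)
    findings = []
    per_source = Counter(src for _, _, src in bindings)

    # 1. The device's own per-source and total counts must match what it listed.
    for source, claimed in summary.items():
        actual = len(bindings) if source == "active" else per_source.get(source, 0)
        if actual != claimed:
            findings.append(f"{source}: summary claims {claimed}, listed {actual}")

    # 2. One address should carry exactly one binding; a repeated address
    #    needs a second look before the output is trusted.
    for ip, n in Counter(ip for ip, _, _ in bindings).items():
        if n > 1:
            findings.append(f"{ip}: listed {n} times")

    # 3. Optional: only the expected binding sources should appear here.
    if allowed_sources is not None:
        for ip, sgt, src in bindings:
            if src not in allowed_sources:
                findings.append(f"{ip}: SGT {sgt} from unexpected source {src}")
    return findings


if __name__ == "__main__":
    for name, text in (("consistent", SAMPLE_OUTPUT), ("inconsistent", INCONSISTENT_OUTPUT)):
        print(name, check_sgt_map(text, allowed_sources={"LOCAL", "VLAN", "INTERNAL"}) or "OK")
```

Addresses are normalised through the ipaddress module, so "2001:DB8:1::1" and "2001:db8:1::1" count as the same host in the duplicate check, and findings print the compressed lowercase form. Feed the script the raw text of the command as collected from the device; it does not connect to anything itself.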
Example: Configuring SISF (IPv6 snooping policy with tracking, DHCPv6 pool, and the VLAN interface that serves it)

Device> enable
Device# configure terminal
Device(config)# ipv6 snooping policy policy-name
Device(config-ipv6-snooping)# tracking enable
Device(config-ipv6-snooping)# exit
Device(config)# ipv6 dhcp pool dhcp-pool
Device(config-dhcpv6)# address prefix 2001:DB8::1/64
Device(config-dhcpv6)# exit
Device(config)# interface vlan 20
Device(config-if)# no ip address
Device(config-if)# ipv6 address 2001:DB8::2/64
Device(config-if)# ipv6 address autoconfiguration
Device(config-if)# ipv6 enable
Device(config-if)# ipv6 dhcp server dhcp-pool
Device(config-if)# end
Example: Configuring local binding (SISF, a subscriber control policy that authenticates with MAB, and the access port). The snooping policy name (snoop) and the control policy name (policy1) must be the same where they are defined and where they are attached.

Device> enable
Device# configure terminal
Device(config)# ipv6 snooping policy snoop
Device(config-ipv6-snooping)# tracking enable
Device(config-ipv6-snooping)# exit
Device(config)# ipv6 dhcp pool dhcp-pool
Device(config-dhcpv6)# address prefix 2001:DB8::1/64
Device(config-dhcpv6)# exit
Device(config)# interface vlan 20
Device(config-if)# no ip address
Device(config-if)# ipv6 address 2001:DB8::2/64
Device(config-if)# ipv6 address autoconfiguration
Device(config-if)# ipv6 enable
Device(config-if)# ipv6 dhcp server dhcp-pool
Device(config-if)# exit
Device(config)# policy-map type control subscriber policy1
Device(config-event-control-policymap)# event session-started match-all
Device(config-class-control-policymap)# 10 class always do-until-failure
Device(config-action-control-policymap)# 10 authenticate using mab
Device(config-action-control-policymap)# end
Device# configure terminal
Device(config)# interface gigabitethernet 1/0/1
Device(config-if)# description downlink to ipv6 clients
Device(config-if)# switchport access vlan 20
Device(config-if)# switchport mode access
Device(config-if)# ipv6 snooping attach-policy snoop
Device(config-if)# access-session port-control auto
Device(config-if)# mab eap
Device(config-if)# dot1x pae authenticator
Device(config-if)# service-policy type control subscriber policy1
Device(config-if)# end
Example: Configuring SISF with a domain name in the DHCPv6 pool and the Neighbor Discovery other-config flag set on the VLAN interface, so that hosts also query the DHCPv6 server for that additional configuration

Device> enable
Device# configure terminal
Device(config)# ipv6 snooping policy policy-name
Device(config-ipv6-snooping)# tracking enable
Device(config-ipv6-snooping)# exit
Device(config)# ipv6 dhcp pool dhcp-pool
Device(config-dhcpv6)# address prefix 2001:DB8::1/64
Device(config-dhcpv6)# domain name domain.com
Device(config-dhcpv6)# exit
Device(config)# interface vlan 20
Device(config-if)# no ip address
Device(config-if)# ipv6 address 2001:DB8::2/64
Device(config-if)# ipv6 address autoconfiguration
Device(config-if)# ipv6 enable
Device(config-if)# ipv6 nd other-config-flag
Device(config-if)# ipv6 dhcp server dhcp-pool
Device(config-if)# end
Related Topic | Document Title
---|---
Cisco IOS commands |
Security commands |
Security group ACL | “Enablement of Security Group ACL at Interface Level” module of Cisco TrustSec Configuration Guide
IEEE 802.1X authentication | “Configuring IEEE 802.1X Port-Based Authentication” module of 802.1X Authentication Services Configuration Guide
MAC Authentication Bypass | “Configuring MAC Authentication Bypass” module of Authentication Authorization and Accounting Configuration Guide
Description | Link
---|---
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feature Name | Releases | Feature Information
---|---|---
IPv6 Support for SGT and SGACL | Cisco IOS 15.2(2)E | The IPv6 Support for SGT and SGACL feature introduces dynamic learning of mappings between IP addresses and Security Group Tags (SGTs) for IPv6 addresses. The SGT is later used to derive the Security Group Access Control List (SGACL). The following command was modified: cts role-based sgt-map.