IPv6 Support for SGT and SGACL

The IPv6 Support for SGT and SGACL feature facilitates dynamic learning of mappings between IP addresses and Security Group Tags (SGTs) for IPv6 addresses. The SGT is later used to derive the Security Group Access Control List (SGACL).

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for IPv6 Support for SGT and SGACL

Enforcement of IPv6 addresses is not supported by this feature.

Information About IPv6 Support for SGT and SGACL

Components of IPv6 Dynamic Learning

Dynamic learning of IPv6 addresses requires three components:

  • Switch Integrated Security Features (SISF)—An infrastructure built to take care of security, address assignment, address resolution, neighbor discovery, exit point discovery, and so on.

  • Cisco Enterprise Policy Manager (EPM)—A solution that registers to SISF to receive IPv6 address notifications. The Cisco EPM then uses these IPv6 addresses and the Security Group Tags (SGTs) downloaded from the Cisco Identity Services Engine (ISE) to generate IP-SGT bindings.

  • Cisco TrustSec—A solution that protects devices from unauthorized access. Cisco TrustSec assigns an SGT to the ingress traffic of a device and enforces the access policy based on the tag anywhere in the network.

Learning of IPv6 addresses can be done using the following methods, which are listed starting from lowest priority (1) to highest priority (7):
  1. VLAN—Bindings learned from snooped Address Resolution Protocol (ARP) packets on a VLAN that has VLAN-SGT mapping.

  2. CLI—Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.

  3. Layer 3 Interface (L3IF)—Bindings added due to forwarding information base (FIB) forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or identity port mapping (IPM) on routed ports.

  4. SXP—Bindings learned from SGT Exchange Protocol (SXP) peers.

  5. IP_ARP—Bindings learned when tagged ARP packets are received on a CTS-capable link.

  6. Local—Bindings of authenticated hosts that are learned via EPM and device tracking.

  7. Internal—Bindings between locally configured IP addresses and the device’s own SGT.

How to Configure IPv6 Support for SGT and SGACL

Configuring SISF Policy and Attaching to a Port

The Switch Integrated Security Features (SISF) policy is configured on both the VLAN and on the physical port. The SISF policy is attached to a VLAN to learn the VLAN-specific address binding. The purpose of attaching the SISF policy to a physical port is to learn IPv4 and IPv6 addresses on the physical port.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. device-tracking policy name
  4. trusted-port
  5. limit address-count max-number
  6. device-role node
  7. tracking enable
  8. exit
  9. vlan configuration vlan-id
  10. device-tracking attach-policy name
  11. ipv6 nd suppress
  12. exit
  13. interface type number
  14. switchport
  15. switchport mode access
  16. switchport access vlan vlan-id
  17. access-session host-mode multi-host
  18. access-session closed
  19. access-session port-control auto
  20. device-tracking attach-policy name
  21. dot1x pae authenticator
  22. service-policy type control subscriber policy-name
  23. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

device-tracking policy name

Example:

Device(config)# device-tracking policy policy1

Configures a policy for feature device-tracking and enters device tracking configuration mode.

Step 4

trusted-port

Example:

Device(config-device-tracking)# trusted-port

Configures a port to become a trusted port.

Step 5

limit address-count max-number

Example:

Device(config-device-tracking)# limit address-count 100

Configures the maximum number of addresses for a port.

Step 6

device-role node

Example:

Device(config-device-tracking)# device-role node

Specifies that the device attached to the port is a node.

Step 7

tracking enable

Example:

Device(config-device-tracking)# tracking enable

Overrides default tracking behavior.

Step 8

exit

Example:

Device(config-device-tracking)# exit

Exits device tracking configuration mode and enters global configuration mode.

Step 9

vlan configuration vlan-id

Example:

Device(config)# vlan configuration 20

Configures the VLAN ID and enters VLAN configuration mode.

Step 10

device-tracking attach-policy name

Example:

Device(config-vlan-config)# device-tracking attach-policy policy1

Applies a policy for feature device-tracking on the VLAN.

Step 11

ipv6 nd suppress

Example:

Device(config-vlan-config)# ipv6 nd suppress

Applies the IPv6 neighbor discovery (ND) suppress feature on the VLAN.

Step 12

exit

Example:

Device(config-vlan-config)# exit

Exits VLAN configuration mode and enters global configuration mode.

Step 13

interface type number

Example:

Device(config)# interface GigabitEthernet5/2

Configures the interface and enters interface configuration mode.

Step 14

switchport

Example:

Device(config-if)# switchport

Modifies an interface that is in Layer 3 mode into Layer 2 mode for Layer 2 configuration.

Step 15

switchport mode access

Example:

Device(config-if)# switchport mode access

Sets the interface type to access mode.

Step 16

switchport access vlan vlan-id

Example:

Device(config-if)# switchport access vlan 20

Sets access mode characteristics of the interface and configures VLAN when the interface is in access mode.

Step 17

access-session host-mode multi-host

Example:

Device(config-if)# access-session host-mode multi-host

Allows hosts to gain access to a controlled port and specifies that all subsequent clients are allowed access after the first client is authenticated.

Step 18

access-session closed

Example:

Device(config-if)# access-session closed

Prevents preauthentication access on a port.

Step 19

access-session port-control auto

Example:

Device(config-if)# access-session port-control auto

Enables port-based authentication and causes the port to begin in the unauthorized state, allowing only Extensible Authentication Protocol over LAN (EAPOL) frames to be sent and received through the port.

Step 20

device-tracking attach-policy name

Example:

Device(config-if)# device-tracking attach-policy policy1

Applies a policy for feature device-tracking on a port.

Step 21

dot1x pae authenticator

Example:

Device(config-if)# dot1x pae authenticator

Enables dot1x authentication on a port.

Step 22

service-policy type control subscriber policy-name

Example:

Device(config-if)# service-policy type control subscriber DOT1X

Specifies the policy-map that is used for sessions that come up on this interface. The policy-map has rules for authentication and authorization.

Step 23

end

Example:

Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.
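
An added example, not part of the Cisco documentation: a Python check that reads a configuration in show running-config layout and reports, for every port that attaches a device-tracking policy, which pieces of the procedure above are missing. The sample configuration is constructed, and the function names and finding texts are this example's own.

```python
import re

# Commands the procedure above places on an authenticated access port.
REQUIRED_ON_PORT = ("switchport mode access", "access-session closed",
                    "access-session port-control auto", "dot1x pae authenticator")
ATTACH = "device-tracking attach-policy "

# Constructed configuration in 'show running-config' layout (assumption:
# top-level commands start at column 0, sub-mode commands are indented).
SAMPLE_CONFIG = """\
device-tracking policy policy1
 tracking enable
!
vlan configuration 20
 device-tracking attach-policy policy1
 ipv6 nd suppress
!
interface GigabitEthernet5/2
 switchport access vlan 20
 switchport mode access
 access-session closed
 access-session port-control auto
 device-tracking attach-policy policy1
 dot1x pae authenticator
 service-policy type control subscriber DOT1X
!
interface GigabitEthernet5/3
 switchport access vlan 30
 switchport mode access
 access-session port-control auto
 device-tracking attach-policy policy2
 dot1x pae authenticator
"""


def parse_sections(config):
    """Map each top-level command to the indented commands beneath it."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections


def attached_policies(body):
    return [cmd[len(ATTACH):] for cmd in body if cmd.startswith(ATTACH)]


def audit_sisf(config):
    """List gaps on every interface that attaches a device-tracking policy."""
    sections = parse_sections(config)
    defined = {head.split()[-1] for head in sections
               if head.startswith("device-tracking policy ")}
    vlan_policies = {}
    for head, body in sections.items():
        m = re.fullmatch(r"vlan configuration (\d+)", head)  # single IDs only
        if m:
            vlan_policies[m.group(1)] = attached_policies(body)
    findings = []
    for head, body in sections.items():
        names = attached_policies(body)
        if not head.startswith("interface ") or not names:
            continue
        port = head.split(None, 1)[1]
        findings += [f"{port}: policy {n} is not defined"
                     for n in names if n not in defined]
        findings += [f"{port}: missing '{c}'"
                     for c in REQUIRED_ON_PORT if c not in body]
        if not any(c.startswith("service-policy type control subscriber ")
                   for c in body):
            findings.append(f"{port}: no control policy applied")
        for cmd in body:
            m = re.fullmatch(r"switchport access vlan (\d+)", cmd)
            if m and not vlan_policies.get(m.group(1)):
                findings.append(f"{port}: VLAN {m.group(1)} has no "
                                "device-tracking policy attached")
    return findings
```

On the constructed sample, GigabitEthernet5/2 passes and GigabitEthernet5/3 is reported for an undefined policy, the missing access-session closed command, no control policy, and a VLAN with no policy attached.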

Generating IPv6 Addresses for IP-SGT Bindings

Switch Integrated Security Features (SISF) is a feature that generates IPv6 addresses for use in IP-SGT bindings.

Before you begin

Ensure that the SISF policy is configured and attached to a Layer 2 physical interface and to a VLAN. For more information, see the “Configuring SISF Policy and Attaching to a Port” section.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ipv6 dhcp pool dhcp-pool-name
  4. address prefix ipv6-address/prefix
  5. exit
  6. interface vlan interface-number
  7. ipv6 enable
  8. no ipv6 address
  9. ipv6 address ipv6-address/prefix
  10. ipv6 address autoconfiguration
  11. ipv6 dhcp server dhcp-pool-name
  12. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ipv6 dhcp pool dhcp-pool-name

Example:

Device(config)# ipv6 dhcp pool dhcp-pool

Assigns an IPv6 DHCP pool to the DHCP server and enters IPv6 DHCP pool configuration mode.

Step 4

address prefix ipv6-address/prefix

Example:

Device(config-dhcpv6)# address prefix 2001:DB8::1/64

Sets the IPv6 address for an end host.

Step 5

exit

Example:

Device(config-dhcpv6)# exit 

Exits IPv6 DHCP pool configuration mode and returns to global configuration mode.

Step 6

interface vlan interface-number

Example:

Device(config)# interface vlan 20

Creates a VLAN interface and enters interface configuration mode.

Step 7

ipv6 enable

Example:

Device(config-if)# ipv6 enable

Enables IPv6 on an interface.

Step 8

no ipv6 address

Example:

Device(config-if)# no ipv6 address

Removes the existing IPv6 address set for an interface.

Step 9

ipv6 address ipv6-address/prefix

Example:

Device(config-if)# ipv6 address 2001:DB8:1:1::1/64

Assigns an IPv6 address for the interface.

Step 10

ipv6 address autoconfiguration

Example:

Device(config-if)# ipv6 address autoconfiguration

Enables stateless autoconfiguration on an interface.

Step 11

ipv6 dhcp server dhcp-pool-name

Example:

Device(config-if)# ipv6 dhcp server dhcp-pool

Assigns an IPv6 DHCP pool to the DHCP server.

Step 12

end

Example:

Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

What to do next

Configure IPv6-SGT binding by using either local binding or a VLAN.

Configuring IPv6 IP-SGT Binding Using Local Binding

In local binding, the Security Group Tag (SGT) value is downloaded from the Identity Services Engine (ISE).

Before you begin

  • Ensure that the SISF policy is configured and attached to a Layer 2 physical interface and to a VLAN. For more information, see the “Configuring SISF Policy and Attaching to a Port” section.

  • An IPv6 address must be generated through Switch Integrated Security Features (SISF) to configure an IP-SGT binding.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. policy-map type control subscriber control-policy-name
  4. event session-started match-all
  5. priority-number class always do-until-failure
  6. action-number authenticate using mab
  7. end
  8. configure terminal
  9. interface gigabitethernet interface-number
  10. description interface-description
  11. switchport access vlan vlan-id
  12. switchport mode access
  13. ipv6 snooping attach-policy policy-name
  14. access-session port-control auto
  15. mab eap
  16. dot1x pae authenticator
  17. service-policy type control subscriber policy-name
  18. end
  19. show cts role-based sgt-map all ipv6

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

policy-map type control subscriber control-policy-name

Example:

Device(config)# policy-map type control subscriber policy1 

Defines a control policy for subscriber sessions and enters control policy-map configuration mode.

Step 4

event session-started match-all

Example:

Device(config-event-control-policymap)# event session-started match-all

Specifies the type of event that triggers actions in a control policy if conditions are met.

Step 5

priority-number class always do-until-failure

Example:

Device(config-class-control-policymap)# 10 class always do-until-failure

Associates a control class with one or more actions in a control policy and enters action control policy-map configuration mode.

  • A named control class must first be configured before specifying it with the control-class-name argument.

Step 6

action-number authenticate using mab

Example:

Device(config-action-control-policymap)# 10 authenticate using mab

Initiates the authentication of a subscriber session using the specified method.

Step 7

end

Example:

Device(config-action-control-policymap)# end

Exits action control policy-map configuration mode and returns to privileged EXEC mode.

Step 8

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 9

interface gigabitethernet interface-number

Example:

Device(config)# interface gigabitethernet 1/0/1

Enters interface configuration mode.

Step 10

description interface-description

Example:

Device(config-if)# description downlink to ipv6 clients

Describes the configured interface.

Step 11

switchport access vlan vlan-id

Example:

Device(config-if)# switchport access vlan 20 

Sets access mode characteristics of the interface and configures VLAN when the interface is in access mode.

Step 12

switchport mode access

Example:

Device(config-if)# switchport mode access

Sets the trunking mode to access mode.

Step 13

ipv6 snooping attach-policy policy-name

Example:

Device(config-if)# ipv6 snooping attach-policy snoop

Applies a policy to the IPv6 snooping feature.

Step 14

access-session port-control auto

Example:

Device(config-if)# access-session port-control auto

Sets the authorization state of a port.

Step 15

mab eap

Example:

Device(config-if)# mab eap

Uses Extensible Authentication Protocol (EAP) for MAC authentication bypass.

Step 16

dot1x pae authenticator

Example:

Device(config-if)# dot1x pae authenticator

Enables dot1x authentication on the port.

Step 17

service-policy type control subscriber policy-name

Example:

Device(config-if)# service-policy type control subscriber policy

Specifies the policy map that is used for sessions that come up on this interface. The policy map has rules for authentication and authorization.

Step 18

end

Example:

Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Step 19

show cts role-based sgt-map all ipv6

Example:

Device# show cts role-based sgt-map all ipv6

Displays active IPv6 IP-SGT bindings.

Configuring IPv6 IP-SGT Binding Using a VLAN

In a VLAN, a network administrator assigns a Security Group Tag (SGT) value to a particular VLAN.

Before you begin

  • Ensure that the SISF policy is configured and attached to a Layer 2 physical interface and to a VLAN. For more information, see the “Configuring SISF Policy and Attaching to a Port” section.

  • An IPv6 address must be generated through Switch Integrated Security Features (SISF) to configure an IP-SGT binding.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. cts role-based sgt-map vlan-list vlan-id sgt sgt-value
  4. end
  5. show cts role-based sgt-map all ipv6

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

cts role-based sgt-map vlan-list vlan-id sgt sgt-value

Example:

Device(config)# cts role-based sgt-map vlan-list 20 sgt 3

Assigns an SGT value to the configured VLAN.

Note 

The range of the sgt-value argument must be from 2 to 65519.

Step 4

end

Example:

Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Step 5

show cts role-based sgt-map all ipv6

Example:

Device# show cts role-based sgt-map all ipv6

Displays active IPv6 IP-SGT bindings.

Verifying IPv6 Support for SGT and SGACL

SUMMARY STEPS

  1. enable
  2. show cts role-based sgt-map all
  3. show cts role-based sgt-map all ipv6
  4. show device-tracking database

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

show cts role-based sgt-map all

Example:

Device# show cts role-based sgt-map all

Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
192.0.2.1                8       INTERNAL
192.0.2.2                8       INTERNAL
192.0.2.3                11      LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of LOCAL    bindings = 1
Total number of INTERNAL bindings = 2
Total number of active   bindings = 3

Active IPv6-SGT Bindings Information

IP Address                                  SGT     Source
================================================================
2001:DB8:0:ABCD::1                          8       INTERNAL
2001:DB8:1::1                               11      LOCAL
2001:DB8:1::1                               11      LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of LOCAL    bindings = 2
Total number of INTERNAL bindings = 1
Total number of active   bindings = 3

Displays active IPv4 and IPv6 IP-SGT bindings.

Step 3

show cts role-based sgt-map all ipv6

Example:

Device# show cts role-based sgt-map all ipv6

Active IP-SGT Bindings Information

IP Address                                  SGT     Source
================================================================
2001:DB8:1::1                                  10      CLI
2001:DB8:1:FFFF::1                             27      VLAN
2001:DB8:9798:8294:753F::1                     5       LOCAL
2001:DB8:8E99:DA94:8A6A::2                     5       LOCAL
2001:DB8:104:2001::139                         27      VLAN
2001:DB8:104:2001:14FE:9798:8294:753F          5       LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of VLAN     bindings = 2
Total number of CLI      bindings = 1
Total number of LOCAL    bindings = 3
Total number of active   bindings = 6

Displays active IPv6 IP-SGT bindings.

Step 4

show device-tracking database

Example:

Device# show device-tracking database

Binding Table has 8 entries, 5 dynamic 
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    Network Layer Address        Link Layer Address Interface    vlan prlvl  age   state     Time left        
ARP 192.0.2.1                    001f.e21c.09b6     Gi5/2         20  0011    8s  REACHABLE  12 s             
L   192.0.2.2                    c464.1395.c700     Vl20          20  0100   45s  REACHABLE                   
ND  2001:DB8::1                  0000.0000.00fd     Gi5/2         20  0000   13s  UNKNOWN    (47 s)           
L   2001:DB8::1                  c464.1395.c700     Vl20          20  0100   43s  REACHABLE                   
ND  2001:DB8:1::1                001f.e21c.09b6     Gi5/2         20  0011    0s  REACHABLE  20 s             
ND  2001:DB8:0:ABCD::1           001f.e21c.09b6     Gi5/2         20  0011    3s  REACHABLE  17 s try 0       
ND  2001:DB8::FFFE:FFFF:FFFF     001f.e21c.09b6     Gi5/2         20  0011   12s  REACHABLE  7 s try 0        
L   2001:DB8::2                  c464.1395.c700     Vl20          20  0100   42s  REACHABLE

Displays the state of the IPv4 and IPv6 neighbor binding entries in a binding table.
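
An added example, not part of the Cisco documentation: a Python parser for output in the layout of show cts role-based sgt-map all ipv6 (Step 3) that cross-checks the summary counters against the listed rows and, when a merged list of candidate bindings names the same address more than once, keeps the source that ranks highest in the priority list under Components of IPv6 Dynamic Learning. It assumes the higher-priority source wins; the sample output and the function names are constructed for this example.

```python
import ipaddress
import re

# Source precedence as listed on this page: 1 = lowest, 7 = highest.
SOURCE_PRIORITY = {"VLAN": 1, "CLI": 2, "L3IF": 3, "SXP": 4,
                   "IP_ARP": 5, "LOCAL": 6, "INTERNAL": 7}
ROW = re.compile(r"^(\S+)\s+(\d+)\s+([A-Z0-9_]+)$")
SUMMARY = re.compile(r"^Total number of (\S+)\s+bindings = (\d+)$")

# Constructed sample in the layout of the Step 3 output. The LOCAL counter is
# deliberately wrong, and one address appears twice in different notations.
SAMPLE = """\
Active IP-SGT Bindings Information

IP Address                                  SGT     Source
================================================================
2001:DB8:1::1                                  10      CLI
2001:DB8:1:FFFF::1                             27      VLAN
2001:DB8:9798:8294:753F::1                     5       LOCAL
2001:db8:1:0::1                                5       LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of VLAN     bindings = 1
Total number of CLI      bindings = 1
Total number of LOCAL    bindings = 1
Total number of active   bindings = 4
"""


def parse_sgt_map(text):
    """Return ([(address, sgt, source), ...], {counter: value})."""
    bindings, summary = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY.match(line)
        if m:
            summary[m.group(1).upper()] = int(m.group(2))
            continue
        m = ROW.match(line)
        if not m:
            continue
        try:
            # Canonical form, so 2001:DB8:1::1 and 2001:db8:1:0::1 compare equal.
            addr = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # three columns, but the first is not an address
        bindings.append((addr, int(m.group(2)), m.group(3)))
    return bindings, summary


def summary_mismatches(bindings, summary):
    """Return {counter: (reported, counted)} where summary and rows disagree."""
    counted = {"ACTIVE": len(bindings)}
    for _, _, source in bindings:
        counted[source] = counted.get(source, 0) + 1
    return {name: (reported, counted.get(name, 0))
            for name, reported in summary.items()
            if reported != counted.get(name, 0)}


def effective_bindings(bindings):
    """Keep one (sgt, source) per address: the highest-priority source wins."""
    best = {}
    for addr, sgt, source in bindings:
        rank = SOURCE_PRIORITY.get(source, 0)  # unknown sources rank lowest
        if addr not in best or rank > SOURCE_PRIORITY.get(best[addr][1], 0):
            best[addr] = (sgt, source)
    return best
```

On the constructed sample, the LOCAL counter is flagged (reported 1, counted 2) and the LOCAL binding replaces the CLI binding for 2001:db8:1::1.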

Configuration Examples for IPv6 Support for SGT and SGACL

Example: Configuring SISF Policy and Attaching to a Port


Device> enable 
Device# configure terminal 
Device(config)# device-tracking policy policy1
Device(config-device-tracking)# trusted-port
Device(config-device-tracking)# limit address-count 100
Device(config-device-tracking)# device-role node
Device(config-device-tracking)# tracking enable
Device(config-device-tracking)# exit
Device(config)# vlan configuration 20
Device(config-vlan-config)# device-tracking attach-policy policy1
Device(config-vlan-config)# ipv6 nd suppress
Device(config-vlan-config)# exit
Device(config)# interface GigabitEthernet5/2
Device(config-if)# switchport
Device(config-if)# switchport mode access
Device(config-if)# switchport access vlan 20
Device(config-if)# access-session host-mode multi-host
Device(config-if)# access-session closed
Device(config-if)# access-session port-control auto
Device(config-if)# device-tracking attach-policy policy1
Device(config-if)# dot1x pae authenticator
Device(config-if)# service-policy type control subscriber DOT1X
Device(config-if)# exit

Example: Generating IPv6 Addresses for IP-SGT Bindings


Device> enable 
Device# configure terminal 
Device(config)# device-tracking policy policy1
Device(config-device-tracking)# trusted-port
Device(config-device-tracking)# limit address-count 100
Device(config-device-tracking)# device-role node
Device(config-device-tracking)# tracking enable
Device(config-device-tracking)# exit
Device(config)# vlan configuration 20
Device(config-vlan-config)# device-tracking attach-policy policy1
Device(config-vlan-config)# ipv6 nd suppress
Device(config-vlan-config)# exit
Device(config)# interface GigabitEthernet5/2
Device(config-if)# switchport
Device(config-if)# switchport mode access
Device(config-if)# switchport access vlan 20
Device(config-if)# access-session host-mode multi-host
Device(config-if)# access-session closed
Device(config-if)# access-session port-control auto
Device(config-if)# device-tracking attach-policy policy1
Device(config-if)# dot1x pae authenticator
Device(config-if)# service-policy type control subscriber DOT1X
Device(config-if)# exit
Device(config)# ipv6 dhcp pool dhcp-pool
Device(config-dhcpv6)# address prefix 2001:DB8::1/64
Device(config-dhcpv6)# exit
Device(config)# interface vlan 20
Device(config-if)# no ip address
Device(config-if)# ipv6 address 2001:DB8::2/64
Device(config-if)# ipv6 address autoconfiguration
Device(config-if)# ipv6 enable
Device(config-if)# ipv6 dhcp server dhcp-pool
Device(config-if)# end

Example: Configuring IPv6 IP-SGT Binding Using Local Binding


Device> enable 
Device# configure terminal 
Device(config)# device-tracking policy policy1
Device(config-device-tracking)# trusted-port
Device(config-device-tracking)# limit address-count 100
Device(config-device-tracking)# device-role node
Device(config-device-tracking)# tracking enable
Device(config-device-tracking)# exit
Device(config)# vlan configuration 20
Device(config-vlan-config)# device-tracking attach-policy policy1
Device(config-vlan-config)# ipv6 nd suppress
Device(config-vlan-config)# exit
Device(config)# interface GigabitEthernet5/2
Device(config-if)# description downlink to ipv6 clients
Device(config-if)# switchport
Device(config-if)# switchport mode access
Device(config-if)# switchport access vlan 20
Device(config-if)# access-session host-mode multi-host
Device(config-if)# access-session closed
Device(config-if)# access-session port-control auto
Device(config-if)# device-tracking attach-policy policy1
Device(config-if)# mab eap
Device(config-if)# dot1x pae authenticator
Device(config-if)# service-policy type control subscriber DOT1X
Device(config-if)# exit
Device(config)# ipv6 dhcp pool dhcp-pool
Device(config-dhcpv6)# address prefix 2001:DB8::1/64
Device(config-dhcpv6)# exit
Device(config)# interface vlan 20
Device(config-if)# no ip address
Device(config-if)# ipv6 address 2001:DB8::2/64
Device(config-if)# ipv6 address autoconfiguration
Device(config-if)# ipv6 enable
Device(config-if)# ipv6 dhcp server dhcp-pool
Device(config-if)# exit
Device(config)# policy-map type control subscriber policy1
Device(config-event-control-policymap)# event session-started match-all
Device(config-class-control-policymap)# 10 class always do-until-failure
Device(config-action-control-policymap)# 10 authenticate using mab
Device(config-action-control-policymap)# end

Example: Configuring IPv6 IP-SGT Binding Using a VLAN


Device> enable 
Device# configure terminal 
Device(config)# device-tracking policy policy1
Device(config-device-tracking)# trusted-port
Device(config-device-tracking)# limit address-count 100
Device(config-device-tracking)# device-role node
Device(config-device-tracking)# tracking enable
Device(config-device-tracking)# exit
Device(config)# vlan configuration 20
Device(config-vlan-config)# device-tracking attach-policy policy1
Device(config-vlan-config)# ipv6 nd suppress
Device(config-vlan-config)# exit
Device(config)# interface GigabitEthernet5/2
Device(config-if)# switchport
Device(config-if)# switchport mode access
Device(config-if)# switchport access vlan 20
Device(config-if)# access-session host-mode multi-host
Device(config-if)# access-session closed
Device(config-if)# access-session port-control auto
Device(config-if)# device-tracking attach-policy policy1
Device(config-if)# dot1x pae authenticator
Device(config-if)# service-policy type control subscriber DOT1X
Device(config-if)# exit
Device(config)# ipv6 dhcp pool dhcp-pool
Device(config-dhcpv6)# address prefix 2001:DB8::1/64
Device(config-dhcpv6)# domain-name domain.com
Device(config-dhcpv6)# exit
Device(config)# interface vlan 20
Device(config-if)# no ip address
Device(config-if)# ipv6 address 2001:DB8::2/64
Device(config-if)# ipv6 address autoconfiguration
Device(config-if)# ipv6 enable
Device(config-if)# ipv6 nd other-config-flag
Device(config-if)# ipv6 dhcp server dhcp-pool
Device(config-if)# end

Additional References for IPv6 Support for SGT and SGACL

Related Documents

Related Topic: Document Title

  • Cisco IOS commands: Cisco IOS Master Command List, All Releases

  • Security commands

  • Security group ACL: “Enablement of Security Group ACL at Interface Level” module of Cisco TrustSec Configuration Guide

  • IEEE 802.1X authentication: “Configuring IEEE 802.1X Port-Based Authentication” module of 802.1X Authentication Services Configuration Guide

  • MAC Authentication Bypass: “Configuring MAC Authentication Bypass” module of Authentication Authorization and Accounting Configuration Guide

Feature Information for IPv6 Support for SGT and SGACL

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1. Feature Information for IPv6 Support for SGT and SGACL

Feature Name: IPv6 Support for SGT and SGACL

Releases: Cisco IOS 15.2(1)SY

Feature Information: The IPv6 Support for SGT and SGACL feature introduces dynamic learning of mappings between IP addresses and Security Group Tags (SGTs) for IPv6 addresses. The SGT is later used to derive the Security Group Access Control List (SGACL).

The following command was modified: cts role-based sgt-map.