Cisco TrustSec Switch Configuration Guide
Configuring SGACL Policies
Revised: February 10, 2012, OL-22192-02

Configuring SGACL Policies

This section includes the following topics:

SGACL Policy Configuration Process

Enabling SGACL Policy Enforcement

Enabling SGACL Policy Enforcement on VLANs

Manually Configuring SGACL Policies

Manually Applying SGACL Policies

Displaying the SGACL Policies

Refreshing the Downloaded SGACL Policies

SGACL Policy Configuration Process

Follow these steps to configure and enable Cisco TrustSec SGACL policies:


Step 1 Configuration of SGACL policies should be done primarily through the Policy Management function of the Cisco Secure ACS or the Cisco Identity Services Engine (see the Configuration Guide for the Cisco Secure ACS or the Cisco Identity Services Engine User Guide).

If you are not using AAA on a Cisco Secure ACS or a Cisco ISE to download the SGACL policy configuration, or if you have a short-term need for a local policy, you can manually configure the SGACL mapping and policies (see the "Manually Configuring SGACL Policies" section and the "Manually Applying SGACL Policies" section).


Note An SGACL policy downloaded dynamically from the ACS will override any conflicting locally-defined policy.


Step 2 To enable SGACL policy enforcement on egress traffic on routed ports, enable SGACL policy enforcement globally as described in the "Enabling SGACL Policy Enforcement" section.

Step 3 To enable SGACL policy enforcement on switched traffic within a VLAN, or on traffic that is forwarded to an SVI associated with a VLAN, enable SGACL policy enforcement for specific VLANs as described in the "Enabling SGACL Policy Enforcement on VLANs" section.


Enabling SGACL Policy Enforcement

Feature History: 12.2(50) SY: This feature was introduced on the Catalyst 6500 series switches.


You must enable SGACL policy enforcement globally for Cisco TrustSec-enabled routed interfaces.

To enable SGACL policy enforcement on routed interfaces, perform this task:

Step 1
Command: Router# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Router(config)# cts role-based enforcement
Purpose: Enables Cisco TrustSec SGACL policy enforcement on routed interfaces.

This example shows how to enable SGACL policy enforcement globally for Cisco TrustSec-enabled routed interfaces:

Router# configure terminal
Router(config)# cts role-based enforcement
Router(config)# exit

Enabling SGACL Policy Enforcement on VLANs

Feature History: 12.2(50) SY: This feature was introduced on the Catalyst 6500 series switches.


You must enable SGACL policy enforcement on specific VLANs to apply access control to switched traffic within a VLAN, or to traffic that is forwarded to an SVI associated with a VLAN.

To enable SGACL policy enforcement on a VLAN or a VLAN list, perform this task:

Step 1
Command: Router# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Router(config)# cts role-based enforcement vlan-list vlan-list
Purpose: Enables Cisco TrustSec SGACL policy enforcement on the VLAN or VLAN list.

This example shows how to enable SGACL policy enforcement on a VLAN list:

Router# configure terminal
Router(config)# cts role-based enforcement vlan-list 31-35,41
Router(config)# exit

Manually Configuring SGACL Policies

Feature History: 12.2(50) SY: This feature was introduced on the Catalyst 6500 series switches.


Although configuration of SGACL policies should be done primarily through the Policy Management functions of the Cisco Secure ACS or Cisco ISE, you can manually configure SGACL policies on your switch if a Cisco ACS or Cisco ISE is not available or if you have a short-term need for a local policy.


Note You must create the SGACL before using it in a policy.



Note An SGACL policy downloaded dynamically from the ACS will override any conflicting locally-defined policy.


Configuring IPv4 Policies

To manually configure IPv4 SGACL policies, perform this task:

Step 1
Command: Router# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Router(config)# ip access-list role-based sgacl-name
Purpose: Creates a named SGACL and enters role-based ACL configuration mode.

Step 3
Command: Router(config-rb-acl)# [sequence-number | no] {permit | deny} protocol [option option-name] {[precedence precedence] [tos tos] | [dscp dscp]} [log] [fragments]
Purpose: Specifies the access control entries (ACEs) for the SGACL.

You can use most of the commands and options allowed in extended named access list configuration mode, with the source and destination fields omitted.

The following ACE commands or keywords are not supported: reflect, evaluate, time-range.

Protocol-specific ACE forms:

Router(config-rb-acl)# [sequence-number | no] {permit | deny} icmp [icmp-type [icmp-code] | icmp-message] {[precedence precedence] [tos tos] | [dscp dscp]} [log] [fragments]

Router(config-rb-acl)# [sequence-number | no] {permit | deny} tcp [src operator {src-port}+] [dst operator {dst-port}+] {[precedence precedence] [tos tos] | [dscp dscp]} [log] [fragments] [established | {{match-any | match-all} {{+ | -}flag-name}+}]

Router(config-rb-acl)# [sequence-number | no] {permit | deny} udp [src operator {src-port}+] [dst operator {dst-port}+] {[precedence precedence] [tos tos] | [dscp dscp]} [log] [fragments]

Router(config-rb-acl)# [sequence-number | no] {permit | deny} igmp [igmp-type] {[precedence precedence] [tos tos] | [dscp dscp]} [log] [fragments]

Step 4
Command: Router(config-rb-acl)# exit
Purpose: Exits ACL configuration mode.

This example shows how to configure and verify an IPv4 SGACL policy:

Router(config)# ip access-list role-based RBAC2
Router(config-rb-acl)# permit tcp src eq 10 dst eq 20
Router(config-rb-acl)# permit udp src range 3100 4200
Router(config-rb-acl)# end
Router# show ip access-lists RBAC2
Role-based IP access list RBAC2
    10 permit tcp src eq 10 dst eq ftp-data
    20 permit udp src range 3100 4200

Configuring IPv6 Policies

To manually configure IPv6 SGACL policies, perform this task:

Step 1
Command: Router# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Router(config)# ipv6 access-list role-based sgacl-name
Purpose: Creates a named IPv6 SGACL and enters IPv6 role-based ACL configuration mode.

Step 3
Command: Router(config-ipv6rb-acl)# [no] {permit | deny} protocol [dest-option | dest-option-type {doh-number | doh-type}] [dscp cp-value] [flow-label fl-value] [mobility | mobility-type {mh-number | mh-type}] [routing | routing-type routing-number] [fragments] [log | log-input] [sequence seqno]
Purpose: Specifies the access control entries (ACEs) for the IPv6 SGACL.

You can use most of the commands and options allowed in extended named access list configuration mode, with the source and destination fields omitted.

The following ACE commands or keywords are not supported: reflect, evaluate, time-range.

Step 4
Command: Router(config-ipv6rb-acl)# exit
Purpose: Exits IPv6 ACL configuration mode.

Manually Applying SGACL Policies

Feature History: 12.2(50) SY: This feature was introduced on the Catalyst 6500 series switches.


To manually apply SGACL policies, perform this task:

Step 1
Command: Router# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Router(config)# cts role-based permissions default [ipv4 | ipv6] sgacl-name1 [sgacl-name2 [sgacl-name3 ...]]
Purpose: Specifies the default SGACLs. The default policies are applied when no explicit policy exists between the source and destination security groups.

Step 3
Command: Router(config)# cts role-based permissions from {source-sgt | unknown} to {dest-sgt | unknown} [ipv4 | ipv6] sgacl-name1 [sgacl-name2 [sgacl-name3 ...]]
Purpose: Specifies the SGACLs to be applied for a source security group (SGT) and destination security group (DGT). Values for source-sgt and dest-sgt range from 1 to 65533. By default, SGACLs are considered to be IPv4.

from—Specifies the source SGT.

to—Specifies the destination security group.

unknown—SGACL applies to packets where the security group (source or destination) cannot be determined.

Note An SGACL policy downloaded dynamically from the ACS will override any conflicting manual policy.

This example shows how to manually apply default and custom SGACL policies:

Router# configure terminal
Router(config)# cts role-based permissions default MYDEFAULTSGACL
Router(config)# cts role-based permissions from 3 to 5 SRB3 SRB5
Router(config)# exit

Displaying the SGACL Policies

After configuring the Cisco TrustSec device credentials and AAA, you can verify the Cisco TrustSec SGACL policies downloaded from the authentication server or configured manually. Cisco TrustSec downloads the SGACL policies when it learns of a new SGT through authentication and authorization on an interface, from SXP, or from manual IP address to SGT mapping.

To display the contents of the SGACL policies permissions matrix, perform this task:

Step 1
Command: Router# show cts role-based permissions default [ipv4 | ipv6 | details]
Purpose: Displays the SGACLs of the default policy.

Command: Router# show cts role-based permissions [from {source-sgt | unknown}] [to {dest-sgt | unknown}] [ipv4 | ipv6] [details]
Purpose: Displays the contents of the permissions matrix, including SGACLs downloaded from the authentication server and manually configured on the switch.

Using the keywords, you can display all or part of the permissions matrix:

If the from keyword is omitted, a column from the permissions matrix is displayed.

If the to keyword is omitted, a row from the permissions matrix is displayed.

If the from and to keywords are omitted, the entire permissions matrix is displayed.

If the from and to keywords are specified, a single cell from the permissions matrix is displayed and the details keyword is available. When details is entered, the ACEs of the SGACL of the single cell are displayed.

This example shows how to display the content of the SGACL policies permissions matrix for traffic sourced from security group 3:

Router# show cts role-based permissions from 3 
Role-based permissions from group 3 to group 5:
        SRB3
        SRB5
Role-based permissions from group 3 to group 7:
        SRB4
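As an added model (not Cisco code and not the switch's implementation), the following Python sketch captures the permissions-matrix rules stated in the "Manually Applying SGACL Policies" and "Displaying the SGACL Policies" sections: explicit from/to cells, the unknown keyword, the default policy as the fallback when no explicit cell exists, dynamic policies overriding conflicting local ones, and the row, column and single-cell views that the show command's from and to keywords select. It assumes that a local policy never displaces an already installed dynamic one for the same cell (the page states only the reverse direction); the matrix contents are constructed from the page's CLI examples.

```python
# Added model of the SGACL permissions matrix; not Cisco code.
from typing import Dict, List, Optional, Tuple, Union

SGT = Union[int, str]     # 1..65533, or the keyword "unknown"
Cell = Tuple[SGT, SGT]    # (source SGT, destination SGT)


class PermissionsMatrix:
    def __init__(self) -> None:
        # cell -> (SGACL names in order, origin: "dynamic" or "local")
        self.cells: Dict[Cell, Tuple[List[str], str]] = {}
        self.default: List[str] = []   # cts role-based permissions default

    def install(self, src: SGT, dst: SGT, sgacls: List[str], origin: str) -> None:
        """origin is 'dynamic' (downloaded from ACS/ISE) or 'local' (manual).
        A dynamic policy replaces a conflicting local one for the same cell;
        assumption: a local policy does not displace an installed dynamic one."""
        if origin not in ("dynamic", "local"):
            raise ValueError(origin)
        current = self.cells.get((src, dst))
        if origin == "local" and current is not None and current[1] == "dynamic":
            return
        self.cells[(src, dst)] = (list(sgacls), origin)

    def resolve(self, src: Optional[int], dst: Optional[int]) -> List[str]:
        """SGACLs enforced for one flow. None means the SGT could not be
        determined, which maps to the 'unknown' keyword; with no explicit
        cell the default policy applies."""
        key: Cell = ("unknown" if src is None else src,
                     "unknown" if dst is None else dst)
        hit = self.cells.get(key)
        return hit[0] if hit else list(self.default)

    def show(self, src: Optional[SGT] = None,
             dst: Optional[SGT] = None) -> Dict[Cell, List[str]]:
        """Mirror the from/to keyword semantics: omit 'to' for a row, omit
        'from' for a column, omit both for the whole matrix, give both for one cell."""
        return {c: acls for c, (acls, _) in sorted(self.cells.items(), key=str)
                if (src is None or c[0] == src) and (dst is None or c[1] == dst)}


def build_example() -> PermissionsMatrix:
    """Constructed from the page's CLI examples: default MYDEFAULTSGACL,
    from 3 to 5 SRB3 SRB5, and a downloaded 3->7 SRB4 as in the show output."""
    m = PermissionsMatrix()
    m.default = ["MYDEFAULTSGACL"]
    m.install(3, 5, ["SRB3", "SRB5"], "local")
    m.install(3, 7, ["SRB4"], "dynamic")
    m.install(3, 7, ["LOCALONLY"], "local")          # ignored: dynamic wins
    m.install("unknown", 5, ["UNKNOWN_TO_5"], "local")
    return m
```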

Refreshing the Downloaded SGACL Policies

To refresh the SGACL policies downloaded to the switch by the authentication server, perform this task:

Step 1
Command: Router# cts refresh policy {peer [peer-id] | sgt [sgt_number | default | unknown]}
Purpose: Performs an immediate refresh of the SGACL policies from the authentication server.

If a peer-id is specified, only the policies related to the specified peer connection are refreshed. To refresh all peer policies, press Enter without specifying an ID.

If an SGT number is specified, only the policies related to that SGT are refreshed. To refresh all security group tag policies, press Enter without specifying an SGT number. Select default to refresh the default policy. Select unknown to refresh unknown policy.