Cisco TrustSec Switch Configuration Guide
Configuring SGACL Policies
Downloads: This chapterpdf (PDF - 373.0 KB) The complete bookPDF (PDF - 2.01 MB) | Feedback

Table of Contents

Configuring SGACL Policies

Cisco TrustSec SGACL Feature Histories

SGACL Policy Configuration Process

Enabling SGACL Policy Enforcement Globally

Configuration Examples for Enabling SGACL Policy Enforcement Globally

Enabling SGACL Policy Enforcement Per Interface

Configuration Examples for Enabling SGACL Policy Enforcement Per Interface

Enabling SGACL Policy Enforcement on VLANs

Configuration Examples for Enabling SGACL Policy Enforcement on VLANs

Manually Configuring SGACL Policies

Manually Configuring and Applying IPv4 SGACL Policies

Configuration Examples for Manually Configuring SGACL Policies

Displaying SGACL Policies

Refreshing the Downloaded SGACL Policies

Cisco TrustSec SGACL Feature Histories

For a list of supported TrustSec features per platform and the minimum required IOS release, see
the Cisco TrustSec Platform Support Matrix at the following URL:

http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html

Otherwise, see product release notes for detailed feature introduction information.

SGACL Policy Configuration Process

Follow these steps to configure and enable Cisco TrustSec SGACL policies:


Step 1 Configuration of SGACL policies should be done primarily through the Policy Management function of the Cisco Secure ACS or the Cisco Identity Services Engine (see the Configuration Guide for the Cisco Secure ACS or the Cisco Identity Services Engine User Guide).

If you are not using AAA on a Cisco Secure ACS or a Cisco ISE to download the SGACL policy configuration, you can manually configure the SGACL mapping and policies (see the “Manually Configuring SGACL Policies” section and the “Manually Configuring SGACL Policies” section).


Note An SGACL policy downloaded dynamically from the Cisco Secure ACS or a Cisco ISE will override any conflicting locally-defined policy.


Step 2 To enable SGACL policy enforcement on egress traffic on routed ports, enable SGACL policy enforcement globally as described in the “Enabling SGACL Policy Enforcement Globally” section.

Step 3 To enable SGACL policy enforcement on switched traffic within a VLAN, or on traffic that is forwarded to an SVI associated with a VLAN, enable SGACL policy enforcement for specific VLANs as described in the “Enabling SGACL Policy Enforcement on VLANs” section.


 

Enabling SGACL Policy Enforcement Globally

You must enable SGACL policy enforcement globally for Cisco TrustSec-enabled routed interfaces.

To enable SGACL policy enforcement on routed interfaces, perform this task:

 

Command
Purpose

Step 1

Router# configure terminal

Enters global configuration mode.

Step 2

Router(config)# cts role-based enforcement

Enables Cisco TrustSec SGACL policy enforcement on routed interfaces.

Configuration Examples for Enabling SGACL Policy Enforcement Globally

Catalyst 6500, Catalyst 3850:

Switch(config)# cts role-based enforcement

Enabling SGACL Policy Enforcement Per Interface

You must first enable SGACL policy enforcement globally for Cisco TrustSec-enabled routed interfaces. This feature is not supported on Port Channel interfaces.

To enable SGACL policy enforcement on Layer 3 interfaces, perform this task:

Detailed Steps Catalyst 6500

 

Command
Purpose

Step 1

Router# configure terminal

Enters global configuration mode.

Step 2

Router(config)# interface gigabit 6/2

Specifies interface on which to enable or disable SGACL enforcement.

Step 3

Router(config-if)# cts role-based enforcement

 

Enables Cisco TrustSec SGACL policy enforcement on routed interfaces.

Step 4

Router(config-if)# do show cts interface

Verifies that SGACL enforcement is enabled.

Configuration Examples for Enabling SGACL Policy Enforcement Per Interface

Catalyst 3850:

Switch# configure terminal

Switch(config)# interface gigabit 1/0/2

Switch(config-if)# cts role-based enforcement
Switch(config-if)# end

Enabling SGACL Policy Enforcement on VLANs

You must enable SGACL policy enforcement on specific VLANs to apply access control to switched traffic within a VLAN, or to traffic that is forwarded to an SVI associated with a VLAN.

To enable SGACL policy enforcement on a VLAN or a VLAN list, perform this task:

Detailed Steps Catalyst 6500

 

Command
Purpose

Step 1

Router# configure terminal

Enters global configuration mode.

Step 2

Router(config)# cts role-based enforcement vlan-list vlan-list

Enables Cisco TrustSec SGACL policy enforcement on the VLAN or VLAN list.

Configuration Examples for Enabling SGACL Policy Enforcement on VLANs

Catalyst 3850:

Switch# configure terminal
Switch(config)# cts role-based enforcement vlan-list 31-35,41
Switch(config)# exit

Manually Configuring SGACL Policies

A role-based access control list bound to a range of SGTs and DGTs forms an SGACL, a TrustSec policy enforced on egress traffic. Configuration of SGACL policies are best done through the policy management functions of the Cisco ISE or the Cisco Secure ACS. To manually (that is, locally) configure SGACL policies, do the following:

1. Configure a role-based ACL.

2. Bind the role-based ACL to a range of SGTs.


Note An SGACL policy downloaded dynamically from the Cisco ISE or Cisco ACS overrides any conflicting manually configured policy.


Manually Configuring and Applying IPv4 SGACL Policies

Detailed Steps for Catalyst 3850

 

Command
Purpose

Step 1

Router# configure terminal

Enters global configuration mode.

Step 2

ip access-list role-based rbacl -name

 

 

 

Switch(config)# ip access-list role-based allow_webtraff

Creates a Role-based ACL and enters Role-based ACL configuration mode.

Step 3

{[ sequence-number ] | default | permit | deny | remark }

 

 

 

 

 

 

 

 

 

 

 

 

 

Switch(config-rb-acl)# 10 permit tcp dst eq 80 dst eq 20

Specifies the access control entries (ACEs) for the RBACL.

You can use most of the commands and options allowed in extended named access list configuration mode, with the source and destination fields omitted.

Press Enter to complete an ACE and begin the next.

For full explanations of ACL configuration, keywords, and options, see, Security Configuration Guide: Access Control Lists, Cisco IOS XE Release 3S.

The following ACE commands or keywords are not supported:

  • reflect
  • evaluate
  • time-range

Step 4

Switch(config-rb-acl)# exit

Exits to global configuration mode.

Step 5

[ no ] cts role-based permissions { default |[ from { sgt_num | unknown } to { dgt_num | unknown }]{ rbacls | ipv4 rbacls }

 

 

 

 

 

 

 

 

 

 

 

Switch(config)# cts role-based permissions from 55 to 66 allow_webtraff

Binds SGTs and DGTs to the RBACL. The configuration is analogous to populating the permission matrix configured on the Cisco ISE or the Cisco Secure ACS.

  • Default—Default permissions list
  • sgt_num— 0 to 65,519. Source Group Tag
  • dgt_num— 0 to 65,519. Destination Group Tag
  • unknown—SGACL applies to packets where the security group (source or destination) cannot be determined.
  • ipv4—Indicates the following RBACL is IPv4.
  • rbacls— Name of RBACLs

Step 6

Switch(config)# end

Exits to Privileged Exec mode.

Step 7

Switch# show cts role-based permissions

Displays permission to RBACL configurations.

Step 8

Switch# show ip access-lists allow_webtraff

Displays ACEs of all RBACLs or a specified RBACL.

Configuration Examples for Manually Configuring SGACL Policies

Catalyst 3850 IPv4 Manual SGACL policy:

Switch(config)# ip access role allow_webtraff
Switch(config-rb-acl)# 10 permit tcp dst eq 80
Switch(config-rb-acl)# 20 permit tcp dst eq 443
Switch(config-rb-acl)# 30 permit icmp
Switch(config-rb-acl)# 40 deny ip
Switch(config-rb-acl)# exit

Switch(config)# cts role-based permissions from 55 to 66 allow_webtraff

Switch# show ip access allow_webtraff
 
Role-based IP access list allow_webtraff
10 permit tcp dst eq www
20 permit tcp dst eq 443
30 permit icmp
40 deny ip
Switch# show show cts role-based permissions from 50 to 70
XXX need output XX

Displaying SGACL Policies

After configuring the Cisco TrustSec device credentials and AAA, you can verify the Cisco TrustSec SGACL policies downloaded from the authentication server or configured manually. Cisco TrustSec downloads the SGACL policies when it learns of a new SGT through authentication and authorization on an interface, from SXP, or from manual IP address to SGT mapping.

To display the contents of the SGACL policies permissions matrix, perform this task:

Detailed Steps for Catalyst 6500

 

Command
Purpose

Step 1

Router# show cts role-based permissions default [ ipv4 | ipv6 | details ]

Displays the list of SGACL of the default policy.

Router# show cts role-based permissions [ from { source-sgt | unknown }] [ to { dest-sg | unknown }] [ ipv4 | ipv6 ] [ details ]

Displays the contents of the permissions matrix, including SGACLs downloaded from the authentication server and manually configured on the switch.

Using the keywords, you can display all or part of the permissions matrix:

  • If the from keyword is omitted, a column from the permissions matrix is displayed.
  • If the to keyword is omitted, a row from the permissions matrix is displayed.
  • If the from and to keywords are omitted, the entire permissions matrix is displayed.
  • If the from and to keywords are specified, a single cell from the permissions matrix is displayed and the details keyword is available. When details is entered, the ACEs of the SGACL of the single cell are displayed.

This example shows how to display the content of the SGACL policies permissions matrix for traffic sourced from security group 3:

Router# show cts role-based permissions from 3
Role-based permissions from group 3 to group 5:
SRB3
SRB5
Role-based permissions from group 3 to group 7:
SRB4
 

Refreshing the Downloaded SGACL Policies

Detailed Steps for Catalyst 6500, Catalyst 3850, Catalyst 3650

 

Command
Purpose

Step 1

cts refresh policy {peer [ peer-id ] | sgt [ sgt_number | default|unknown]}

 

 

 

 

 

 

 

 

 

 

Switch3850# cts refresh policy peer my_cisco_ise

Performs an immediate refresh of the SGACL policies from the authentication server.

  • If a peer-id is specified, only the policies related to the specified peer connection are refreshed. To refresh all peer policies, press Enter without specifying an ID.
  • If an SGT number is specified, only the policies related to that SGT are refreshed. To refresh all security group tag policies, press Enter without specifying an SGT number. Select default to refresh the default policy. Select unknown to refresh unknown policy.