Configuring SGACL Monitor Mode
This example shows how to put the SGT 20 to DGT 30 pair into SGACL monitor mode. Replace the bracketed placeholders with the values for your own deployment. In monitor mode the SGACL bound to that pair is observed (through the role-based counters and, with detailed logging enabled, through log messages) rather than enforced, so use it to validate a policy before turning enforcement on for the pair; in the show output further below such pairs are marked (monitored).
configure terminal
cts role-based detailed-logging
cts role-based monitor permissions from <20> to <30>
exit
The following example shows the Cisco TrustSec SGACL policy. Each SGT-DGT pair lists the RBACL bound to it and its entries; pairs that are in monitor mode are marked (monitored).
switch(config)# sh cts role-based policy
sgt:unknown
dgt:unknown rbacl:rbacl1
permit ip log
sgt:10
dgt:20 rbacl:rbacl1(monitored)
permit ip log
sgt:20
dgt:10 rbacl:rbacl2
deny ip log
sgt:30
dgt:40 rbacl:rbacl1
permit ip
sgt:40
dgt:30 rbacl:rbacl2(monitored)
deny ip
sgt:any
dgt:any rbacl:rbacl1
permit ip log
The following example shows whether RBACL counters are enabled, when they were last cleared, and the statistics for every RBACL policy. The number in square brackets is the hit count for the SGT-DGT pair and for each entry of its RBACL.
switch(config)# sh cts role-based counters
RBACL policy counters enabled
Counters last cleared: 12/23/2015 at 01:41:46 AM
sgt:unknown dgt:unknown [0]
rbacl:rbacl1
permit ip log [0]
sgt:10 dgt:20 [5]
rbacl:rbacl1(monitored)
permit ip log [5]
sgt:20 dgt:10 [5]
rbacl:rbacl2
deny ip log [5]
sgt:30 dgt:40 [0]
rbacl:rbacl1
permit ip [0]
sgt:40 dgt:30 [0]
rbacl:rbacl2(monitored)
deny ip [0]
sgt:any dgt:any [0]
rbacl:rbacl1
permit ip log [0]
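The two show outputs above are what an operator has to read before deciding whether a pair can safely stay in, or leave, monitor mode. The script below is an added example (not code from this page or from Cisco) that parses both outputs, correlates them per SGT-DGT pair, and reports the conditions a practitioner cares about: deny entries on monitored pairs, which are not being enforced while the pair is monitored; monitored entries without the log keyword, which are counted but not logged; and pairs where the policy and counter views disagree on monitor status. The input strings are copied from the example output on this page. It assumes the two commands print in exactly the line layout shown above (sgt:/dgt:/rbacl: lines followed by one entry per line); other NX-OS releases may format the output differently.

```python
"""Audit NX-OS SGACL monitor mode from 'show cts role-based policy' and
'show cts role-based counters' output (added example; layout assumptions
in the lead-in)."""
import re
from dataclasses import dataclass, field

# Sample input copied from the page's 'show cts role-based policy' output.
POLICY_OUTPUT = """\
sgt:unknown
dgt:unknown rbacl:rbacl1
permit ip log
sgt:10
dgt:20 rbacl:rbacl1(monitored)
permit ip log
sgt:20
dgt:10 rbacl:rbacl2
deny ip log
sgt:30
dgt:40 rbacl:rbacl1
permit ip
sgt:40
dgt:30 rbacl:rbacl2(monitored)
deny ip
sgt:any
dgt:any rbacl:rbacl1
permit ip log
"""

# Sample input copied from the page's 'show cts role-based counters' output.
COUNTERS_OUTPUT = """\
RBACL policy counters enabled
Counters last cleared: 12/23/2015 at 01:41:46 AM
sgt:unknown dgt:unknown [0]
rbacl:rbacl1
permit ip log [0]
sgt:10 dgt:20 [5]
rbacl:rbacl1(monitored)
permit ip log [5]
sgt:20 dgt:10 [5]
rbacl:rbacl2
deny ip log [5]
sgt:30 dgt:40 [0]
rbacl:rbacl1
permit ip [0]
sgt:40 dgt:30 [0]
rbacl:rbacl2(monitored)
deny ip [0]
sgt:any dgt:any [0]
rbacl:rbacl1
permit ip log [0]
"""

SGT_RE = re.compile(r"^sgt:(\S+)$")
DGT_RE = re.compile(r"^dgt:(\S+)\s+rbacl:([^\s(]+)(\(monitored\))?$")
PAIR_RE = re.compile(r"^sgt:(\S+)\s+dgt:(\S+)\s+\[(\d+)\]$")
RBACL_RE = re.compile(r"^rbacl:([^\s(]+)(\(monitored\))?$")
# Matches both "permit ip log" (policy view) and "deny ip [5]" (counter view).
ACE_RE = re.compile(r"^(permit|deny)\s+(\S+)(\s+log)?(?:\s+\[(\d+)\])?$")


@dataclass
class Pair:
    sgt: str
    dgt: str
    rbacl: str
    monitored: bool
    aces: list = field(default_factory=list)  # (action, proto, logged, hits)
    hits: int = 0  # pair-level hit count (counters view only)


def parse_policy(text):
    """Return {(sgt, dgt): Pair} from 'show cts role-based policy' output."""
    pairs, sgt, cur = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := SGT_RE.match(line):
            sgt, cur = m.group(1), None
        elif m := DGT_RE.match(line):
            cur = Pair(sgt, m.group(1), m.group(2), m.group(3) is not None)
            pairs[(sgt, cur.dgt)] = cur
        elif (m := ACE_RE.match(line)) and cur is not None:
            cur.aces.append((m.group(1), m.group(2), m.group(3) is not None, 0))
    return pairs


def parse_counters(text):
    """Return {(sgt, dgt): Pair} with hit counts from 'show cts role-based counters'."""
    pairs, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := PAIR_RE.match(line):
            cur = Pair(m.group(1), m.group(2), "", False, hits=int(m.group(3)))
            pairs[(cur.sgt, cur.dgt)] = cur
        elif (m := RBACL_RE.match(line)) and cur is not None:
            cur.rbacl, cur.monitored = m.group(1), m.group(2) is not None
        elif (m := ACE_RE.match(line)) and cur is not None:
            cur.aces.append((m.group(1), m.group(2), m.group(3) is not None,
                             int(m.group(4) or 0)))
    return pairs


def audit(policy, counters):
    """Return (finding, (sgt, dgt), rbacl, hits) tuples for monitored pairs."""
    findings = []
    for key, p in sorted(policy.items()):
        c = counters.get(key)
        if c is not None and c.monitored != p.monitored:
            findings.append(("monitor-status-mismatch", key, p.rbacl, c.hits))
        if not p.monitored:
            continue
        hit_by_ace = {(a, pr, lg): h for a, pr, lg, h in (c.aces if c else [])}
        for action, proto, logged, _ in p.aces:
            hits = hit_by_ace.get((action, proto, logged), 0)
            if action == "deny":  # would drop once enforced; permitted today
                findings.append(("deny-not-enforced", key, p.rbacl, hits))
            if not logged:  # counted, but no per-flow log evidence
                findings.append(("monitored-without-log", key, p.rbacl, hits))
    return findings


if __name__ == "__main__":
    for kind, (sgt, dgt), rbacl, hits in audit(parse_policy(POLICY_OUTPUT),
                                               parse_counters(COUNTERS_OUTPUT)):
        print(f"{kind}: sgt {sgt} -> dgt {dgt} ({rbacl}), {hits} hits so far")
```

On the page's data the audit flags only the SGT 40 to DGT 30 pair: its rbacl2 deny is not enforced while the pair is monitored, and because that entry has no log keyword the 0 hits in the counters are the only evidence you will get about matching traffic. The SGT 10 to DGT 20 pair is also monitored, but its entry is a logged permit, so monitoring changes nothing for it.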
The following example shows the Cisco TrustSec running configuration that produces the policy and counter output above, including the global monitor and counter settings and the per-pair monitor permissions.
switch(config)# show run cts
!Command: show running-config cts
!Time: Wed Dec 23 02:01:43 2015
version 7.3(0)D1(1)
feature cts
cts role-based counters enable
cts role-based detailed-logging
cts role-based monitor enable
cts role-based sgt-map 1.1.1.1 10
cts role-based sgt-map 2.1.1.2 20
cts role-based sgt-map 3.1.1.1 30
cts role-based sgt-map 4.1.1.2 40
cts role-based access-list rbacl1
permit ip log
cts role-based access-list rbacl2
deny ip log
cts role-based sgt 0 dgt 0 access-list rbacl1
cts role-based sgt 10 dgt 20 access-list rbacl1
cts role-based sgt 20 dgt 10 access-list rbacl2
cts role-based sgt 30 dgt 40 access-list rbacl1
cts role-based sgt 40 dgt 30 access-list rbacl2
cts role-based sgt any dgt any access-list rbacl1
cts role-based monitor permissions from 10 to 20
cts role-based monitor permissions from 40 to 30
cts role-based enforcement
The following example shows a Cisco TrustSec running configuration that additionally defines SGACLs without the log keyword (rbacl1_no_log and rbacl2_no_log) and binds them to the SGT 30 to DGT 40 and SGT 40 to DGT 30 pairs, so that traffic matching those pairs is counted but not logged.
switch(config)# show run cts
!Command: show running-config cts
!Time: Wed Dec 23 02:01:43 2015
version 7.3(0)D1(1)
feature cts
cts role-based counters enable
cts role-based detailed-logging
cts role-based monitor enable
cts role-based sgt-map 1.1.1.1 10
cts role-based sgt-map 2.1.1.2 20
cts role-based sgt-map 3.1.1.1 30
cts role-based sgt-map 4.1.1.2 40
cts role-based access-list rbacl1
permit ip log
cts role-based access-list rbacl2
deny ip log
cts role-based access-list rbacl1_no_log
permit ip
cts role-based access-list rbacl2_no_log
deny ip
cts role-based sgt 0 dgt 0 access-list rbacl1
cts role-based sgt 10 dgt 20 access-list rbacl1
cts role-based sgt 20 dgt 10 access-list rbacl2
cts role-based sgt 30 dgt 40 access-list rbacl1_no_log
cts role-based sgt 40 dgt 30 access-list rbacl2_no_log
cts role-based sgt any dgt any access-list rbacl1
cts role-based monitor permissions from 10 to 20
cts role-based monitor permissions from 40 to 30
cts role-based enforcement