The Cisco TrustSec
Interface-to-SGT Mapping feature binds all traffic on a Layer 3 ingress
interface to a security group tag (SGT). Once this mapping is implemented,
Cisco TrustSec can use the SGT to segregate traffic from various logical Layer
3 ingress interfaces.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information,
see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module,
and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature
Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Cisco TrustSec Interface-to-SGT Mapping
Interface-to-SGT
Mapping
The mapping between
interfaces and security group tags (SGTs) is used to map SGTs to traffic of any
of the following logical Layer 3 ingress interfaces, regardless of the
underlying physical interface:
Layer 3
(routed) Ethernet interfaces
Layer 3 (routed)
Ethernet 802.1Q subinterfaces
Tunnel
interfaces
The configured SGT
tag is assigned to all traffic on the Layer 3 ingress interface and can be used
for inline tagging and policy enforcement.
Binding Source
Priorities
Cisco TrustSec
resolves conflicts among IP address to security group tag (IP-SGT) binding
sources with a strict priority scheme. The current priority enforcement order,
from lowest to highest, is as follows:
CLI—Bindings
configured using the
cts role-based sgt-map
sgt command.
L3IF—Bindings
added due to FIB forwarding entries that have paths through one or more
interfaces with consistent Layer 3 Interface to SGT (L3IF-SGT) mapping or
identity port mapping on routed ports.
SXP—Bindings
learned from SGT Exchange Protocol (SXP) peers.
INTERNAL—Bindings between locally configured IP addresses and the devices own
SGT.
How to Configure Cisco TrustSec Interface-to-SGT Mapping
Configuring Layer
3 Interface-to-SGT Mapping
SUMMARY STEPS
enable
configure
terminal
interfacetypeslot/port
cts role-based sgt-map sgtsgt-number
end
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Device> enable
Enables
privileged EXEC mode.
Enter
your password if prompted.
Step 2
configure
terminal
Example:
Device# configure terminal
Enters global
configuration mode.
Step 3
interfacetypeslot/port
Example:
Device(config)# interface gigabitEthernet 0/0
Configures an
interface and enters interface configuration mode.
Step 4
cts role-based sgt-map sgtsgt-number
Example:
Device(config-if)# cts role-based sgt-map sgt 77
An SGT is
imposed on ingress traffic to the specified interface.
sgt-number—Specifies the security group tag (SGT)
number. Valid values are from 2 to 65519.
Step 5
end
Example:
Device(config-if)# end
Exits
interface configuration mode and returns to privileged EXEC mode.
Verifying Layer 3
Interface-to-SGT Mapping
SUMMARY STEPS
enable
show cts role-based sgt-map all
DETAILED STEPS
Step 1
enable
Enables
privileged EXEC mode.
Enter
your password if prompted.
Example:
Device> enable
Step 2
show cts role-based sgt-map all
Displays the
security group tag (SGT) mapping for the ingress traffic on the Layer 3
interface.
Example:
The following
sample output from the
show cts role-based sgt-map
all command shows that once the Cisco TrustSec Interface-to-SGT
Mapping feature is implemented, the traffic on the ingress interface is tagged
appropriately with Layer 3 interface (L3IF). The output displays the priority
scheme of the IP address to security group tag (IP-SGT) binding sources (for
more information about the IP-SGT binding source priorities, see the “Binding
Source Priorities” section).
Device# show cts role-based sgt-map all
IP Address SGT Source
============================================
192.0.2.1 4 INTERNAL
192.0.2.5/24 3 L3IF
192.0.2.10/8 3 L3IF
192.0.2.20 5 CLI
198.51.100.1 4 INTERNAL
IP-SGT Active Bindings Summary
============================================
Total number of CLI bindings = 1
Total number of L3IF bindings = 2
Total number of INTERNAL bindings = 2
Total number of active bindings = 5
Configuration Examples for Cisco TrustSec Interface-to-SGT Mapping
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and
resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product
Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Feature
Information for Cisco TrustSec Interface-to-SGT Mapping
The following table provides release information about the feature or features described in this module. This table lists
only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise,
subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco
Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature
Information for Cisco TrustSec Interface-to-SGT Mapping
Feature Name
Releases
Feature
Information
Cisco
TrustSec Interface-to-SGT Mapping
The Cisco TrustSec
Interface-to-SGT Mapping feature binds all traffic on a Layer 3 ingress
interface to a security group tag (SGT). Once this mapping is implemented,
Cisco TrustSec can use the SGT to segregate traffic from various logical Layer
3 ingress interfaces.
The
following command was introduced or modified:
cts role-based sgt-map
sgt.