The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes the Cisco NX-OS TrustSec commands that begin with C.
To clear the Cisco TrustSec security group access control list (SGACL) policies, use the clear cts policy command.
clear cts policy { all | peer device-id | sgt sgt-value }
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
When you clear the SGACL policies, the change does not take effect until the interface is flapped. If the interface is a static SGT interface, the SGT value is set to zero (0) after the flap. To undo this operation, use the following commands:
If the interface is a dynamic SGT interface, the SGT is downloaded again from the RADIUS server after the flap.
This example shows how to clear all the Cisco TrustSec SGACL policies on the device:
To clear the role-based access control list (RBACL) statistics so that all counters are reset to 0, use the clear cts role-based counters command.
This example shows how to clear the RBACL statistics:
Related command: Displays the configuration status of RBACL statistics and lists statistics for all RBACL policies.
To configure a Cisco TrustSec device identifier, use the cts device-id command.
cts device-id device-id password [ 7 ] password
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
This example shows how to configure a Cisco TrustSec device identifier:
To enter the Cisco TrustSec manual configuration for an interface, use the cts manual command. To remove the manual configuration, use the no form of this command.
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown and no shutdown command sequence for the configuration to take effect.
This example shows how to enter Cisco TrustSec manual configuration mode for an interface:
This example shows how to remove the Cisco TrustSec manual configuration from an interface:
Related command: Displays Cisco TrustSec configuration information for interfaces.
To create or specify a Cisco TrustSec security group access control list (SGACL) and enter role-based access control list configuration mode, use the cts role-based access-list command. To remove an SGACL, use the no form of this command.
cts role-based access-list list-name
no cts role-based access-list list-name
list-name: Name for the SGACL. The name is alphanumeric and case-sensitive. The maximum length is 32 characters.
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
When you remove an SGACL, the access list can no longer be referenced by any SGT-DGT pair in the system.
This example shows how to create a Cisco TrustSec SGACL and enter the role-based access list configuration mode:
This example shows how to remove a Cisco TrustSec SGACL:
To enable role-based access control list (RBACL) statistics, use the cts role-based counters enable command. To disable RBACL statistics, use the no form of this command.
cts role-based counters enable
no cts role-based counters enable
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
To use this command, you must enable RBACL policy enforcement on the VLAN.
When you enable RBACL statistics, each policy requires one entry in the hardware. If you do not have enough space remaining in the hardware, an error message appears, and you cannot enable the statistics.
RBACL statistics are lost during an ISSU or when an access control entry is added to or removed from an RBACL.
This example shows how to enable RBACL statistics:
This example shows how to disable RBACL statistics:
Related commands:
Clears the RBACL statistics so that all counters are reset to 0.
Displays the configuration status of RBACL statistics and lists statistics for all RBACL policies.
To enable role-based access control list (RBACL) enforcement on a VLAN, use the cts role-based enforcement command. To disable RBACL enforcement on a VLAN, use the no form of this command.
Note If you do not enable cts role-based enforcement on a VLAN, ingress tagging does not occur even though the ingress and egress interfaces have cts manual and policy static SGT. Thus, you must enable cts role-based enforcement on a VLAN for ingress tagging to occur.
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
RBACL enforcement is enabled on a per-VLAN basis. RBACL enforcement cannot be enabled on routed VLANs or interfaces. For RBACL enforcement changes to take effect, you must exit from VLAN configuration mode.
This example shows how to enable RBACL enforcement on a VLAN and verify the status:
This example shows how to disable RBACL enforcement on a VLAN:
To manually configure mapping of Cisco TrustSec security group tags (SGTs) to a security group access control list (SGACL), use the cts role-based sgt command. To remove the SGT mapping to an SGACL, use the no form of this command.
cts role-based sgt { sgt-value | any | unknown } dgt { dgt-value | any | unknown } access-list list-name
no cts role-based sgt { sgt-value | any | unknown } dgt { dgt-value | any | unknown }
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
You must configure the SGACL before you can configure SGT mapping.
This example shows how to configure SGT mapping for an SGACL:
This example shows how to configure any SGT mapping to any destination SGT:
This example shows how to remove SGT mapping for an SGACL:
To manually configure the Cisco TrustSec security group tag (SGT) mapping to IP addresses, use the cts role-based sgt-map command. To remove an SGT, use the no form of this command.
cts role-based sgt-map ipv4-address sgt-value
no cts role-based sgt-map ipv4-address
Command modes: global configuration mode, VLAN configuration mode, and VRF configuration mode.
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
This example shows how to configure mapping for a Cisco TrustSec SGT:
This example shows how to remove a Cisco TrustSec SGT mapping:
To configure the security group tag (SGT) for Cisco TrustSec, use the cts sgt command. To revert to the default settings, use the no form of this command.
Local SGT for the device, given as a hexadecimal value in the format 0xhhhh. The range is from 0x2 to 0xffef.
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
This example shows how to configure the Cisco TrustSec SGT for the device:
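The SGACL-related commands above (feature enablement, cts device-id, cts manual, cts role-based access-list, cts role-based sgt, cts role-based sgt-map, cts role-based enforcement, cts role-based counters enable, and cts sgt) fit together into one configuration sequence. The following is an added example and is not an example from the command reference. The device identifier and password, SGT values, IP addresses, VLAN, interface, and SGACL name are assumed for illustration, and two sub-commands are NX-OS syntax not documented on this page: the "deny ip" entry inside the RBACL and "policy static sgt" under cts manual (the latter is referred to by the enforcement note above).

```cisco
! Added example: end-to-end SGACL enforcement on NX-OS (all values assumed)
configure terminal
  ! Both features are prerequisites for every cts command on this page
  feature dot1x
  feature cts

  ! Device identifier and password for the TrustSec domain (assumed values)
  cts device-id SWITCH-A password Sw1tchA-Secret
  ! Local SGT of the device, hexadecimal, valid range 0x2 to 0xffef
  cts sgt 0x10

  ! Create the SGACL first: an SGT/DGT mapping cannot reference a list that does not exist
  ! ("deny ip" is NX-OS RBACL entry syntax, not shown on this page)
  cts role-based access-list DENY-USERS-TO-SERVERS
    deny ip
  exit

  ! Apply the SGACL to traffic from source SGT 20 to destination SGT 30
  cts role-based sgt 20 dgt 30 access-list DENY-USERS-TO-SERVERS

  ! Static IP-to-SGT mappings for hosts that do not get an SGT via 802.1X (assumed addresses)
  cts role-based sgt-map 10.1.20.15 20
  cts role-based sgt-map 10.1.30.5 30

  ! Enforcement is per VLAN and takes effect only after leaving VLAN configuration mode;
  ! without it, ingress tagging does not happen even with cts manual + policy static sgt
  vlan 20
    cts role-based enforcement
  exit
  ! Counters require enforcement on the VLAN and consume one hardware entry per policy
  cts role-based counters enable

  ! Manual TrustSec on the uplink; the shutdown / no shutdown sequence is mandatory
  interface ethernet 1/1
    cts manual
      ! Static SGT for frames on this link (sub-command assumed, see the enforcement note)
      policy static sgt 0x10
    exit
    shutdown
    no shutdown
  exit
end
```

Two behaviours from the reference text matter when you later change this: clear cts policy all does not take effect until the interface is flapped again, and on a static SGT interface that flap resets the SGT to 0, so re-apply the static SGT afterwards; removing the SGACL with no cts role-based access-list leaves every SGT/DGT pair that referenced it without a list.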
To configure a Security Group Tag (SGT) Exchange Protocol (SXP) peer connection for Cisco TrustSec, use the cts sxp connection peer command. To remove the SXP connection, use the no form of this command.
cts sxp connection peer peer-ipv4-addr [ source src-ipv4-addr ] password { default | none | required { password | 7 encrypted-password }} mode listener [ vrf vrf-name ]
no cts sxp connection peer peer-ipv4-addr [ source src-ipv4-addr ] password { default | none | required { password | 7 encrypted-password }} mode listener [ vrf vrf-name ]
Command defaults: the configured default SXP password for the device, the configured default SXP source IPv4 address for the device, and the default VRF.
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
You can use only IPv4 addressing with Cisco TrustSec.
If you do not specify a source IPv4 address, you must configure a default SXP source IPv4 address using the cts sxp default source-ip command.
If you specify default as the password mode, you must configure a default SXP password using the cts sxp default password command.
This example shows how to configure an SXP peer connection:
This example shows how to remove an SXP peer connection:
Related commands:
Configures the default SXP source IPv4 address for the device.
Displays the Cisco TrustSec SXP peer connection information.
To configure the default Security Group Tag (SGT) Exchange Protocol (SXP) password for the device, use the cts sxp default password command. To remove the default, use the no form of this command.
cts sxp default password { password | 7 encrypted-password }
password: Clear text password. The password is alphanumeric and case-sensitive. The maximum length is 32 characters.
7 encrypted-password: Specifies an encrypted password. The maximum length is 32 characters.
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
This example shows how to configure the default SXP password for the device:
This example shows how to remove the default SXP password:
To configure the default Security Group Tag (SGT) Exchange Protocol (SXP) source IPv4 address for the device, use the cts sxp default source-ip command. To revert to the default, use the no form of this command.
cts sxp default source-ip ipv4-address
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
This example shows how to configure the default SXP source IP address for the device:
This example shows how to remove the default SXP source IP address:
To enable the Security Group Tag (SGT) Exchange Protocol (SXP) peer on a device, use the cts sxp enable command. To revert to the default, use the no form of this command.
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
This example shows how to enable SXP:
This example shows how to disable SXP:
To configure a Security Group Tag (SGT) Exchange Protocol (SXP) reconcile period timer, use the cts sxp reconcile-period command. To revert to the default, use the no form of this command.
cts sxp reconcile-period seconds
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
After a peer terminates an SXP connection, an internal hold-down timer starts. If the peer reconnects before the internal hold-down timer expires, the SXP reconcile period timer starts.
Note Setting the SXP reconcile period to 0 seconds disables the timer.
This example shows how to configure the SXP reconcile period:
This example shows how to revert to the default SXP reconcile period value:
To configure a Security Group Tag (SGT) Exchange Protocol (SXP) retry period timer, use the cts sxp retry-period command. To revert to the default, use the no form of this command.
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
The SXP retry period determines how often the Cisco NX-OS software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco NX-OS software makes a new attempt to set up the connection after the SXP retry period timer expires.
Note Setting the SXP retry period to 0 seconds disables the timer and retries are not attempted.
This example shows how to configure the SXP retry period:
This example shows how to revert to the default SXP retry period value:
Related command: Displays the Cisco TrustSec SXP peer connection information.
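The SXP commands above (cts sxp enable, cts sxp default source-ip, cts sxp default password, cts sxp retry-period, cts sxp reconcile-period, and cts sxp connection peer) are combined below into one listener configuration. This is an added example, not an example from the command reference; all addresses, passwords, timer values and the VRF name are assumed. One caveat the syntax makes easy to miss: password none sets up the connection without any shared secret, so prefer password default or password required so that the SXP session is authenticated.

```cisco
! Added example: SXP listener configuration on NX-OS (all values assumed)
configure terminal
  ! Prerequisites for every cts command
  feature dot1x
  feature cts

  cts sxp enable

  ! Device-wide defaults; a peer that omits "source" or uses "password default" inherits these
  cts sxp default source-ip 10.0.0.1
  cts sxp default password Sxp-Shared-Secret1

  ! Retry a connection that did not come up every 60 seconds (0 would disable retries)
  cts sxp retry-period 60
  ! Reconcile timer that starts when a peer reconnects inside the hold-down (0 disables it)
  cts sxp reconcile-period 120

  ! Peer 1: relies on the default source IP, the default password, and the default VRF
  cts sxp connection peer 10.0.0.2 password default mode listener

  ! Peer 2: explicit source address, per-connection password, and a non-default VRF
  cts sxp connection peer 192.168.5.9 source 192.168.5.1 password required Per-Peer-Secret2 mode listener vrf MGMT
end
```

The no form of cts sxp connection peer takes the same full argument list as the configuring command, so removing peer 2 means repeating its whole line with no in front. If you leave out source on a peer, the connection cannot be established unless cts sxp default source-ip has been set, and password default likewise depends on cts sxp default password having been configured.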