TrustSec Security Group Name Download

Feature History for TrustSec Security Group Name Download

This table provides release and platform support information for the features explained in this module.

These features are available in all the releases subsequent to the one they were introduced in, unless noted otherwise.

Release: Cisco IOS XE 17.18.1

Feature Name and Description: TrustSec Security Group Name Download. The TrustSec Security Group Name Download feature improves the SGT policy by enabling network access devices to receive not only the SGT number and SGACL policy, but also the associated SGT name.

Supported Platform: Cisco C9610 Series Smart Switches

TrustSec Security Group Name Download

The TrustSec Security Group Name Download feature improves the Security Group Tag (SGT) policy by enabling network access devices to receive not only the SGT number and Security Group Access Control List (SGACL) policy, but also the associated SGT name.

SGT Mapping to Layer 3 Logical interface

With this feature, SGTs can be directly mapped to traffic on any of the following Layer 3 interfaces, regardless of the underlying physical interface:

  • Routed port

  • Switch Virtual Interface (SVI or VLAN interface)

  • Layer 3 subinterface of a Layer 2 port

  • Tunnel interface

The cts role-based sgt-map interface global configuration command allows you to specify either a particular SGT number or a Security Group Name. The association between the Security Group Name and its SGT is dynamically obtained from a Cisco Identity Services Engine (ISE) or Cisco Access Control Server (ACS).

Configure TrustSec Security Group Name Download

To configure TrustSec security group name download, perform this task.

Procedure


Step 1

enable

Example:

Device# enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

cts role-based sgt-map interface type slot/port [security-group name | sgt number]

Example:

Device(config)# cts role-based sgt-map interface gigabitEthernet 1/1 sgt 77

An SGT is imposed on ingress traffic to the specified interface.

  • interface type slot/port : Displays a list of the available interfaces.

  • security-group name : Security Group name to SGT pairings are configured on the Cisco ISE or Cisco ACS.

  • sgt number : Specifies the SGT number. The range is from 0 to 65,535.

Step 4

exit

Example:

Device(config)# exit

Exits global configuration mode.

Step 5

show cts role-based sgt-map all

Example:

Device# show cts role-based sgt-map all

Verify that ingressing traffic is tagged with the specified SGT.


Example: Configure TrustSec Security Group Name Download

The following example shows the SGT download configuration for the ingress interface:

Device# config terminal
Device(config)# cts role-based sgt-map interface gigabitEthernet 6/3 sgt 3
Device(config)# exit

Example: Verify TrustSec Security Group Name Download Configuration

The following example shows a sample output of the show cts role-based sgt-map all command.

Device# show cts role-based sgt-map all

IP Address              SGT     Source
============================================
15.1.1.15               4       INTERNAL
17.1.1.0/24             3       L3IF
21.1.1.2                4       INTERNAL
31.1.1.0/24             3       L3IF
31.1.1.2                4       INTERNAL
43.1.1.0/24             3       L3IF
49.1.1.0/24             3       L3IF
50.1.1.0/24             3       L3IF
50.1.1.2                4       INTERNAL
51.1.1.1                4       INTERNAL
52.1.1.0/24             3       L3IF
81.1.1.1                5       CLI
102.1.1.1               4       INTERNAL
105.1.1.1               3       L3IF
111.1.1.1               4       INTERNAL

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 1
Total number of L3IF     bindings = 7
Total number of INTERNAL bindings = 7
Total number of active   bindings = 15
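Step 5 tells you to verify the binding by reading the show cts role-based sgt-map all output. The following Python script is an added example, not part of this guide or of Cisco IOS XE: it parses that output format, checks that a given prefix carries the expected SGT through an L3IF binding, and cross-checks the summary counts against the table rows. The sample output embedded in it is constructed from the example above and trimmed.

```python
import re
from collections import Counter

# Constructed sample of `show cts role-based sgt-map all` output, trimmed from
# the example above; the summary counts agree with the rows listed.
SAMPLE_OUTPUT = """\
IP Address              SGT     Source
============================================
15.1.1.15               4       INTERNAL
17.1.1.0/24             3       L3IF
81.1.1.1                5       CLI
105.1.1.1               3       L3IF

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 1
Total number of L3IF     bindings = 2
Total number of INTERNAL bindings = 1
Total number of active   bindings = 4
"""

# A binding row: prefix or host address, SGT number, binding source.
BINDING_RE = re.compile(r"^(\S+)\s+(\d+)\s+([A-Z0-9_]+)$")
# A summary row: source name (or "active") and the reported count.
SUMMARY_RE = re.compile(r"^Total number of (\S+)\s+bindings = (\d+)$")

def parse_sgt_map(text):
    """Return (bindings, summary): bindings is a list of (prefix, sgt, source),
    summary maps the source name (or 'active') to the count the device reports."""
    bindings, summary = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SUMMARY_RE.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif m := BINDING_RE.match(line):
            bindings.append((m.group(1), int(m.group(2)), m.group(3)))
    return bindings, summary

def check_sgt_map(text, expected):
    """expected maps prefix -> SGT that the interface mapping should impose.
    Returns a list of problems found; an empty list means the output is consistent."""
    bindings, summary = parse_sgt_map(text)
    by_prefix = {p: (sgt, src) for p, sgt, src in bindings}
    problems = []
    for prefix, want in expected.items():
        got = by_prefix.get(prefix)
        if got is None:
            problems.append(f"{prefix}: no binding present")
        elif got != (want, "L3IF"):
            problems.append(f"{prefix}: got SGT {got[0]} via {got[1]}, want {want} via L3IF")
    counts = Counter(src for _, _, src in bindings)  # rows per source
    for src, n in summary.items():
        actual = len(bindings) if src == "active" else counts.get(src, 0)
        if actual != n:
            problems.append(f"summary reports {n} {src} bindings, table lists {actual}")
    return problems

if __name__ == "__main__":
    print(check_sgt_map(SAMPLE_OUTPUT, {"17.1.1.0/24": 3}))  # [] when consistent
```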