To verify the Cisco TrustSec SGACL high availability configuration, run the show cts role-based permissions command on both the active and standby switches. The output from the command must be the same on both switches.
The following is sample output from the show cts role-based permissions command on the active switch:
Device# show cts role-based permissions
IPv4 Role-based permissions default (monitored):
default_sgacl-01
Deny IP-00
IPv4 Role-based permissions from group 10:SGT_10 to group 15:SGT_15:
SGACL_3-01
IPv4 Role-based permissions from group 14:SGT_14 to group 15:SGT_15:
multple_ace-14
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
The following is sample output from the show cts role-based permissions command on the standby switch:
Device-stby# show cts role-based permissions
IPv4 Role-based permissions default (monitored):
default_sgacl-01
Deny IP-00
IPv4 Role-based permissions from group 10:SGT_10 to group 15:SGT_15:
SGACL_3-01
IPv4 Role-based permissions from group 14:SGT_14 to group 15:SGT_15:
multple_ace-14
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
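The comparison described above can be automated. The following Python script is an added example and is not part of the Cisco documentation; it parses the show cts role-based permissions output from both switches into a per-policy structure and reports any difference, so that a drifted SGACL on the standby is caught before a switchover rather than after. The sample outputs are copied from the documented healthy case; the drifted standby output is constructed to show what a mismatch report looks like.

```python
import re
from typing import Dict, List

# Constructed sample: the documented 'show cts role-based permissions' output
# on the active switch (prompt line omitted).
ACTIVE_OUTPUT = """\
IPv4 Role-based permissions default (monitored):
default_sgacl-01
Deny IP-00
IPv4 Role-based permissions from group 10:SGT_10 to group 15:SGT_15:
SGACL_3-01
IPv4 Role-based permissions from group 14:SGT_14 to group 15:SGT_15:
multple_ace-14
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
"""

# In the healthy case the standby output is identical to the active output.
STANDBY_OUTPUT = ACTIVE_OUTPUT

# Constructed failure case: the standby carries a different SGACL for one cell.
DRIFTED_STANDBY_OUTPUT = ACTIVE_OUTPUT.replace("SGACL_3-01", "SGACL_2-01")

SECTION_RE = re.compile(r"^IPv4 Role-based permissions (.+):$")
MONITOR_RE = re.compile(r"^RBACL Monitor All for (\w+) Policies\s*:\s*(\w+)$")


def parse_role_based_permissions(text: str) -> Dict[str, object]:
    """Parse the command output into {"policies": {section: [acl, ...]}, "monitor": {...}}.

    Each 'IPv4 Role-based permissions ...:' header opens a section; the lines that
    follow it (until the next header or the RBACL Monitor lines) are the SGACL names
    bound to that source/destination SGT pair.
    """
    policies: Dict[str, List[str]] = {}
    monitor: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "show cts" in line:  # skip blank lines and an echoed CLI prompt
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            policies[current] = []
            continue
        m = MONITOR_RE.match(line)
        if m:
            current = None
            monitor[m.group(1)] = m.group(2).upper()
            continue
        if current is not None:
            policies[current].append(line)
    return {"policies": policies, "monitor": monitor}


def diff_permissions(active_text: str, standby_text: str) -> List[str]:
    """Return human-readable differences between the two outputs; empty means they agree."""
    a = parse_role_based_permissions(active_text)
    s = parse_role_based_permissions(standby_text)
    diffs: List[str] = []
    for section in sorted(set(a["policies"]) | set(s["policies"])):
        a_acls = a["policies"].get(section)
        s_acls = s["policies"].get(section)
        if a_acls is None:
            diffs.append(f"section missing on active: {section}")
        elif s_acls is None:
            diffs.append(f"section missing on standby: {section}")
        elif a_acls != s_acls:
            diffs.append(f"{section}: active={a_acls} standby={s_acls}")
    for key in sorted(set(a["monitor"]) | set(s["monitor"])):
        if a["monitor"].get(key) != s["monitor"].get(key):
            diffs.append(
                f"RBACL Monitor All for {key}: "
                f"active={a['monitor'].get(key)} standby={s['monitor'].get(key)}"
            )
    return diffs


if __name__ == "__main__":
    print("healthy pair:", diff_permissions(ACTIVE_OUTPUT, STANDBY_OUTPUT) or "identical")
    print("drifted pair:", diff_permissions(ACTIVE_OUTPUT, DRIFTED_STANDBY_OUTPUT))
```

Comparing parsed sections rather than raw text keeps the check insensitive to prompt lines and whitespace while still flagging any change in which SGACL is bound to a given SGT pair, or in the RBACL Monitor All flags.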
After a stateful switchover, run the following commands on the active switch to verify the feature:
The following is sample output from the show cts pacs command:
Device# show cts pacs
AID: A3B6D4D8353F102346786CF220FF151C
PAC-Info:
PAC-type = Cisco Trustsec
AID: A3B6D4D8353F102346786CF220FF151C
I-ID: CTS_ED_21
A-ID-Info: Identity Services Engine
Credential Lifetime: 17:22:32 IST Mon Mar 14 2016
PAC-Opaque:
000200B80003000100040010A3B6D4D8353F102346786CF220FF151C0006009C00030100E044B2650D8351FD06
F23623C470511E0000001356DEA96C00093A80538898D40F633C368B053200D4C9D2422A7FEB4837EA9DBB89D1
E51DA4E7B184E66D3D5F2839C11E5FB386936BB85250C61CA0116FDD9A184C6E96593EEAF5C39BE08140AFBB19
4EE701A0056600CFF5B12C02DD7ECEAA3CCC8170263669C483BD208052A46C31E39199830F794676842ADEECBB
A30FC4A5A0DEDA93
Refresh timer is set for 01:00:05
The following is sample output from the show cts environment-data command:
Device# show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
SGT tag = 0:Unknown
Server List Info:
Installed list: CTSServerList1-000D, 1 server(s):
*Server: 10.78.105.47, port 1812, A-ID A3B6D4D8353F102346786CF220FF151C
Status = ALIVE
auto-test = FALSE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
0001-45 :
0-00:Unknown
2-ba:SGT_2
3-00:SGT_3
4-00:SGT_4
5-00:SGT_5
6-00:SGT_6
7-00:SGT_7
8-00:SGT_8
9-00:SGT_9
10-16:SGT_10
!
!
!
Environment Data Lifetime = 3600 secs
Last update time = 14:32:53 IST Mon Mar 14 2016
Env-data expires in 0:00:10:04 (dd:hr:mm:sec)
Env-data refreshes in 0:00:10:04 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running
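The two outputs above can be cross-checked rather than just eyeballed. The following Python script is an added example, not code from the Cisco documentation; it extracts the PAC AID from show cts pacs and the server list, state and status fields from show cts environment-data, and reports any condition a practitioner would treat as a failed switchover: no PAC installed, environment data not COMPLETE, a server not ALIVE, or a server whose A-ID does not match the AID of the installed PAC. The sample outputs are copied from the documentation (the PAC-Opaque blob is omitted because it is not needed for the check).

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of the documented 'show cts pacs' output.
PACS_OUTPUT = """\
AID: A3B6D4D8353F102346786CF220FF151C
PAC-Info:
PAC-type = Cisco Trustsec
AID: A3B6D4D8353F102346786CF220FF151C
I-ID: CTS_ED_21
A-ID-Info: Identity Services Engine
Credential Lifetime: 17:22:32 IST Mon Mar 14 2016
Refresh timer is set for 01:00:05
"""

# Constructed excerpt of the documented 'show cts environment-data' output.
ENV_DATA_OUTPUT = """\
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
SGT tag = 0:Unknown
Server List Info:
Installed list: CTSServerList1-000D, 1 server(s):
*Server: 10.78.105.47, port 1812, A-ID A3B6D4D8353F102346786CF220FF151C
Status = ALIVE
auto-test = FALSE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Environment Data Lifetime = 3600 secs
Last update time = 14:32:53 IST Mon Mar 14 2016
Cache data applied = NONE
State Machine is running
"""

AID_RE = re.compile(r"^AID:\s*([0-9A-Fa-f]+)$")
SERVER_RE = re.compile(r"^\*?Server:\s*(\S+),\s*port\s*(\d+),\s*A-ID\s*([0-9A-Fa-f]+)$")
SERVER_STATUS_RE = re.compile(r"^Status\s*=\s*(\w+)$")
KEYVAL_RE = re.compile(r"^(Current state|Last status)\s*=\s*(\w+)$")


def parse_pacs(text: str) -> Dict[str, Optional[str]]:
    """Return the AID (authority id of the server that issued the PAC) from 'show cts pacs'."""
    aid = None
    for line in text.splitlines():
        m = AID_RE.match(line.strip())
        if m:
            aid = m.group(1).upper()
    return {"aid": aid}


def parse_environment_data(text: str) -> Dict[str, object]:
    """Parse the state, last status, server list and state-machine line of 'show cts environment-data'."""
    servers: List[Dict[str, str]] = []
    data: Dict[str, object] = {"state": None, "last_status": None,
                               "servers": servers, "state_machine_running": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = KEYVAL_RE.match(line)
        if m:
            data["state" if m.group(1) == "Current state" else "last_status"] = m.group(2).upper()
            continue
        m = SERVER_RE.match(line)
        if m:
            servers.append({"ip": m.group(1), "port": m.group(2),
                            "aid": m.group(3).upper(), "status": "UNKNOWN"})
            continue
        m = SERVER_STATUS_RE.match(line)
        if m and servers:  # a 'Status =' line belongs to the server listed just before it
            servers[-1]["status"] = m.group(1).upper()
            continue
        if line == "State Machine is running":
            data["state_machine_running"] = True
    return data


def check_post_switchover(pacs_text: str, env_text: str) -> List[str]:
    """Return the problems found; an empty list means the new active switch looks healthy."""
    pac = parse_pacs(pacs_text)
    env = parse_environment_data(env_text)
    problems: List[str] = []
    if pac["aid"] is None:
        problems.append("no PAC installed (no AID in show cts pacs)")
    if env["state"] != "COMPLETE":
        problems.append(f"environment data state is {env['state']}, expected COMPLETE")
    if env["last_status"] != "SUCCESSFUL":
        problems.append(f"last environment-data download status is {env['last_status']}")
    if not env["servers"]:
        problems.append("no CTS server in the installed server list")
    for srv in env["servers"]:
        if srv["status"] != "ALIVE":
            problems.append(f"server {srv['ip']}:{srv['port']} is {srv['status']}")
        if pac["aid"] is not None and srv["aid"] != pac["aid"]:
            problems.append(f"server {srv['ip']} A-ID {srv['aid']} does not match PAC AID {pac['aid']}")
    if not env["state_machine_running"]:
        problems.append("environment-data state machine is not running")
    return problems


if __name__ == "__main__":
    print(check_post_switchover(PACS_OUTPUT, ENV_DATA_OUTPUT) or "post-switchover state looks healthy")
```

The A-ID match matters because the PAC is what authenticates the switch to the server that issued it; a server entry whose A-ID differs from the installed PAC's AID means the switch cannot use that PAC against that server.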
The following is sample output from the show cts role-based permissions command after a stateful switchover:
Device# show cts role-based permissions
IPv4 Role-based permissions default:
default_sgacl-01
Deny IP-00
IPv4 Role-based permissions from group 10:SGT_10 to group 15:SGT_15:
SGACL_3-01
IPv4 Role-based permissions from group 14:SGT_14 to group 15:SGT_15:
multple_ace-14
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE