- Understanding Cisco TrustSec
- Configuring the Cisco TrustSec Solution
- Configuring Identities and Connections
- Configuring SGACL Policies
- TrustSec SGACL High Availability
- SGT Exchange Protocol over TCP (SXP)
- VRF-Aware SGT
- IP-Prefix and SGT-Based SXP Filtering
- SGT Inline Tagging
- Configuring Cisco TrustSec Reflector and Caching
- Configuring Endpoint Admission Control
- Cisco TrustSec Command Summary
- Considerations for Catalyst 3000 and 2000 Series Switches and Wireless LAN Controller 5700 Series
- Considerations for Catalyst 4500 Series Switches
- Considerations for Catalyst 6500 Series Switches
- Glossary
- Cisco TrustSec SGACL Feature Histories
- Restrictions for Configuring SGACL Policies
- SGACL Policy Configuration Process
- Enabling SGACL Policy Enforcement Globally
- Enabling SGACL Policy Enforcement Per Interface
- Enabling SGACL Policy Enforcement on VLANs
- Configuring SGACLMonitor Mode
- Manually Configuring SGACL Policies
- Manually Applying SGACL Policies
- Displaying SGACL Policies
- Refreshing the Downloaded SGACL Policies
- Feature Information for SGACL Policies
Configuring SGACL Policies
This section includes the following topics:
- Cisco TrustSec SGACL Feature Histories
- Restrictions for Configuring SGACL Policies
- SGACL Policy Configuration Process
- Enabling SGACL Policy Enforcement Globally
- Enabling SGACL Policy Enforcement Per Interface
- Enabling SGACL Policy Enforcement on VLANs
- Configuring SGACL Monitor Mode
- Manually Applying SGACL Policies
- Refreshing the Downloaded SGACL Policies
Cisco TrustSec SGACL Feature Histories
For a list of supported TrustSec features per platform and the minimum required IOS release, see
the Cisco TrustSec Platform Support Matrix at the following URL:
http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
Otherwise, see product release notes for detailed feature introduction information.
Restrictions for Configuring SGACL Policies
The following restrictions apply to IPv6 SGACL enforcement:
- SGACL enforcement will be bypassed for IPv6 multicast traffic.
- SGACL enforcement will be by-passed for IPv6 packets with Link-Local IPv6 source/destination addresses
The following restriction apply to the Cisco Catalyst 3750-X Series Switches while configuring SGACL policies:
- When SXP is configured between a Catalyst 3750-X switch and another switch, SGACL policies are not enforced on Catalyst 3750-X series switches. SGACL policies are downloaded for the destination SGT, but policy statements are not applied to the traffic that is initiated from the source SGT.
IP device tracking must be enabled on both switches and these switches should have Layer2 adjacency configured between them so that Catalyst 3750-X can tag packets with the corresponding SGT learned via the SXP protocol.
You can enable IP device tracking on Catalyst 3750-X switches by using the ip device tracking maximum < number > command. Based on your topology, configure the number of IP clients using the number argument. We do not recommend configuring a high number of IP clients on ports/interfaces.
IP device tracking is enabled by default on all ports in Cisco IOS Release 15.2(1)E, and in Catalyst 3750-X switches using this release image, SGACL policy enforcement happens.
The following restriction apply to the Cisco Catalyst 6500 Series Switches:
The following restriction apply to the Cisco Catalyst 3650 Series Switches and Cisco Catalyst 3850 Series Switches:
SGACL Policy Configuration Process
Follow these steps to configure and enable Cisco TrustSec Security Group ACL (SGACL) policies:
Step 1 Configuration of SGACL policies should be done primarily through the Policy Management function of the Cisco Secure ACS or the Cisco Identity Services Engine (see the Configuration Guide for the Cisco Secure ACS or the Cisco Identity Services Engine User Guide).
If you are not using AAA on a Cisco Secure ACS or a Cisco ISE to download the SGACL policy configuration, you can manually configure the SGACL mapping and policies (see the “Manually Configuring SGACL Policies” section).
Note An SGACL policy downloaded dynamically from the Cisco Secure ACS or a Cisco ISE will override any conflicting locally-defined policy.
Step 2 To enable SGACL policy enforcement on egress traffic on routed ports, enable SGACL policy enforcement globally as described in the “Enabling SGACL Policy Enforcement Globally” section.
Step 3 To enable SGACL policy enforcement on switched traffic within a VLAN, or on traffic that is forwarded to an SVI associated with a VLAN, enable SGACL policy enforcement for specific VLANs as described in the “Enabling SGACL Policy Enforcement on VLANs” section.
Enabling SGACL Policy Enforcement Globally
You must enable SGACL policy enforcement globally for Cisco TrustSec-enabled routed interfaces.
The same configuration commands that are used for enforcement of IPv4 traffic apply for IPv6 traffic as well.
To enable SGACL policy enforcement on routed interfaces, perform this task:
|
|
|
---|---|---|
Enables Cisco TrustSec SGACL policy enforcement on routed interfaces. |
Configuration Examples for Enabling SGACL Policy Enforcement Globally
Enabling SGACL Policy Enforcement Per Interface
You must first enable SGACL policy enforcement globally for Cisco TrustSec-enabled routed interfaces. This feature is not supported on Port Channel interfaces.
To enable SGACL policy enforcement on Layer 3 interfaces, perform this task:
Detailed Steps
|
|
|
---|---|---|
Specifies interface on which to enable or disable SGACL enforcement. |
||
Enables Cisco TrustSec SGACL policy enforcement on routed interfaces. |
||
Configuration Examples for Enabling SGACL Policy Enforcement Per Interface
Switch(config)# interface gigabitethernet 1/0/2
Enabling SGACL Policy Enforcement on VLANs
You must enable SGACL policy enforcement on specific VLANs to apply access control to switched traffic within a VLAN, or to traffic that is forwarded to an SVI associated with a VLAN.
To enable SGACL policy enforcement on a VLAN or a VLAN list, perform this task:
Detailed Steps
|
|
|
---|---|---|
Switch(config)# cts role-based enforcement vlan-list vlan-list |
Enables Cisco TrustSec SGACL policy enforcement on the VLAN or VLAN list. |
Configuration Examples for Enabling SGACL Policy Enforcement on VLANs
Configuring SGACL Monitor Mode
Before configuring SGACL monitor mode, ensure the following:
Note The show cts role-based counters CLIs for IPv4 and IPv6 traffic are separate, but the displayed values for IPv4 and IPv6 are combined.
Configuration Example for Configuring SGACL Monitor Mode
Switch(config)# cts role-based permissions from 2 to 3 ipv4
Switch# show cts role-based permissions from 2 to 3 ipv4
IPv4 Role-based permissions from group 2:sgt2 to group 3:sgt3 (monitored):
Switch# show cts role-based permissions from 2 to 3 ipv4 details
IPv4 Role-based permissions from group 2:sgt2 to group 3:sgt3 (monitored):
Role-based IP access list denytcpudpicmp-10 (downloaded)
Role-based IP access list Permit IP-00 (downloaded)
Switch# show cts role-based counters ipv4
From To SW-Denied HW-Denied SW-Permitt HW_Permitt SW-Monitor HW-Monitor
Manually Configuring SGACL Policies
A role-based access control list bound to a range of SGTs and DGTs forms an SGACL, a TrustSec policy enforced on egress traffic. Configuration of SGACL policies are best done through the policy management functions of the Cisco ISE or the Cisco Secure ACS. To manually (that is, locally) configure SGACL policies, do the following:
1. Configure a role-based ACL.
2. Bind the role-based ACL to a range of SGTs.
Note An SGACL policy downloaded dynamically from the Cisco ISE or Cisco ACS overrides any conflicting manually configured policy.
Manually Configuring and Applying IPv4 SGACL Policies
Note When configuring SGACLs and Role-Based access control lists (RBACLs), the named access control lists (ACLs) must start with an alphabet.
Detailed Steps for Catalyst 3850,3650, 9300,9400,9500 switches:
|
|
|
---|---|---|
ip access-list role-based rbacl -name |
Creates a Role-based ACL and enters Role-based ACL configuration mode. |
|
{[ sequence-number ] | default | permit | deny | remark } |
Specifies the access control entries (ACEs) for the RBACL. You can use most of the commands and options allowed in extended named access list configuration mode, with the source and destination fields omitted. Press Enter to complete an ACE and begin the next. For full explanations of ACL configuration, keywords, and options, see, Security Configuration Guide: Access Control Lists, Cisco IOS XE Release 3S. |
|
[ no ] cts role-based permissions { default |[ from { sgt_num | unknown } to { dgt_num | unknown }]{ rbacls | ipv4 rbacls } Switch(config)# cts role-based permissions from 55 to 66 allow_webtraff |
Binds SGTs and DGTs to the RBACL. The configuration is analogous to populating the permission matrix configured on the Cisco ISE or the Cisco Secure ACS. |
|
Configuration Examples for Manually Configuring SGACL Policies
Switch(config)# cts role-based permissions from 55 to 66 allow_webtraff
Configuring IPv6 Policies
To manually configure IPv6 SGACL policies, perform this task:
Detailed Steps for Catalyst 6500
Manually Applying SGACL Policies
To manually apply SGACL policies, perform this task:
Detailed Steps for Catalyst 6500
Configuration Examples for Manually Applying SGACLs
Catalyst 6500—Apply default and custom SGACL policies:
Displaying SGACL Policies
After configuring the Cisco TrustSec device credentials and AAA, you can verify the Cisco TrustSec SGACL policies downloaded from the authentication server or configured manually. Cisco TrustSec downloads the SGACL policies when it learns of a new SGT through authentication and authorization on an interface, from SXP, or from manual IP address to SGT mapping.
To display the contents of the SGACL policies permissions matrix, perform this task:
Detailed Steps for Catalyst 6500
Using the keywords, you can display all or part of the permissions matrix:
- If the from keyword is omitted, a column from the permissions matrix is displayed.
- If the to keyword is omitted, a row from the permissions matrix is displayed.
- If the from and to keywords are omitted, the entire permissions matrix is displayed.
- If the from and to keywords are specified, a single cell from the permissions matrix is displayed and the details keyword is available. When details is entered, the ACEs of the SGACL of the single cell are displayed.
This example shows how to display the content of the SGACL policies permissions matrix for traffic sourced from security group 3:
Refreshing the Downloaded SGACL Policies
Detailed Steps for Catalyst 6500, Catalyst 3850, Catalyst 3650
Feature Information for SGACL Policies
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.