Configuring Cisco TrustSec Reflector and Caching
This module describes the Cisco TrustSec Reflector and the Cisco TrustSec Caching features.
Note
This feature is not supported on Catalyst 3650, 3850, 9300, 9400, and 9500 Series Switches.
Note
The Cisco TrustSec supervisor ingress reflector and the Cisco TrustSec egress reflector are mutually exclusive. Do not enable both functions.
Egress reflector should be disabled when ERSPAN is configured.
To configure the Cisco TrustSec supervisor ingress reflector function, perform this task.
Detailed Steps for Catalyst 6500
Verification step: displays the Cisco TrustSec reflector mode (Ingress, Egress, Pure, or No CTS).
This example shows how to configure a Cisco TrustSec ingress reflector:
Note
Before disabling the Cisco TrustSec ingress reflector, you must remove power from the Cisco TrustSec-incapable switching modules.
To configure the Cisco TrustSec egress reflector function, perform this task.
Detailed Steps for Catalyst 6500
Verification step: displays the Cisco TrustSec reflector mode (Ingress, Egress, Pure, or No CTS).
This example shows how to configure a Cisco TrustSec egress reflector:
Note
Before disabling the Cisco TrustSec egress reflector, you must remove power from the Cisco TrustSec-incapable switching modules.
Configuring Cisco TrustSec Caching
For quick recovery from brief outages, you can enable caching of authentication, authorization, and policy information for Cisco TrustSec connections. Caching allows Cisco TrustSec devices to use unexpired security information to restore links after an outage without requiring a full reauthentication of the Cisco TrustSec domain. The Cisco TrustSec devices will cache security information in DRAM. If non-volatile (NV) storage is also enabled, the DRAM cache information will also be stored to the NV memory. The contents of NV memory populate DRAM during a reboot.
Enabling Cisco TrustSec Caching
Note
During extended outages, the Cisco TrustSec cache information is likely to become outdated.
Detailed Steps for Catalyst 6500
This example shows how to configure Cisco TrustSec caching, including non-volatile storage:
Clearing the Cisco TrustSec Cache
To clear the cache for Cisco TrustSec connections, perform this task:
Detailed Steps for Catalyst 6500
Switch# clear cts cache [ authorization-policies [ peer ] | environment-data | filename filename | interface-controller [ type slot/port ]]
This example shows how to clear the Cisco TrustSec cache:
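The caching and cache-clearing steps above, as an added example CLI session for the Catalyst 6500 (this is not the page's own example; the enable commands `cts cache enable` and `cts cache nv-storage enable` are assumed command names, while the `clear cts cache` keywords follow the syntax given above):

```ios
! Enable the DRAM cache and mirror it to non-volatile storage so the
! cached authentication, authorization, and policy data survives a reboot
! (assumed command names: cts cache enable, cts cache nv-storage enable).
Switch# configure terminal
Switch(config)# cts cache enable
Switch(config)# cts cache nv-storage enable
Switch(config)# exit
! After an extended outage the cached data is likely stale; clear it so the
! next link restore performs a full reauthentication instead of reusing it.
! Clear the whole cache:
Switch# clear cts cache
! Or clear only selected parts, using the keywords from the syntax above:
Switch# clear cts cache environment-data
Switch# clear cts cache authorization-policies
```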
Feature Information for Cisco TrustSec Reflector and Caching
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.