Configuring Cisco TrustSec Reflector and Caching
Revised: August 31, 2017
This module describes the Cisco TrustSec Reflector and Cisco TrustSec Caching features.
Note This feature is not supported on Catalyst 3650, 3850, 9300, 9400, and 9500 Series Switches.
Note The Cisco TrustSec supervisor ingress reflector and the Cisco TrustSec egress reflector are mutually exclusive. Do not enable both functions.
Egress reflector should be disabled when ERSPAN is configured.
To configure the Cisco TrustSec supervisor ingress reflector function, perform this task.
Detailed Steps for Catalyst 6500
| Step | Command | Purpose |
|---|---|---|
| 1 | Switch# configure terminal | Enters global configuration mode. |
| 2 | Switch(config)# [ no ] platform cts ingress | Activates the Cisco TrustSec supervisor ingress reflector. The no form deactivates it. |
| 3 | Switch(config)# exit | Exits configuration mode. |
| 4 | Switch# show platform cts | Displays the Cisco TrustSec reflector mode (Ingress, Egress, Pure, or No CTS). |
This example shows how to configure a Cisco TrustSec ingress reflector:
Switch# configure terminal
Switch(config)# platform cts ingress
Switch(config)# exit
Switch# show platform cts
Note Before disabling the Cisco TrustSec ingress reflector, you must remove power from the Cisco TrustSec-incapable switching modules.
To configure the Cisco TrustSec egress reflector function, perform this task.
Detailed Steps for Catalyst 6500
| Step | Command | Purpose |
|---|---|---|
| 1 | Switch# configure terminal | Enters global configuration mode. |
| 2 | Switch(config)# [ no ] platform cts egress | Activates the Cisco TrustSec egress reflector. The no form deactivates it. |
| 3 | Switch(config)# exit | Exits configuration mode. |
| 4 | Switch# show platform cts | Displays the Cisco TrustSec reflector mode (Ingress, Egress, Pure, or No CTS). |
This example shows how to configure a Cisco TrustSec egress reflector:
Switch# configure terminal
Switch(config)# platform cts egress
Switch(config)# exit
Switch# show platform cts
Note Before disabling the Cisco TrustSec egress reflector, you must remove power from the Cisco TrustSec-incapable switching modules.
Configuring Cisco TrustSec Caching
For quick recovery from brief outages, you can enable caching of authentication, authorization, and policy information for Cisco TrustSec connections. Caching allows Cisco TrustSec devices to use unexpired security information to restore links after an outage without requiring a full reauthentication of the Cisco TrustSec domain. The Cisco TrustSec devices will cache security information in DRAM. If non-volatile (NV) storage is also enabled, the DRAM cache information will also be stored to the NV memory. The contents of NV memory populate DRAM during a reboot.
Enabling Cisco TrustSec Caching
Note During extended outages, the Cisco TrustSec cache information is likely to become outdated.
To enable Cisco TrustSec caching, perform this task:
Detailed Steps for Catalyst 6500
| Step | Command | Purpose |
|---|---|---|
| 1 | Switch# configure terminal | Enters global configuration mode. |
| 2 | Switch(config)# [ no ] cts cache enable | Enables caching of authentication, authorization, and environment-data information in DRAM. The default is disabled. The no form of this command deletes all cached information from DRAM and from non-volatile storage. |
| 3 | Switch(config)# [ no ] cts cache nv-storage { bootdisk: \| bootflash: \| disk0: } [ directory dir-name ] | When DRAM caching is enabled, causes DRAM cache updates to also be written to non-volatile storage, and causes the DRAM cache to be populated from non-volatile storage when the device boots. |
| 4 | Switch(config)# exit | Exits configuration mode. |
This example shows how to configure Cisco TrustSec caching, including non-volatile storage:
Switch# configure terminal
Switch(config)# cts cache enable
Switch(config)# cts cache nv-storage bootdisk:
Switch(config)# exit
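The notes in the reflector section (the ingress and egress reflectors are mutually exclusive; the egress reflector should be disabled when ERSPAN is configured) and the caching steps above describe constraints that are easy to violate when configurations are merged by hand or pushed by automation. The following Python script is an added example, not Cisco code, that audits a saved running-config for those constraints. The running-config text, the hostname and the ERSPAN session syntax (`monitor session N type erspan-source`) are constructed for this example and are assumptions; the `platform cts` and `cts cache` command forms are the ones documented on this page.

```python
"""Audit a Catalyst 6500 running-config for the Cisco TrustSec reflector and
caching constraints described in this module.  Added example, not Cisco code."""
import re

# Constructed sample running-config for the example (not captured from a
# real switch).  It deliberately violates every constraint checked below.
SAMPLE_CONFIG = """\
hostname cts-core-1
!
platform cts ingress
platform cts egress
!
cts cache nv-storage bootdisk: directory ctscache
!
monitor session 1 type erspan-source
 source interface Gi1/1
!
end
"""

# ERSPAN source-session line; the exact syntax is an assumption for this example.
ERSPAN_RE = re.compile(r"^monitor session \d+ type erspan-source$")


def parse_config(text):
    """Return the set of non-empty, non-comment config lines, whitespace stripped."""
    lines = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        lines.add(line)
    return lines


def audit_cts(text):
    """Return a list of findings (strings) for the constraints in this module.

    An empty list means the config satisfies all three checks.
    """
    lines = parse_config(text)
    findings = []

    ingress = "platform cts ingress" in lines
    egress = "platform cts egress" in lines
    # Note on this page: the supervisor ingress reflector and the egress
    # reflector are mutually exclusive; do not enable both.
    if ingress and egress:
        findings.append("ingress and egress reflector both enabled (mutually exclusive)")

    # Note on this page: the egress reflector should be disabled when ERSPAN is configured.
    erspan = any(ERSPAN_RE.match(line) for line in lines)
    if egress and erspan:
        findings.append("egress reflector enabled while an ERSPAN session is configured")

    # Step 3 of the caching task: nv-storage only takes effect when DRAM
    # caching (cts cache enable) is on, so nv-storage alone does nothing.
    cache_enabled = "cts cache enable" in lines
    nv_storage = any(line.startswith("cts cache nv-storage ") for line in lines)
    if nv_storage and not cache_enabled:
        findings.append("cts cache nv-storage configured without cts cache enable")

    return findings


if __name__ == "__main__":
    for finding in audit_cts(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the text of `show running-config` saved to a file by replacing `SAMPLE_CONFIG` with the file contents; a config with only `platform cts ingress`, `cts cache enable` and `cts cache nv-storage bootdisk:` produces no findings.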
Clearing the Cisco TrustSec Cache
To clear the cache for Cisco TrustSec connections, perform this task:
Detailed Steps for Catalyst 6500
| Step | Command | Purpose |
|---|---|---|
| 1 | Switch# clear cts cache [ authorization-policies [ peer ] \| environment-data \| filename filename \| interface-controller [ type slot/port ]] | Clears the cached Cisco TrustSec connection information. With no keyword, all cached information is cleared. |
This example shows how to clear the entire Cisco TrustSec cache:
Switch# clear cts cache
Feature Information for Cisco TrustSec Reflector and Caching
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 Feature Information for Cisco TrustSec Reflector and Caching
| Feature Name | Releases | Feature Information |
|---|---|---|
| Cisco TrustSec Reflector | Cisco IOS Release 12.2(50) SY | This feature was introduced on Cisco Catalyst 6500 Series Switches. |
| Cisco TrustSec Caching | Cisco IOS Release 12.2(50) SY | This feature was introduced on Cisco Catalyst 6500 Series Switches. |