Cisco TrustSec SGACL High Availability
Cisco TrustSec Security Group access control lists (SGACLs) support the high availability functionality in switches that support the Cisco StackWise technology. This technology provides stateful redundancy and allows a switch stack to enforce and process access control entries.
There is no Cisco TrustSec-specific configuration to enable this functionality, which is supported in Cisco IOS XE Denali 16.2.1 and later.
This chapter consists of these sections:
- Prerequisites for Cisco TrustSec SGACL High Availability
- Restrictions for Cisco TrustSec SGACL High Availability
- Information About Cisco TrustSec SGACL High Availability
- Verifying Cisco TrustSec SGACL High Availability
- Additional References for Configuring Cisco TrustSec SGACL High Availability
- Feature Information for Cisco TrustSec SGACL High Availability
Prerequisites for Cisco TrustSec SGACL High Availability
This document assumes the following:
- An understanding of Cisco TrustSec and the SGACL configuration.
- Switches are configured to function as a stack. For more information, see the “Managing Switch Stacks” chapter of the Software Configuration Guide, Cisco IOS XE Denali 16.1.1 (Catalyst 3850 Switches).
- All the switches in the stack are running an identical version of Cisco IOS XE software.
Restrictions for Cisco TrustSec SGACL High Availability
Information About Cisco TrustSec SGACL High Availability
High Availability Overview
In a switch stack, the stack manager assigns the switch with the highest priority as the active switch, and the switch with the next highest priority as the standby switch. During an automatic or a CLI-based stateful switchover, the standby switch becomes the active switch and the switch with the next highest priority becomes the standby switch and so on.
Operation data is synchronized from the active switch to the standby switch during initial system bootup, when the operational data changes (a Change of Authorization [CoA]), or when the operational data is refreshed.
During a stateful switchover, the newly active switch requests and downloads the operation data. The environment data (ENV-data) and the Role-Based access control lists (RBACLs) are not updated until the refresh time is complete.
The following operation data is downloaded to the active switch:
- Environment Data (ENV-data)—A variable length field that consists of the preferred server list to get the RBACL information at the time of refresh or initialization.
- Protected Access Credential (PAC)—A shared secret that is mutually and uniquely shared between the switch and the authenticator to secure an Extensible Authentication Protocol Flexible Authentication via Secure Tunneling (EAP-FAST) tunnel.
- Role-Based Policy (RBACL or SGACL)—A variable-length role-based policy list that consists of policy definitions for all the Security Group Tag (SGT) mappings on the switch.
Note: The Cisco TrustSec credential, which consists of the device ID and password details, is configured by running a command on the active switch.
Verifying Cisco TrustSec SGACL High Availability
To verify the Cisco TrustSec SGACL high availability configuration, run the show cts role-based permissions command on both the active and standby switches. The output from the command must be the same on both switches.
The following is sample output from the show cts role-based permissions command on the active switch:
The following is sample output from the show cts role-based permissions command on the standby switch:
After a stateful switchover, run the following commands on the active switch to verify the feature:
The following is sample output from the show cts pacs command:
The following is sample output from the show cts environment-data command:
The following is sample output from the show cts role-based permissions command after a stateful switchover:
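The verification procedure above compares the output of show cts role-based permissions on the active and standby switches by eye. The following Python script is an added example and is not part of the Cisco documentation: it parses two captures of that command into per-SGT-pair ACL lists and reports any cell that differs, so the same check can be repeated mechanically before and after a stateful switchover. The two sample outputs embedded in the script are constructed for the example and follow the command's usual layout, which the parser assumes.

```python
"""Compare SGACL policy state captured from the active and standby switches.

Added example, not Cisco code. Parses the text of `show cts role-based
permissions` (layout assumed from the command's usual output shape) into a
dictionary keyed by (address family, source group, destination group) and
reports any difference between two captures.
"""
import re
from typing import Dict, List, Tuple

# Matches the policy header lines, e.g.
#   "IPv4 Role-based permissions default:"
#   "IPv4 Role-based permissions from group 2:Device_sgt to group 3:Server_sgt:"
# An optional parenthesised status such as "(monitored)" before the colon is tolerated.
HEADER_RE = re.compile(
    r"^(?P<af>IPv[46]) Role-based permissions "
    r"(?:(?P<default>default)|from group (?P<src>\S+) to group (?P<dst>\S+))"
    r"(?:\s*\([^)]*\))?:\s*$"
)

PolicyKey = Tuple[str, str, str]  # (address family, source group, destination group)


def parse_rbacl_permissions(text: str) -> Dict[PolicyKey, List[str]]:
    """Parse show cts role-based permissions output into {key: [ACL names]}."""
    policies: Dict[PolicyKey, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            if m.group("default"):
                current = (m.group("af"), "default", "default")
            else:
                current = (m.group("af"), m.group("src"), m.group("dst"))
            policies[current] = []
            continue
        if current is not None and line.startswith((" ", "\t")):
            # Indented lines under a header are the ACL names applied to that cell.
            policies[current].append(line.strip())
        else:
            # Any other line (e.g. the "RBACL Monitor All ..." status lines) ends the block.
            current = None
    return policies


def diff_policies(active: Dict[PolicyKey, List[str]],
                  standby: Dict[PolicyKey, List[str]]) -> List[str]:
    """Return human-readable differences; an empty list means the policies match."""
    findings = []
    for key in sorted(set(active) | set(standby)):
        a, s = active.get(key), standby.get(key)
        if a is None:
            findings.append(f"{key}: present only on standby: {s}")
        elif s is None:
            findings.append(f"{key}: present only on active: {a}")
        elif a != s:
            findings.append(f"{key}: active={a} standby={s}")
    return findings


# Constructed sample captures (not real device output).
ACTIVE_OUTPUT = """\
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 2:Device_sgt to group 3:Server_sgt:
        Deny IP-00
IPv4 Role-based permissions from group 10:Employees to group 20:Servers:
        Permit_Web-10
        Deny IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
"""

# Standby in sync with the active switch: identical policy cells.
STANDBY_OUTPUT = ACTIVE_OUTPUT

# A standby that has not yet received the 10->20 policy (constructed failure case).
STALE_STANDBY_OUTPUT = """\
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 2:Device_sgt to group 3:Server_sgt:
        Deny IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
"""


def check_pair(active_text: str, standby_text: str) -> List[str]:
    """Convenience wrapper: parse both captures and return the differences."""
    return diff_policies(parse_rbacl_permissions(active_text),
                         parse_rbacl_permissions(standby_text))


if __name__ == "__main__":
    for label, standby in (("in-sync standby", STANDBY_OUTPUT),
                           ("stale standby", STALE_STANDBY_OUTPUT)):
        findings = check_pair(ACTIVE_OUTPUT, standby)
        print(f"{label}: {'MATCH' if not findings else 'MISMATCH'}")
        for f in findings:
            print("  ", f)
```

In practice the two captures would be collected from the active and standby switches (and again from the new active switch after the switchover); an empty result from check_pair is the condition the verification step requires.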
Additional References for Configuring Cisco TrustSec SGACL High Availability
Related Documents
- “Managing Switch Stacks” chapter in the Software Configuration Guide, Cisco IOS XE Denali 16.1.1 (Catalyst 3850 Switches)
Technical Assistance
Feature Information for Cisco TrustSec SGACL High Availability
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.