Manually Configuring IP-Address-to-SGT Mapping; Subnet to SGT Mapping; Default Settings; Configuring Subnet to SGT Mapping - Cisco TrustSec Configuration Manual

Manually Configuring IP-Address-to-SGT Mapping

This section discusses SGT to source IP address mapping as follows:
• Subnet to SGT Mapping, page 3-12
• VLAN to SGT Mapping, page 3-16
• Layer 3 Logical Interface to SGT Mapping (L3IF–SGT Mapping), page 3-20

For Identity Port Mapping in cts interface manual mode, see the following section:
• Configuring Cisco TrustSec and MACsec in Manual Mode on an Uplink Port, page 3-6

Subnet to SGT Mapping

Subnet to SGT mapping binds an SGT to all host addresses of a specified subnet. TrustSec imposes the SGT on an incoming packet when the packet's source IP address belongs to the specified subnet. The subnet and SGT are specified in the CLI with the cts role-based sgt-map net_address/prefix sgt sgt_number global configuration command. A single host may also be mapped with this command.

In IPv4 networks, SXPv3 and more recent versions can receive and parse subnet net_address/prefix strings from SXPv3 peers. Earlier SXP versions convert the subnet prefix into its set of host bindings before exporting them to an SXP listener peer.

For example, the IPv4 subnet 198.1.1.0/29 is expanded as follows (only 3 bits for host addresses):
• Host addresses 198.1.1.1 to 198.1.1.7: tagged and propagated to the SXP peer.
• Network and broadcast addresses 198.1.1.0 and 198.1.1.8: not tagged and not propagated.

To limit the number of subnet bindings SXPv3 can export, use the cts sxp mapping network-map global configuration command.

Subnet bindings are static; there is no learning of active hosts. They can be used locally for SGT imposition and SGACL enforcement. Packets tagged by subnet to SGT mapping can be propagated on Layer 2 or Layer 3 TrustSec links.

For IPv6 networks, SXPv3 cannot export subnet bindings to SXPv2 or SXPv1 peers.

Default Settings

There are no default settings for this feature.

Configuring Subnet to SGT Mapping

This section includes the following topics:
• Configuring Subnet to SGT Mapping, page 3-12
• Verifying Subnet to SGT Mapping Configuration, page 3-15

Cisco TrustSec Configuration Guide, OL-22192-02, Chapter 3: Configuring Identities, Connections, and SGTs, page 3-12
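The following Python script is an added example, not code from the Cisco guide: it parses the cts role-based sgt-map command, expands a subnet binding into the per-host bindings an SXPv1/SXPv2 listener would receive, and resolves a packet's source IP to its SGT by longest-prefix match, which is how subnet-to-SGT imposition classifies traffic. It assumes that the cts sxp mapping network-map cap simply truncates the exported host list and that a /32 single-host binding is exported unchanged; note that Python's ipaddress module treats 198.1.1.7 as the broadcast address of 198.1.1.0/29, so the expansion yields 198.1.1.1 through 198.1.1.6.

```python
import ipaddress
import re

# The global configuration command described in the guide:
#   cts role-based sgt-map <net_address>/<prefix> sgt <sgt_number>
_CMD = re.compile(r"^cts\s+role-based\s+sgt-map\s+(\S+)\s+sgt\s+(\d+)$")

def parse_sgt_map(line):
    """Return (ip_network, sgt) parsed from one 'cts role-based sgt-map' line."""
    m = _CMD.match(line.strip())
    if not m:
        raise ValueError("not a cts role-based sgt-map command: %r" % line)
    net = ipaddress.ip_network(m.group(1), strict=False)
    sgt = int(m.group(2))
    if not 0 <= sgt <= 65535:  # an SGT is a 16-bit value
        raise ValueError("SGT out of range: %d" % sgt)
    return net, sgt

def expand_for_legacy_peer(net, sgt, limit=None):
    """Host bindings an SXPv1/SXPv2 listener receives for one subnet binding.
    Network and broadcast addresses are excluded; a single-host prefix is
    exported as-is. 'limit' models the 'cts sxp mapping network-map' cap
    (assumption: bindings beyond the cap are simply not exported)."""
    if net.version == 6 and net.prefixlen != 128:
        return []  # IPv6 subnet bindings are not exported to SXPv1/v2 peers
    hosts = [net.network_address] if net.num_addresses == 1 else list(net.hosts())
    if limit is not None:
        hosts = hosts[:limit]
    return [(str(h), sgt) for h in hosts]

def classify_source(src_ip, mappings):
    """SGT imposition: longest-prefix match of a packet's source address
    against the configured bindings; None when no binding matches."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for net, sgt in mappings:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, sgt)
    return best[1] if best else None

if __name__ == "__main__":
    # Constructed sample configuration, using the guide's 198.1.1.0/29 example.
    cfg = ["cts role-based sgt-map 198.1.1.0/29 sgt 10",
           "cts role-based sgt-map 198.1.0.0/16 sgt 5"]
    maps = [parse_sgt_map(c) for c in cfg]
    for ip, sgt in expand_for_legacy_peer(*maps[0]):
        print("binding %s -> SGT %d" % (ip, sgt))
    print("198.1.1.3 classified as SGT", classify_source("198.1.1.3", maps))
```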
