Vlan To Sgt Mapping - Cisco TrustSec Configuration Manual

Cisco TrustSec Configuration Guide, Chapter 3: Configuring Identities, Connections, and SGTs (page 3-16)

Manually Configuring IP-Address-to-SGT Mapping

IPv4,SGT: <11.11.11.3 , 11111>
IPv4,SGT: <11.11.11.4 , 11111>
IPv4,SGT: <11.11.11.5 , 11111>
IPv4,SGT: <11.11.11.6 , 11111>
IPv4,SGT: <192.168.1.1 , 65000>
IPv4,SGT: <192.168.1.2 , 65000>
IPv4,SGT: <192.168.1.3 , 65000>
IPv4,SGT: <192.168.1.4 , 65000>
IPv4,SGT: <192.168.1.5 , 65000>
IPv4,SGT: <192.168.1.6 , 65000>
IPv4,SGT: <192.168.1.7 , 65000>
IPv4,SGT: <192.168.1.8 , 65000>
IPv4,SGT: <192.168.1.9 , 65000>
IPv4,SGT: <192.168.1.10 , 65000>
IPv4,SGT: <192.168.1.11 , 65000>
IPv4,SGT: <192.168.1.12 , 65000>
IPv4,SGT: <192.168.1.13 , 65000>
IPv4,SGT: <192.168.1.14 , 65000>

Step 6
Verify the expansion count on Switch1:
Switch1# show cts sxp sgt-map
IP-SGT Mappings expanded:22
There are no IP-SGT Mappings

Step 7
Save the configurations on Switch 1 and Switch 2 and exit global configuration mode.
Switch1(config)# copy running-config startup-config
Switch1(config)# exit
Switch2(config)# copy running-config startup-config
Switch2(config)# exit

VLAN to SGT Mapping

The VLAN to SGT mapping feature binds an SGT to packets from a specified VLAN. This simplifies the migration from legacy to TrustSec-capable networks as follows:

• Supports devices that are not TrustSec-capable but are VLAN-capable, such as legacy switches, wireless controllers, access points, VPNs, etc.
• Provides backward compatibility for topologies where VLANs and VLAN ACLs segment the network, such as server segmentation in data centers.

The VLAN to SGT binding is configured with the cts role-based sgt-map vlan-list global configuration command.

When a VLAN is assigned a gateway that is a switched virtual interface (SVI) on a TrustSec-capable switch, and IP Device Tracking is enabled on that switch, then TrustSec can create an IP to SGT binding for any active host on that VLAN mapped to the SVI subnet.

IP-SGT bindings for the active VLAN hosts are exported to SXP listeners. The bindings for each mapped VLAN are inserted into the IP-to-SGT table associated with the VRF the VLAN is mapped to by either its SVI or by a cts role-based l2-vrf cts global configuration command.

VLAN to SGT bindings have the lowest priority of all binding methods and are ignored when bindings from other sources are received, such as from SXP or CLI host configurations. Binding priorities are listed in the "Binding Source Priorities" section on page 3-22.
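
The VLAN to SGT binding described above, as an added configuration example that is not taken from the Cisco guide. VLAN 100, SGTs 10 and 20, the 10.1.1.0/24 addresses and the hostname TS_switch are constructed values, and command availability depends on platform and software release.

```cisco
! Constructed values: VLAN 100, SGT 10 and 20, 10.1.1.0/24, hostname TS_switch.
TS_switch# configure terminal
! SVI that acts as the gateway for VLAN 100
TS_switch(config)# interface vlan 100
TS_switch(config-if)# ip address 10.1.1.1 255.255.255.0
TS_switch(config-if)# no shutdown
TS_switch(config-if)# exit
! IP Device Tracking discovers the active hosts behind the SVI
TS_switch(config)# ip device tracking
! Bind SGT 10 to every active host learned on VLAN 100
TS_switch(config)# cts role-based sgt-map vlan-list 100 sgt 10
! A CLI host binding outranks the VLAN binding for the same address
TS_switch(config)# cts role-based sgt-map 10.1.1.50 sgt 20
TS_switch(config)# end
! Verify the tracked hosts, then the resulting bindings and their sources
TS_switch# show ip device tracking all
TS_switch# show cts role-based sgt-map all
```

In the binding table, active hosts in VLAN 100 should carry SGT 10 with VLAN as the source, while 10.1.1.50 should carry SGT 20 from the CLI binding. A host that is missing from the device tracking table gets no VLAN-derived binding.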
OL-22192-02
