Cisco TrustSec SGACL Feature Histories

For a list of supported TrustSec features per platform and the minimum required IOS release, see the Cisco TrustSec Platform Support Matrix at the following URL: http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html Otherwise, see product release notes for detailed feature introduction information.
Cisco Identity Services Engine User Guide). If you are not using AAA on a Cisco Secure ACS or a Cisco ISE to download the SGACL policy configuration, you can manually configure the SGACL mapping and policies (see the “Manually Configuring SGACL Policies”...
Switch(config-if)# end

Enabling SGACL Policy Enforcement on VLANs

You must enable SGACL policy enforcement on specific VLANs to apply access control to switched traffic within a VLAN, or to traffic that is forwarded to an SVI associated with a VLAN.
Manually Configuring SGACL Policies

A role-based access control list bound to a range of SGTs and DGTs forms an SGACL, a TrustSec policy enforced on egress traffic. Configuration of SGACL policies is best done through the policy management functions of the Cisco ISE or the Cisco Secure ACS.
Command: [no] cts role-based permissions {default | [from {sgt_num | unknown} to {dgt_num | unknown}]} {rbacls | ipv4 rbacls}

Purpose: configuration is analogous to populating the permission matrix configured on the Cisco ISE or the Cisco Secure ACS.
• default—Default permissions list
• sgt_num—0 to 65,519. Source Group Tag
•...
If the from and to keywords are specified, a single cell from the permissions matrix is displayed and the details keyword is available. When details is entered, the ACEs of the SGACL of the single cell are displayed. This example shows how to display the content of the SGACL policies permissions matrix for traffic...
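The following is an added example, not taken from the Cisco guide, that strings the manual steps together: define a role-based ACL, bind it to one SGT/DGT cell with cts role-based permissions, enable enforcement on a VLAN, and verify the cell with the from/to/details form of the show command. The SGT 10, DGT 20, VLAN 100 and ACL name WEB_ONLY are constructed values; the ip access-list role-based ACE syntax and the cts role-based enforcement commands are standard IOS commands not shown on this page.

```cisco
! Added example; SGT 10, DGT 20, VLAN 100 and WEB_ONLY are constructed values.
Switch# configure terminal
! A role-based ACL carries no source/destination addresses: the SGT/DGT
! binding below decides whose traffic it applies to, the ACEs decide what.
Switch(config)# ip access-list role-based WEB_ONLY
Switch(config-rb-acl)# permit tcp dst eq 443
Switch(config-rb-acl)# deny ip log
Switch(config-rb-acl)# exit
! Populate a single cell of the permission matrix: SGT 10 -> DGT 20 uses WEB_ONLY.
Switch(config)# cts role-based permissions from 10 to 20 ipv4 WEB_ONLY
! Policy is only evaluated where enforcement is enabled: globally and per VLAN.
Switch(config)# cts role-based enforcement
Switch(config)# cts role-based enforcement vlan-list 100
Switch(config)# end
! Display just that cell; details lists the ACEs of the bound SGACL.
Switch# show cts role-based permissions from 10 to 20 details
```

If a cell is later downloaded from ISE or ACS for the same SGT/DGT pair, check the show output again, since the downloaded policy and the manual entry are not merged.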
Refreshing the Downloaded SGACL Policies

Detailed Steps for Catalyst 6500, Catalyst 3850, Catalyst 3650

Step 1
Command: cts refresh policy {peer [peer-id] | sgt [sgt_number | default | unknown]}
Purpose: Performs an immediate refresh of the SGACL policies from the authentication server. If a peer-id is specified, only the policies related to the ...