Cisco TrustSec Configuration Manual page 106

Chapter 7, Cisco TrustSec Configuration Guide, page 7-20

cts policy layer3

Usage Guidelines

Configure Cisco TrustSec Layer 3 SGT transport with these usage guidelines and restrictions:

The Cisco TrustSec Layer 3 SGT transport feature can be configured only on ports that support hardware encryption.

Traffic and exception policies for Cisco TrustSec Layer 3 SGT transport have the following restrictions:

- The policies must be configured as IP extended or IP named extended ACLs.
- The policies must not contain deny entries.
- If the same ACE is present in both the traffic and exception policies, the exception policy takes precedence. No Cisco TrustSec Layer 3 encapsulation will be performed on packets matching that ACE.

Traffic and exception policies can be downloaded from the authentication server (if supported by your Cisco IOS Release) or manually configured on the device with the ip access-list global configuration command. The policies will be applied based on these rules:

- If a traffic policy or an exception policy is downloaded from the authentication server, it will take precedence over any manually configured traffic or exception policy.
- If the authentication server is not available but both a traffic policy and an exception policy have been manually configured, the manually configured policies will be used.
- If the authentication server is not available but a traffic policy has been configured with no exception policy, no exception policy is applied. Cisco TrustSec Layer 3 encapsulation will be applied on the interface based on the traffic policy.
- If the authentication server is not available and no traffic policy has been manually configured, no Cisco TrustSec Layer 3 encapsulation will be performed on the interface.

Examples

The following example shows how to configure Layer 3 SGT Transport to a remote Cisco TrustSec domain. The traffic policy references the ACL named traffic-list defined above it (the extracted page read traffic-sgt here, which named no configured ACL):

Router# configure terminal
Router(config)# ip access-list extended traffic-list
Router(config-ext-nacl)# permit ip any 10.1.1.0 0.0.0.255
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended exception-list
Router(config-ext-nacl)# permit ip any 10.2.2.0 0.0.0.255
Router(config-ext-nacl)# exit
Router(config)# cts policy layer3 ipv4 traffic traffic-list
Router(config)# cts policy layer3 ipv4 exception exception-list
Router(config)# interface gi2/1
Router(config-if)# cts layer3 trustsec ipv4 forwarding
Router(config-if)# shutdown
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# exit

Related Commands

Command                   Description
cts layer3                Enables and applies traffic and exception policies to CTS Layer 3 Transport gateway interfaces.
show cts policy layer3    Displays the traffic and exception policies used in CTS Layer 3 Transport.
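The policy rules above (exception ACE precedence over the traffic policy, downloaded policy precedence over manual configuration, and no encapsulation without a traffic policy) can be checked against sample packets with the following Python model. It is an added example, not Cisco code and not a statement of IOS internals; it assumes contiguous wildcard masks and only the "permit ip <src> <dst>" ACE form shown on this page, and reads the source rule as applying per policy type.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Ace:
    """One 'permit ip <src> <dst>' entry with both address specs as networks."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _net(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of a netmask (assumes a contiguous wildcard).
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_ace(line: str) -> Ace:
    """Parse 'permit ip <src> <dst>'; deny entries are rejected, as the guide forbids them."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE for a Layer 3 SGT policy: {line!r}")
    src, rest = _net(tokens[2:])
    dst, rest = _net(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {rest}")
    return Ace(src, dst)

def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]

def _matches(acl: List[Ace], src, dst) -> bool:
    return any(src in a.src and dst in a.dst for a in acl)

def effective_policy(downloaded: Optional[List[Ace]], manual: Optional[List[Ace]]):
    """Source rule (modelled per policy type): a policy downloaded from the
    authentication server wins over a manually configured one; None means absent."""
    return downloaded if downloaded is not None else manual

def encapsulate(traffic, exception, src_ip: str, dst_ip: str) -> bool:
    """True if the packet receives Layer 3 SGT encapsulation: no traffic policy means
    never; an exception match means never (exception beats traffic); else traffic match."""
    if not traffic:
        return False
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if exception and _matches(exception, src, dst):
        return False
    return _matches(traffic, src, dst)
```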
Cisco TrustSec Command Summary
OL-22192-01