Cisco TrustSec Configuration Manual page 117

Chapter 7
Cisco TrustSec Command Summary
VRFs
Single or multiple VLANs
A Layer 3 physical or logical interface
Single Host Address to SGT Binding
The cts role-based sgt-map host command binds the specified SGT to incoming packets whose IP
source address matches the specified host address. This IP-SGT binding has the lowest priority of
all binding sources and is ignored whenever any dynamically discovered binding for the same host
exists from another source (such as SXP or a locally authenticated host). The binding is used locally
on the switch for SGT imposition and SGACL enforcement. It is exported to SXP peers only while it
is the sole binding known for the specified host IP address.
Network or Subnetwork Addresses to SGT Binding
The cts role-based sgt-map {ipv4_netaddress | ipv6_netaddress} and
cts role-based sgt-map {ipv4_subnetaddress/prefix | ipv6_subnetaddress/prefix} commands bind the
specified SGT to packets whose source address falls within the specified network or subnetwork.
SXP exports an exhaustive expansion of all possible individual IP-SGT bindings within the specified
network or subnetwork, so the number of bindings a listener receives grows with the size of the
prefix. IPv6 bindings and subnet bindings are exported only to SXP listener peers running SXP
version 2 or later; a listener on an older version never learns them.
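The following configuration is an added example and is not taken from the Cisco guide. It shows the host and subnetwork forms of the command from the two sections above, together with an SXP speaker connection so that the bindings are exported, and the exec commands used to confirm the result. All addresses, SGT values, the peer address and the password placeholder are hypothetical; confirm the exact keyword set accepted by your platform and release.

```ios
! Added example, not Cisco documentation. Values are hypothetical.
!
! Single-host bindings. These are the lowest-priority source: a binding for the
! same host learnt from SXP or from an authenticated session overrides them,
! and they reach SXP peers only while no other binding exists for the host.
cts role-based sgt-map host 10.1.10.25 sgt 10
cts role-based sgt-map host 2001:db8:10::25 sgt 10
!
! Subnetwork bindings. Any packet whose source falls in the prefix is
! classified with the SGT. SXP exports these as a per-host expansion, so a
! wide prefix produces a correspondingly large table on the listener.
cts role-based sgt-map 10.1.20.0/24 sgt 20
cts role-based sgt-map 2001:db8:20::/64 sgt 20
!
! SXP speaker towards a listener. The IPv6 and subnet bindings above are only
! sent if the peer negotiates SXP version 2 or later.
cts sxp enable
cts sxp default password 0 <shared-secret>
cts sxp connection peer 10.1.1.254 password default mode local speaker
!
! Verification (exec mode). The first command lists every binding with its
! source; the second shows the version negotiated with each SXP peer.
show cts role-based sgt-map all
show cts sxp connections
```

Check the negotiated version in the output of the second show command before relying on subnet or IPv6 bindings reaching a given listener; a peer stuck on version 1 silently receives only the IPv4 host bindings.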
VRF to SGT Bindings
The vrf keyword specifies a Virtual Routing and Forwarding table previously defined with the vrf
definition global configuration command. The configuration of VRF contexts is outside the scope of this
document. The IP-SGT binding specified with the cts role-based sgt-map vrf global configuration
command is entered into the IP-SGT table associated with the specified VRF, for the IP protocol version
implied by the type of address entered; bindings in the global table or in other VRFs are unaffected.
VLAN to SGT Mapping
The cts role-based sgt-map vlan-list command binds an SGT with a specified VLAN or a set of
VLANs. The keyword all is equivalent to the full range of VLANs supported by the switch and is not
preserved in the nonvolatile generation (NVGEN) process. The specified SGT is bound to incoming
packets received in any of the specified VLANs.
Layer 3 Interface Mapping (L3IF)
The cts role-based sgt-map interface command binds a specified Layer 3 logical interface to a security
group name or to an SGT. A security group information table that maps SGTs to security group names
is downloaded from the authentication server with the TrustSec environment data. The cts role-based
sgt-map interface security-group command is rejected if a security group name table is not available.
Whenever a security group table is downloaded for the first time or refreshed, all L3IF mappings are
reprocessed. IP–SGT bindings are added, updated, or deleted for all network prefixes that have output
paths through the specified interface.
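The following configuration is an added example and is not taken from the Cisco guide. It covers the VRF, VLAN and Layer 3 interface forms of the command described in the three sections above, with the checks a practitioner would run before and after. The VRF name, VLAN IDs, interface, addresses, security group name and SGT values are hypothetical.

```ios
! Added example, not Cisco documentation. Values are hypothetical.
!
! VRF bindings. The entries land in the IP-SGT table of CUSTOMER-A only; the
! protocol version is implied by the address form, so no keyword selects it.
vrf definition CUSTOMER-A
 address-family ipv4
 exit-address-family
!
cts role-based sgt-map vrf CUSTOMER-A host 10.1.40.25 sgt 40
cts role-based sgt-map vrf CUSTOMER-A 10.1.41.0/24 sgt 41
!
! VLAN mapping. Every packet arriving on VLANs 100-110 or 200 is classified
! with SGT 50. The keyword all would also be accepted, but NVGEN does not
! preserve it, so it is stored as the expanded VLAN range instead.
cts role-based sgt-map vlan-list 100-110,200 sgt 50
!
! Layer 3 interface mapping by security group name. This form is rejected
! until the security group name table has been downloaded with the
! environment data, so confirm the table exists first (see the show command
! below) or bind by SGT number, which has no such dependency.
interface GigabitEthernet1/1
 no switchport
 ip address 192.0.2.1 255.255.255.0
 exit
cts role-based sgt-map interface GigabitEthernet1/1 security-group Servers
! Equivalent mapping by number:
! cts role-based sgt-map interface GigabitEthernet1/1 sgt 60
!
! Verification (exec mode)
show cts environment-data
show cts role-based sgt-map all
```

The environment-data output shows whether a security group name table is present and when it was last refreshed; remember that every refresh reprocesses all L3IF mappings, so prefixes whose output path changes to or from GigabitEthernet1/1 gain or lose their SGT binding at that point, not only when the interface is configured.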
Binding Source Priorities
OL-22192-01
Cisco TrustSec Configuration Guide
cts role-based
7-31
