Cisco TrustSec Configuration Manual page 154

propagate (cts manual interface configuration submode)
propagate (cts manual interface configuration submode)
To enable and disable an interface's ability to propagate a Security Group Tag on a interface, use the cts
propagate cts interface manual configuration submode command.
Syntax Description sgt
Defaults
.Default is to propagate the SGT.
Command Modes CTS manual interface configuration submode (config-if-cts-manual)
Supported User Roles Administrator
Command History Release
12.2(50) SY
Usage Guidelines Security Group Tag propagation is enabled by default in both CTS dot1x and CTS manual modes. To
disable SGT processing, enter the no propagate sgt command. To re-enable, enter propagate sgt. Only
the no propagate sgt state is saved when issuing a CLI command that invokes the nonvolatile generation
(NVGEN) process (for example, copy system running-config).
A TrustSec-capable interface can support MACsec (Layer2 802.1AE security) and SGT tagging. A
TrustSec-capable interface attempts to negotiate the most secure mode with its peer. The peer may be
capable of MACsec but not capable of SGT processing. In a manual CTS interface configuration, disable
the SGT propagation on the CTS-capable interface if you are only implementing the MACsec feature.
Examples The following example disables SGT tagging on a manually-configured TrustSec-capable interface:
router(config-if)# cts manual
router(config-if-cts-manual)# sap pmk FFFE
router(config-if-cts-manual)# no propagate sgt
router(config-if-cts-manual)# exit
router(config-if)# exit
router(config)# exit
router# show running-config
. . .
interface GigabitEthernet6/2
ip address 172.16.4.12 255.255.255.0
cts manual
no propagate sgt
sap pmk 000000000000000000000000000000000000000000000000000000000000FFFE
. . .
Cisco TrustSec Configuration Guide
7-68
[no] propagate sgt
Specifies the Security Group Tag
Modification
This command was introduced on the Catalyst 6500 Series Switches.
Chapter 7 Cisco TrustSec Command Summary
OL-22192-01