Configuration Examples For Manual Mode And Macsec On An Uplink Port - Cisco TrustSec Configuration Manual

Chapter 3      Configuring Identities, Connections, and SGTs

Configuring Cisco TrustSec and MACsec in Manual Mode on an Uplink Port

         Command                          Purpose
Step 9   Router(config-if)# no shutdown   Enables the interface and enables Cisco TrustSec
                                          authentication on the interface.
Step 10  Router(config-if)# exit          Exits interface configuration mode.

Identity Port Mapping (IPM) configures a physical port such that a single SGT is imposed on all traffic entering the port; this SGT is applied on all IP traffic exiting the port until a new binding is learned. IPM is configured as follows:

- CTS Manual interface configuration mode with the policy static sgt tag command
- CTS Manual interface configuration mode with the policy dynamic identity peer-name command, where peer-name is designated as non-trusted in the Cisco ACS or Cisco ISE configuration.

IPM is supported for the following ports:

- Routed ports
- Switchports in access mode
- Switchports in trunk mode

When manually configuring Cisco TrustSec on an interface, consider these usage guidelines and restrictions:

- If no SAP parameters are defined, no Cisco TrustSec encapsulation or encryption will be performed.
- If the selected SAP mode allows SGT insertion and an incoming packet carries no SGT, the tagging policy is as follows:
  - If the policy static command is configured, the packet is tagged with the SGT configured in the policy static command.
  - If the policy dynamic command is configured, the packet is not tagged.
- If the selected SAP mode allows SGT insertion and an incoming packet carries an SGT, the tagging policy is as follows:
  - If the policy static command is configured without the trusted keyword, the SGT is replaced with the SGT configured in the policy static command.
  - If the policy static command is configured with the trusted keyword, no change is made to the SGT.
  - If the policy dynamic command is configured and the authorization policy downloaded from the authentication server indicates that the packet source is untrusted, the SGT is replaced with the SGT specified by the downloaded policy.
  - If the policy dynamic command is configured and the downloaded policy indicates that the packet source is trusted, no change is made to the SGT.

Configuration Examples for Manual Mode and MACsec on an Uplink Port

Catalyst 6500 TrustSec interface configuration in manual mode:

    Router# configure terminal
    Router(config)# interface gi 2/1
    Router(config-if)# cts manual
    Router(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm null no-encap
    Router(config-if-cts-manual)# policy static sgt 111
    Router(config-if-cts-manual)# exit

Cisco TrustSec Configuration Guide
OL-22192-02
3-8
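The usage guidelines above for policy static and policy dynamic form a small decision table: which SGT a packet carries after ingress depends on the SAP mode, on whether the packet already carries an SGT, and on whether the source is trusted. The following Python model is an added illustration, not code from the Cisco TrustSec Configuration Guide, that encodes those rules so the outcome of a policy choice can be checked before an interface is configured. The assumption that the gcm and null SAP modes carry an SGT while no-encap (or no SAP parameters at all) carries none, and the class and function names (StaticPolicy, DynamicPolicy, TagDecision, ingress_sgt), are this example's own; the SGT values 7 and 5 in the sample cases are constructed.

```python
"""Model of the Cisco TrustSec manual-mode ingress SGT tagging rules.

Added illustration; not code from the Cisco TrustSec Configuration Guide.
It encodes the usage guidelines for 'policy static' / 'policy dynamic'
so the resulting SGT for a packet can be checked for a given SAP mode.
"""
from dataclasses import dataclass
from typing import Optional, Union

# Assumption of this example: the gcm and null SAP modes carry the Cisco
# Meta Data header (and therefore an SGT); no-encap carries no SGT at all.
# When no SAP parameters are defined, no encapsulation is performed, which
# this model treats the same way as no-encap (sap_mode=None).
SAP_MODES_WITH_SGT = frozenset({"gcm", "null"})


@dataclass(frozen=True)
class StaticPolicy:
    """policy static sgt <tag> [trusted]"""
    sgt: int
    trusted: bool = False


@dataclass(frozen=True)
class DynamicPolicy:
    """policy dynamic identity <peer-name>; trust and SGT come from ACS/ISE."""
    peer_trusted: bool
    downloaded_sgt: Optional[int] = None  # SGT from the downloaded authorization policy


Policy = Union[StaticPolicy, DynamicPolicy]


@dataclass(frozen=True)
class TagDecision:
    sgt: Optional[int]  # SGT the packet carries after ingress; None means untagged
    action: str         # no-insertion, tagged, untagged, replaced, or preserved


def ingress_sgt(sap_mode: Optional[str], incoming_sgt: Optional[int],
                policy: Policy) -> TagDecision:
    """Apply the manual-mode tagging rules to one ingress packet."""
    # Rule 1: without an SGT-carrying SAP mode the port neither inserts
    # nor rewrites an SGT (no Cisco TrustSec encapsulation is performed).
    if sap_mode not in SAP_MODES_WITH_SGT:
        return TagDecision(incoming_sgt, "no-insertion")

    # Rule 2: the packet arrives without an SGT.
    if incoming_sgt is None:
        if isinstance(policy, StaticPolicy):
            return TagDecision(policy.sgt, "tagged")
        return TagDecision(None, "untagged")  # policy dynamic leaves it untagged

    # Rule 3: the packet arrives already carrying an SGT.
    if isinstance(policy, StaticPolicy):
        if policy.trusted:
            return TagDecision(incoming_sgt, "preserved")
        return TagDecision(policy.sgt, "replaced")

    if policy.peer_trusted:
        return TagDecision(incoming_sgt, "preserved")
    # Untrusted peer: the downloaded policy's SGT overrides whatever the peer sent.
    return TagDecision(policy.downloaded_sgt, "replaced")


def explain(sap_mode: Optional[str], incoming_sgt: Optional[int], policy: Policy) -> str:
    """One-line, human-readable summary of a tagging decision."""
    d = ingress_sgt(sap_mode, incoming_sgt, policy)
    return f"mode={sap_mode!s:<9} in={incoming_sgt!s:<5} {policy!r:<48} -> {d.action:<12} sgt={d.sgt}"


if __name__ == "__main__":
    # Constructed cases: the page's example uses 'policy static sgt 111' with
    # mode-list 'gcm null no-encap'; 7 and 5 are made-up peer/ISE SGT values.
    cases = [
        ("gcm", None, StaticPolicy(111)),
        ("gcm", 7, StaticPolicy(111)),
        ("gcm", 7, StaticPolicy(111, trusted=True)),
        ("null", None, DynamicPolicy(peer_trusted=False, downloaded_sgt=5)),
        ("null", 7, DynamicPolicy(peer_trusted=False, downloaded_sgt=5)),
        ("null", 7, DynamicPolicy(peer_trusted=True)),
        ("no-encap", 7, StaticPolicy(111)),
    ]
    for case in cases:
        print(explain(*case))
```

The point the model makes visible is that policy static without the trusted keyword overwrites any SGT a peer sends, while the trusted keyword (or a peer marked trusted in ACS/ISE under policy dynamic) lets the peer's SGT through unchanged, so the trust setting on an uplink decides whether the neighbouring device can assert group membership into this switch.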