Verifying Subnet To Sgt Mapping Configuration; Configuration Examples For Subnet To Sgt Mapping - Cisco TrustSec Configuration Manual

Chapter 3
Configuring Identities, Connections, and SGTs

Verifying Subnet to SGT Mapping Configuration

To display Subnet to SGT Mapping configuration information, perform one of the following tasks:

| Command | Purpose |
| --- | --- |
| show cts sxp connections | Displays the SXP speaker and listener connections with their operational status. |
| show cts sxp sgt-map | Displays the IP to SGT bindings exported to the SXP listeners. |
| show running-config | Verifies that the Subnet to SGT configuration commands are in the running configuration file. |

For detailed information about the fields in the output from these commands, refer to Chapter 7, "Cisco TrustSec Command Summary."

Configuration Examples for Subnet to SGT Mapping

The following example shows how to configure IPv4 Subnet to SGT Mapping between two Catalyst 6500 series switches running SXPv3 (Switch1 and Switch2):

Step 1  Configure SXP speaker/listener peering between Switch1 (1.1.1.1) and Switch2 (2.2.2.2).
Switch1# config t
Switch1(config)# cts sxp enable
Switch1(config)# cts sxp default source-ip 1.1.1.1
Switch1(config)# cts sxp default password 1syzygy1
Switch1(config)# cts sxp connection peer 2.2.2.2 password default mode local speaker

Step 2  Configure Switch2 as SXP listener of Switch1.
Switch2(config)# cts sxp enable
Switch2(config)# cts sxp default source-ip 2.2.2.2
Switch2(config)# cts sxp default password 1syzygy1
Switch2(config)# cts sxp connection peer 1.1.1.1 password default mode local listener

Step 3  On Switch2, verify that the SXP connection is operating:
Switch2# show cts sxp connections brief | include 1.1.1.1
1.1.1.1    2.2.2.2    On    3:22:23:18 (dd:hr:mm:sec)

Step 4  Configure the subnetworks to be expanded on Switch1.
Switch1(config)# cts sxp mapping network-map 10000
Switch1(config)# cts role-based sgt-map 10.10.10.0/30 sgt 101
Switch1(config)# cts role-based sgt-map 11.11.11.0/29 sgt 11111
Switch1(config)# cts role-based sgt-map 192.168.1.0/28 sgt 65000

Step 5  On Switch2, verify the subnet to SGT expansion from Switch1. There should be two expansions for the 10.10.10.0/30 subnetwork, six expansions for the 11.11.11.0/29 subnetwork, and 14 expansions for the 192.168.1.0/28 subnetwork.
Switch2# show cts sxp sgt-map brief | include 101|11111|65000
IPv4,SGT: <10.10.10.1 , 101>
IPv4,SGT: <10.10.10.2 , 101>
IPv4,SGT: <11.11.11.1 , 11111>
IPv4,SGT: <11.11.11.2 , 11111>

Cisco TrustSec Configuration Guide, OL-22192-02
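The expansion counts given in Step 5 can be checked mechanically. The following is an added example, not part of the Cisco guide: it expands the Step 4 subnets into usable host addresses and compares them with the bindings a listener reports. The listener lines are constructed sample data, and treating the network-map value as a cap on expanded hosts is an assumption the page does not spell out.

```python
import ipaddress
import re

# Step 4 commands as shown on the page (prompts stripped).
SPEAKER_CONFIG = """\
cts sxp mapping network-map 10000
cts role-based sgt-map 10.10.10.0/30 sgt 101
cts role-based sgt-map 11.11.11.0/29 sgt 11111
cts role-based sgt-map 192.168.1.0/28 sgt 65000
"""
# Constructed listener output in the page's "IPv4,SGT: <ip , sgt>" format:
# 10.10.10.2 is left out and 11.11.11.9 lies outside the configured /29.
LISTENER_OUTPUT = """\
IPv4,SGT: <10.10.10.1 , 101>
IPv4,SGT: <11.11.11.1 , 11111>
IPv4,SGT: <11.11.11.9 , 11111>
"""
MAP_RE = re.compile(r"cts role-based sgt-map (\S+/\d+) sgt (\d+)")
LIMIT_RE = re.compile(r"cts sxp mapping network-map (\d+)")
BIND_RE = re.compile(r"IPv4,SGT:\s*<\s*(\S+)\s*,\s*(\d+)\s*>")

def expansions(config):
    """Return {subnet: {host_ip: sgt}} using only usable host addresses."""
    return {net: {str(h): int(sgt) for h in ipaddress.ip_network(net).hosts()}
            for net, sgt in MAP_RE.findall(config)}

def audit(config, listener_output):
    """Compare the bindings a listener reports with the expected expansion."""
    expected = {ip: sgt for hosts in expansions(config).values()
                for ip, sgt in hosts.items()}
    learned = {ip: int(sgt) for ip, sgt in BIND_RE.findall(listener_output)}
    limit = LIMIT_RE.search(config)
    by_ip = ipaddress.ip_address
    return {
        # Expected bindings the listener lacks or reports with another SGT.
        "missing": sorted((ip for ip, s in expected.items()
                           if learned.get(ip) != s), key=by_ip),
        # Bindings no configured subnet accounts for (or with a wrong SGT).
        "unexpected": sorted((ip for ip, s in learned.items()
                              if expected.get(ip) != s), key=by_ip),
        # Assumption: the network-map value caps the expanded host count.
        "over_limit": limit is not None and len(expected) > int(limit.group(1)),
    }

if __name__ == "__main__":
    for net, hosts in expansions(SPEAKER_CONFIG).items():
        print(net, len(hosts), "expansions")
    print(audit(SPEAKER_CONFIG, LISTENER_OUTPUT))
```

A host listed under "missing" has no matching IP to SGT binding on the listener, so it is worth resolving before relying on SGT-based policy for that address.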
