Layer 3 Logical Interface to SGT Mapping (L3IF-SGT Mapping) - Cisco TrustSec Configuration Manual


Manually Configuring IP-Address-to-SGT Mapping
Step 4
Create an SVI as the gateway for incoming VLAN 100.
TS_switch(config)# interface vlan 100
TS_switch(config-if)# ip address 10.1.1.2 255.0.0.0
TS_switch(config-if)# no shutdown
TS_switch(config-if)# end
TS_switch(config)#
Step 5
Assign Security Group Tag (SGT) 10 to hosts on VLAN 100.
TS_switch(config)# cts role-based sgt-map vlan 100 sgt 10
Step 6
Enable IP Device Tracking on the TrustSec switch. Verify that it is operating.
TS_switch(config)# ip device tracking
TS_switch# show ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 100
---------------------------------------------------------------------
IP Address     MAC Address     Vlan     Interface     STATE
---------------------------------------------------------------------
Total number interfaces enabled: 1
Vlan100
Step 7
(Optional). PING the default gateway from an endpoint (in this example, host IP Address 10.1.1.1).
Verify that SGT 10 is being mapped to VLAN 100 hosts.
TS_switch# show cts role-based sgt-map all
Active IP-SGT Bindings Information
IP Address     SGT     Source
============================================
10.1.1.1       10      VLAN
IP-SGT Active Bindings Summary
============================================
Total number of VLAN bindings = 1
Total number of CLI bindings = 0
Total number of active bindings = 1

Layer 3 Logical Interface to SGT Mapping (L3IF–SGT Mapping)
L3IF-SGT mapping can directly map SGTs to traffic of any of the following Layer 3 interfaces regardless of the underlying physical interface:
Routed port
SVI (VLAN interface)
Layer3 subinterface of a Layer2 port
Tunnel interface

Chapter 3 Configuring Identities, Connections, and SGTs
Cisco TrustSec Configuration Guide
OL-22192-02
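
One way to automate the Step 7 verification, added here as an example and not taken from the Cisco guide: it parses show cts role-based sgt-map all output and reports hosts in the VLAN 100 subnet whose tag or source is not SGT 10 via VLAN, summary counts that disagree with the table, and a table with no learned hosts. The function names and the second sample row are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the Step 7 layout; the CLI row is added to trip a check.
SAMPLE = """\
Active IP-SGT Bindings Information
IP Address      SGT     Source
============================================
10.1.1.1        10      VLAN
10.1.1.7        20      CLI
IP-SGT Active Bindings Summary
============================================
Total number of VLAN     bindings = 1
Total number of CLI      bindings = 1
Total number of active   bindings = 2
"""

ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s*$")
TOTAL = re.compile(r"^Total number of (\S+)\s+bindings = (\d+)\s*$")

def parse_sgt_map(text):
    """Return (bindings, totals) parsed from the show-command text."""
    bindings, totals = [], {}
    for line in text.splitlines():
        if m := ROW.match(line):
            bindings.append((ipaddress.ip_address(m[1]), int(m[2]), m[3]))
        elif m := TOTAL.match(line):
            totals[m[1]] = int(m[2])
    return bindings, totals

def audit(text, subnet, want_sgt, want_source="VLAN"):
    """Return findings: unexpected tag or source, summary mismatch, no hosts."""
    bindings, totals = parse_sgt_map(text)
    net = ipaddress.ip_network(subnet, strict=False)
    findings = []
    for ip, sgt, source in bindings:
        if ip in net and (sgt, source) != (want_sgt, want_source):
            findings.append(f"{ip}: SGT {sgt} via {source}, want {want_sgt} via {want_source}")
    for source, count in totals.items():
        rows = [b for b in bindings if source in ("active", b[2])]
        if len(rows) != count:
            findings.append(f"summary: {count} {source} bindings, table has {len(rows)}")
    if not any(ip in net for ip, _, _ in bindings):
        findings.append(f"no bindings learned in {net}")
    return findings

if __name__ == "__main__":
    # Step 4 SVI address and mask, Step 5 tag.
    print("\n".join(audit(SAMPLE, "10.1.1.2/255.0.0.0", 10)))
```

An empty result means every learned host in the subnet carries the intended tag; the "no bindings learned" finding corresponds to the case the optional ping in Step 7 addresses, where IP device tracking has not yet seen the endpoint.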
