Table of Contents
Advertisement
Chapter 3
Configuring Identities, Connections, and SGTs
Use the cts role-based sgt-map interface global configuration command to specify either a specific
SGT number, or a Security Group Name (whose SGT association is dynamically acquired from a Cisco
ISE or a Cisco ACS access server).
In cases where Identity Port Mapping (cts interface manual sub mode configuration) and L3IF-SGT
require different IP to SGT bindings, IPM takes precedence. All other conflicts among IP to SGT binding
are resolved according to the priorities listing in the
Feature History for L3IF-SGT Mapping
Default Settings
There are no default settings.
Configuring L3IF to SGT Mapping
Detailed steps Catalyst 6500
Command
Step 1
Router# configure terminal
Step 2
Router(config)# cts role-based sgt-map
interface type slot/port [security-group
name | sgt number]
Router(config)# cts role-based sgt-map
interface gigabitEthernet 1/1 sgt 77
Step 3
Router(config)# exit
Step 4
Router# show cts role-based sgt-map all
Verifying L3IF to SGT Mapping
To display L3IF to SGT configuration information, use the following show commands:
Command
show cts role-based sgt-map all
OL-22192-02
Manually Configuring IP-Address-to-SGT Mapping
"Binding Source Priorities" section on page
Purpose
Enters global configuration mode.
An SGT is imposed on ingress traffic to the specified
interface.
interface type slot/port—Displays list of
•
available interfaces.
security-group name— Security Group name to
•
SGT pairings are configured on the Cisco ISE or
Cisco ACS.
•
sgt number—(0 to 65,535). Specifies the Security
Group Tag (SGT) number.
Exits configuration mode.
Verify that ingressing traffic is tagged with the
specified SGT.
Purpose
Displays all IP address to SGT bindings.
Cisco TrustSec Configuration Guide
3-22.
3-21
Hide quick links:
Advertisement
Table of Contents
