Configuring Cisco Trustsec Reflector For Cisco Trustsec-Incapable Switching Modules - Cisco TrustSec Configuration Manual

Traffic and exception policies can be downloaded from the authentication server (if supported by your Cisco IOS Release) or manually configured on the device. The policies will be applied based on these rules:

- If a traffic policy or an exception policy is downloaded from the authentication server, it will take precedence over any manually configured traffic or exception policy.
- If the authentication server is not available but both a traffic policy and an exception policy have been manually configured, the manually configured policies will be used.
- If the authentication server is not available but a traffic policy has been configured with no exception policy, no exception policy is applied. Cisco TrustSec Layer 3 encapsulation will be applied on the interface based on the traffic policy.
- If the authentication server is not available and no traffic policy has been manually configured, no Cisco TrustSec Layer 3 encapsulation will be performed on the interface.

This example shows how to configure Layer 3 SGT Transport to a remote Cisco TrustSec domain (the traffic policy must name the ACL defined above it, traffic-list):

Router# configure terminal
Router(config)# ip access-list extended traffic-list
Router(config-ext-nacl)# permit ip any 10.1.1.0 0.0.0.255
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended exception-list
Router(config-ext-nacl)# permit ip any 10.2.2.0 0.0.0.255
Router(config-ext-nacl)# exit
Router(config)# cts policy layer3 ipv4 traffic traffic-list
Router(config)# cts policy layer3 ipv4 exception exception-list
Router(config)# interface gi2/1
Router(config-if)# cts layer3 trustsec ipv4 forwarding
Router(config-if)# shutdown
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# exit

Configuring Cisco TrustSec Reflector for Cisco TrustSec-Incapable Switching Modules

Note: The Cisco TrustSec supervisor ingress reflector and the Cisco TrustSec egress reflector are mutually exclusive. Do not enable both functions. The egress reflector should be disabled when ERSPAN is configured.

To configure the Cisco TrustSec supervisor ingress reflector function, perform this task.

Detailed Steps for Catalyst 6500

Step    Command                                      Purpose
Step 1  Router# configure terminal                   Enters configuration mode.
Step 2  Router(config)# [no] platform cts ingress    Activates the Cisco TrustSec supervisor ingress reflector.

Cisco TrustSec Configuration Guide, OL-22192-01, Chapter 4: Configuring SGT Exchange Protocol over TCP (SXP) and Layer 3 Transport, page 4-8
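As an added example (not part of the Cisco guide), a small Python audit that reads a constructed running-config excerpt and flags the mistakes this page warns about: a cts layer3 policy naming an ACL that is never defined, both reflectors enabled at once, and the egress reflector left on while ERSPAN is configured; it also encodes the traffic/exception precedence rules as a lookup. The command `platform cts egress` and the `monitor session ... type erspan-source` syntax are assumptions, since the page itself shows only `platform cts ingress`.

```python
import re

# Constructed running-config excerpt (not from a real device); it deliberately holds the
# mistakes the audit catches. "platform cts egress" and the ERSPAN syntax are assumed.
SAMPLE_CONFIG = """\
ip access-list extended traffic-list
 permit ip any 10.1.1.0 0.0.0.255
ip access-list extended exception-list
 permit ip any 10.2.2.0 0.0.0.255
cts policy layer3 ipv4 traffic traffic-sgt
cts policy layer3 ipv4 exception exception-list
platform cts ingress
platform cts egress
monitor session 1 type erspan-source
interface GigabitEthernet2/1
 cts layer3 trustsec ipv4 forwarding
"""

def audit_cts_config(config):
    """Return findings for the Layer 3 SGT transport and reflector settings."""
    lines = [line.rstrip() for line in config.splitlines()]
    acls = {m.group(1) for line in lines
            if (m := re.match(r"ip access-list extended (\S+)$", line))}
    findings = []
    # Every cts layer3 policy must name an ACL that is actually defined.
    for line in lines:
        m = re.match(r"cts policy layer3 ipv4 (traffic|exception) (\S+)$", line)
        if m and m.group(2) not in acls:
            findings.append(f"{m.group(1)} policy references undefined ACL '{m.group(2)}'")
    ingress = "platform cts ingress" in lines
    egress = "platform cts egress" in lines
    erspan = any(re.match(r"monitor session \d+ type erspan-", line) for line in lines)
    if ingress and egress:
        findings.append("ingress and egress reflectors are both enabled (mutually exclusive)")
    if egress and erspan:
        findings.append("egress reflector enabled while ERSPAN is configured")
    return findings

def effective_l3_policy(downloaded, manual):
    """downloaded/manual are (traffic_acl, exception_acl) tuples, None where absent
    (an unreachable server gives downloaded == (None, None)). A downloaded policy wins
    over a manual one of the same kind; with no traffic policy at all, no Layer 3
    encapsulation is applied on the interface."""
    traffic = downloaded[0] or manual[0]
    exception = downloaded[1] or manual[1]
    return {"encapsulate": traffic is not None, "traffic": traffic, "exception": exception}
```

Running `audit_cts_config(SAMPLE_CONFIG)` on the constructed excerpt reports all three problems; fixing the ACL name and removing the egress reflector line brings it back to an empty list.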