Manually Configuring SGACL Policies; Manually Configuring and Applying IPv4 SGACL Policies - Cisco TrustSec Configuration Manual

Manually Configuring SGACL Policies

A role-based access control list bound to a range of SGTs and DGTs forms an SGACL, a TrustSec policy enforced on egress traffic. Configuration of SGACL policies is best done through the policy management functions of the Cisco ISE or the Cisco Secure ACS. To manually (that is, locally) configure SGACL policies, do the following:

1. Configure a role-based ACL.
2. Bind the role-based ACL to a range of SGTs.

Note: An SGACL policy downloaded dynamically from the Cisco ISE or Cisco ACS overrides any conflicting manually configured policy.

Manually Configuring and Applying IPv4 SGACL Policies

Detailed Steps for Catalyst 3850

Step 1
Command: Router# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: ip access-list role-based rbacl-name
Example:
Switch(config)# ip access-list role-based allow_webtraff
Purpose: Creates a Role-based ACL and enters Role-based ACL configuration mode.

Step 3
Command: {[sequence-number] | default | permit | deny | remark}
Example:
Switch(config-rb-acl)# 10 permit tcp dst eq 80 dst eq 20
Purpose: Specifies the access control entries (ACEs) for the RBACL. You can use most of the commands and options allowed in extended named access list configuration mode, with the source and destination fields omitted. Press Enter to complete an ACE and begin the next. For full explanations of ACL configuration, keywords, and options, see Security Configuration Guide: Access Control Lists, Cisco IOS XE Release 3S.
The following ACE commands or keywords are not supported:
reflect
evaluate
time-range

Step 4
Command: Switch(config-rb-acl)# exit
Purpose: Exits to global configuration mode.

Cisco TrustSec Switch Configuration Guide, Chapter 5 Configuring SGACL Policies, page 5-4, OL-22192-02
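The two-part procedure above (create the RBACL, then bind it to an SGT/DGT pair), written out as one added example session; it is not taken from the guide. The SGT value 10, DGT value 20 and the port set are assumed placeholders, and the cts role-based permissions and cts role-based enforcement commands come from the wider IOS TrustSec command set rather than from this page.

```cisco
! Added example, not from the Cisco guide. Assumes source SGT 10 and
! destination SGT 20 are placeholders chosen for illustration.
configure terminal
 ! Step 1: create the role-based ACL (source/destination fields are omitted
 ! in RBACL ACEs; only protocol and port matching is written).
 ip access-list role-based allow_webtraff
  remark Web traffic only from SGT 10 to SGT 20
  10 permit tcp dst eq 80
  20 permit tcp dst eq 443
  ! Explicit catch-all so the intended deny is visible in the running config.
  30 deny ip
 exit
 ! Step 2: bind the RBACL to the SGT/DGT pair (command is from the IOS
 ! TrustSec command set and is not shown on this page).
 cts role-based permissions from 10 to 20 allow_webtraff
 ! Egress SGACLs are only applied once enforcement is switched on.
 cts role-based enforcement
end
! Verification: confirm the locally configured binding is present. A policy
! pushed from ISE/ACS for the same SGT/DGT pair would override it.
show cts role-based permissions
```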
