Displaying Sgacl Policies - Cisco TrustSec Configuration Manual

Displaying SGACL Policies

Displaying SGACL Policies
After configuring the Cisco TrustSec device credentials and AAA, you can verify the Cisco TrustSec
SGACL policies downloaded from the authentication server or configured manually. Cisco TrustSec
downloads the SGACL policies when it learns of a new SGT through authentication and authorization
on an interface, from SXP, or from manual IP address to SGT mapping.
To display the contents of the SGACL policies permissions matrix, perform this task:
Detailed Steps for Catalyst 6500
Command
Step 1
Router# show cts role-based permissions
default [ipv4 | ipv6 | details]
Router# show cts role-based permissions
[from {source-sgt | unknown}] [to {dest-sg
| unknown}] [ipv4 | ipv6] [details]
Using the keywords, you can display all or part of the permissions matrix:
•
•
•
•
This example shows how to display the content of the SGACL policies permissions matrix for traffic
sourced from security group 3:
Router# show cts role-based permissions from 3
Role-based permissions from group 3 to group 5:
Role-based permissions from group 3 to group 7:
Cisco TrustSec Switch Configuration Guide
5-6
If the from keyword is omitted, a column from the permissions matrix is displayed.
If the to keyword is omitted, a row from the permissions matrix is displayed.
If the from and to keywords are omitted, the entire permissions matrix is displayed.
If the from and to keywords are specified, a single cell from the permissions matrix is displayed and
the details keyword is available. When details is entered, the ACEs of the SGACL of the single cell
are displayed.
SRB3
SRB5
SRB4
Chapter 5
Purpose
Displays the list of SGACL of the default policy.
Displays the contents of the permissions matrix,
including SGACLs downloaded from the
authentication server and manually configured on
the switch.
Configuring SGACL Policies
OL-22192-02