09-19-2017 11:33 PM - edited 02-21-2020 10:34 AM
Hi,
I would like to implement Cisco TrustSec on a Catalyst 6500 Series Supervisor Engine 2T to control access between the PCI systems and non-PCI systems in the same subnet/VLAN.
Question: Can you configure classification/propagation/enforcement in a single device?
Please refer to attached diagram.
Regards,
Eric
09-23-2017 03:00 AM
I don't have a 6500 to verify this configuration, but the following commands work on a CSR with Loopback interfaces. Note the ACL below is not a standard/extended ACL but rather a role-based ACL.
! Role-based ACL (SGACL) whose only entry denies all IP traffic
ip access-list role-based DENY
 deny ip
! Static IP-to-SGT bindings (classification without ISE)
cts role-based sgt-map 192.168.1.10 sgt 10
cts role-based sgt-map 192.168.1.20 sgt 20
cts role-based sgt-map 192.168.1.30 sgt 30
! Permission matrix cells: source SGT -> destination SGT -> SGACL to apply
cts role-based permissions from 10 to 20 DENY
cts role-based permissions from 10 to 30 DENY
! Turn on SGACL enforcement
cts role-based enforcement
Use the commands "show cts role-based counters" to verify hits increase for denies.
Any traffic not explicitly denied is permitted.
I'd suggest obviously to test the commands in the lab before implementing in production.
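An added example, not part of the thread and not Cisco code: a small Python model of how the static configuration above is evaluated, useful for sanity-checking a matrix before it goes on a device. It assumes only "permit ip" / "deny ip" entries in the SGACL, treats hosts without a binding as SGT 0 (unknown), and evaluates each packet direction on its own without any connection tracking; the CLI text is a constructed copy of the answer's commands.

```python
import ipaddress
import re

# Constructed copy of the CLI from the accepted answer (typed here, not a device export).
CONFIG = """
ip access-list role-based DENY
 deny ip
cts role-based sgt-map 192.168.1.10 sgt 10
cts role-based sgt-map 192.168.1.20 sgt 20
cts role-based sgt-map 192.168.1.30 sgt 30
cts role-based permissions from 10 to 20 DENY
cts role-based permissions from 10 to 30 DENY
cts role-based enforcement
"""

def parse_config(text):
    """Return (ip->sgt bindings, acl name->action, (src,dst) sgt->acl name, enforcement on)."""
    bindings, acls, matrix, enforce, current = {}, {}, {}, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list role-based (\S+)$", line):
            current = m.group(1)
        elif current and line in ("permit ip", "deny ip"):  # only 'any IP' ACEs are modelled
            acls[current] = line.split()[0]
        elif m := re.match(r"cts role-based sgt-map (\S+) sgt (\d+)$", line):
            bindings[ipaddress.ip_address(m.group(1))], current = int(m.group(2)), None
        elif m := re.match(r"cts role-based permissions from (\d+) to (\d+) (\S+)$", line):
            matrix[(int(m.group(1)), int(m.group(2)))], current = m.group(3), None
        elif line == "cts role-based enforcement":
            enforce, current = True, None
    return bindings, acls, matrix, enforce

def decide(policy, src, dst):
    """Classify both endpoints, look up the matrix cell, apply its SGACL to one packet."""
    bindings, acls, matrix, enforce = policy
    if not enforce:
        return "permit"                      # no 'cts role-based enforcement' configured
    src_sgt = bindings.get(ipaddress.ip_address(src), 0)   # 0 = unknown / unmapped host
    dst_sgt = bindings.get(ipaddress.ip_address(dst), 0)
    acl = matrix.get((src_sgt, dst_sgt))
    if acl is None:
        return "permit"                      # empty cell: not explicitly denied, so permitted
    return acls[acl]                         # 'deny ip' -> deny, 'permit ip' -> permit

def asymmetric_cells(policy):
    """DENY cells with no cell for the reverse direction: packets that way fall into the implicit permit."""
    _, acls, matrix, _ = policy
    return sorted((s, d) for (s, d), acl in matrix.items()
                  if acls.get(acl) == "deny" and (d, s) not in matrix)
```

Call `decide(parse_config(CONFIG), src, dst)` for each flow you care about; `asymmetric_cells` lists matrix entries that only cover one direction, which is worth confirming as intended before trusting the matrix for PCI segmentation.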
09-21-2017 11:03 AM
Hi Eric,
Yes, I don't see why not. As long as the 6500 has the IP-to-SGT bindings and an SGACL, then yes, you can enforce. You'd probably want to confirm you are running a validated firmware as per the TrustSec matrix https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/platform-capability-matrix.pdf
HTH
09-21-2017 10:13 PM
Would you be able to share the configuration, please?
09-22-2017 11:46 AM - edited 09-22-2017 11:47 AM
Are you planning to use ISE to propagate the SGT Mappings/SGACL or are you just going to statically define them on the switch?
09-22-2017 06:44 PM
Hi
I am planning to configure it statically in the switch.
09-25-2017 02:07 AM
Thanks. It works on 6506 too.