cts role-based
TrustSec resolves conflicts among IP-SGT binding sources in the master binding database with a strict
priority scheme. For example, an SGT may also be applied to an interface with the
policy {dynamic identity peer-name | static sgt tag} cts interface command (Identity Port Mapping).
The current priority enforcement order, from lowest to highest, is as follows:
1. VLAN—Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured.
2. CLI—Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.
3. Layer 3 Interface (L3IF)—Bindings added due to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports.
4. SXP—Bindings learned from SXP peers.
5. IP_ARP—Bindings learned when tagged ARP packets are received on a CTS-capable link.
6. LOCAL—Bindings of authenticated hosts that are learned via EPM and device tracking. This type of binding also includes individual hosts that are learned via ARP snooping on L2 [I]PM configured ports.
7. INTERNAL—Bindings between locally configured IP addresses and the device's own SGT.
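The priority order above decides which SGT a host is actually enforced with when several sources disagree; in particular, a binding learned from an SXP peer outranks a static cts role-based sgt-map entry. The following Python model is an added illustration, not code from the Cisco guide; it assumes (as a modelling choice) that the master binding database retains every learned binding so that a lower-priority one takes over when the winner is withdrawn.

```python
# Added example: a model of how the TrustSec master binding database picks one
# SGT per IP from competing binding sources. Not Cisco code; the retention of
# superseded bindings is an assumption of this model.
from dataclasses import dataclass

# Binding sources in the order the guide lists them, lowest priority first.
PRIORITY = ["VLAN", "CLI", "L3IF", "SXP", "IP_ARP", "LOCAL", "INTERNAL"]
RANK = {src: i for i, src in enumerate(PRIORITY)}


@dataclass(frozen=True)
class Binding:
    ip: str
    sgt: int
    source: str


class MasterBindingDB:
    """One active binding per IP: the highest-ranked source that still holds one."""

    def __init__(self):
        self._learned = {}  # ip -> {source: sgt}

    def learn(self, b):
        if b.source not in RANK:
            raise ValueError(f"unknown binding source {b.source!r}")
        self._learned.setdefault(b.ip, {})[b.source] = b.sgt
        return self.active(b.ip)

    def withdraw(self, ip, source):
        # Removing the winning source lets the next-highest source resurface.
        self._learned.get(ip, {}).pop(source, None)
        return self.active(ip)

    def active(self, ip):
        srcs = self._learned.get(ip)
        if not srcs:
            return None
        best = max(srcs, key=RANK.__getitem__)
        return Binding(ip, srcs[best], best)


def demo():
    """Constructed scenario: a static CLI mapping, then an SXP peer advertises
    a different SGT for the same host, then the SXP binding is withdrawn."""
    db = MasterBindingDB()
    db.learn(Binding("10.1.1.5", 20, "CLI"))
    after_sxp = db.learn(Binding("10.1.1.5", 10, "SXP"))  # SXP outranks CLI
    after_withdraw = db.withdraw("10.1.1.5", "SXP")      # CLI entry is active again
    return after_sxp, after_withdraw
```

The practical consequence for a defender is that a locally configured static mapping does not protect a host's SGT from a conflicting advertisement received over SXP, so SXP peerings deserve the same trust review as any other policy source.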
L2 VRF Assignment
For the [no] cts role-based l2-vrf vrf-name vlan-list {vlan-list | all} global configuration command,
the vlan-list argument can be a single VLAN ID, a list of comma-separated VLAN IDs, or
hyphen-separated VLAN ID ranges.
The keyword all is equivalent to the full range of VLANs supported by the network device. The keyword
all is not preserved in the nonvolatile generation (NVGEN) process.
If the cts role-based l2-vrf command is issued more than once for the same VRF, each successive
command entered adds the specified VLAN IDs to the specified VRF.
The VRF assignments configured by the cts role-based l2-vrf command are active as long as a VLAN
remains a Layer 2 VLAN. The IP–SGT bindings learned while a VRF assignment is active are also added
to the Forwarding Information Base (FIB) table associated with the VRF and the IP protocol version. If
an SVI becomes active for a VLAN, the VRF to VLAN assignment becomes inactive and all the bindings
learned on the VLAN are moved to the FIB table associated with the SVI's VRF.
The VRF to VLAN assignment is retained even when the assignment becomes inactive. It is reactivated
when the SVI is removed or when the SVI IP address is deconfigured. When reactivated, the IP–SGT
bindings are moved back from the FIB table associated with the SVI's VRF to the FIB table associated
with the VRF assigned by the cts role-based l2-vrf command.
Role-based Enforcement
Use the [no] cts role-based enforcement command to globally enable or disable SGACL enforcement
for CTS-enabled Layer 3 interfaces in the system.
Note
The terms Role-based Access Control and Role-based ACLs that appear in the CTS CLI command
descriptions are equivalent to Security Group Access Control List (SGACL) in Cisco TrustSec
documentation.
VLAN Enforcement
Use the [no] cts role-based enforcement vlan-list {vlan-ids | all} command to enable or disable
SGACL enforcement for Layer 2 switched packets and for L3 switched packets on an SVI interface.
Cisco TrustSec Configuration Guide
7-32
Chapter 7
Cisco TrustSec Command Summary
OL-22192-01