policy (cts manual interface configuration submode)
• If the policy dynamic command is configured and the authorization policy downloaded from the
  authentication server indicates that the packet source is untrusted, the SGT is replaced with the SGT
  specified by the downloaded policy. The authorization policy can specify the peer's SGT, the peer's SGT
  assignment trust state, RBACLs for the associated peer SGT and an interface ACL.
• If the policy dynamic command is configured and the downloaded policy indicates that the packet
  source is trusted, no change is made to the SGT.
• For statically configured SGTs no RBACL is applied, but a traditional interface ACL can be configured
  separately for traffic filtering if required.

Examples

The following example applies an SGT 3 to incoming traffic from the peer, except for traffic already
tagged (the interface has no communication with a Cisco Secure ACS server):

Router# configure terminal
Router(config)# interface gi2/1
Router(config-if)# cts manual
Router(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm null no-encap
Router(config-if-cts-manual)# policy static sgt 3 trusted
Router(config-if-cts-manual)# exit
Router(config-if)# shutdown
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# exit
Router# show cts interface GigabitEthernet 2/1
Global Dot1x feature is Enabled
Interface GigabitEthernet2/1:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: "sap"
    Authorization Status:    SUCCEEDED
        Peer SGT:            3
        Peer SGT assignment: Trusted
    SAP Status:              SUCCEEDED
        Version:             1
        Configured pairwise ciphers:
            gcm-encrypt
            null
        Replay protection:      enabled
        Replay protection mode: STRICT
        Selected cipher:        gcm-encrypt
    Propagate SGT:           Enabled
    Cache Info:
        Cache applied to link : NONE
    Statistics:
        authc success:              0
        authc reject:               0
        authc failure:              0
        authc no response:          0
        authc logoff:               0
        sap success:                1
        sap fail:                   0

Cisco TrustSec Configuration Guide
7-64
Chapter 7
Cisco TrustSec Command Summary
OL-22192-01
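As an added example that is not part of the Cisco guide, the following Python script parses a captured show cts interface output like the one above and flags a manual link that honours SGTs already present on incoming frames from a peer that was never authenticated, or whose SAP negotiation ended in the null cipher; the field names are taken from the output, while the finding texts and the function names are my own.

```python
import re

# Constructed sample, copied from the show cts interface output in the
# example above (only the fields the audit needs are kept).
SAMPLE_OUTPUT = """\
Global Dot1x feature is Enabled
Interface GigabitEthernet2/1:
    CTS is enabled, mode:    MANUAL
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
    Authorization Status:    SUCCEEDED
        Peer SGT:            3
        Peer SGT assignment: Trusted
    SAP Status:              SUCCEEDED
        Selected cipher:        gcm-encrypt
"""

def parse_cts_interface(text):
    """Map each 'Interface X:' block to its 'Key: value' fields."""
    result, fields = {}, None
    for line in text.splitlines():
        m = re.match(r"^Interface (\S+):", line)
        if m:
            fields = result.setdefault(m.group(1), {})
            continue
        # "Key: value" lines; lines with no value (section headers) are skipped
        m = re.match(r"^\s*(.+?)\s*:\s+(\S.*)$", line)
        if m and fields is not None:
            fields[m.group(1)] = m.group(2).strip()
    return result

def audit_interface(fields):
    """Return review findings for one interface's parsed fields."""
    findings = []
    # policy static ... trusted on a manual link: tags already carried by
    # incoming frames are kept although the peer was never authenticated
    if (fields.get("CTS is enabled, mode") == "MANUAL"
            and fields.get("Authentication Status") == "NOT APPLICABLE"
            and fields.get("Peer SGT assignment") == "Trusted"):
        findings.append("manual link trusts peer-supplied SGTs without authentication")
    if fields.get("SAP Status") != "SUCCEEDED":
        findings.append("SAP status is %s" % fields.get("SAP Status", "absent"))
    elif fields.get("Selected cipher") == "null":
        findings.append("SAP negotiated the null cipher: SGT frames are not encrypted")
    return findings

def audit_show_output(text):
    """Audit every interface found in a show cts interface capture."""
    return {name: audit_interface(f) for name, f in parse_cts_interface(text).items()}
```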