Chapter 4
Configuring SGT Exchange Protocol over TCP (SXP) and Layer 3 Transport
Configuring Layer 3 SGT Transport Between Cisco TrustSec Domains

To configure Layer 3 SGT Transport, perform this task:

Detailed Steps for Catalyst 6500

Step 1
Command: Router# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Router(config)# [no] cts policy layer3 {ipv4 | ipv6} traffic acl-name
Purpose: (Optional) Specifies the fallback traffic policy to be applied when the authentication server is not available for downloading the traffic policy.
• acl-name—The name of a traditional interface ACL already configured on the device.
See the additional usage notes following this task.

Step 3
Command: Router(config)# [no] cts policy layer3 {ipv4 | ipv6} exception acl-name
Purpose: (Optional) Specifies the fallback exception policy to be applied when the authentication server is not available for downloading the exception policy.
See the additional usage notes following this task.

Step 4
Command: Router(config)# interface type slot/port
Purpose: Specifies an interface and enters interface configuration mode.

Step 5
Command: Router(config-if)# [no] cts layer3 {ipv4 | ipv6} trustsec forwarding
Purpose: (Configured on a Cisco TrustSec-capable physical port) Specifies that egress traffic on this interface will use Cisco TrustSec Layer 3 SGT transport encapsulation as determined by the traffic and exception policies.
Command: Router(config-if)# [no] cts layer3 {ipv4 | ipv6} policy
Purpose: (Configured on a routed port or SVI) Specifies that egress traffic on this interface will use Cisco TrustSec Layer 3 SGT transport encapsulation as determined by the traffic and exception policies.

Step 6
Command: Router(config-if)# end
Router(config)# end
Purpose: Exits interface configuration and global configuration modes.

Step 7
Command: Router# show cts policy layer3 {ipv4 | ipv6}
Purpose: (Optional) Displays the Layer 3 SGT transport configuration on the interfaces.

When configuring Cisco TrustSec Layer 3 SGT transport, consider these usage guidelines and restrictions:
• The Cisco TrustSec Layer 3 SGT transport feature can be configured only on ports that support hardware encryption.
• Traffic and exception policies for Cisco TrustSec Layer 3 SGT transport have the following restrictions:
– The policies must be configured as IP extended or IP named extended ACLs.
– The policies must not contain deny entries.
– If the same ACE is present in both the traffic and exception policies, the exception policy takes precedence. No Cisco TrustSec Layer 3 encapsulation will be performed on packets matching that ACE.
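The following is an added example, not taken from the configuration guide, that puts the whole task together as it would appear in the running configuration of a Catalyst 6500: two IP named extended ACLs that satisfy the restrictions above (permit entries only), the fallback traffic and exception policies from Steps 2 and 3, and both Step 5 variants (the trustsec forwarding form on a TrustSec-capable physical port, the policy form on an SVI). The ACL names, addresses, VLAN and interface numbers are constructed for illustration, and the ACLs are created with the standard IOS ip access-list extended command, which the task itself only refers to as an "IP named extended ACL". The example also shows, in comments, the deny-entry form that the restrictions rule out, and an ACE that is deliberately present in both policies to illustrate the exception-policy precedence rule.

```cisco
! Added example (not the guide's own configuration). All names and addresses
! are constructed; replace them with values that match your deployment.
!
! Traffic policy: IP named extended ACL with permit entries only.
! Packets matching these ACEs leave the interface with Layer 3 SGT encapsulation.
ip access-list extended SGT-L3-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
!
! Exception policy: packets matching these ACEs are forwarded WITHOUT encapsulation.
! The first ACE is identical to one in SGT-L3-TRAFFIC; because the exception
! policy takes precedence, 10.1.0.0/16 -> 10.3.0.0/16 is sent unencapsulated.
ip access-list extended SGT-L3-EXCEPTION
 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
 permit udp any any eq 514
!
! Not allowed: a deny entry in either policy. Shown only as the form to avoid.
!   ip access-list extended SGT-L3-BAD
!    deny ip any host 10.2.0.5
!    permit ip any any
!
! Steps 2 and 3: fallback traffic and exception policies, used when the
! authentication server is not available to download them.
cts policy layer3 ipv4 traffic SGT-L3-TRAFFIC
cts policy layer3 ipv4 exception SGT-L3-EXCEPTION
!
! Steps 4 and 5 on a TrustSec-capable physical port (hardware encryption required).
interface TenGigabitEthernet1/1
 cts layer3 ipv4 trustsec forwarding
!
! Steps 4 and 5 on an SVI (routed interface): use the policy form instead.
interface Vlan100
 cts layer3 ipv4 policy
!
```

After leaving configuration mode (Step 6), Step 7 verifies the result with show cts policy layer3 ipv4, which should list both interfaces and the two fallback policies; the ipv6 keyword selects the equivalent configuration for IPv6 traffic and is configured in the same way.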
Cisco TrustSec Configuration Guide, OL-22192-01, page 4-7