Chapter 5
Configuring SGACL Policies
Enabling SGACL Policy Enforcement Per Interface
You must first enable SGACL policy enforcement globally for Cisco TrustSec-enabled routed interfaces.
This feature is not supported on Port Channel interfaces.
To enable SGACL policy enforcement on Layer 3 interfaces, perform this task:
Detailed Steps Catalyst 6500
Command
Step 1
Router# configure terminal
Step 2
Router(config)# interface gigabit 6/2
Step 3
Router(config-if)# cts role-based enforcement
Step 4
Router(config-if)# do show cts interface
Configuration Examples for Enabling SGACL Policy Enforcement Per Interface
Catalyst 3850:
Switch# configure terminal
Switch(config)# interface gigabit 1/0/2
Switch(config-if)# cts role-based enforcement
Switch(config-if)# end
Enabling SGACL Policy Enforcement on VLANs
You must enable SGACL policy enforcement on specific VLANs to apply access control to switched
traffic within a VLAN, or to traffic that is forwarded to an SVI associated with a VLAN.
To enable SGACL policy enforcement on a VLAN or a VLAN list, perform this task:
Detailed Steps Catalyst 6500
Command
Step 1
Router# configure terminal
Step 2
Router(config)# cts role-based
enforcement vlan-list vlan-list
Configuration Examples for Enabling SGACL Policy Enforcement on VLANs
Catalyst 3850:
Switch# configure terminal
Switch(config)# cts role-based enforcement vlan-list 31-35,41
Switch(config)# exit
OL-22192-02
Enabling SGACL Policy Enforcement Per Interface
Purpose
Enters global configuration mode.
Specifies interface on which to enable or
disable SGACL enforcement.
Enables Cisco TrustSec SGACL policy
enforcement on routed interfaces.
Verifies that SGACL enforcement is enabled.
Purpose
Enters global configuration mode.
Enables Cisco TrustSec SGACL policy enforcement
on the VLAN or VLAN list.
Cisco TrustSec Switch Configuration Guide
5-3