Cisco TrustSec Manuals
Manuals and User Guides for Cisco TrustSec. We have 1 Cisco TrustSec manual available for free PDF download: Configuration Manual
Cisco TrustSec Configuration Manual (208 pages)
Brand: Cisco | Category: Switch | Size: 2.27 MB
Table of Contents
Table of Contents
3
Cisco TrustSec Command Summary
9
Obtaining Documentation and Submitting a Service Request
11
Cisco TrustSec Overview
13
Information about Cisco TrustSec Architecture
13
Authentication
15
Cisco TrustSec and Authentication
15
Device Identities
18
Device Credentials
18
User Credentials
18
Security Group-Based Access Control
19
Security Groups and SGTs
19
SGACL Policies
19
Ingress Tagging and Egress Enforcement
20
Determining the Source Security Group
21
Determining the Destination Security Group
22
SGACL Enforcement on Routed and Switched Traffic
22
Authorization and Policy Acquisition
22
Environment Data Download
23
RADIUS Relay Functionality
24
Link Security
24
Using Cisco TrustSec-Incapable Devices and Networks in a Cisco TrustSec Network
25
SXP for SGT Propagation Across Legacy Access Networks
25
Layer 3 SGT Transport for Spanning Non-TrustSec Regions
26
Cisco TrustSec Reflector for Cisco TrustSec-Incapable Switching Modules
27
Ingress Reflector
28
Egress Reflector
28
VRF-Aware SXP
29
Layer 2 VRF-Aware SXP and VRF Assignment
29
Configuring the Cisco TrustSec Solution
31
Configuration Overview
31
Cisco TrustSec Configuration How-To Documents
31
Supported Hardware and Software
32
Prerequisites for Cisco TrustSec
32
Cisco TrustSec Guidelines and Limitations
33
Default Settings
33
Additional Documentation
33
Release-Specific Documents
33
Platform-Specific Documents
34
Cisco IOS TrustSec Documentation Set
35
Configuring Identities, Connections, and SGTs
37
Cisco TrustSec Identity Configuration Feature Histories
37
Configuring Credentials and AAA for a Cisco TrustSec Seed Device
38
Configuration Examples for Seed Device
39
Configuring Credentials and AAA for a Cisco TrustSec Non-Seed Device
39
Configuration Examples for Non-Seed Device
40
Enabling Cisco TrustSec Authentication and MACsec in 802.1X Mode on an Uplink Port
41
Configuration Examples for 802.1X on Uplink Port
42
Configuring Cisco TrustSec and MACsec in Manual Mode on an Uplink Port
42
Configuration Examples for Manual Mode and MACsec on an Uplink Port
44
Regenerating SAP Key on an Interface
45
Verifying the Cisco TrustSec Interface Configuration
45
Manually Configuring a Device SGT
47
Configuration Examples for Manually Configuring a Device SGT
47
Manually Configuring IP-Address-To-SGT Mapping
48
Subnet to SGT Mapping
48
Default Settings
48
Configuring Subnet to SGT Mapping
48
Verifying Subnet to SGT Mapping Configuration
51
Configuration Examples for Subnet to SGT Mapping
51
VLAN to SGT Mapping
52
Default Settings
53
Configuring VLAN to SGT Mapping
53
Verifying VLAN to SGT Mapping
55
Configuration Example for VLAN to SGT Mapping for a Single Host over an Access Link
55
Layer 3 Logical Interface to SGT Mapping (L3IF-SGT Mapping)
56
Feature History for L3IF-SGT Mapping
57
Default Settings
57
Configuring L3IF to SGT Mapping
57
Verifying L3IF to SGT Mapping
57
Configuration Example for L3IF to SGT Mapping on an Ingress Port
58
Binding Source Priorities
58
Configuring Additional Authentication Server-Related Parameters
59
Automatically Configuring a New or Replacement Password with the Authentication Server
60
Configuring SGT Exchange Protocol over TCP (SXP) and Layer 3 Transport
62
Configuring Cisco TrustSec SXP
62
Enabling Cisco TrustSec SXP
62
Configuring an SXP Peer Connection
62
Configuring the Default SXP Password
64
Configuring the Default SXP Source IP Address
64
Changing the SXP Reconciliation Period
65
Changing the SXP Retry Period
65
Creating Syslogs to Capture Changes of IP Address to SGT Mapping Learned through SXP
65
Verifying the SXP Connections
66
Configuring Layer 3 SGT Transport between Cisco TrustSec Domains
66
Configuring Cisco TrustSec Reflector for Cisco TrustSec-Incapable Switching Modules
68
Configuring Cisco TrustSec Caching
69
Enabling Cisco TrustSec Caching
69
Clearing the Cisco TrustSec Cache
70
Configuring SGACL Policies
71
SGACL Policy Configuration Process
72
Enabling SGACL Policy Enforcement Globally
72
Configuration Examples for Enabling SGACL Policy Enforcement Globally
72
Enabling SGACL Policy Enforcement Per Interface
73
Configuration Examples for Enabling SGACL Policy Enforcement Per Interface
73
Enabling SGACL Policy Enforcement on VLANs
73
Configuration Examples for Enabling SGACL Policy Enforcement on VLANs
73
Manually Configuring SGACL Policies
74
Manually Configuring and Applying IPv4 SGACL Policies
74
Configuration Examples for Manually Configuring SGACL Policies
75
Displaying SGACL Policies
76
Refreshing the Downloaded SGACL Policies
77
Configuring Endpoint Admission Control
79
Information about Endpoint Admission Control
79
Basic EAC Configuration Sequence
80
802.1X Authentication Configuration
80
Verifying the 802.1X Configuration
80
MAC Authentication Bypass Configuration
81
Verifying the MAB Configuration
81
Web Authentication Proxy Configuration
82
Verifying Web Authentication Proxy Configuration
82
Flexible Authentication Sequence and Failover Configuration
83
802.1X Host Modes
83
Pre-Authentication Open Access
83
DHCP Snooping and SGT Assignment
84
Verifying the SGT to Endpoint Host Binding
84
Cisco TrustSec Endpoint Access Control Feature Histories
85
Cisco TrustSec Command Summary
87
Notes for Catalyst 3000 and 2000 Series Switches and WLC 5700 Series Wireless LAN Controllers
191
Supported Hardware and Software
191
Configuration Guidelines and Restrictions
191
Global Cat3K Restrictions
191
Catalyst 3850 and Catalyst 3650 Switches, and WLC 5700 Wireless LAN Controllers
192
Catalyst 3750-X and Catalyst 3560-X Switches
192
Notes for Catalyst 4500 Series Switches
193
Supported Hardware and Software
193
TrustSec SGT and SGACL Configuration Guidelines and Limitations
193
Notes for Catalyst 6500 Series Switches
195
TrustSec Supported Hardware
195
Flexible NetFlow Support
195
Sample Configurations
196
Configuration Excerpt of an IPv4 Flow Record (5-Tuple, Direction, SGT, DGT)
196
Configuration Excerpt of an IPv6 Flow Record (5-Tuple, Direction, SGT, DGT)
196
Configuration Excerpt of an IPv4 Flow Monitor
196
Configuration Excerpt of an IPv6 Flow Monitor
197
Configuration Excerpt of the Global Flow Monitor (IPv4 and IPv6)
197
Configuration Excerpt of the Interface Monitor
197
Flexible NetFlow Show Commands
197
TrustSec System Error Messages
198
FIPS Support
198
TrustSec Considerations When Configuring FIPS
198
Licensing Requirements for FIPS
198
Prerequisites for FIPS Configuration
199
Guidelines and Limitations for FIPS
199
Default Settings for FIPS
199