CISCO Configuring Security Group Tag Mapping User Guide
Product Information
This product enables the configuration of Security Group Tag (SGT) mapping. The feature binds an SGT to every host address in a specified subnet. Once the mapping is implemented, Cisco TrustSec imposes the SGT on any incoming packet whose source IP address belongs to that subnet.
Restrictions for SGT Mapping
The following command is not accepted for a host IP configuration: Device(config)#cts role-based sgt-map 0.0.0.0 sgt 1000
Overview of Subnet-to-SGT Mapping
- Subnet-to-SGT mapping binds an SGT to all host addresses of a specified subnet. Cisco TrustSec imposes the SGT on an incoming packet when the packet's source IP address belongs to the specified subnet. The subnet and SGT are specified in the CLI with the cts role-based sgt-map net_address/prefix sgt sgt_number global configuration command. A single host can also be configured with this command.
- In IPv4 networks, Security Exchange Protocol (SXP)v3, and more recent versions, can receive and parse subnet net_address/prefix strings from SXPv3 peers. Earlier SXP versions convert the subnet prefix into its set of host bindings before exporting them to an SXP listener peer.
- Subnet bindings are static; there is no learning of active hosts. They can be used locally for SGT imposition and SGACL enforcement. Packets tagged by subnet-to-SGT mapping can be propagated on Layer 2 or Layer 3 Cisco TrustSec links.
- For IPv6 networks, SXPv3 cannot export subnet bindings to SXPv2 or SXPv1 peers.
Overview of VLAN-to-SGT Mapping
- The VLAN-to-SGT mapping feature binds an SGT to packets from a specified VLAN. This simplifies the migration from legacy networks to Cisco TrustSec-capable networks.
- The VLAN-to-SGT binding is configured with the cts role-based sgt-map vlan-list global configuration command.
- When a VLAN is assigned a gateway that is a switched virtual interface (SVI) on a Cisco TrustSec-capable switch, and IP Device Tracking is enabled on that switch, Cisco TrustSec can create an IP-to-SGT binding for any active host on that VLAN mapped to the SVI subnet.
- IP-SGT bindings for the active VLAN hosts are exported to SXP listeners. The bindings for each mapped VLAN are inserted into the IP-to-SGT table associated with the VRF to which the VLAN is mapped by its SVI or by the cts role-based l2-vrf command.
- VLAN-to-SGT bindings have the lowest priority of all binding methods and are ignored when bindings from other sources are received, such as from SXP or CLI host configurations. Binding priorities are listed in the Binding Source Priorities section.
Product Usage Instructions
Configuring Subnet-to-SGT Mapping
- Access the device's CLI interface.
- Enter configuration mode using the config command.
- Use the following command to configure subnet-to-SGT mapping: cts role-based sgt-map net_address/prefix sgt sgt_number
- Replace net_address/prefix with the subnet address and prefix length you want to map (for example, 192.168.1.0/24).
- Replace sgt_number with the desired security group tag number.
- Press Enter to apply the configuration.
- Exit configuration mode.
Configuring VLAN-to-SGT Mapping
- Access the device's CLI interface.
- Enter configuration mode using the config command.
- Use the following command to configure VLAN-to-SGT mapping: cts role-based sgt-map vlan-list
- Specify the VLANs to be mapped to SGTs.
- Press Enter to apply the configuration.
- Exit configuration mode.
Specifications
- Supported Networks: IPv4, IPv6
- Supported Protocols: Security Exchange Protocol (SXP) v3
- Supported Mappings: Subnet-to-SGT Mapping, VLAN-to-SGT Mapping
Frequently Asked Questions (FAQ)
- Q: Can subnet bindings be exported to SXPv2 or SXPv1 peers in IPv6 networks?
A: No, in IPv6 networks subnet bindings are exported only to SXPv3 peers.
- Q: What is the priority of VLAN-to-SGT bindings?
A: VLAN-to-SGT bindings have the lowest priority of all binding methods and are ignored when bindings from other sources are received.
Subnet to security group tag (SGT) mapping binds an SGT to all host addresses of a specified subnet. Once this mapping is implemented, Cisco TrustSec imposes the SGT on any incoming packet whose source IP address belongs to the specified subnet.
Restrictions for SGT Mapping
Restrictions for Subnet-to-SGT Mapping
- An IPv4 subnetwork with a /31 prefix cannot be expanded.
- Subnet host addresses cannot be bound to Security Group Tags (SGTs) when the network-map bindings limit is less than the total number of subnet hosts in the specified subnets, or when the bindings limit is 0.
- IPv6 expansion and propagation only occur when the Security Exchange Protocol (SXP) speaker and listener are running SXPv3 or a more recent version.
Restrictions for Default Route SGT Mapping
- Default route configuration is accepted only with the subnet /0. Entering only the host IP without the subnet /0 displays the message "Default route configuration is not supported for host ip" (see the note in the Configuring Default Route SGT procedure).
Information About SGT Mapping
This section provides information about SGT mapping.
Overview
Overview of Subnet-to-SGT Mapping
Subnet-to-SGT mapping binds an SGT to all host addresses of a specified subnet. Cisco TrustSec imposes the SGT on an incoming packet when the packet's source IP address belongs to the specified subnet. The subnet and SGT are specified in the CLI with the cts role-based sgt-map net_address/prefix sgt sgt_number global configuration command. A single host can also be configured with this command. In IPv4 networks, Security Exchange Protocol (SXP)v3, and more recent versions, can receive and parse subnet net_address/prefix strings from SXPv3 peers. Earlier SXP versions convert the subnet prefix into its set of host bindings before exporting them to an SXP listener peer.
For example, IPv4 subnet 192.0.2.0/24 is expanded as follows (only 3 bits for host addresses):
- Host addresses 198.0.2.1 to 198.0.2.7—tagged and propagated to SXP peers.
- Network and broadcast addresses 198.0.2.0 and 198.0.2.8—not tagged and not propagated.
To limit the number of subnet bindings SXPv3 can export, use the cts sxp mapping network-map global configuration command. Subnet bindings are static; there is no learning of active hosts. They can be used locally for SGT imposition and SGACL enforcement. Packets tagged by subnet-to-SGT mapping can be propagated on Layer 2 or Layer 3 Cisco TrustSec links. For IPv6 networks, SXPv3 cannot export subnet bindings to SXPv2 or SXPv1 peers.
Overview of VLAN-to-SGT Mapping
The VLAN-to-SGT mapping feature binds an SGT to packets from a specified VLAN. This simplifies the migration from legacy networks to Cisco TrustSec-capable networks as follows:
- Supports devices that are not Cisco TrustSec-capable but are VLAN-capable, such as legacy switches, wireless controllers, access points, VPNs, and so on.
- Provides backward compatibility for topologies where VLANs and VLAN ACLs segment the network, such as server segmentation in data centers.
- The VLAN-to-SGT binding is configured with the cts role-based sgt-map vlan-list global configuration command.
- When a VLAN is assigned a gateway that is a switched virtual interface (SVI) on a Cisco TrustSec-capable switch, and IP Device Tracking is enabled on that switch, Cisco TrustSec can create an IP-to-SGT binding for any active host on that VLAN mapped to the SVI subnet.
- IP-SGT bindings for the active VLAN hosts are exported to SXP listeners. The bindings for each mapped VLAN are inserted into the IP-to-SGT table associated with the VRF to which the VLAN is mapped by its SVI or by the cts role-based l2-vrf command.
- VLAN-to-SGT bindings have the lowest priority of all binding methods and are ignored when bindings from other sources are received, such as from SXP or CLI host configurations. Binding priorities are listed in the Binding Source Priorities section.
Binding Source Priorities
Cisco TrustSec resolves conflicts among IP-SGT binding sources with a strict priority scheme. For example, an SGT may be applied to an interface with the policy {dynamic identity peer-name | static sgt tag} Cisco TrustSec Manual interface mode command (Identity Port Mapping). The current priority enforcement order, from lowest (1) to highest (7), is as follows:
- VLAN: Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured.
- CLI: Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.
- SXP: Bindings learned from SXP peers.
- IP_ARP: Bindings learned when tagged ARP packets are received on a CTS-capable link.
- LOCAL: Bindings of authenticated hosts which are learned via EPM and device tracking. This type of binding also includes individual hosts that are learned via ARP snooping on L2 [I]PM-configured ports.
- INTERNAL: Bindings between locally configured IP addresses and the device's own SGT.
Note
If the source IP address matches multiple subnet prefixes with different SGTs, the SGT of the longest matching prefix takes precedence unless the binding priorities differ.
Default Route SGT
- Default Route Security Group Tag (SGT) provides an SGT number to the default route.
- The default route is the route that does not match any specified route and is therefore the route to the last-resort destination. Default routes are used to direct packets addressed to networks not explicitly listed in the routing table.
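The following Python model, added here as an illustration and not Cisco code, applies the rules stated above: subnet expansion with the network and broadcast addresses excluded, the /31 restriction, the cts sxp mapping network-map bindings limit, binding-source priority, longest-prefix match, and a 0.0.0.0/0 default route binding. The subnets are the three from the SXPv3 configuration example later on this page; the binding table and the other addresses are constructed sample values.

```python
"""Model of the SGT mapping rules described on this page (added illustration,
not Cisco code): subnet-to-SGT expansion, the network-map bindings limit,
binding-source priority, and longest-prefix match for a source IP."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Binding source priorities as listed on this page, lowest (1) to highest.
BINDING_PRIORITY: Dict[str, int] = {
    "VLAN": 1, "CLI": 2, "SXP": 3, "IP_ARP": 4, "LOCAL": 5, "INTERNAL": 6,
}

# A binding is (network prefix, SGT, source). All sample values are constructed.
Binding = Tuple[str, int, str]

# The three subnets from the SXPv3 configuration example on this page.
SAMPLE_SUBNETS: List[Tuple[str, int]] = [
    ("10.10.10.0/30", 101), ("11.11.11.0/29", 11111), ("192.168.1.0/28", 65000),
]

# Constructed binding table: a default-route SGT, two CLI subnet bindings,
# a VLAN-learned binding, and a host binding received from an SXP peer.
SAMPLE_TABLE: List[Binding] = [
    ("0.0.0.0/0", 3, "CLI"), ("10.1.0.0/16", 20, "CLI"),
    ("10.1.2.0/24", 30, "VLAN"), ("10.1.2.7/32", 40, "SXP"),
]


def expand_subnet(prefix: str, sgt: int, network_map_limit: int) -> List[Tuple[str, int]]:
    """Expand an IPv4 subnet-to-SGT binding into per-host IP-SGT bindings.

    Rules from the page: the network and broadcast addresses are never bound,
    an IPv4 /31 cannot be expanded, and nothing is expanded when the
    'cts sxp mapping network-map' limit is 0 or smaller than the host count.
    """
    net = ipaddress.ip_network(prefix, strict=False)  # 10.10.10.10/29 is accepted, as in the doc
    if net.version != 4:
        raise ValueError("this model expands IPv4 subnets only")
    if net.prefixlen >= 31:
        return []  # no usable host range once network/broadcast are excluded
    host_count = net.num_addresses - 2
    if network_map_limit == 0 or host_count > network_map_limit:
        return []  # limit 0 disables expansion; a too-small limit binds nothing
    return [(str(h), sgt) for h in net.hosts()]


def count_expansions(subnets: List[Tuple[str, int]], network_map_limit: int) -> int:
    """Total host bindings an SXP speaker would export for the given subnets."""
    return sum(len(expand_subnet(p, s, network_map_limit)) for p, s in subnets)


def resolve_sgt(src_ip: str, bindings: List[Binding]) -> Optional[Tuple[int, str]]:
    """Pick the SGT imposed on a packet whose source address is src_ip.

    The highest-priority binding source wins; among bindings of equal priority
    the longest matching prefix wins (the Note above). A 0.0.0.0/0 binding is
    the Default Route SGT and matches only when nothing more specific does.
    Returns (sgt, source), or None when no binding matches.
    """
    addr = ipaddress.ip_address(src_ip)
    best = None  # ((priority, prefix length), sgt, source)
    for prefix, sgt, source in bindings:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != addr.version or addr not in net:
            continue
        key = (BINDING_PRIORITY[source], net.prefixlen)
        if best is None or key > best[0]:
            best = (key, sgt, source)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    # Matches the "IP-SGT Mappings expanded: 22" shown later on this page.
    print("expansions with network-map 10000:", count_expansions(SAMPLE_SUBNETS, 10000))
    print("expansions with network-map 10:   ", count_expansions(SAMPLE_SUBNETS, 10))
    for ip in ("10.1.2.7", "10.1.2.9", "10.1.5.5", "172.16.0.1", "2001:db8::1"):
        print(f"{ip:>12} -> {resolve_sgt(ip, SAMPLE_TABLE)}")
```

With the network-map limit set to 10, the /28 subnet exceeds the limit and is not expanded at all, while the /30 and /29 still are, which is the behaviour the restriction on the bindings limit describes.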
How to Configure SGT Mapping
This section describes how to configure SGT mapping.
Configuring a Device SGT Manually
In normal Cisco TrustSec operation, the authentication server assigns an SGT to the device for packets originating from the device. You can manually configure an SGT to be used if the authentication server is not accessible, but an SGT assigned by the authentication server takes precedence over a manually assigned SGT.
To manually configure an SGT on the device, perform this task:
Procedure
Step | Command or Action | Purpose
--- | --- | ---
Step 1 | enable. Example: Device# enable | Enables privileged EXEC mode. • Enter your password if prompted.
Step 2 | configure terminal. Example: Device# configure terminal | Enters global configuration mode.
Step 3 | cts sgt tag. Example: Device(config)# cts sgt 1234 | Enables SXP for Cisco TrustSec.
Step 4 | exit. Example: Device(config)# exit | Exits global configuration mode and returns to privileged EXEC mode.
Configuring Subnet-to-SGT Mapping
Procedure
Step | Command or Action | Purpose
--- | --- | ---
Step 1 | enable. Example: Device# enable | Enables privileged EXEC mode. • Enter your password if prompted.
Step 2 | configure terminal. Example: Device# configure terminal | Enters global configuration mode.
Step 3 | cts sxp mapping network-map bindings. Example: Device(config)# cts sxp mapping network-map 10000 | • Configures the Subnet to SGT Mapping host count limit. The bindings argument specifies the maximum number of subnet IP hosts that can be bound to SGTs and exported to the SXP listener. • bindings—(0 to 65,535) default is 0 (no expansions performed).
Step 4 | cts role-based sgt-map ipv4_address/prefix sgt number. Example: Device(config)# cts role-based sgt-map 10.10.10.10/29 sgt 1234 | (IPv4) Specifies a subnet in CIDR notation. • Use the no form of the command to unconfigure the Subnet to SGT mapping. The number of bindings specified in Step 3 should match or exceed the number of host addresses in the subnet (excluding network and broadcast addresses). The sgt number keyword specifies the Security Group Tag to be bound to every host address in the specified subnet. • ipv4_address—Specifies the IPv4 network address in dotted decimal notation. • prefix—(0 to 30) Specifies the number of bits in the network address. • sgt number—(0–65,535) Specifies the Security Group Tag (SGT) number.
Step 5 | cts role-based sgt-map ipv6_address::prefix sgt number. Example: Device(config)# cts role-based sgt-map 2020::/64 sgt 1234 | (IPv6) Specifies a subnet in colon hexadecimal notation. Use the no form of the command to unconfigure the Subnet to SGT mapping. The number of bindings specified in Step 3 should match or exceed the number of host addresses in the subnet (excluding network and broadcast addresses). The sgt number keyword specifies the Security Group Tag to be bound to every host address in the specified subnet. • ipv6_address—Specifies the IPv6 network address in colon hexadecimal notation. • prefix—(0 to 128) Specifies the number of bits in the network address. • sgt number—(0–65,535) Specifies the Security Group Tag (SGT) number.
Step 6 | exit. Example: Device(config)# exit | Exits global configuration mode and returns to privileged EXEC mode.
Configuring VLAN-to-SGT Mapping
Task Flow for Configuring VLAN-SGT Mapping on a Cisco TrustSec device.
- Create a VLAN on the device with the same VLAN_ID as the incoming VLAN.
- Create an SVI for the VLAN on the device to act as the default gateway for the endpoint clients.
- Configure the device to apply an SGT to the VLAN traffic.
- Enable IP Device Tracking on the device.
- Attach the device tracking policy to the VLAN.
Note
In a multi-switch network, SISF-based device tracking provides the capability to distribute binding table entries between switches running the feature. This assumes that binding entries are created on the switches where the host appears on an access port, and no entry is created for a host that appears over a trunk port. To achieve this in a multi-switch setup, we recommend that you configure another policy and attach it to the trunk port, as described in Configuring a Multi-Switch Network to Stop Creating Binding Entries from a Trunk Port, in the Configuring SISF-Based Device Tracking chapter of the Security Configuration Guide.
- Verify that VLAN-to-SGT mapping occurs on the device.
Procedure
Step | Command or Action | Purpose
--- | --- | ---
Step 1 | enable. Example: Device# enable | Enables privileged EXEC mode. • Enter your password if prompted.
Step 2 | configure terminal. Example: Device# configure terminal | Enters global configuration mode.
Step 3 | vlan vlan_id. Example: Device(config)# vlan 100 | Creates VLAN 100 on the TrustSec-capable gateway device and enters VLAN configuration mode.
Step 4 | [no] shutdown. Example: Device(config-vlan)# no shutdown | Activates VLAN 100.
Step 5 | exit. Example: Device(config-vlan)# exit | Exits VLAN configuration mode and returns to global configuration mode.
Step 6 | interface type slot/port. Example: Device(config)# interface vlan 100 | Specifies the interface type and enters interface configuration mode.
Step 7 | ip address slot/port. Example: Device(config-if)# ip address 10.1.1.2 255.0.0.0 | Configures the Switched Virtual Interface (SVI) for VLAN 100.
Step 8 | [no] shutdown. Example: Device(config-if)# no shutdown | Enables the SVI.
Step 9 | exit. Example: Device(config-if)# exit | Exits interface configuration mode and returns to global configuration mode.
Step 10 | cts role-based sgt-map vlan-list vlan_id sgt sgt_num. Example: Device(config)# cts role-based sgt-map vlan-list 100 sgt 10 | Assigns the specified SGT to the specified VLAN.
Step 11 | device-tracking policy policy-name. Example: Device(config)# device-tracking policy policy1 | Specifies the policy and enters device-tracking policy configuration mode.
Step 12 | tracking enable. Example: Device(config-device-tracking)# tracking enable | Overrides the default device tracking setting for the policy attribute.
Step 13 | exit. Example: Device(config-device-tracking)# exit | Exits device-tracking policy configuration mode and returns to global configuration mode.
Step 14 | vlan configuration vlan_id. Example: Device(config)# vlan configuration 100 | Specifies the VLAN to which the device tracking policy will be attached, and enters VLAN configuration mode.
Step 15 | device-tracking attach-policy policy-name. Example: Device(config-vlan-config)# device-tracking attach-policy policy1 | Attaches the device tracking policy to the specified VLAN.
Step 16 | end. Example: Device(config-vlan-config)# end | Exits VLAN configuration mode and returns to privileged EXEC mode.
Step 17 | show cts role-based sgt-map {ipv4_netaddr | ipv4_netaddr/prefix | ipv6_netaddr | ipv6_netaddr/prefix | all [ipv4 | ipv6] | host {ipv4_addr | ipv6_addr} | summary [ipv4 | ipv6]}. Example: Device# show cts role-based sgt-map all | (Optional) Displays the VLAN-to-SGT mappings.
Step 18 | show device-tracking policy policy-name. Example: Device# show device-tracking policy policy1 | (Optional) Displays the current policy attributes.
Emulating Hardware Keystore
In cases where a hardware keystore is not present or is unusable, you can configure the switch to use a software emulation of the keystore. To configure the use of a software keystore, perform this task:
Procedure
Step | Command or Action | Purpose
--- | --- | ---
Step 1 | enable. Example: Device# enable | Enables privileged EXEC mode. • Enter your password if prompted.
Step 2 | configure terminal. Example: Device# configure terminal | Enters global configuration mode.
Step 3 | cts keystore emulate. Example: Device(config)# cts keystore emulate | Configures the switch to use a software emulation of the keystore instead of the hardware keystore.
Step 4 | exit. Example: Device(config)# exit | Exits configuration mode.
Step 5 | show keystore. Example: Device# show keystore | Displays the status and contents of the keystore. The stored secrets are not displayed.
Configuring Default Route SGT
Before you begin
Ensure that you have already created a default route on the device using the ip route 0.0.0.0 command. Otherwise, the default route (which comes with the Default Route SGT) gets an unknown destination and therefore the last-resort destination will point to the CPU.
Procedure
Step | Command or Action | Purpose
--- | --- | ---
Step 1 | enable. Example: Device> enable | Enables privileged EXEC mode. • Enter your password if prompted.
Step 2 | configure terminal. Example: Device# configure terminal | Enters global configuration mode.
Step 3 | cts role-based sgt-map 0.0.0.0/0 sgt number. Example: Device(config)# cts role-based sgt-map 0.0.0.0/0 sgt 3 | Specifies the SGT number for the default route. Valid values are from 0 to 65,519. Note • The host_address/subnet can be an IPv4 address (0.0.0.0/0) or an IPv6 address (0:0::/0). • Default route configuration is accepted only with the subnet /0. Entering only the host IP without the subnet /0 displays the following message: Device(config)#cts role-based sgt-map 0.0.0.0 sgt 1000 Default route configuration is not supported for host ip
Step 4 | exit. Example: Device(config)# exit | Exits global configuration mode.
Verifying SGT Mapping
The following sections show how to verify SGT mapping:
Verifying Subnet-to-SGT Mapping Configuration
To display Subnet-to-SGT Mapping configuration information, use one of the following commands:
Command | Purpose
--- | ---
show cts sxp connections | Displays the SXP speaker and listener connections with their operational status.
show cts sxp sgt-map | Displays the IP-to-SGT bindings exported to the SXP listeners.
show running-config | Verify that the subnet-to-SGT configuration commands are in the running configuration file.
Verifying VLAN-to-SGT Mapping
To display VLAN-to-SGT configuration information, use the following commands:
Table 1:
Command | Purpose
--- | ---
show device-tracking policy | Displays the current policy attributes of the device tracking policy.
show cts role-based sgt-map | Displays the IP address-to-SGT bindings.
Verifying Default Route SGT Configuration
Verify the Default Route SGT configuration:
Device# show cts role-based sgt-map all
Active IPv4-SGT Bindings Information
Configuration Examples for SGT Mapping
The following sections show configuration examples for SGT mapping:
Example: Configuring a Device SGT Manually
- Device# configure terminal
- Device(config)# cts sgt 1234
- Device(config)# exit
Example: Configuration for Subnet-to-SGT Mapping
The following example shows how to configure IPv4 Subnet-to-SGT Mapping between devices running SXPv3 (Device1 and Device2):
- Configure SXP speaker/listener peering between devices.
- Device1# configure terminal
- Device1(config)# cts sxp enable
- Device1(config)# cts sxp default source-ip 1.1.1.1
- Device1(config)# cts sxp default password 1syzygy1
- Device1(config)# cts sxp connection peer 2.2.2.2 password default mode local speaker
- Configure Device2 as SXP listener of Device1.
- Device2(config)# cts sxp enable
- Device2(config)# cts sxp default source-ip 2.2.2.2
- Device2(config)# cts sxp default password 1syzygy1
- Device2(config)# cts sxp connection peer 1.1.1.1 password default mode local listener
- On Device2, verify that the SXP connection is operating:
Device2# show cts sxp connections brief | include 1.1.1.1
1.1.1.1 2.2.2.2 On 3:22:23:18 (dd:hr:mm:sec)
- Configure the subnetworks to be expanded on Device1.
- Device1(config)# cts sxp mapping network-map 10000
- Device1(config)# cts role-based sgt-map 10.10.10.0/30 sgt 101
- Device1(config)# cts role-based sgt-map 11.11.11.0/29 sgt 11111
- Device1(config)# cts role-based sgt-map 192.168.1.0/28 sgt 65000
- On Device2, verify the subnet-to-SGT expansion from Device1. There should be two expansions for the 10.10.10.0/30 subnetwork, six expansions for the 11.11.11.0/29 subnetwork, and 14 expansions for the 192.168.1.0/28 subnetwork.
Device2# show cts sxp sgt-map brief | include 101|11111|65000
(The 22 "IPv4,SGT:" binding lines that follow in the original output are present here only as empty entries; their address and tag values did not survive in this copy.)
- Verify the expansion on Device1:
Device1# show cts sxp sgt-map
IP-SGT Mappings expanded: 22
There are no IP-SGT Mappings
- Save the configurations on Device1 and Device2 and exit global configuration mode.
Device1(config)# copy running-config startup-config
Device1(config)# exit
Device2(config)# copy running-config startup-config
Device2(config)# exit
Example: Configuration for VLAN-to-SGT Mapping for a Single Host over an Access Link
In the following example, a single host connects to VLAN 100 on an access device. A switched virtual interface on the TrustSec device is the default gateway for the VLAN 100 endpoint (IP Address 10.1.1.1). The TrustSec device imposes Security Group Tag (SGT) 10 on packets from VLAN 100.
- Create VLAN 100 on an access device.
- access_device# configure terminal
- access_device(config)# vlan 100
- access_device(config-vlan)# no shutdown
- access_device(config-vlan)# exit
- access_device(config)#
- Configure the interface to the TrustSec device as an access link. Configurations for the endpoint access port are omitted in this example.
- access_device(config)# interface gigabitEthernet 6/3
- access_device(config-if)# switchport
- access_device(config-if)# switchport mode access
- access_device(config-if)# switchport access vlan 100
- Create VLAN 100 on the TrustSec device.
- TS_device(config)# vlan 100
- TS_device(config-vlan)# no shutdown
- TS_device(config-vlan)# end
- TS_device#
- Create an SVI as the gateway for incoming VLAN 100.
- TS_device(config)# interface vlan 100
- TS_device(config-if)# ip address 10.1.1.2 255.0.0.0
- TS_device(config-if)# no shutdown
- TS_device(config-if)# end
- TS_device(config)#
- Assign Security Group Tag (SGT) 10 to hosts on VLAN 100.
- TS_device(config)# cts role-based sgt-map vlan 100 sgt 10
- Enable IP Device Tracking on the TrustSec device. Verify that it is operating.
- TS_device(config)# ip device tracking
- TS_device# show ip device tracking all
- (Optional) PING the default gateway from the endpoint (in this example, host IP Address 10.1.1.1). Verify that SGT 10 is being mapped to VLAN 100 hosts.
Example: Emulating Hardware Keystore
This example shows how to configure and verify the use of a software keystore:
Example: Configuring Default Route SGT
- Device# configure terminal
- Device(config)# cts role-based sgt-map 0.0.0.0/0 sgt 3
- Device(config)# exit
Feature History for Security Group Tag Mapping
- This table provides release and related information for the features explained in this module.
- These features are available in all the releases subsequent to the one they were introduced in, unless noted otherwise.
Release | Feature | Feature Information
--- | --- | ---
Cisco IOS XE Everest 16.5.1a | Security Group Tag Mapping | Subnet to SGT mapping binds an SGT to all host addresses of a specified subnet. Once this mapping is implemented, Cisco TrustSec imposes the SGT on any incoming packet whose source IP address belongs to the specified subnet.
Cisco IOS XE Gibraltar 16.11.1 | Default Route SGT Classification | Default Route SGT provides an SGT tag number to routes that do not match any specified route.
Use the Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.
Documents / Resources
CISCO Configuring Security Group Tag Mapping [pdf] User Guide