CISCO Configuring Security Group Tag Mapping

Product Information

The product supports configuring security group tag (SGT) mapping. This feature binds an SGT to all host addresses of a specified subnet. Once this mapping is implemented, Cisco TrustSec imposes the SGT on any incoming packet whose source IP address belongs to the specified subnet.

Restrictions for SGT Mapping
The following command is not supported for host IP configuration: Device(config)#cts role-based sgt-map 0.0.0.0 sgt 1000

Overview of Subnet-to-SGT Mapping

  • Subnet-to-SGT mapping binds an SGT to all host addresses of a specified subnet. Cisco TrustSec imposes the SGT on an incoming packet when the packet's source IP address belongs to the specified subnet. The subnet and SGT are specified in the CLI with the cts role-based sgt-map net_address/prefix sgt sgt_number global configuration command. A single host may also be mapped with this command.
  • In IPv4 networks, Security Exchange Protocol (SXP)v3, and more recent versions, can receive and parse subnet net_address/prefix strings from SXPv3 peers. Earlier SXP versions convert the subnet prefix into its set of host bindings before exporting them to an SXP listener peer.
  • Subnet bindings are static; there is no learning of active hosts. They can be used locally for SGT imposition and SGACL enforcement. Packets tagged by subnet-to-SGT mapping can be propagated on Layer 2 or Layer 3 Cisco TrustSec links.
  • For IPv6 networks, SXPv3 cannot export subnet bindings to SXPv2 or SXPv1 peers.

Overview of VLAN-to-SGT Mapping

  • The VLAN-to-SGT mapping feature binds an SGT to packets from a specified VLAN. This simplifies the migration from legacy to Cisco TrustSec-capable networks.
  • The VLAN-to-SGT binding is configured with the cts role-based sgt-map vlan-list global configuration command.
  • When a VLAN is assigned a gateway that is a switched virtual interface (SVI) on a Cisco TrustSec-capable switch, and IP Device Tracking is enabled on that switch, then Cisco TrustSec can create an IP-to-SGT binding for any active host on that VLAN mapped to the SVI subnet.
  • IP-SGT bindings for the active VLAN hosts are exported to SXP listeners. The bindings for each mapped VLAN are inserted into the IP-to-SGT table associated with the VRF the VLAN is mapped to by either its SVI or by the cts role-based l2-vrf command.
  • VLAN-to-SGT bindings have the lowest priority of all binding methods and are ignored when bindings from other sources are received, such as from SXP or CLI host configurations. Binding priorities are listed in the Binding Source Priorities section.

Product Usage Instructions

Configuring Subnet-to-SGT Mapping

  1. Access the CLI interface of the device.
  2. Enter configuration mode using the config command.
  3. Run the following command to configure subnet-to-SGT mapping:
     cts role-based sgt-map net_address/prefix sgt sgt_number
  4. Replace net_address/prefix with the subnet address and prefix length you want to map (for example, 192.168.1.0/24).
  5. Replace sgt_number with the required security group tag number.
  6. Press Enter to apply the configuration.
  7. Exit configuration mode.

Configuring VLAN-to-SGT Mapping

  1. Access the CLI interface of the device.
  2. Enter configuration mode using the config command.
  3. Run the following command to configure VLAN-to-SGT mapping:
     cts role-based sgt-map vlan-list
  4. Specify the VLANs to map to the SGT.
  5. Press Enter to apply the configuration.
  6. Exit configuration mode.

Specifications

  • Supported Networks: IPv4, IPv6
  • Supported Protocol: Security Exchange Protocol (SXP)v3
  • Supported Binding Methods: Subnet-to-SGT Mapping, VLAN-to-SGT Mapping

Frequently Asked Questions (FAQ)

  • Q: Can subnet bindings be exported to SXPv2 or SXPv1 peers in IPv6 networks?
    A: No, subnet bindings can be exported to SXPv3 peers in IPv6 networks.
  • Q: What is the priority of VLAN-to-SGT bindings?
    A: VLAN-to-SGT bindings have the lowest priority of all binding methods and are ignored when bindings from other sources are received.

Subnet to security group tag (SGT) mapping binds an SGT to all host addresses of a specified subnet. Once this mapping is implemented, Cisco TrustSec imposes the SGT on any incoming packet whose source IP address belongs to the specified subnet.

Restrictions for SGT Mapping

Restrictions for Subnet-to-SGT Mapping

  • An IPv4 subnetwork with a /31 prefix cannot be expanded.
  • Subnet host addresses cannot be bound to Security Group Tags (SGTs) when the network-map bindings parameter is less than the total number of subnet hosts in the specified subnets, or when bindings is 0.
  • IPv6 expansion and propagation occur only when the Security Exchange Protocol (SXP) speaker and listener are running SXPv3 or a more recent version.

Restrictions for Default Route SGT Mapping

  • Default route configuration is accepted only with the subnet /0. Entering only the host-ip without the subnet /0 displays the following message:
    Device(config)#cts role-based sgt-map 0.0.0.0 sgt 1000
    Default route configuration is not supported for host ip

Information About SGT Mapping

This section provides information about SGT mapping.

Overview

Overview of Subnet-to-SGT Mapping
Subnet-to-SGT mapping binds an SGT to all host addresses of a specified subnet. Cisco TrustSec imposes the SGT on an incoming packet when the packet's source IP address belongs to the specified subnet. The subnet and SGT are specified in the CLI with the cts role-based sgt-map net_address/prefix sgt sgt_number global configuration command. A single host may also be mapped with this command. In IPv4 networks, Security Exchange Protocol (SXP)v3, and more recent versions, can receive and parse subnet net_address/prefix strings from SXPv3 peers. Earlier SXP versions convert the subnet prefix into its set of host bindings before exporting them to an SXP listener peer.

For example, the IPv4 subnet 192.0.2.0/24 is expanded as follows (only 3 bits for host addresses):

  • Host addresses 198.0.2.1 to 198.0.2.7: tagged and propagated to the SXP peer.
  • Network and broadcast addresses 198.0.2.0 and 198.0.2.8: not tagged and not propagated.

To limit the number of subnet bindings SXPv3 can export, use the cts sxp mapping network-map global configuration command. Subnet bindings are static; there is no learning of active hosts. They can be used locally for SGT imposition and SGACL enforcement. Packets tagged by subnet-to-SGT mapping can be propagated on Layer 2 or Layer 3 Cisco TrustSec links. For IPv6 networks, SXPv3 cannot export subnet bindings to SXPv2 or SXPv1 peers.

Overview of VLAN-to-SGT Mapping
The VLAN-to-SGT mapping feature binds an SGT to packets from a specified VLAN. This simplifies the migration from legacy to Cisco TrustSec-capable networks as follows:

  • Supports devices that are not Cisco TrustSec-capable but are VLAN-capable, such as legacy switches, wireless controllers, access points, VPNs, and so on.
  • Provides backward compatibility for topologies where VLANs and VLAN ACLs segment the network, such as server segmentation in data centers.
  • The VLAN-to-SGT binding is configured with the cts role-based sgt-map vlan-list global configuration command.
  • When a VLAN is assigned a gateway that is a switched virtual interface (SVI) on a Cisco TrustSec-capable switch, and IP Device Tracking is enabled on that switch, then Cisco TrustSec can create an IP-to-SGT binding for any active host on that VLAN mapped to the SVI subnet.
  • IP-SGT bindings for the active VLAN hosts are exported to SXP listeners. The bindings for each mapped VLAN are inserted into the IP-to-SGT table associated with the VRF the VLAN is mapped to by either its SVI or by the cts role-based l2-vrf command.
  • VLAN-to-SGT bindings have the lowest priority of all binding methods and are ignored when bindings from other sources are received, such as from SXP or CLI host configurations. Binding priorities are listed in the Binding Source Priorities section.

Binding Source Priorities

Cisco TrustSec resolves conflicts among IP-SGT binding sources with a strict priority scheme. For example, an SGT may be applied to an interface with the policy {dynamic identity peer-name | static sgt tag} Cisco TrustSec Manual interface mode command (Identity Port Mapping). The current priority enforcement order, from lowest (1) to highest (7), is as follows:

  1. VLAN: Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured.
  2. CLI: Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.
  3. SXP: Bindings learned from SXP peers.
  4. IP_ARP: Bindings learned when tagged ARP packets are received on a CTS-capable link.
  5. LOCAL: Bindings of authenticated hosts that are learned through EPM and device tracking. This type of binding also includes individual hosts that are learned through ARP snooping on L2 [I]PM-configured ports.
  6. INTERNAL: Bindings between locally configured IP addresses and the device's own SGT.

Note
If the source IP address matches multiple subnet prefixes with different assigned SGTs, then the longest prefix SGT takes precedence unless priorities differ.

Default Route SGT

  • Default Route Security Group Tag (SGT) assigns an SGT number to default routes.
  • The default route is the route that does not match a specified route and is therefore the route to the last resort destination. Default routes are used to direct packets addressed to networks not explicitly listed in the routing table.

How to Configure SGT Mapping

This section describes how to configure SGT mapping.

Configuring a Device SGT Manually
In normal Cisco TrustSec operation, the authentication server assigns an SGT to the device for packets originating from the device. You can manually configure an SGT to be used if the authentication server is not accessible, but an authentication server-assigned SGT takes precedence over a manually assigned SGT.

To manually configure an SGT on the device, perform this task:

Procedure

Step 1  enable
  Example:
  Device# enable
  Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2  configure terminal
  Example:
  Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3  cts sgt tag
  Example:
  Device(config)# cts sgt 1234
  Purpose: Enables SXP for Cisco TrustSec.

Step 4  exit
  Example:
  Device(config)# exit
  Purpose: Exits global configuration mode and returns to privileged EXEC mode.

Configuring Subnet-to-SGT Mapping

Procedure

Step 1  enable
  Example:
  Device# enable
  Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2  configure terminal
  Example:
  Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3  cts sxp mapping network-map bindings
  Example:
  Device(config)# cts sxp mapping network-map 10000
  Purpose:
  • Configures the Subnet to SGT Mapping host count constraint. The bindings argument specifies the maximum number of subnet IP hosts that can be bound to SGTs and exported to the SXP listener.
  • bindings: (0 to 65,535) default is 0 (no expansions performed)

Step 4  cts role-based sgt-map ipv4_address/prefix sgt number
  Example:
  Device(config)# cts role-based sgt-map 10.10.10.10/29 sgt 1234
  Purpose: (IPv4) Specifies a subnet in CIDR notation.
  • Use the no form of the command to unconfigure the Subnet to SGT mapping. The number of bindings specified in Step 2 should match or exceed the number of host addresses in the subnet (excluding network and broadcast addresses). The sgt number keyword specifies the Security Group Tag to be bound to every host address in the specified subnet.
  • ipv4_address: Specifies the IPv4 network address in dotted decimal notation.
  • prefix: (0 to 30) Specifies the number of bits in the network address.
  • sgt number: (0–65,535) Specifies the Security Group Tag (SGT) number.

Step 5  cts role-based sgt-map ipv6_address::prefix sgt number
  Example:
  Device(config)# cts role-based sgt-map 2020::/64 sgt 1234
  Purpose: (IPv6) Specifies a subnet in colon hexadecimal notation. Use the no form of the command to unconfigure the Subnet to SGT mapping.
  The number of bindings specified in Step 2 should match or exceed the number of host addresses in the subnet (excluding network and broadcast addresses). The sgt number keyword specifies the Security Group Tag to be bound to every host address in the specified subnet.
  • ipv6_address: Specifies the IPv6 network address in colon hexadecimal notation.
  • prefix: (0 to 128) Specifies the number of bits in the network address.
  • sgt number: (0–65,535) Specifies the Security Group Tag (SGT) number.

Step 6  exit
  Example:
  Device(config)# exit
  Purpose: Exits global configuration mode and returns to privileged EXEC mode.

Configuring VLAN-to-SGT Mapping

Task flow for configuring VLAN-SGT mapping on a Cisco TrustSec device:

  • Create a VLAN on the device with the same VLAN_ID as the incoming VLAN.
  • Create an SVI for the VLAN on the device to be the default gateway for the endpoint clients.
  • Configure the device to apply an SGT to the VLAN traffic.
  • Enable IP Device Tracking on the device.
  • Attach a device tracking policy to a VLAN.

Note
In a multi-switch network, SISF-based device tracking provides the capability to distribute binding table entries between switches running the feature. This assumes that binding entries are created on the switches where the host appears on an access port, and no entry is created for a host that appears over a trunk port. To achieve this in a multi-switch setup, we recommend that you configure another policy and attach it to the trunk port, as described in the Configuring a Multi-Switch Network to Stop Creating Binding Entries from a Trunk Port procedure, in the Configuring SISF-Based Device Tracking chapter of the Security Configuration Guide.

  • Verify that VLAN-to-SGT mapping occurs on the device.

Procedure

Step 1  enable
  Example:
  Device# enable
  Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2  configure terminal
  Example:
  Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3  vlan vlan_id
  Example:
  Device(config)# vlan 100
  Purpose: Creates VLAN 100 on the TrustSec-capable gateway device and enters VLAN configuration mode.

Step 4  [no] shutdown
  Example:
  Device(config-vlan)# no shutdown
  Purpose: Provisions VLAN 100.

Step 5  exit
  Example:
  Device(config-vlan)# exit
  Purpose: Exits VLAN configuration mode and returns to global configuration mode.

Step 6  interface type slot/port
  Example:
  Device(config)# interface vlan 100
  Purpose: Specifies the interface type and enters interface configuration mode.

Step 7  ip address slot/port
  Example:
  Device(config-if)# ip address 10.1.1.2 255.0.0.0
  Purpose: Configures the Switched Virtual Interface (SVI) for VLAN 100.

Step 8  [no] shutdown
  Example:
  Device(config-if)# no shutdown
  Purpose: Enables the SVI.

Step 9  exit
  Example:
  Device(config-if)# exit
  Purpose: Exits interface configuration mode and returns to global configuration mode.

Step 10  cts role-based sgt-map vlan-list vlan_id sgt sgt_number
  Example:
  Device(config)# cts role-based sgt-map vlan-list 100 sgt 10
  Purpose: Assigns the specified SGT to the specified VLAN.

Step 11  device-tracking policy policy-name
  Example:
  Device(config)# device-tracking policy policy1
  Purpose: Specifies the policy and enters device-tracking policy configuration mode.

Step 12  tracking enable
  Example:
  Device(config-device-tracking)# tracking enable
  Purpose: Overrides the default device tracking settings for the policy attribute.

Step 13  exit
  Example:
  Device(config-device-tracking)# exit
  Purpose: Exits device-tracking policy configuration mode and returns to global configuration mode.

Step 14  vlan configuration vlan_id
  Example:
  Device(config)# vlan configuration 100
  Purpose: Specifies the VLAN to which the device tracking policy will be attached, and enters VLAN configuration mode.

Step 15  device-tracking attach-policy policy-name
  Example:
  Device(config-vlan-config)# device-tracking attach-policy policy1
  Purpose: Attaches a device tracking policy to the specified VLAN.

Step 16  end
  Example:
  Device(config-vlan-config)# end
  Purpose: Exits VLAN configuration mode and returns to privileged EXEC mode.

Step 17  show cts role-based sgt-map {ipv4_netaddr | ipv4_netaddr/prefix | ipv6_netaddr | ipv6_netaddr/prefix | all [ipv4 | ipv6] | host {ipv4_addr | ipv6_addr} | summary [ipv4 | ipv6]}
  Example:
  Device# show cts role-based sgt-map all
  Purpose: (Optional) Displays the VLAN-to-SGT mappings.

Step 18  show device-tracking policy policy-name
  Example:
  Device# show device-tracking policy policy1
  Purpose: (Optional) Displays the current policy attributes.

Emulating the Hardware Keystore

In cases where a hardware keystore is not present or is unusable, you can configure the switch to use a software emulation of the keystore. To configure the use of a software keystore, perform this task:

Procedure

Step 1  enable
  Example:
  Device# enable
  Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2  configure terminal
  Example:
  Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3  cts keystore emulate
  Example:
  Device(config)# cts keystore emulate
  Purpose: Configures the switch to use a software emulation of the keystore instead of the hardware keystore.

Step 4  exit
  Example:
  Device(config)# exit
  Purpose: Exits configuration mode.

Step 5  show keystore
  Example:
  Device# show keystore
  Purpose: Displays the status and contents of the keystore. The stored secrets are not displayed.

Configuring Default Route SGT

Before you begin
Ensure that you have already created a default route on the device using the ip route 0.0.0.0 command. Otherwise, the default route (which comes with the Default Route SGT) gets an unknown destination, and therefore the last resort destination will point to the CPU.

Procedure

Step 1  enable
  Example:
  Device> enable
  Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2  configure terminal
  Example:
  Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3  cts role-based sgt-map 0.0.0.0/0 sgt number
  Example:
  Device(config)# cts role-based sgt-map 0.0.0.0/0 sgt 3
  Purpose: Specifies the SGT number for the default route. Valid values are from 0 to 65,519.
  Note
  • The host_address/subnet can be either an IPv4 address (0.0.0.0/0) or an IPv6 address (0:0::/0).
  • The default route configuration is accepted only with the subnet /0. Entering only the host-ip without the subnet /0 displays the following message:
    Device(config)#cts role-based sgt-map 0.0.0.0 sgt 1000
    Default route configuration is not supported for host ip

Step 4  exit
  Example:
  Device(config)# exit
  Purpose: Exits global configuration mode.

Verifying SGT Mapping

The following sections show how to verify SGT mapping:

Verifying Subnet-to-SGT Mapping Configuration
To display Subnet-to-SGT Mapping configuration information, use one of the following show commands:

Command: Purpose
  • show cts sxp connections: Displays the SXP speaker and listener connections with their operational status.
  • show cts sxp sgt-map: Displays the IP to SGT bindings exported to the SXP listeners.
  • show running-config: Verifies that the subnet-to-SGT configuration commands are in the running configuration file.

Verifying VLAN-to-SGT Mapping

To display VLAN-to-SGT configuration information, use the following show commands:

Table 1:

Command: Purpose
  • show device-tracking policy: Displays the current policy attributes of the device tracking policy.
  • show cts role-based sgt-map: Displays the IP address-to-SGT bindings.

Verifying Default Route SGT Configuration

Verify the Default Route SGT configuration:
device# show role-based sgt-map all
Active IPv4-SGT Bindings Information

[Figure: command output listing the active IPv4-SGT bindings]

Configuration Examples for SGT Mapping

The following sections show configuration examples of SGT mapping:

Example: Configuring a Device SGT Manually

    Device# configure terminal
    Device(config)# cts sgt 1234
    Device(config)# exit

Example: Fa'atonuga mo Subnet-to-SGT Mapping
O le exampO lo'o fa'aalia ai le fa'atulagaina o le IPv4 Subnet-to-SGT Mapping i le va o masini o lo'o fa'aogaina le SXPv3 (Device1 ma Device2):

  1. Fa'atulaga le SXP failauga/fa'alogo e va'ai i le va o masini.
    • Device1# fetuutuunai laina
    • Device1(config)# cts sxp mafai
    • Device1(config)# cts sxp fa'apogai fa'aletonu-ip 1.1.1.1
    • Device1(config)# cts sxp upu fa'aoga sese 1syzygy1
    • Device1(config)# cts sxp connection peer 2.2.2.2 password default mode speaker local
  2. Fa'atulaga Device2 e fai ma fa'alogo SXP o Device1.
    • Device2(config)# cts sxp mafai
    • Device2(config)# cts sxp fa'apogai fa'aletonu-ip 2.2.2.2
    • Device2(config)# cts sxp upu fa'aoga sese 1syzygy1
    • Device2(config)# cts sxp connection peer 1.1.1.1 password default mode tagata faalogologo i le lotoifale
  3. I luga o le Device2, faʻamautinoa o loʻo faʻaogaina le fesoʻotaʻiga SXP:
    Device2# fa'aali cts sxp feso'ota'iga pupuu | aofia ai le 1.1.1.1 1.1.1.1 2.2.2.2 I le 3:22:23:18 (dd:hr:mm:sec)
  4. Fa'atonu so'o feso'ota'iga e fa'alautele ile Device1.
    • Device1(config)# cts sxp fa'afanua feso'otaiga-fa'afanua 10000
    • Masini1(config)# cts fa'avae-fa'afanua sgt 10.10.10.0/30 sgt 101
    • Masini1(config)# cts fa'avae-fa'afanua sgt 11.11.11.0/29 sgt 11111
    • Masini1(config)# cts fa'avae-fa'afanua sgt 192.168.1.0/28 sgt 65000
  5. I luga o le Device2, fa'amaonia le fa'alauteleina o le subnet-to-SGT mai le Device1. E tatau ona lua fa'alautelega mo le 10.10.10.0/30 subnetwork, ono fa'alautelega mo le 11.11.11.0/29 subnetwork, ma le 14 fa'alautele mo le 192.168.1.0/28 subnetwork.
    Device2# fa'aali cts sxp sgt-faafanua puupuu | aofia ai le 101|11111|65000
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
  6. Fa'amaonia le faitau aofa'i o le Device1:
    Device1# fa'aali cts sxp sgt-faafanua
    • Fa'afanua IP-SGT fa'alautele:22
    • E leai ni fa'afanua IP-SGT
  7. Fa'asaoina fa'atonuga i luga ole Device1 ma le Device2 ma alu ese mai le fa'asologa o fa'asologa o le lalolagi.
    Device1(config)# kopi running-config startup-config
    Meafaigaluega1(config)# alu ese
    Device2(config)# kopi running-config startup-config
    Meafaigaluega2(config)# alu ese
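The expansion counts in the configuration example above (2, 6 and 14, 22 in total) and the subnet-to-SGT restrictions can be checked before a configuration is deployed. The script below is an added example, not Cisco code: it parses the Device1 lines, which are embedded as constructed input, and its function names are hypothetical. It assumes that a 0.0.0.0/0 entry is the default route SGT and is never expanded.

```python
import ipaddress
import re

# Constructed input: the Device1 lines from the configuration example above.
DEVICE1_CONFIG = """\
Device1(config)# cts sxp mapping network-map 10000
Device1(config)# cts role-based sgt-map 10.10.10.0/30 sgt 101
Device1(config)# cts role-based sgt-map 11.11.11.0/29 sgt 11111
Device1(config)# cts role-based sgt-map 192.168.1.0/28 sgt 65000
"""

LIMIT_RE = re.compile(r"cts sxp mapping network-map (\d+)\s*$")
MAP_RE = re.compile(r"cts role-based sgt-map (\d+(?:\.\d+){3})/(\d+) sgt (\d+)\s*$")


def parse_config(text):
    """Return (network_map_limit, [(IPv4Network, sgt), ...])."""
    limit = 0  # page: the default is 0, no expansions performed
    subnets = []
    for line in text.splitlines():
        m = LIMIT_RE.search(line)
        if m:
            limit = int(m.group(1))
            continue
        m = MAP_RE.search(line)
        if m:
            # strict=False: 10.10.10.10/29 is read as the subnet 10.10.10.8/29
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if net.prefixlen == 0:
                continue  # assumption: default route SGT entry, not expanded
            subnets.append((net, int(m.group(3))))
    return limit, subnets


def expansion_count(net):
    """Host bindings one subnet expands to; network and broadcast are excluded."""
    if net.prefixlen > 30:
        return 0  # page: a /31 cannot be expanded; the prefix range is 0 to 30
    return net.num_addresses - 2


def expand(text):
    """Yield (host_ip, sgt) pairs in the order the subnets are configured."""
    _, subnets = parse_config(text)
    for net, sgt in subnets:
        if expansion_count(net) == 0:
            continue
        first = int(net.network_address) + 1
        last = int(net.broadcast_address) - 1
        for value in range(first, last + 1):
            yield str(ipaddress.IPv4Address(value)), sgt


def audit(text):
    """Check a configuration against the restrictions the page lists."""
    limit, subnets = parse_config(text)
    per_subnet = {str(net): expansion_count(net) for net, _ in subnets}
    total = sum(per_subnet.values())
    problems = [f"{net}: prefix longer than /30 cannot be expanded"
                for net, _ in subnets if net.prefixlen > 30]
    if subnets and limit == 0:
        problems.append("network-map bindings is 0: no expansion is performed")
    elif total > limit:
        problems.append(f"{total} host bindings exceed the network-map limit of {limit}")
    return {"limit": limit, "per_subnet": per_subnet, "total": total,
            "problems": problems}


if __name__ == "__main__":
    report = audit(DEVICE1_CONFIG)
    for subnet, count in report["per_subnet"].items():
        print(f"{subnet}: {count} host bindings")
    print(f"total {report['total']} of limit {report['limit']}")
    for problem in report["problems"]:
        print("PROBLEM:", problem)
```

A total above the network-map value, or a value of 0, means the host addresses are not bound and exported, which is the condition the restrictions section describes.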

Example: Configuration for VLAN-to-SGT Mapping for a Single Host Over an Access Link

In the following example, a single host connects to VLAN 100 on an access device. A switched virtual interface on the TrustSec device is the default gateway for the VLAN 100 endpoint (IP address 10.1.1.1). The TrustSec device imposes Security Group Tag (SGT) 10 on packets from VLAN 100.

  1. Create VLAN 100 on an access device.
    access_device# configure terminal
    access_device(config)# vlan 100
    access_device(config-vlan)# no shutdown
    access_device(config-vlan)# exit
    access_device(config)#
  2. Configure the interface to the TrustSec device as an access link. Configurations for the endpoint access port are omitted in this example.
    access_device(config)# interface gigabitEthernet 6/3
    access_device(config-if)# switchport
    access_device(config-if)# switchport mode access
    access_device(config-if)# switchport access vlan 100
  3. Create VLAN 100 on the TrustSec device.
    TS_device(config)# vlan 100
    TS_device(config-vlan)# no shutdown
    TS_device(config-vlan)# end
    TS_device#
  4. Create an SVI as the gateway for incoming VLAN 100.
    TS_device(config)# interface vlan 100
    TS_device(config-if)# ip address 10.1.1.2 255.0.0.0
    TS_device(config-if)# no shutdown
    TS_device(config-if)# end
    TS_device(config)#
  5. Assign Security Group Tag (SGT) 10 to hosts on VLAN 100.
    TS_device(config)# cts role-based sgt-map vlan-list 100 sgt 10
  6. Enable IP Device Tracking on the TrustSec device. Verify that it is operating.
    TS_device(config)# ip device tracking
    TS_device# show ip device tracking all
    [Figure: output of show ip device tracking all]
  7. (Optional) Ping the default gateway from an endpoint (in this example, host IP address 10.1.1.1). Verify that SGT 10 is being mapped to VLAN 100 hosts.
    [Figure: command output showing the SGT mapping for the VLAN 100 host]

Example: Emulating the Hardware Keystore
This example shows how to configure and verify the use of a software keystore:

[Figure: console output of the software keystore configuration and verification]

Example: Configuring Device Route SGT

    Device# configure terminal
    Device(config)# cts role-based sgt-map 0.0.0.0/0 sgt 3
    Device(config)# exit

Feature History for Security Group Tag Mapping

  • This table provides release and related information for features explained in this module.
  • These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

Release: Cisco IOS XE Everest 16.5.1a
Feature: Security Group Tag Mapping
Feature Information: Subnet to SGT mapping binds an SGT to all host addresses of a specified subnet. Once this mapping is implemented, Cisco TrustSec imposes the SGT on any incoming packet whose source IP address belongs to the specified subnet.

Release: Cisco IOS XE Gibraltar 16.11.1
Feature: Default Route SGT Classification
Feature Information: Default Route SGT assigns an SGT tag number to those routes that do not match a specified route.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.
