- clear cts policy
- clear cts role-based counters
- cts device-id
- cts manual
- cts role-based access-list
- cts role-based counters enable
- cts role-based enforcement
- cts role-based sgt
- cts role-based sgt-map
- cts sgt
- cts sxp connection peer
- cts sxp default password
- cts sxp default source-ip
- cts sxp enable
- cts sxp reconcile-period
- cts sxp retry-period
C Commands
This chapter describes the Cisco NX-OS TrustSec commands that begin with C.
clear cts policy
To clear the Cisco TrustSec security group access control list (SGACL) policies, use the clear cts policy command.
clear cts policy { all | peer device-id | sgt sgt-value }
Usage Guidelines
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
When you clear the SGACL policies, the operation does not take effect until the interface is flapped. If the interface is a static SGT interface, the SGT value is set to zero (0) after the flapping. To undo this operation, use the following commands:
If the interface is a dynamic SGT interface, the SGT is downloaded again from the RADIUS server after the flapping.
Examples
This example shows how to clear all the Cisco TrustSec SGACL policies on the device:
clear cts role-based counters
To clear the role-based access control list (RBACL) statistics so that all counters are reset to 0, use the clear cts role-based counters command.
Usage Guidelines
Examples
This example shows how to clear the RBACL statistics:
Related Commands
- Displays the configuration status of RBACL statistics and lists statistics for all RBACL policies.
cts device-id
To configure a Cisco TrustSec device identifier, use the cts device-id command.
cts device-id device-id password [ 7 ] password
Usage Guidelines
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
Examples
This example shows how to configure a Cisco TrustSec device identifier:
cts manual
To enter the Cisco TrustSec manual configuration for an interface, use the cts manual command. To remove the manual configuration, use the no form of this command.
Usage Guidelines
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown and no shutdown command sequence for the configuration to take effect.
Examples
This example shows how to enter Cisco TrustSec manual configuration mode for an interface:
This example shows how to remove the Cisco TrustSec manual configuration from an interface:
Related Commands
- Displays Cisco TrustSec configuration information for interfaces.
cts role-based access-list
To create or specify a Cisco TrustSec security group access control list (SGACL) and enter role-based access control list configuration mode, use the cts role-based access-list command. To remove an SGACL, use the no form of this command.
cts role-based access-list list-name
no cts role-based access-list list-name
Syntax Description
list-name: Name for the SGACL. The name is alphanumeric and case-sensitive. The maximum length is 32 characters.
Usage Guidelines
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
When you remove an SGACL, the access list can no longer be referenced by any SGT-DGT pair in the system.
Examples
This example shows how to create a Cisco TrustSec SGACL and enter the role-based access list configuration mode:
This example shows how to remove a Cisco TrustSec SGACL:
cts role-based counters enable
To enable role-based access control list (RBACL) statistics, use the cts role-based counters enable command. To disable RBACL statistics, use the no form of this command.
cts role-based counters enable
no cts role-based counters enable
Usage Guidelines
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
To use this command, you must enable RBACL policy enforcement on the VLAN.
When you enable RBACL statistics, each policy requires one entry in the hardware. If you do not have enough space remaining in the hardware, an error message appears, and you cannot enable the statistics.
RBACL statistics are lost during an ISSU or when an access control entry is added to or removed from an RBACL.
Examples
This example shows how to enable RBACL statistics:
This example shows how to disable RBACL statistics:
Related Commands
- clear cts role-based counters: Clears the RBACL statistics so that all counters are reset to 0.
- Displays the configuration status of RBACL statistics and lists statistics for all RBACL policies.
cts role-based enforcement
To enable role-based access control list (RBACL) enforcement on a VLAN, use the cts role-based enforcement command. To disable RBACL enforcement on a VLAN, use the no form of this command.
Note: If you do not enable cts role-based enforcement on a VLAN, ingress tagging does not occur even though the ingress and egress interfaces are configured with cts manual and a policy static SGT. You must therefore enable cts role-based enforcement on the VLAN for ingress tagging to occur.
Usage Guidelines
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
RBACL enforcement is enabled on a per-VLAN basis and cannot be enabled on routed VLANs or interfaces. For RBACL enforcement changes to take effect, you must exit VLAN configuration mode.
Examples
This example shows how to enable RBACL enforcement on a VLAN and verify the status:
This example shows how to disable RBACL enforcement on a VLAN:
cts role-based sgt
To manually configure mapping of Cisco TrustSec security group tags (SGTs) to a security group access control list (SGACL), use the cts role-based sgt command. To remove the SGT mapping to an SGACL, use the no form of this command.
cts role-based sgt { sgt-value | any | unknown } dgt { dgt-value | any | unknown } access-list list-name
no cts role-based sgt { sgt-value | any | unknown } dgt { dgt-value | any | unknown }
Usage Guidelines
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
You must configure the SGACL before you can configure SGT mapping.
Examples
This example shows how to configure SGT mapping for an SGACL:
This example shows how to configure any SGT mapping to any destination SGT:
This example shows how to remove SGT mapping for an SGACL:
cts role-based sgt-map
To manually configure the Cisco TrustSec security group tag (SGT) mapping to IP addresses, use the cts role-based sgt-map command. To remove an SGT, use the no form of this command.
cts role-based sgt-map ipv4-address sgt-value
no cts role-based sgt-map ipv4-address
Command Modes
Global configuration mode
VLAN configuration mode
VRF configuration mode
Usage Guidelines
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
Examples
This example shows how to configure mapping for a Cisco TrustSec SGT:
This example shows how to remove a Cisco TrustSec SGT mapping:
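The following added configuration example is not taken from the original reference; it strings together the commands described under cts role-based access-list, cts role-based sgt, cts role-based sgt-map, cts role-based enforcement and cts role-based counters enable in the order their usage guidelines require (SGACL before binding, enforcement before counters). The SGACL names, SGT values 3 and 10, host addresses, VLAN 10, the permit/deny lines typed inside the SGACL sub-mode and the show commands are assumptions for illustration and are not defined on this page.

```cisco
! Added example, not from the original reference. Assumed values: SGACLs
! Web-to-DB and Deny-All, SGT 3 (web tier), DGT 10 (database tier),
! hosts 10.1.1.10 and 10.1.2.20, VLAN 10. The ACE syntax inside the
! rbacl sub-mode and the show commands are assumed, not defined here.
switch# configure terminal
switch(config)# feature dot1x
switch(config)# feature cts

! 1. Create the SGACLs first: cts role-based sgt cannot reference a
!    list that does not exist yet.
switch(config)# cts role-based access-list Web-to-DB
switch(config-rbacl)# permit tcp dst eq 3306
switch(config-rbacl)# deny all
switch(config-rbacl)# exit
switch(config)# cts role-based access-list Deny-All
switch(config-rbacl)# deny all
switch(config-rbacl)# exit

! 2. Bind (source SGT, destination SGT) pairs to the lists. The any/any
!    binding is the catch-all for pairs with no explicit entry, so the
!    policy fails closed.
switch(config)# cts role-based sgt 3 dgt 10 access-list Web-to-DB
switch(config)# cts role-based sgt any dgt any access-list Deny-All

! 3. Static IP-to-SGT bindings for hosts that are not classified by
!    802.1X/RADIUS.
switch(config)# cts role-based sgt-map 10.1.1.10 3
switch(config)# cts role-based sgt-map 10.1.2.20 10

! 4. Enable enforcement per VLAN. Without this, no ingress tagging or
!    SGACL lookup happens on VLAN 10 even though the bindings exist, and
!    the change takes effect only after leaving VLAN configuration mode.
switch(config)# vlan 10
switch(config-vlan)# cts role-based enforcement
switch(config-vlan)# exit

! 5. Counters require enforcement on the VLAN and one hardware entry per
!    policy; issuing this before step 4 (or with no TCAM space left)
!    returns an error instead of enabling statistics.
switch(config)# cts role-based counters enable
switch(config)# end

! Verify, and remember that counters are zeroed by an ISSU or by
! adding/removing an ACE, so snapshot them before editing an SGACL.
switch# show cts role-based access-list
switch# show cts role-based counters
switch# clear cts role-based counters
```

Removing an SGACL with no cts role-based access-list also invalidates every SGT-DGT binding that referenced it, so delete or rebind the cts role-based sgt entries first to avoid leaving pairs without a policy.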
cts sgt
To configure the security group tag (SGT) for Cisco TrustSec, use the cts sgt command. To revert to the default settings, use the no form of this command.
Syntax Description
Local SGT for the device, a hexadecimal value in the format 0xhhhh. The range is from 0x2 to 0xffef.
Usage Guidelines
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
Examples
This example shows how to configure the Cisco TrustSec SGT for the device:
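The following added example is not part of the original reference. It covers the device-level commands described under cts device-id and cts sgt, puts an interface into cts manual mode with the shutdown/no shutdown sequence its usage guidelines require, and then shows the interface flap that the clear cts policy usage guidelines say is needed before a cleared policy takes effect. The device IDs, password, SGT values, interface number, the policy static sgt sub-mode command (referenced in the note under cts role-based enforcement but not defined on this page) and the show cts interface command are assumptions.

```cisco
! Added example, not from the original reference. Assumed values:
! device-id SwitchA with password Cisco321, local SGT 0x3, interface
! ethernet 2/1 with static SGT 0x5, peer device-id SwitchB. The
! policy static sgt sub-mode command and show cts interface are assumed.
switch# configure terminal
switch(config)# feature dot1x
switch(config)# feature cts
! The password is entered in clear text here; the "7" keyword form is
! for re-entering an already encrypted password from a saved config.
switch(config)# cts device-id SwitchA password Cisco321
switch(config)# cts sgt 0x3

switch(config)# interface ethernet 2/1
switch(config-if)# cts manual
switch(config-if-cts-manual)# policy static sgt 0x5
switch(config-if-cts-manual)# exit
! cts manual settings are applied only when the interface is flapped.
switch(config-if)# shutdown
switch(config-if)# no shutdown
switch(config-if)# end

! Clearing SGACL policy is likewise deferred until the interface flaps.
! On a static-SGT interface the SGT reads 0 after the flap, so verify it;
! on a dynamic-SGT interface it is downloaded again from RADIUS.
switch# clear cts policy peer SwitchB
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# shutdown
switch(config-if)# no shutdown
switch(config-if)# end
switch# show cts interface ethernet 2/1
```

Flapping the interface is service-affecting, so schedule clear cts policy and cts manual changes in a maintenance window rather than assuming they apply immediately.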
cts sxp connection peer
To configure a Security Group Tag (SGT) Exchange Protocol (SXP) peer connection for Cisco TrustSec, use the cts sxp connection peer command. To remove the SXP connection, use the no form of this command.
cts sxp connection peer peer-ipv4-addr [ source src-ipv4-addr ] password { default | none | required { password | 7 encrypted-password }} mode listener [ vrf vrf-name ]
no cts sxp connection peer peer-ipv4-addr [ source src-ipv4-addr ] password { default | none | required { password | 7 encrypted-password }} mode listener [ vrf vrf-name ]
Command Default
password: the default SXP password configured for the device
source: the default SXP source IPv4 address configured for the device
vrf: the default VRF
Usage Guidelines
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
You can use only IPv4 addressing with Cisco TrustSec.
If you do not specify a source IPv4 address, you must configure a default SXP source IPv4 address using the cts sxp default source-ip command.
If you specify default as the password mode, you must configure a default SXP password using the cts sxp default password command.
Examples
This example shows how to configure an SXP peer connection:
This example shows how to remove an SXP peer connection:
Related Commands
- cts sxp default source-ip: Configures the default SXP source IPv4 address for the device.
- Displays the Cisco TrustSec SXP peer connection information.
cts sxp default password
To configure the default Security Group Tag (SGT) Exchange Protocol (SXP) password for the device, use the cts sxp default password command. To remove the default, use the no form of this command.
cts sxp default password { password | 7 encrypted-password }
Syntax Description
password: Clear text password. The password is alphanumeric and case-sensitive. The maximum length is 32 characters.
7 encrypted-password: Specifies an encrypted password. The maximum length is 32 characters.
Usage Guidelines
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
Examples
This example shows how to configure the default SXP password for the device:
This example shows how to remove the default SXP password:
cts sxp default source-ip
To configure the default Security Group Tag (SGT) Exchange Protocol (SXP) source IPv4 address for the device, use the cts sxp default source-ip command. To revert to the default, use the no form of this command.
cts sxp default source-ip ipv4-address
Usage Guidelines
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
Examples
This example shows how to configure the default SXP source IP address for the device:
This example shows how to remove the default SXP source IP address:
cts sxp enable
To enable the Security Group Tag (SGT) Exchange Protocol (SXP) peer on a device, use the cts sxp enable command. To revert to the default, use the no form of this command.
Usage Guidelines
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
Examples
This example shows how to enable SXP:
This example shows how to disable SXP:
cts sxp reconcile-period
To configure a Security Group Tag (SGT) Exchange Protocol (SXP) reconcile period timer, use the cts sxp reconcile-period command. To revert to the default, use the no form of this command.
cts sxp reconcile-period seconds
Usage Guidelines
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
After a peer terminates an SXP connection, an internal hold-down timer starts. If the peer reconnects before the internal hold-down timer expires, the SXP reconcile period timer starts.
Note: Setting the SXP reconcile period to 0 seconds disables the timer.
Examples
This example shows how to configure the SXP reconcile period:
This example shows how to revert to the default SXP reconcile period value:
cts sxp retry-period
To configure a Security Group Tag (SGT) Exchange Protocol (SXP) retry period timer, use the cts sxp retry-period command. To revert to the default, use the no form of this command.
Usage Guidelines
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
The SXP retry period determines how often the Cisco NX-OS software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco NX-OS software makes a new attempt to set up the connection after the SXP retry period timer expires.
Note: Setting the SXP retry period to 0 seconds disables the timer, and no retries are attempted.
Examples
This example shows how to configure the SXP retry period:
This example shows how to revert to the default SXP retry period value:
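The following added example is not part of the original reference. It brings together the commands described under cts sxp enable, cts sxp default password, cts sxp default source-ip, cts sxp connection peer, cts sxp reconcile-period and cts sxp retry-period into one SXP configuration, in the order their usage guidelines require (defaults before any peer that relies on them), and shows the weak password none setting beside the authenticated forms. The passwords, IPv4 addresses, timer values and the show cts sxp connection command (described under Related Commands but not defined on this page) are assumptions.

```cisco
! Added example, not from the original reference. Assumed values: default
! password Cisco654, default source 10.10.3.3, peers 10.10.1.1, 10.10.2.2
! and 10.10.5.5, per-peer password Cisco987, show cts sxp connection.
switch# configure terminal
switch(config)# feature dot1x
switch(config)# feature cts
switch(config)# cts sxp enable

! Device-wide defaults. A peer configured with "password default" or
! without "source" relies on these, so set them before adding such peers.
switch(config)# cts sxp default password Cisco654
switch(config)# cts sxp default source-ip 10.10.3.3

! Peer 1: default password and default source address, default VRF.
! Cisco TrustSec supports IPv4 addressing only.
switch(config)# cts sxp connection peer 10.10.1.1 password default mode listener vrf default

! Peer 2: explicit source address and a per-peer password. The running
! configuration stores it in the "7 encrypted-password" form.
switch(config)# cts sxp connection peer 10.10.2.2 source 10.10.4.4 password required Cisco987 mode listener

! Weak setting, shown for contrast and deliberately left unconfigured:
! "password none" brings the SXP session up with no password at all. SXP
! carries the IP-to-SGT bindings that decide which SGACL is applied, so
! keep "password default" or "password required" on every peer.
! switch(config)# cts sxp connection peer 10.10.5.5 password none mode listener

! Timers. The reconcile timer starts only when a peer reconnects before
! the internal hold-down timer expires; the retry timer sets how often a
! connection that failed to come up is attempted again. 0 disables either.
switch(config)# cts sxp reconcile-period 180
switch(config)# cts sxp retry-period 120
switch(config)# end
switch# show cts sxp connection
```

The no form of cts sxp connection peer repeats the peer's full parameter list, so copy the exact line from the running configuration when removing a peer.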
Related Commands
- Displays the Cisco TrustSec SXP peer connection information.