CISCO Configuring Security Group Tag Mapping

Product Information

The product lets you configure security group tag (SGT) mapping. This binds an SGT to all host addresses of a specified subnet. Once this mapping is in place, Cisco TrustSec imposes the SGT on any incoming packet whose source IP address belongs to the specified subnet.

Restrictions for SGT Mapping
The following command is not supported for host IP configuration: Device(config)#cts role-based sgt-map 0.0.0.0 sgt 1000

Overview of Subnet-to-SGT Mapping

  • Subnet-to-SGT mapping binds an SGT to all host addresses of a specified subnet. Cisco TrustSec imposes the SGT on an incoming packet when the packet's source IP address belongs to the specified subnet. The subnet and SGT are specified in the CLI with the cts role-based sgt-map net_address/prefix sgt sgt_number global configuration command. A single host can also be mapped with this command.
  • In IPv4 networks, Security Exchange Protocol (SXP) v3, and more recent versions, can receive and parse subnet_address/prefix strings from SXPv3 peers. Earlier versions of SXP convert the subnet prefix into its set of host bindings before exporting them to an SXP listener peer.
  • Subnet bindings are static; there is no learning of active hosts. They can be used locally for SGT imposition and SGACL enforcement. Packets tagged by subnet-to-SGT mapping can be propagated on Layer 2 or Layer 3 Cisco TrustSec links.
  • For IPv6 networks, SXPv3 cannot export subnet bindings to SXPv2 or SXPv1 peers.

Overview of VLAN-to-SGT Mapping

  • VLAN-to-SGT mapping binds an SGT to packets from a specified VLAN. This simplifies migration from legacy to Cisco TrustSec-capable networks.
  • The VLAN-to-SGT binding is configured with the cts role-based sgt-map vlan-list global configuration command.
  • When a VLAN is assigned a gateway that is a switched virtual interface (SVI) on a Cisco TrustSec-capable switch, and IP Device Tracking is enabled on that switch, Cisco TrustSec can create an IP-to-SGT binding for any active host on that VLAN mapped to the SVI subnet.
  • IP-SGT bindings for the active VLAN hosts are exported to SXP listeners. The bindings for each mapped VLAN are inserted into the IP-to-SGT table associated with the VRF the VLAN is mapped to by either its SVI or by the cts role-based l2-vrf command.
  • VLAN-to-SGT bindings have the lowest priority of all binding methods and are ignored when bindings from other sources are received, such as from SXP or CLI host configurations. Binding priorities are listed in the Binding Source Priorities section.

Product Usage Instructions

Configuring Subnet-to-SGT Mapping

  1. Access the CLI of the device.
  2. Enter global configuration mode using the config command.
  3. Enter the following command to configure subnet-to-SGT mapping:
cts role-based sgt-map net_address/prefix sgt sgt_number
  4. Replace net_address/prefix with the subnet address and prefix length you want to map (for example, 192.168.1.0/24).
  5. Replace sgt_number with the security group tag number you want.
  6. Press Enter to apply the configuration.
  7. Exit configuration mode.

Configuring VLAN-to-SGT Mapping

  1. Access the CLI of the device.
  2. Enter global configuration mode using the config command.
  3. Enter the following command to configure VLAN-to-SGT mapping:
cts role-based sgt-map vlan-list
  4. Specify the VLANs to be mapped to SGTs.
  5. Press Enter to apply the configuration.
  6. Exit configuration mode.

Specifications

  • Supported Networks: IPv4, IPv6
  • Supported Protocols: Security Exchange Protocol (SXP) v3
  • Supported Binding Methods: Subnet-to-SGT mapping, VLAN-to-SGT mapping

Frequently Asked Questions (FAQ)

  • Q: Can subnet bindings be exported to SXPv2 or SXPv1 peers in IPv6 networks?
    A: No, in IPv6 networks subnet bindings can be exported to SXPv3 peers.
  • Q: What is the priority of VLAN-to-SGT bindings?
    A: VLAN-to-SGT bindings have the lowest priority of all binding methods and are ignored when bindings from other sources are received.

Subnet to security group tag (SGT) mapping binds an SGT to all host addresses of a specified subnet. Once this mapping is in place, Cisco TrustSec imposes the SGT on any incoming packet whose source IP address belongs to the specified subnet.

Restrictions for SGT Mapping

Restrictions for Subnet-to-SGT Mapping

  • An IPv4 subnetwork with a /31 prefix cannot be expanded.
  • Subnet host addresses cannot be bound to Security Group Tags (SGTs) when the network-map bindings parameter is less than the total number of subnet hosts in the specified subnets, or when bindings is 0.
  • IPv6 expansion and propagation occur only when the Security Exchange Protocol (SXP) speaker and listener are running SXPv3 or more recent versions.

Restriction for Default Route SGT Mapping

  • Default route configuration is accepted only with the subnet /0. Entering only the host-ip without the subnet /0 displays the following message: [Figure 1]

Information About SGT Mapping

This section provides information about SGT mapping.

Overview

Overview of Subnet-to-SGT Mapping
Subnet-to-SGT mapping binds an SGT to all host addresses of a specified subnet. Cisco TrustSec imposes the SGT on an incoming packet when the packet's source IP address belongs to the specified subnet. The subnet and SGT are specified in the CLI with the cts role-based sgt-map net_address/prefix sgt sgt_number global configuration command. A single host can also be mapped with this command. In IPv4 networks, Security Exchange Protocol (SXP) v3, and more recent versions, can receive and parse subnet_address/prefix strings from SXPv3 peers. Earlier versions of SXP convert the subnet prefix into its set of host bindings before exporting them to an SXP listener peer.

For example, the IPv4 subnet 192.0.2.0/24 is expanded as follows (only 3 bits for host addresses):

  • Host addresses 198.0.2.1 to 198.0.2.7: tagged and propagated to the SXP peer.
  • Network and broadcast addresses 198.0.2.0 and 198.0.2.8: not tagged and not propagated.

To limit the number of subnet bindings SXPv3 can export, use the cts sxp mapping network-map global configuration command. Subnet bindings are static; there is no learning of active hosts. They can be used locally for SGT imposition and SGACL enforcement. Packets tagged by subnet-to-SGT mapping can be propagated on Layer 2 or Layer 3 Cisco TrustSec links. For IPv6 networks, SXPv3 cannot export subnet bindings to SXPv2 or SXPv1 peers.

Overview of VLAN-to-SGT Mapping
VLAN-to-SGT mapping binds an SGT to packets from a specified VLAN. This simplifies migration from legacy to Cisco TrustSec-capable networks as follows:

  • Supports devices that are not Cisco TrustSec-capable but are VLAN-capable, such as legacy switches, wireless controllers, access points, VPNs, and so on.
  • Provides backward compatibility for topologies where VLANs and VLAN ACLs segment the network, such as server segmentation in data centers.
  • The VLAN-to-SGT binding is configured with the cts role-based sgt-map vlan-list global configuration command.
  • When a VLAN is assigned a gateway that is a switched virtual interface (SVI) on a Cisco TrustSec-capable switch, and IP Device Tracking is enabled on that switch, Cisco TrustSec can create an IP-to-SGT binding for any active host on that VLAN mapped to the SVI subnet.
  • IP-SGT bindings for the active VLAN hosts are exported to SXP listeners. The bindings for each mapped VLAN are inserted into the IP-to-SGT table associated with the VRF the VLAN is mapped to by either its SVI or by the cts role-based l2-vrf command.
  • VLAN-to-SGT bindings have the lowest priority of all binding methods and are ignored when bindings from other sources are received, such as from SXP or CLI host configurations. Binding priorities are listed in the Binding Source Priorities section.

Binding Source Priorities

Cisco TrustSec resolves conflicts among IP-SGT binding sources with a strict priority scheme. For example, an SGT may be applied to an interface with the policy {dynamic identity peer-name | static sgt tag} Cisco TrustSec Manual interface mode command (Identity Port Mapping). The current priority enforcement order, from lowest (1) to highest (7), is as follows:

  1. VLAN: Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured.
  2. CLI: Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.
  3. SXP: Bindings learned from SXP peers.
  4. IP_ARP: Bindings learned when tagged ARP packets are received on a CTS-capable link.
  5. LOCAL: Bindings of authenticated hosts that are learned through EPM and device tracking. This type of binding also includes individual hosts that are learned through ARP snooping on L2 [I]PM configured ports.
  6. INTERNAL: Bindings between locally configured IP addresses and the device's own SGT.

Note
If the source IP address matches multiple subnet prefixes with different assigned SGTs, the longest-prefix SGT takes precedence unless the priorities differ.

Default Route SGT

  • Default Route Security Group Tag (SGT) assigns an SGT number to default routes.
  • The default route is the route that does not match a specified route and is therefore the route to the last-resort destination. Default routes are used to direct packets addressed to networks that are not explicitly listed in the routing table.

How to Configure SGT Mapping

This section describes how to configure SGT mapping.

Configuring a Device SGT Manually
In normal Cisco TrustSec operation, the authentication server assigns an SGT to the device for packets originating from the device. You can manually configure an SGT to be used if the authentication server is not accessible, but an SGT assigned by the authentication server takes precedence over a manually assigned SGT.

To manually configure an SGT on the device, perform this task:

Procedure

Command or Action | Purpose

Step 1: enable
Example: Device# enable
Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2: configure terminal
Example: Device# configure terminal
Enters global configuration mode.

Step 3: cts sgt tag
Example: Device(config)# cts sgt 1234
Enables SXP for Cisco TrustSec.

Step 4: exit
Example: Device(config)# exit
Exits global configuration mode and returns to privileged EXEC mode.

Configuring Subnet-to-SGT Mapping

Procedure

Command or Action | Purpose

Step 1: enable
Example: Device# enable
Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2: configure terminal
Example: Device# configure terminal
Enters global configuration mode.

Step 3: cts sxp mapping network-map bindings
Example: Device(config)# cts sxp mapping network-map 10000
• Configures the Subnet to SGT Mapping host count constraint. The bindings argument specifies the number of subnet IP hosts that can be bound to SGTs and exported to the SXP listener.
• bindings: (0 to 65,535) the default is 0 (no expansions made)

Step 4: cts role-based sgt-map ipv4_address/prefix sgt number
Example: Device(config)# cts role-based sgt-map 10.10.10.10/29 sgt 1234
(IPv4) Specifies a subnet in CIDR notation.
• Use the no form of the command to unconfigure the Subnet to SGT mapping. The number of bindings specified in Step 2 should match or exceed the number of host addresses in the subnet (excluding network and broadcast addresses). The sgt number keyword specifies the Security Group Tag to be bound to every host address in the specified subnet.
• ipv4_address: Specifies the IPv4 network address in dotted decimal notation.
• prefix: (0 to 30) Specifies the number of bits in the network address.
• sgt number: (0–65,535) Specifies the Security Group Tag (SGT) number.

Step 5: cts role-based sgt-map ipv6_address::prefix sgt number
Example: Device(config)# cts role-based sgt-map 2020::/64 sgt 1234
(IPv6) Specifies a subnet in colon hexadecimal notation. Use the no form of the command to unconfigure the Subnet to SGT mapping.
The number of bindings specified in Step 2 should match or exceed the number of host addresses in the subnet (excluding network and broadcast addresses). The sgt number keyword specifies the Security Group Tag to be bound to every host address in the specified subnet.
• ipv6_address: Specifies the IPv6 network address in colon hexadecimal notation.
• prefix: (0 to 128) Specifies the number of bits in the network address.
• sgt number: (0–65,535) Specifies the Security Group Tag (SGT) number.

Step 6: exit
Example: Device(config)# exit
Exits global configuration mode and returns to privileged EXEC mode.

Configuring VLAN-to-SGT Mapping

Task flow for configuring VLAN-SGT mapping on a Cisco TrustSec device:

  • Create a VLAN on the device with the same VLAN_ID as the incoming VLAN.
  • Create an SVI for the VLAN on the device to be the default gateway for the endpoint clients.
  • Configure the device to apply an SGT to the VLAN traffic.
  • Enable IP Device Tracking on the device.
  • Attach a device tracking policy to the VLAN.

Note
In a multi-switch network, SISF-based device tracking provides the capability to distribute binding table entries between the switches running the feature. This assumes that binding entries are created on the switches where the host appears on an access port, and that no entry is created for a host that appears over a trunk port. To achieve this in a multi-switch setup, we recommend that you configure another policy and attach it to the trunk port, as described in the Configuring a Multi-Switch Network to Stop Creating Binding Entries from a Trunk Port procedure, in the Configuring SISF-Based Device Tracking chapter of the Security Configuration Guide.

  • Verify that VLAN-to-SGT mapping occurs on the device.

Procedure

Command or Action | Purpose

Step 1: enable
Example: Device# enable
Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2: configure terminal
Example: Device# configure terminal
Enters global configuration mode.

Step 3: vlan vlan_id
Example: Device(config)# vlan 100
Creates VLAN 100 on the TrustSec-capable gateway device and enters VLAN configuration mode.

Step 4: [no] shutdown
Example: Device(config-vlan)# no shutdown
Provisions VLAN 100.

Step 5: exit
Example: Device(config-vlan)# exit
Exits VLAN configuration mode and returns to global configuration mode.

Step 6: interface type slot/port
Example: Device(config)# interface vlan 100
Specifies the interface type and enters interface configuration mode.

Step 7: ip address slot/port
Example: Device(config-if)# ip address 10.1.1.2 255.0.0.0
Configures the Switched Virtual Interface (SVI) for VLAN 100.

Step 8: [no] shutdown
Example: Device(config-if)# no shutdown
Enables the SVI.

Step 9: exit
Example: Device(config-if)# exit
Exits interface configuration mode and returns to global configuration mode.

Step 10: cts role-based sgt-map vlan-list vlan_id sgt sgt_number
Example: Device(config)# cts role-based sgt-map vlan-list 100 sgt 10
Assigns the specified SGT to the specified VLAN.

Step 11: device-tracking policy policy-name
Example: Device(config)# device-tracking policy policy1
Specifies the policy and enters device-tracking policy configuration mode.

Step 12: tracking enable
Example: Device(config-device-tracking)# tracking enable
Overrides the default device tracking settings for the policy attribute.

Step 13: exit
Example: Device(config-device-tracking)# exit
Exits device-tracking policy configuration mode and returns to global configuration mode.

Step 14: vlan configuration vlan_id
Example: Device(config)# vlan configuration 100
Specifies the VLAN to which the device tracking policy will be attached, and enters VLAN configuration mode.

Step 15: device-tracking attach-policy policy-name
Example: Device(config-vlan-config)# device-tracking attach-policy policy1
Attaches the device tracking policy to the specified VLAN.

Step 16: end
Example: Device(config-vlan-config)# end
Exits VLAN configuration mode and returns to privileged EXEC mode.

Step 17: show cts role-based sgt-map {ipv4_netaddr | ipv4_netaddr/prefix | ipv6_netaddr | ipv6_netaddr/prefix | all [ipv4 | ipv6] | host {ipv4_addr | ipv6_addr} | summary [ipv4 | ipv6]}
Example: Device# show cts role-based sgt-map all
(Optional) Displays the VLAN-to-SGT mappings.

Step 18: show device-tracking policy policy-name
Example: Device# show device-tracking policy policy1
(Optional) Displays the current policy attributes.

Emulating the Hardware Keystore

In cases where a hardware keystore is not present or is unusable, you can configure the switch to use a software emulation of the keystore. To configure the use of a software keystore, perform this task:

Procedure

Command or Action | Purpose

Step 1: enable
Example: Device# enable
Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2: configure terminal
Example: Device# configure terminal
Enters global configuration mode.

Step 3: cts keystore emulate
Example: Device(config)# cts keystore emulate
Configures the switch to use a software emulation of the keystore instead of the hardware keystore.

Step 4: exit
Example: Device(config)# exit
Exits configuration mode.

Step 5: show keystore
Example: Device# show keystore
Displays the status and contents of the keystore. The stored secrets are not displayed.

Configuring Default Route SGT

Before you begin
Ensure that you have already created a default route on the device using the ip route 0.0.0.0 command. Otherwise, the default route (which comes with the Default Route SGT) gets an unknown destination, and the last-resort destination therefore points to the CPU.

Procedure

Command or Action | Purpose

Step 1: enable
Example: Device> enable
Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2: configure terminal
Example: Device# configure terminal
Enters global configuration mode.

Step 3: cts role-based sgt-map 0.0.0.0/0 sgt number
Example: Device(config)# cts role-based sgt-map 0.0.0.0/0 sgt 3
Specifies the SGT number for the default route. Valid values are from 0 to 65,519.
Note
• The host_address/subnet can be either an IPv4 address (0.0.0.0/0) or an IPv6 address (0:0::/0).
• The default route configuration is accepted only with the subnet /0. Entering only the host-ip without the subnet /0 displays the following message:
Device(config)#cts role-based sgt-map 0.0.0.0 sgt 1000
Default route configuration is not supported for host ip

Step 4: exit
Example: Device(config)# exit
Exits global configuration mode.
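
The restrictions stated in the procedures above (IPv4 prefix 0 to 30, SGT 0 to 65,535, default route only as /0 with SGT 0 to 65,519) can be checked on candidate configuration lines before they are entered on a device. The following Python check is an added example, not Cisco code; the function names, the wording of the findings and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# IP/subnet form of the command as written on this page.
SGT_MAP = re.compile(r"^cts role-based sgt-map (\S+) sgt (\d+)$")


def check_sgt_map(line):
    """Classify one sgt-map line and list the page's restrictions it breaks."""
    m = SGT_MAP.match(line.strip())
    if not m:
        return "unparsed", ["not an IP or subnet sgt-map line"]
    target, sgt = m.group(1), int(m.group(2))
    problems = []
    try:
        if "/" not in target:
            kind = "host"
            # 0.0.0.0 (or ::) without /0 is the case the device rejects.
            if int(ipaddress.ip_address(target)) == 0:
                problems.append("default route is accepted only with /0")
        else:
            net = ipaddress.ip_network(target, strict=False)
            kind = "default-route" if net.prefixlen == 0 else "subnet"
            if kind == "subnet" and net.version == 4 and net.prefixlen > 30:
                problems.append("IPv4 prefix must be 0 to 30")
    except ValueError:
        return "unparsed", ["invalid address: " + target]
    limit = 65519 if kind == "default-route" else 65535
    if sgt > limit:
        problems.append(f"SGT must be 0 to {limit}")
    return kind, problems


def lint_config(text):
    """Return (line_number, kind, problem) for every violation in a config."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        # The vlan-list form has its own syntax and is not checked here.
        if not line.startswith("cts role-based sgt-map") or " vlan-list " in line:
            continue
        kind, problems = check_sgt_map(line)
        findings.extend((n, kind, p) for p in problems)
    return findings


# Constructed sample: the first five lines follow the page's examples,
# the last three each break one stated restriction.
SAMPLE = """\
cts sxp mapping network-map 10000
cts role-based sgt-map 10.10.10.10/29 sgt 1234
cts role-based sgt-map 2020::/64 sgt 1234
cts role-based sgt-map vlan-list 100 sgt 10
cts role-based sgt-map 0.0.0.0/0 sgt 3
cts role-based sgt-map 0.0.0.0 sgt 1000
cts role-based sgt-map 10.0.0.0/31 sgt 5
cts role-based sgt-map 0.0.0.0/0 sgt 65530
"""

if __name__ == "__main__":
    for finding in lint_config(SAMPLE):
        print(finding)
```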

Verifying SGT Mapping

The following sections show how to verify SGT mapping:

Verifying Subnet-to-SGT Mapping Configuration
To display Subnet-to-SGT Mapping configuration information, use one of the following commands:

Command | Purpose
show cts sxp connections | Displays the SXP speaker and listener connections with their operational status.
show cts sxp sgt-map | Displays the IP to SGT bindings exported to the SXP listeners.
show running-config | Verifies that the subnet-to-SGT configuration commands are in the running configuration file.

Verifying VLAN-to-SGT Mapping

To display VLAN-to-SGT configuration information, use the following commands:

Table 1:

Command | Purpose
show device-tracking policy | Displays the current policy attributes of the device tracking policy.
show cts role-based sgt-map | Displays IP address-to-SGT bindings.

Verifying Default Route SGT Configuration

Verify the Default Route SGT configuration:
device# show role-based sgt-map all
Active IPv4-SGT Bindings Information

[Figure 2]

Configuration Examples for SGT Mapping

The following sections show configuration examples of SGT mapping:

Example: Configuring a Device SGT Manually

  • Device# configure terminal
  • Device(config)# cts sgt 1234
  • Device(config)# exit

Example: Configuration for Subnet-to-SGT Mapping
The following example shows how to configure IPv4 Subnet-to-SGT Mapping between devices running SXPv3 (Device1 and Device2):

  1. Configure SXP speaker/listener peering between the devices.
    • Device1# configure terminal
    • Device1(config)# cts sxp enable
    • Device1(config)# cts sxp default source-ip 1.1.1.1
    • Device1(config)# cts sxp default password 1syzygy1
    • Device1(config)# cts sxp connection peer 2.2.2.2 password default mode local speaker
  2. Configure Device2 as the SXP listener of Device1.
    • Device2(config)# cts sxp enable
    • Device2(config)# cts sxp default source-ip 2.2.2.2
    • Device2(config)# cts sxp default password 1syzygy1
    • Device2(config)# cts sxp connection peer 1.1.1.1 password default mode local listener
  3. On Device2, verify that the SXP connection is operating:
    Device2# show cts sxp connections brief | include 1.1.1.1
    1.1.1.1 2.2.2.2 On 3:22:23:18 (dd:hr:mm:sec)
  4. Configure the subnetworks to be expanded on Device1.
    • Device1(config)# cts sxp mapping network-map 10000
    • Device1(config)# cts role-based sgt-map 10.10.10.0/30 sgt 101
    • Device1(config)# cts role-based sgt-map 11.11.11.0/29 sgt 11111
    • Device1(config)# cts role-based sgt-map 192.168.1.0/28 sgt 65000
  5. On Device2, verify the subnet-to-SGT expansion from Device1. There should be two expansions for the 10.10.10.0/30 subnetwork, six expansions for the 11.11.11.0/29 subnetwork, and 14 expansions for the 192.168.1.0/28 subnetwork.
    Device2# show cts sxp sgt-map brief | include 101|11111|65000
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
    • IPv4,SGT:
  6. Verify the expansion count on Device1:
    Device1# show cts sxp sgt-map
    • IP-SGT Mappings expanded:22
    • There are no IP-SGT Mappings
  7. Save the configurations on Device1 and Device2 and exit global configuration mode.
    Device1(config)# copy running-config startup-config
    Device1(config)# exit
    Device2(config)# copy running-config startup-config
    Device2(config)# exit
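
The expansion counts in steps 5 and 6 can be worked out before the subnets are configured, so that the network-map value chosen is large enough. The following Python sketch is an added example, not Cisco code; it models only what this page states (network and broadcast addresses are left out, a /31 is not expanded, and nothing is expanded when the limit is 0 or smaller than the total), and the function names are hypothetical.

```python
import ipaddress


def expanded_hosts(cidr):
    """Host addresses one IPv4 subnet binding expands to."""
    # strict=False tolerates host bits in the input, e.g. 10.10.10.10/29
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this sketch models IPv4 expansion only")
    if net.prefixlen >= 31:
        # A /31 cannot be expanded; a /32 is already a single host.
        return []
    # hosts() leaves out the network and broadcast addresses.
    return list(net.hosts())


def plan_expansion(mappings, network_map_limit):
    """Check a list of (cidr, sgt) pairs against the network-map limit.

    Assumption taken from the restriction on this page: when the limit
    is 0 or lower than the total host count, no host binding is created.
    """
    per_subnet = {}
    bindings = []
    for cidr, sgt in mappings:
        if not 0 <= sgt <= 65535:
            raise ValueError(f"SGT {sgt} is outside 0-65535")
        hosts = expanded_hosts(cidr)
        key = str(ipaddress.ip_network(cidr, strict=False))
        per_subnet[key] = len(hosts)
        bindings.extend((str(h), sgt) for h in hosts)
    total = len(bindings)
    fits = 0 < network_map_limit and total <= network_map_limit
    return {
        "per_subnet": per_subnet,
        "total": total,
        "fits": fits,
        "bindings": bindings if fits else [],
    }


# The three subnets and the limit used in the example on this page.
PAGE_EXAMPLE = [
    ("10.10.10.0/30", 101),
    ("11.11.11.0/29", 11111),
    ("192.168.1.0/28", 65000),
]

if __name__ == "__main__":
    plan = plan_expansion(PAGE_EXAMPLE, 10000)
    for subnet, count in plan["per_subnet"].items():
        print(f"{subnet}: {count} host bindings")
    print("total:", plan["total"], "fits limit:", plan["fits"])
```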

Example: Configuration for VLAN-to-SGT Mapping for a Single Host Over an Access Link

In the following example, a single host connects to VLAN 100 on an access device. A switched virtual interface on the TrustSec device is the default gateway for the VLAN 100 endpoint (IP Address 10.1.1.1). The TrustSec device imposes Security Group Tag (SGT) 10 on packets from VLAN 100.

  1. Create VLAN 100 on an access device.
    • access_device# configure terminal
    • access_device(config)# vlan 100
    • access_device(config-vlan)# no shutdown
    • access_device(config-vlan)# exit
    • access_device(config)#
  2. Configure the interface to the TrustSec device as an access link. Configurations for the endpoint access port are omitted in this example.
    • access_device(config)# interface gigabitEthernet 6/3
    • access_device(config-if)# switchport
    • access_device(config-if)# switchport mode access
    • access_device(config-if)# switchport access vlan 100
  3. Create VLAN 100 on the TrustSec device.
    • TS_device(config)# vlan 100
    • TS_device(config-vlan)# no shutdown
    • TS_device(config-vlan)# end
    • TS_device#
  4. Create an SVI as the gateway for incoming VLAN 100.
    • TS_device(config)# interface vlan 100
    • TS_device(config-if)# ip address 10.1.1.2 255.0.0.0
    • TS_device(config-if)# no shutdown
    • TS_device(config-if)# end
    • TS_device(config)#
  5. Assign Security Group Tag (SGT) 10 to hosts on VLAN 100.
    • TS_device(config)# cts role-based sgt-map vlan 100 sgt 10
  6. Enable IP Device Tracking on the TrustSec device. Verify that it is operating.
    • TS_device(config)# ip device tracking
    • TS_device# show ip device tracking all
    [Figure 3]
  7. (Optional) PING the default gateway from an endpoint (in this example, host IP Address 10.1.1.1). Verify that SGT 10 is being mapped to VLAN 100 hosts.
    [Figure 4]

Example: Emulating the Hardware Keystore
This example shows how to configure and verify the use of a software keystore:

[Figure 5]

Example: Configuring Device Route SGT

  • Device# configure terminal
  • Device(config)# cts role-based sgt-map 0.0.0.0/0 sgt 3
  • Device(config)# exit

Feature History for Security Group Tag Mapping

  • This table provides release and related information for the features explained in this module.
  • These features are available in all releases subsequent to the one they were introduced in, unless noted otherwise.

Release | Feature | Feature Information
Cisco IOS XE Everest 16.5.1a | Security Group Tag Mapping | Subnet to SGT mapping binds an SGT to all host addresses of a specified subnet. Once this mapping is in place, Cisco TrustSec imposes the SGT on any incoming packet whose source IP address belongs to the specified subnet.
Cisco IOS XE Gibraltar 16.11.1 | Default Route SGT Classification | Default Route SGT assigns an SGT tag number to those routes that do not match a specified route.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.
