Published On: August 5ᵗʰ, 2019 19:04

Cisco TrustSec Switch Configuration Guide

Configuring Cisco TrustSec Reflector and Caching

Revised: May 28, 2010

This module describes the Cisco TrustSec Reflector for Cisco TrustSec Reflector and the Cisco Trustsec Caching features.

Note The Cisco TrustSec supervisor ingress reflector and the Cisco TrustSec egress reflector are mutually exclusive. Do not enable both functions.

Egress reflector should be disabled when ERSPAN is configured.

To configure the Cisco TrustSec supervisor ingress reflector function, perform this task.

Detailed Steps for Catalyst 6500

Command
Purpose

Step 1

Switch# configure terminal

Enters configuration mode.

Step 2

Switch(config)# [ no ] platform cts ingress

Activates the Cisco TrustSec supervisor ingress reflector.

Step 3

Switch(config)# exit

Exits configuration mode.

Step 4

Switch# show platform cts

Displays Cisco TrustSec reflector mode (Ingress, Egress, Pure, or No CTS).

This example shows how to configure a Cisco TrustSec ingress reflector:

Switch# configure terminal
Switch(config)# platform cts ingress
Switch(config)# exit
Switch# show platform cts
CTS Ingress mode enabled

Note Before disabling the Cisco TrustSec ingress reflector, you must remove power from the Cisco TrustSec-incapable switching modules.

To configure the Cisco TrustSec egress reflector function, perform this task.

Detailed Steps for Catalyst 6500

Command
Purpose

Step 1

Switch# configure terminal

Enters configuration mode.

Step 2

Switch(config)# [ no ] platform cts egress

Activates the Cisco TrustSec egress reflector.

Step 3

Switch(config)# exit

Exits configuration mode.

Step 4

Switch# show platform cts

Displays Cisco TrustSec reflector mode (Ingress, Egress, Pure, or No CTS).

This example shows how to configure a Cisco TrustSec egress reflector:

Switch# configure terminal
Switch(config)# platform cts egress
Switch(config)# exit
Switch# show platform cts
CTS Egress mode enabled

Note Before disabling the Cisco TrustSec egress reflector, you must remove power from the Cisco TrustSec-incapable switching modules.

Configuring Cisco TrustSec Caching

For quick recovery from brief outages, you can enable caching of authentication, authorization, and policy information for Cisco TrustSec connections. Caching allows Cisco TrustSec devices to use unexpired security information to restore links after an outage without requiring a full reauthentication of the Cisco TrustSec domain. The Cisco TrustSec devices will cache security information in DRAM. If non-volatile (NV) storage is also enabled, the DRAM cache information will also be stored to the NV memory. The contents of NV memory populate DRAM during a reboot.

Enabling Cisco TrustSec Caching

Note During extended outages, the Cisco TrustSec cache information is likely to become outdated.

To enable Cisco TrustSec caching, perform this task:

Detailed Steps for Catalyst 6500

Command
Purpose

Step 1

Switch# configure terminal

Enters configuration mode.

Step 2

Switch(config)# [ no ] cts cache enable

Enables caching of authentication, authorization and environment-data information to DRAM. The default is disabled.

The no form of this command deletes all cached information from DRAM and non-volatile storage.

Step 3

Switch(config)# [ no ] cts cache nv-storage { bootdisk: | bootflash: | disk0: } [ directory dir-name ]

When DRAM caching is enabled, enables DRAM cache updates to be written to non-volatile storage. Also enables DRAM cache to be initially populated from non-volatile storage when the device boots.

Step 4

Switch(config)# exit

Exits configuration mode.

This example shows how to configure Cisco TrustSec caching, including non-volatile storage:

Switch# configure terminal
Switch(config)# cts cache enable
Switch(config)# cts cache nv-storage bootdisk:
Switch(config)# exit

Clearing the Cisco TrustSec Cache

To clear the cache for Cisco TrustSec connections, perform this task:

Detailed Steps for Catalyst 6500

Command
Purpose

Step 1

Switch# clear cts cache [ authorization-policies [ peer ] | environment-data | filename filename | interface-controller [ type slot/port ]]

Clears the cache for Cisco TrustSec connection information.

This example shows how to clear the Cisco TrustSec cache:

Switch# clear cts cache
 

Feature Information for Cisco TrustSec Reflector and Caching

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1 Feature Information for Cisco TrustSec Reflector and Caching

Feature Name
Releases
Feature Information

Cisco TrustSec Reflector

Cisco IOS Release 12.2(50) SY

This feature was introduced on Cisco Catalyst 6500 Series Switches.

Cisco TrustSec Caching

Cisco IOS Release 12.2(50) SY

This feature was introduced on Cisco Catalyst 6500 Series Switches.