IPsec uses the IKE protocol to negotiate algorithms, keys, and capabilities. IKEv2 is used to negotiate the SGT capability and to inform IPsec
about it. Once the peers acknowledge the SGT tagging capability, the 16-bit SGT tag number is added to the IPsec packet as
the SGT Cisco Meta Data (CMD) payload and sent to the receiving peer.
The access layer device authenticates the incoming packets. The access layer device receives an SGT from the authentication
server and assigns the SGT along with an IP address to the incoming packets. In other words, an IP address is bound to an
SGT. This IP address/SGT binding is propagated to upstream devices to enforce SGT-based policy and inline tagging.
If IKEv2 is configured to negotiate the SGT capability in the initiator, the initiator proposes the SGT capability information
in the SA_INIT request. If IKEv2 is configured to negotiate the SGT capability in the responder, the responder acknowledges
in the SA_INIT response and the initiator and the responder inform IPsec to use inline tagging for all packets to the peer.
During egress, IPsec adds the SGT CMD as a prefix to the IPsec payload if the peer supports inline tagging; otherwise
the packet is not tagged.
During ingress, IPsec inspects the packet for the SGT CMD. If a tag is present, IPsec extracts the tag information
and passes it to the device only if inline tagging was negotiated. If there is no tag, IPsec processes the packet
as a normal packet.
The tables below describe how IPsec behaves during egress and ingress.
Table 1. IPsec Behavior on the Egress Path

| Inline Tagging Negotiated | CTS Provides SGT | IPsec Behavior |
|---|---|---|
| Yes | Yes | An SGT CMD is added to the packet. |
| Yes | No | The packet is sent without the SGT CMD. |
| No | Yes or no | The packet is sent without the SGT CMD. |
Table 2. IPsec Behavior on the Ingress Path

| Packet Is Tagged | Inline Tagging Negotiated | IPsec Behavior |
|---|---|---|
| Yes | Yes | The SGT CMD in the packet is processed. |
| Yes | No | The SGT CMD in the packet is not processed. |
| No | Yes or no | The packet is processed as a normal IPsec packet. |
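The SA_INIT capability exchange and the two behavior tables above, modelled as an added Python example (not Cisco code): the `Peer`, `ikev2_sa_init`, `ipsec_egress` and `ipsec_ingress` names and the two-byte `CMD_MARKER` encoding are constructed for illustration, and the real Cisco Meta Data header layout is not reproduced.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed, simplified CMD encoding for this example only: a 2-byte marker
# followed by the 16-bit SGT in network byte order. Not the real CMD header.
CMD_MARKER = b"\x8e\x9e"

@dataclass
class Peer:
    name: str
    negotiate_sgt: bool           # IKEv2 configured to negotiate the SGT capability
    inline_tagging: bool = False  # what IKEv2 told IPsec after SA_INIT with this peer

def ikev2_sa_init(initiator: Peer, responder: Peer) -> bool:
    """Model the SA_INIT exchange: the initiator proposes the SGT capability in
    the request, the responder acknowledges it in the response only if it is
    configured to, and both sides then tell IPsec whether to inline-tag."""
    proposed = initiator.negotiate_sgt                    # SA_INIT request
    acknowledged = proposed and responder.negotiate_sgt   # SA_INIT response
    initiator.inline_tagging = responder.inline_tagging = acknowledged
    return acknowledged

def ipsec_egress(peer: Peer, payload: bytes, sgt: Optional[int]) -> bytes:
    """Table 1: prefix the SGT CMD only when inline tagging was negotiated AND
    CTS supplied an SGT; every other row sends the payload untagged."""
    if peer.inline_tagging and sgt is not None:
        return CMD_MARKER + struct.pack("!H", sgt) + payload
    return payload

def ipsec_ingress(peer: Peer, packet: bytes) -> Tuple[Optional[int], bytes]:
    """Table 2: return (sgt, payload). The tag is extracted and handed to the
    device only if inline tagging was negotiated; a tag arriving on an SA
    where it was not negotiated is left unprocessed (no SGT is reported),
    and an untagged packet is a normal IPsec packet."""
    if packet.startswith(CMD_MARKER) and len(packet) >= 4:
        if peer.inline_tagging:
            sgt = struct.unpack("!H", packet[2:4])[0]
            return sgt, packet[4:]
        return None, packet   # tagged but not negotiated: CMD not processed
    return None, packet       # not tagged: normal IPsec packet

if __name__ == "__main__":
    hub, spoke = Peer("hub", True), Peer("spoke", True)
    ikev2_sa_init(hub, spoke)
    wire = ipsec_egress(hub, b"data", 10)
    print(ipsec_ingress(spoke, wire))  # prints (10, b'data')
```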