- Finding Feature Information
- Prerequisites for TrustSec SGT Handling: L2 SGT Imposition and Forwarding
- Information about TrustSec SGT Handling: L2 SGT Imposition and Forwarding
- How to Configure TrustSec SGT Handling: L2 SGT Imposition and Forwarding
- Additional References for TrustSec SGT Handling: L2 SGT Imposition and Forwarding
- Feature Information for TrustSec SGT Handling: L2 SGT Imposition and Forwarding
TrustSec SGT Handling: L2 SGT Imposition and Forwarding
First Published: July 25, 2011
Cisco TrustSec (CTS) builds secure networks by establishing domains of trusted network devices. Each device in the domain is authenticated by its peers. Communication on the links between devices in the domain is secured with a combination of encryption, message integrity check, and data-path replay protection mechanisms.
The TrustSec SGT Handling: L2 SGT Imposition and Forwarding feature allows the interfaces in a router to be manually enabled for CTS so that the router can insert the Security Group Tag (SGT) in the packet to be carried throughout the network in the CTS header.
- Finding Feature Information
- Prerequisites for TrustSec SGT Handling: L2 SGT Imposition and Forwarding
- Information about TrustSec SGT Handling: L2 SGT Imposition and Forwarding
- How to Configure TrustSec SGT Handling: L2 SGT Imposition and Forwarding
- Additional References for TrustSec SGT Handling: L2 SGT Imposition and Forwarding
- Feature Information for TrustSec SGT Handling: L2 SGT Imposition and Forwarding
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for TrustSec SGT Handling: L2 SGT Imposition and Forwarding
The CTS network needs to be established with the following prerequisites before implementing the TrustSec SGT Handling: L2 SGT Imposition and Forwarding feature:
Information about TrustSec SGT Handling: L2 SGT Imposition and Forwarding
Security Groups and SGTs
A security group is a grouping of users, endpoint devices, and resources that share access control policies. Security groups are defined by the administrator in the ACS. As new users and devices are added to the Cisco TrustSec (CTS) domain, the authentication server assigns these new entities to appropriate security groups. CTS assigns to each security group a unique 16-bit security group number whose scope is global within a CTS domain. The number of security groups in the router is limited to the number of authenticated network entities. Security group numbers do not need to be manually configured.
Note | The CTS packet tag does not contain the security group number of the destination device. |
How to Configure TrustSec SGT Handling: L2 SGT Imposition and Forwarding
- Manually Enabling TrustSec SGT Handling: L2 SGT Imposition and Forwarding on an Interface
- Disabling CTS SGT Propagation on an Interface
Manually Enabling TrustSec SGT Handling: L2 SGT Imposition and Forwarding on an Interface
Perform the following steps to manually enable an interface on the device for Cisco TrustSec (CTS) so that the device can add Security Group Tag (SGT) in the packet to be propagated throughout the network and to implement a static authorization policy.
1.
enable
2.
configure
terminal
3.
interface {GigabitEthernetport |
Vlan
number}
4.
cts manual
5.
policy static sgt tag [trusted]
6.
end
7.
show cts interface [GigabitEthernetport |
Vlan
number |
brief |
summary]
DETAILED STEPS
Example:
The following is sample output for the show cts interface briefcommand.
Cisco ASR 1000 Series Aggregation Services Routers and Cisco Cloud Services Router 1000V SeriesDevice# show cts interface brief Global Dot1x feature is Disabled Interface GigabitEthernet0/1/0: CTS is enabled, mode: MANUAL IFC state: OPEN Interface Active for 00:00:40.386 Authentication Status: NOT APPLICABLE Peer identity: "unknown" Peer's advertised capabilities: "" Authorization Status: NOT APPLICABLE SAP Status: NOT APPLICABLE Propagate SGT: Enabled Cache Info: Cache applied to link : NONE
Device# show cts interface brief Interface GigabitEthernet0/1/0 CTS is enabled, mode: MANUAL Propagate SGT: Enabled Static Ingress SGT Policy: Peer SGT: 100 Peer SGT assignment: Trusted
Disabling CTS SGT Propagation on an Interface
Follow these steps to disable CTS SGT Propagation on an interface in an instance when a peer device is not capable of receiving an SGT.
1.
enable
2.
configure
terminal
3.
interface {GigabitEthernetport |
Vlan
number}
4.
cts
manual
5.
no propagate
sgt
6.
end
7.
show cts
interface [GigabitEthernetport |
Vlan
number
|
brief
|
summary]
DETAILED STEPS
Additional References for TrustSec SGT Handling: L2 SGT Imposition and Forwarding
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
|
Cisco TrustSec switches |
MIBs
MIB |
MIBs Link |
---|---|
CISCO-TRUSTSEC-SXP-MIB |
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for TrustSec SGT Handling: L2 SGT Imposition and Forwarding
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to . An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
TrustSec SGT Handling: L2 SGT Imposition and Forwarding |
Cisco IOS XE 3.3SE Cisco IOS XE 3.6E |
This feature allows the interfaces in a router to be manually enabled for CTS so that the router can insert the Security Group Tag (SGT) in the packet to be carried throughout the network in the CTS header. The following commands were introduced or modified: cts manual, policy static sgt, propagate sgt, show cts interface. |