Cisco TrustSec SGT Caching
The Cisco TrustSec SGT Caching feature enhances the ability of Cisco TrustSec to make Security Group Tag (SGT) transportability flexible. This feature identifies the IP-SGT binding and caches the corresponding SGT so that network packets are forwarded through all network services for normal deep packet inspection processing and at the service egress point the packets are re-tagged with the appropriate SGT.
- Finding Feature Information
- Restrictions for Cisco TrustSec SGT Caching
- Information About Cisco TrustSec SGT Caching
- How to Configure Cisco TrustSec SGT Caching
- Configuration Examples for Cisco TrustSec SGT Caching
- Additional References for Cisco TrustSec SGT Caching
- Feature Information for Cisco TrustSec SGT Caching
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Cisco TrustSec SGT Caching
The global Security Group Tag (SGT) caching configuration and the interface-specific ingress configuration are mutually exclusive. In the following scenarios, a warning message is displayed if you attempt to configure SGT caching both globally and on an interface:
- If an interface has ingress SGT caching enabled using the cts role-based sgt-cache ingress command in interface configuration mode, and a global configuration is attempted using the cts role-based sgt-caching command, a warning message is displayed as shown in this example:

```
Device> enable
Device# configure terminal
Device(config)# interface gigabitEthernet0/0
Device(config-if)# cts role-based sgt-cache ingress
Device(config-if)# exit
Device(config)# cts role-based sgt-caching
There is at least one interface that has ingress sgt caching configured.
Please remove all interface ingress sgt caching configuration(s) before attempting global enable.
```

- If global configuration is enabled using the cts role-based sgt-caching command, and an interface configuration is attempted using the cts role-based sgt-cache ingress command in interface configuration mode, a warning message is displayed as shown in this example:

```
Device> enable
Device# configure terminal
Device(config)# cts role-based sgt-caching
Device(config)# interface gigabitEthernet0/0
Device(config-if)# cts role-based sgt-cache ingress
Note that ingress sgt caching is already active on this interface due to global sgt-caching enable.
```

- SGT caching for tunneling of IPv6 packets over IPv4 transport and IPv4 packets over IPv6 transport is not supported.
- High availability and syncing of IPv6 SGACL policies on the routing platforms are not supported for IPv6-SGT caching.
- IPv6 IPsec SGT caching is not supported on ISR4K based platforms.
- SGT propagation fails over an IPv6 IPsec tunnel.
- SGT caching is not performed for the link-local IPv6 source address. A link-local address is a network address that is valid only for communications within the network segment (link) or the broadcast domain that the host is connected to. Link-local addresses are not guaranteed to be unique beyond a single network segment, so routers do not forward packets with link-local addresses. Because they are not unique, packets whose source is a link-local IPv6 address are not assigned SGTs.
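The mutual exclusion above is easy to violate when configuration is generated from templates, so a pre-push check is worth having. The following is an added example, not Cisco code; it parses a constructed candidate configuration and reports any interface whose ingress sgt-cache line would collide with a global sgt-caching line.

```python
import re

# Constructed candidate configuration (not from the page). It combines global
# sgt-caching with an interface ingress sgt-cache, which the restriction rejects.
CANDIDATE_CONFIG = """\
cts role-based sgt-caching
!
interface GigabitEthernet0/0
 cts role-based sgt-cache ingress
!
interface GigabitEthernet0/1
 cts role-based sgt-cache egress
!
"""

GLOBAL_CACHING = re.compile(r"^cts role-based sgt-caching$")
IFACE_HEADER = re.compile(r"^interface (\S+)$")
IFACE_CACHE = re.compile(r"^\s+cts role-based sgt-cache (ingress|egress)$")


def parse_sgt_caching(config):
    """Return (global_enabled, {interface: set of cache directions})."""
    global_enabled = False
    per_interface = {}
    current = None  # interface whose sub-mode the parser is inside
    for line in config.splitlines():
        if GLOBAL_CACHING.match(line):
            global_enabled = True
            continue
        m = IFACE_HEADER.match(line)
        if m:
            current = m.group(1)
            continue
        m = IFACE_CACHE.match(line)
        if m and current:
            per_interface.setdefault(current, set()).add(m.group(1))
    return global_enabled, per_interface


def find_conflicts(config):
    """Interfaces whose ingress sgt-cache clashes with global sgt-caching."""
    global_enabled, per_interface = parse_sgt_caching(config)
    if not global_enabled:
        return []
    return sorted(i for i, dirs in per_interface.items() if "ingress" in dirs)


if __name__ == "__main__":
    for iface in find_conflicts(CANDIDATE_CONFIG):
        print(f"{iface}: ingress sgt-cache conflicts with global sgt-caching")
```

Egress-only interface caching is left alone, since only the ingress form is named in the restriction.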
Information About Cisco TrustSec SGT Caching
Identifying and Reapplying SGT Using SGT Caching
Cisco TrustSec uses Security Group Tag (SGT) caching to ensure that traffic tagged with SGT can also pass through services that are not aware of SGTs. Examples of services that cannot propagate SGTs are WAN acceleration or optimization, intrusion prevention systems (IPS), and upstream firewalls.
- The Cisco TrustSec SGT Caching feature enables the device to identify the IP-SGT binding information from the incoming packet and to cache this information.
- The device redirects the packet to the service or services that cannot propagate SGTs.
- After the completion of the service, the packet returns to the device.
- The appropriate SGT is reapplied to the packet at the service egress point.
- Role-based enforcements are applied to the packet that has returned to the device from the service or services.
- The packet with SGTs is forwarded to other Cisco TrustSec-capable devices downstream.
- When the packets that go through a service or services do not come back to the device:
  - Single-hop SGT Exchange Protocol (SXP) is used to identify and export the identified IP-SGT bindings.
  - The upstream device in the network identifies the IP-SGT bindings through SXP and reapplies the appropriate tags or uses them for SGT-based enforcement. During egress caching, the original pre-Network Address Translation (NAT) source IP address is cached as part of the identified IP-SGT binding information.
- IP-SGT bindings that do not receive traffic for 300 seconds are removed from the cache.
SGT Caching for IPv6 Traffic
The following are the considerations for SGT caching for IPv6 traffic:
- Global unicast IPv6 packet: Ingress and egress caching is done for the source IPv6 address on the packet.
- Multicast IPv6 address: Ingress and egress caching is done for the unicast source IPv6 address on the packet.
- Export of cached IPv6-SGT bindings via SXP: The IPv6-SGT binding from the data plane is sent to the control plane Role Based Manager (RBM). The bindings learned in the control plane can then be exported using SXP.
How to Configure Cisco TrustSec SGT Caching
- Configuring SGT Caching Globally
- Configuring SGT Caching on an Interface
- Verifying Cisco TrustSec SGT Caching
- Verifying IP-to-SGT Bindings
Configuring SGT Caching Globally
1. enable
2. configure terminal
3. cts role-based sgt-caching
4. end
Configuring SGT Caching on an Interface
When an interface is configured to be on a Virtual Routing and Forwarding (VRF) network, the IP-SGT bindings identified on that interface are added under the specific VRF. (To view the bindings identified on a corresponding VRF, use the show cts role-based sgt-map vrf vrf-name all command.)
1. enable
2. configure terminal
3. interface type slot/port
4. cts role-based sgt-cache [ingress | egress]
5. end
Verifying Cisco TrustSec SGT Caching
1. enable
2. show cts
3. show cts interface
4. show cts interface brief
5. show cts role-based sgt-map all ipv4
6. show cts role-based sgt-map vrf
7. show platform hardware qfp active feature cts datapath cache-data
Verifying IP-to-SGT Bindings
The show platform hardware qfp active feature cts datapath cache-data command displays the IP-to-SGT bindings learned in the data plane. For each binding it lists the IP address, SGT, interface, age of the binding, time to expiry, caching mode, and VRF ID:

```
Router# show platform hardware qfp active feature cts datapath cache-data ipv4
Sgt-caching is Active
Total number of bindings = 5
==============================================================================
IP Address        SGT  Interface         Age         Exptime  Mode  VRFID
                                         (hh:mm:ss)  (sec)
==============================================================================
10.104.33.37      4    GigabitEthernet3  05:42:27    293      In    0
1.1.1.4           4    GigabitEthernet3  00:44:27    128      In    0
4.4.4.1           4    GigabitEthernet3  02:55:48    298      In    0
1.1.1.2           4    GigabitEthernet3  19:57:42    208      In    0
10.104.33.79      4    GigabitEthernet3  00:09:08    298      In    0

Router# show platform hardware qfp active feature cts datapath cache-data ipv6
Sgt-caching is Active
Total number of bindings = 5
==============================================================================
IP Address        SGT  Interface         Age         Exptime  Mode  VRFID
                                         (hh:mm:ss)  (sec)
==============================================================================
100::1            4    GigabitEthernet3  05:42:27    293      In    0
200::2            4    GigabitEthernet3  00:44:27    128      In    0
300::3            4    GigabitEthernet3  02:55:48    298      In    0
400::4            4    GigabitEthernet3  19:57:42    208      In    0
500::5            4    GigabitEthernet3  00:09:08    298      In    0

Router# show platform hardware qfp active feature cts datapath cache-data
Sgt-caching is Active
Total number of bindings = 10
==============================================================================
IP Address        SGT  Interface         Age         Exptime  Mode  VRFID
                                         (hh:mm:ss)  (sec)
==============================================================================
100::1            4    GigabitEthernet3  05:42:27    293      In    0
200::2            4    GigabitEthernet3  00:44:27    128      In    0
300::3            4    GigabitEthernet3  02:55:48    298      In    0
10.104.33.37      4    GigabitEthernet3  05:42:27    293      In    0
1.1.1.4           4    GigabitEthernet3  00:44:27    128      In    0
4.4.4.1           4    GigabitEthernet3  02:55:48    298      In    0
1.1.1.2           4    GigabitEthernet3  19:57:42    208      In    0
10.104.33.79      4    GigabitEthernet3  00:09:08    298      In    0
400::4            4    GigabitEthernet3  19:57:42    208      In    0
500::5            4    GigabitEthernet3  00:09:08    298      In    0
```
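Because cached bindings age out after 300 seconds without traffic and link-local IPv6 sources are never cached, the cache-data output is worth parsing rather than eyeballing. The following is an added example, not Cisco code: it parses constructed output in the format shown above into bindings, lists those about to expire, and flags any link-local IPv6 row (the fe80:: row in the sample is made up to exercise that check).

```python
import ipaddress
import re
from collections import namedtuple

# Constructed output in the format of the show command above; the values are
# made up, and the fe80:: row is included only to exercise the check below.
SAMPLE_OUTPUT = """\
Sgt-caching is Active
Total number of bindings = 4
==============================================================================
IP Address        SGT  Interface         Age         Exptime  Mode  VRFID
                                         (hh:mm:ss)  (sec)
==============================================================================
10.104.33.37      4    GigabitEthernet3  05:42:27    293      In    0
1.1.1.4           4    GigabitEthernet3  00:44:27    128      In    0
100::1            7    GigabitEthernet3  05:42:27    12       In    0
fe80::1           4    GigabitEthernet3  00:09:08    298      In    0
"""

# One binding row: IP, SGT, interface, age hh:mm:ss, seconds to expiry, mode, VRF id.
ROW = re.compile(r"^(?P<ip>\S+)\s+(?P<sgt>\d+)\s+(?P<intf>\S+)\s+"
                 r"(?P<age>\d\d:\d\d:\d\d)\s+(?P<exp>\d+)\s+(?P<mode>\S+)\s+(?P<vrf>\d+)\s*$")
Binding = namedtuple("Binding", "ip sgt interface age_seconds expires_in mode vrf_id")


def parse_cache_data(text):
    """Parse binding rows; banner, header and separator lines do not match ROW."""
    bindings = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            h, mi, s = (int(x) for x in m["age"].split(":"))
            bindings.append(Binding(m["ip"], int(m["sgt"]), m["intf"],
                                    h * 3600 + mi * 60 + s, int(m["exp"]),
                                    m["mode"], int(m["vrf"])))
    return bindings


def expiring_soon(bindings, threshold=30):
    """Bindings that will age out of the cache within `threshold` seconds."""
    return [b for b in bindings if b.expires_in <= threshold]


def unexpected_link_local(bindings):
    """Link-local IPv6 sources are never cached, so such a row is worth a look."""
    return [b for b in bindings
            if (a := ipaddress.ip_address(b.ip)).version == 6 and a.is_link_local]
```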
Configuration Examples for Cisco TrustSec SGT Caching
- Example: Configuring SGT Caching Globally
- Example: Configuring SGT Caching for an Interface
- Example: Disabling SGT Caching on an Interface
Example: Configuring SGT Caching Globally
```
Device> enable
Device# configure terminal
Device(config)# cts role-based sgt-caching
Device(config)# end
```
Example: Configuring SGT Caching for an Interface
```
Device> enable
Device# configure terminal
Device(config)# interface gigabitEthernet 0/1/0
Device(config-if)# cts role-based sgt-cache ingress
Device(config-if)# end
```
Example: Disabling SGT Caching on an Interface
The following example shows how to disable SGT caching on an interface and displays the status of SGT caching on the interface when caching is enabled globally, but disabled on the interface.
```
Device> enable
Device# configure terminal
Device(config)# cts role-based sgt-caching
Device(config)# interface gigabitEthernet 0/1
Device(config-if)# no cts role-based sgt-cache ingress
Device(config-if)# end
Device# show cts interface GigabitEthernet0/1
Interface GigabitEthernet0/1
    CTS sgt-caching Ingress: Disabled
    CTS sgt-caching Egress : Disabled
    CTS is enabled, mode:    MANUAL
      Propagate SGT:         Enabled
      Static Ingress SGT Policy:
        Peer SGT:            200
        Peer SGT assignment: Trusted
    L2-SGT Statistics
        Pkts In                     : 200890684
        Pkts (policy SGT assigned)  : 0
        Pkts Out                    : 14
        Pkts Drop (malformed packet): 0
        Pkts Drop (invalid SGT)     : 0
```
Additional References for Cisco TrustSec SGT Caching
Related Documents
Technical Assistance
Description | Link
---|---
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for Cisco TrustSec SGT Caching
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name | Releases | Feature Information
---|---|---
Cisco TrustSec SGT Caching | Cisco IOS XE Release 3.15S | The Cisco TrustSec SGT Caching feature enhances the ability of Cisco TrustSec to make Security Group Tag (SGT) transportability flexible. This feature identifies the IP-SGT binding and caches the corresponding SGT so that network packets are forwarded through all network services for normal deep packet inspection processing and at the service egress point the packets are re-tagged with the appropriate SGT. In Cisco IOS XE Release 3.15S, support was added for Cisco ASR 1000 Series Aggregation Services Routers, Cisco Cloud Services Router 1000V Series (Cisco CSR 1000V Series), and Cisco Integrated Services Router Generation 3 (Cisco ISR G3). The following commands were introduced or modified: cts role-based sgt-caching, cts role-based sgt-cache [ingress \| egress].
IPv6 enablement - SGT Caching | Cisco IOS XE Fuji 16.8.1 | Support for IPv6 is introduced.