TrustSec SGT Handling: L2 SGT Imposition and Forwarding

First Published: July 25, 2011

Cisco TrustSec (CTS) builds secure networks by establishing domains of trusted network devices. Each device in the domain is authenticated by its peers. Communication on the links between devices in the domain is secured with a combination of encryption, message integrity check, and data-path replay protection mechanisms.

The TrustSec SGT Handling: L2 SGT Imposition and Forwarding feature allows the interfaces in a router to be manually enabled for CTS so that the router can insert the Security Group Tag (SGT) in the packet to be carried throughout the network in the CTS header.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for TrustSec SGT Handling: L2 SGT Imposition and Forwarding

The CTS network needs to be established with the following prerequisites before implementing the TrustSec SGT Handling: L2 SGT Imposition and Forwarding feature:

  • Connectivity exists between all network devices

  • Cisco Secure Access Control System (ACS) 5.1 operates with a CTS-SXP license

  • Directory, DHCP, DNS, certificate authority, and NTP servers function within the network

  • Configure the retry open timer command to a different value on different routers.

Information about TrustSec SGT Handling: L2 SGT Imposition and Forwarding

Security Groups and SGTs

A security group is a grouping of users, endpoint devices, and resources that share access control policies. Security groups are defined by the administrator in the ACS. As new users and devices are added to the Cisco TrustSec (CTS) domain, the authentication server assigns these new entities to appropriate security groups. CTS assigns to each security group a unique 16-bit security group number whose scope is global within a CTS domain. The number of security groups in the router is limited to the number of authenticated network entities. Security group numbers do not need to be manually configured.

Once a device is authenticated, CTS tags any packet that originates from that device with an SGT that contains the security group number of the device. The packet carries this SGT throughout the network within the CTS header. The SGT is a single label that determines the privileges of the source within the entire CTS domain. The SGT is identified as the source because it contains the security group of the source. The destination device is assigned a destination group tag (DGT).

Note

The CTS packet tag does not contain the security group number of the destination device.

How to Configure TrustSec SGT Handling: L2 SGT Imposition and Forwarding

Manually Enabling TrustSec SGT Handling: L2 SGT Imposition and Forwarding on an Interface

Perform the following steps to manually enable an interface on the device for Cisco TrustSec (CTS) so that the device can add Security Group Tag (SGT) in the packet to be propagated throughout the network and to implement a static authorization policy.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    interface {GigabitEthernet port | Vlan number}

    4.    cts manual

    5.    policy static sgt tag [trusted]

    6.    end

    7.    show cts interface [GigabitEthernet port | Vlan number | brief | summary]


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 interface {GigabitEthernet port | Vlan number}


    Example: 
    Device(config)# interface gigabitethernet 0
     

    Enters the interface on which CTS SGT authorization and forwarding is enabled

     
    Step 4 cts manual


    Example:
    Device(config-if)# cts manual
     

    Enables the interface for CTS SGT authorization and forwarding, and enters CTS manual interface configuration mode.

    Note   

    To enable the cts manual command on a subinterface, you must increase the IP MTU size to accommodate the additional bytes for the Dot1Q tag. This is applicable only for releases earlier than Cisco IOS XE Release 3.17.

     
    Step 5 policy static sgt tag [trusted]


    Example: 
    Device(config-if-cts-manual)# policy static sgt 100 trusted
     

    Configures a static authorization policy for a CTS security group with a tagged packet that defines the trustworthiness of the SGT.

     
    Step 6 end


    Example:
    Device(config-if-cts-manual)# end
     

    Exits CTS manual interface configuration mode and enters privileged EXEC mode.

     
    Step 7 show cts interface [GigabitEthernet port | Vlan number | brief | summary]


    Example: 
    Device# show cts interface brief
     

    Displays CTS configuration statistics for the interface.

     

    Example:

    The following is sample output for the show cts interface briefcommand.

    Cisco ASR 1000 Series Aggregation Services Routers and Cisco Cloud Services Router 1000V Series
    Device# show cts interface brief

Global Dot1x feature is Disabled
 Interface GigabitEthernet0/1/0:
     CTS is enabled, mode:    MANUAL
     IFC state:               OPEN
     Interface Active for 00:00:40.386
     Authentication Status:   NOT APPLICABLE
         Peer identity:       "unknown"
         Peer's advertised capabilities: ""
     Authorization Status:    NOT APPLICABLE
     SAP Status:              NOT APPLICABLE
     Propagate SGT:           Enabled
     Cache Info:
         Cache applied to link : NONE


    Cisco 4400 Series Integrated Services Routers
    Device# show cts interface brief

Interface GigabitEthernet0/1/0
    CTS is enabled, mode:     MANUAL
      Propagate SGT:          Enabled
      Static Ingress SGT Policy:
        Peer SGT:             100
        Peer SGT assignment:  Trusted

    Disabling CTS SGT Propagation on an Interface

    Follow these steps to disable CTS SGT Propagation on an interface in an instance when a peer device is not capable of receiving an SGT.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    interface {GigabitEthernetport | Vlan number}

      4.    cts manual

      5.    no propagate sgt

      6.    end

      7.    show cts interface [GigabitEthernetport | Vlan number | brief | summary]


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example: 
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 configure terminal


      Example: 
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 interface {GigabitEthernetport | Vlan number}


      Example: 
      Device(config)# interface gigabitethernet 0
       

      Enters the interface on which CTS SGT authorization and forwarding is enabled

       
      Step 4 cts manual


      Example: 
      Device(config-if)# cts manual
       

      Enables the interface for CTS SGT authorization and forwarding.

      CTS manual interface configuration mode is entered where CTS parameters can be configured.

       
      Step 5 no propagate sgt


      Example: 
      Device(config-if-cts-manual)# no propagate sgt
       
      Disables CTS SGT propagation on an interface in situations where a peer device is not capable of receiving an SGT.
      Note   

      CTS SGT propagation is enabled by default. The propagate sgt command can be used if CTS SGT propagation needs to be turned on again for a peer device.

      Once the no propagate sgt command is entered, the SGT tag is not added in the L2 header.

       
      Step 6 end


      Example: 
      Device(config-if-cts-manual)# end
       

      Exits CTS manual interface configuration mode and enters privileged EXEC mode.

       
      Step 7 show cts interface [GigabitEthernetport | Vlan number | brief | summary]


      Example: 
      Device# show cts interface brief
Global Dot1x feature is Disabled
Interface GigabitEthernet0:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: ""
    Authorization Status:    NOT APPLICABLE
    SAP Status:              NOT APPLICABLE
    Propagate SGT:           Disabled
    Cache Info:
        Cache applied to link : NONE
       

      Displays CTS configuration statistics to verify that CTS SGT propagation was disabled on interface.

       

      Additional References for TrustSec SGT Handling: L2 SGT Imposition and Forwarding

      Related Documents

      Related Topic

      Document Title

      Cisco IOS commands

      Cisco IOS Master Command List, All Releases

      Security commands

      Cisco IOS Security Command Reference: Commands A to C

      Cisco IOS Security Command Reference: Commands D to L

      Cisco IOS Security Command Reference: Commands M to R

      Cisco IOS Security Command Reference: Commands S to Z

      Cisco TrustSec switches

      Cisco TrustSec Switch Configuration Guide

      MIBs

      MIB

      MIBs Link

      CISCO-TRUSTSEC-SXP-MIB

      To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

      http:/​/​www.cisco.com/​go/​mibs

      Technical Assistance

      Description

      Link

      The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

      http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

      Feature Information for TrustSec SGT Handling: L2 SGT Imposition and Forwarding

      The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

      Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.
      Table 1 Feature Information for TrustSec SGT Handling: L2 SGT Imposition and Forwarding

      Feature Name

      Releases

      Feature Information

      TrustSec SGT Handling: L2 SGT Imposition and Forwarding

      Cisco IOS XE 3.4S

      Cisco IOS XE 3.10S

      This feature allows the interfaces in a router to be manually enabled for CTS so that the router can insert the Security Group Tag (SGT) in the packet to be carried throughout the network in the CTS header.

      In Cisco IOS XE Release 3.10S, this feature is supported on the following platforms:

      • Cisco CSR 1000V Router

      • Cisco ISR 4400 Router

      The following commands were introduced or modified: cts manual, policy static sgt, propagate sgt, show cts interface.