Security Group Tag Support

Feature Summary and Revision History

Summary Data

Table 1. Summary Data

Applicable Product(s) or Functional Area: 5G-UPF

Applicable Platforms: VPC-SI

Feature Default Setting: Enabled – Always-on

Related Changes in this Release: Not Applicable

Related Documentation: UCC 5G UPF Configuration and Administration Guide

Revision History

Revision Details

Release

First introduced.

2023.03.0

2023.02.0

Feature Description

The Security Group Tag (SGT) specifies the privileges of a traffic source within a trusted network. Security Group Access (a feature of both Cisco TrustSec and Cisco ISE) automatically generates the SGT when a user adds a security group in TrustSec or ISE.


Note: Security Group Tag (SGT) is also referred to as Scalable Group Tag.


The Identity Services Engine (ISE) sends SGT values over the RADIUS interface, and these values are then propagated over the N6 interface. The SGT value must be checkpointed for both session recovery and ICSR/GR scenarios so that it is available to the peer session manager.

How it Works

Call Flow

The following steps describe ISE handling (the accompanying figure is not reproduced here):

Step 1: SMF sends the SGT value in the PFCP Session Establishment Request to the UPF.

Step 2: UPF decodes the SGT value and adds it as part of the Cisco Meta Data (CMD) in the Ethernet header of all packets sent over the N6 interface.
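The CMD encoding described in step 2, as an added example that is not part of this guide or of the UPF/VPP datapath code: a small Python model that inserts a CMD header carrying an SGT into an Ethernet frame and extracts it again, so an operator capturing N6 traffic can check that uplink frames carry the SGT received over N4. The EtherType 0x8909 and the SGT option type 0x0001 come from the Cisco TrustSec CMD encoding; the option layout and the value written into the length byte are assumptions to verify against your own captures, and the sample frame is constructed. Frames without a CMD header (for example downlink frames, which the UPF leaves untagged) return None.

```python
import struct

# Cisco TrustSec CMD constants (EtherType and SGT option type). The option
# layout and length-byte value below are assumptions; check them against captures.
ETHERTYPE_CMD = 0x8909      # Cisco MetaData EtherType
ETHERTYPE_VLAN = 0x8100     # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
CMD_VERSION = 1
CMD_OPT_SGT = 0x0001        # option carrying the 16-bit SGT
CMD_INSERTED_LEN = 8        # 0x8909(2) ver(1) len(1) opt_type(2) sgt(2)


def _ethertype_offset(frame: bytes) -> int:
    """Offset of the outermost EtherType after dst/src MAC and one optional 802.1Q tag."""
    offset = 12
    if len(frame) >= offset + 4 and struct.unpack_from("!H", frame, offset)[0] == ETHERTYPE_VLAN:
        offset += 4
    return offset


def insert_sgt(frame: bytes, sgt: int) -> bytes:
    """Model of step 2: wrap the frame's original EtherType and payload in a CMD header
    carrying `sgt`. Illustrates the encoding only; it is not the UPF's own code."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT must fit in 16 bits")
    off = _ethertype_offset(frame)
    if len(frame) < off + 2:
        raise ValueError("truncated Ethernet header")
    # Length byte written as 1 for a single SGT option (assumed value).
    cmd = struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION, 1, CMD_OPT_SGT, sgt)
    # The original EtherType stays in place after the CMD header as the inner EtherType.
    return frame[:off] + cmd + frame[off:]


def extract_sgt(frame: bytes):
    """Return (sgt, inner_ethertype, inner_payload) when `frame` carries a CMD header
    with an SGT option, else None (e.g. a downlink frame, which the UPF leaves untagged)."""
    off = _ethertype_offset(frame)
    if len(frame) < off + CMD_INSERTED_LEN + 2:
        return None
    if struct.unpack_from("!H", frame, off)[0] != ETHERTYPE_CMD:
        return None
    version, _length, opt_type, sgt, inner = struct.unpack_from("!BBHHH", frame, off + 2)
    if version != CMD_VERSION or opt_type != CMD_OPT_SGT:
        return None
    return sgt, inner, frame[off + CMD_INSERTED_LEN + 2:]


# Constructed sample: an uplink IPv4 frame (payload is a placeholder IPv4 header stub).
SAMPLE_UPLINK = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                 + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45\x00" + b"\x00" * 18)


def demo():
    """Tag the sample frame with SGT 5 and read it back; the untagged frame yields None."""
    tagged = insert_sgt(SAMPLE_UPLINK, 5)
    return extract_sgt(tagged), extract_sgt(SAMPLE_UPLINK)


if __name__ == "__main__":
    print(demo())
```

Run the file directly to see the tagged and untagged results; feed `extract_sgt` raw frame bytes from a capture on the N6 side to confirm that the SGT shown by `show subscriber user-plane-only full all` is what actually leaves the UPF.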

Limitations

This feature has the following known limitations:

  • The SGT value must be sent in the PFCP Session Establishment Request over the N4 interface. The SGT value is not modified or removed during the life of the session.

  • UPF does not support SGT traffic in the downlink direction.

Monitoring and Troubleshooting

Show Commands and Outputs

This section provides information about show commands and their outputs in support of this feature.

show subscriber user-plane-only full all

The output of this command is enhanced to include the following field:

  • SGT Value : Displays the SGT value.

Fastpath Stream

The SGT value received in the PFCP Session Establishment Request is carried with the OHR (Outer Header Removal) option for the uplink stream. This enables VPP to add the SGT to the corresponding uplink packets towards N6. The per-stream SGT is provisioned in the fastpath as part of the remove-outer-header operation.

The following is a sample output of the fastpath stream command:

vpp# fastpath stream list allinfo

p ~odc qta teid immediate=0xd, 2817:r104354:d14069, 2831:r51892:d51892) Policer, 
(Next: V6:254, V4254), (2829:r753755:d753755, 2828:r753755:d753755) Policer, 
(Next: V6: 24, V4 25), (2829:r753758:d753758, 2828:r753758:d753758) hcfUL, 
(Next: V6: 22, V4 23), (2827:r9964:d9964, 2830:r189893:d189893, 
2831:r51892:d51892) remOuterHdr, (Next: V6: 7, V4 7), 
(2817:r104354:d14069, immediate=0x2d000120) L1:Sx35b93 
holding queue: Empty  x3-index: 0 dep-id: 0 dup-x3-index: 0 dup-dep-id: 0