TrustSec SGT Handling: L2 SGT Imposition and Forwarding

This feature allows the interfaces in a router to be manually enabled for Cisco TrustSec so that the router can insert the Security Group Tag (SGT) in the packet to be carried throughout the network in the Cisco TrustSec header.

Prerequisites for TrustSec SGT Handling: L2 SGT Imposition and Forwarding

The Cisco Trustsec network needs to be established with the following prerequisites before implementing the Cisco TrustSec SGT Handling: L2 SGT Imposition and Forwarding feature:

  • Connectivity exists between all network devices

  • Cisco Secure Access Control System (ACS) 5.1 operates with a Cisco TrustSec -SXP license

  • Directory, DHCP, DNS, certificate authority, and NTP servers function within the network

  • Configure the retry open timer command to a different value on different routers.

Information about TrustSec SGT Handling: L2 SGT Imposition and Forwarding

Cisco TrustSec (CTS) builds secure networks by establishing domains of trusted network devices. Each device in the domain is authenticated by its peers. Communication on the links between devices in the domain is secured with a combination of encryption, message integrity check, and data-path replay protection mechanisms.

The TrustSec SGT Handling: L2 SGT Imposition and Forwarding feature allows the interfaces in a router to be manually enabled for CTS so that the router can insert the Security Group Tag (SGT) in the packet to be carried throughout the network in the CTS header.

Security Groups and SGTs

A security group is a grouping of users, endpoint devices, and resources that share access control policies. Security groups are defined by the administrator in the ACS. As new users and devices are added to the Cisco TrustSec (CTS) domain, the authentication server assigns these new entities to appropriate security groups. CTS assigns to each security group a unique 16-bit security group number whose scope is global within a CTS domain. The number of security groups in the router is limited to the number of authenticated network entities. Security group numbers do not need to be manually configured.

Once a device is authenticated, CTS tags any packet that originates from that device with an SGT that contains the security group number of the device. The packet carries this SGT throughout the network within the CTS header. The SGT is a single label that determines the privileges of the source within the entire CTS domain. The SGT is identified as the source because it contains the security group of the source. The destination device is assigned a destination group tag (DGT).

Note

The CTS packet tag does not contain the security group number of the destination device.

How to Configure TrustSec SGT Handling: L2 SGT Imposition and Forwarding

This section describes how to configure L2 SGT imposition and forwarding.

Manually Enabling TrustSec SGT Handling: L2 SGT Imposition and Forwarding on an Interface

Perform the following steps to manually enable an interface on the device for Cisco TrustSec (CTS) so that the device can add Security Group Tag (SGT) in the packet to be propagated throughout the network and to implement a static authorization policy.

Procedure

  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface {GigabitEthernet port | Vlan number}

Example:

Device(config)# interface gigabitethernet 0

Enters the interface on which CTS SGT authorization and forwarding is enabled

Step 4

cts manual

Example:

Device(config-if)# cts manual

Enables the interface for CTS SGT authorization and forwarding, and enters CTS manual interface configuration mode.

Note 

To enable the cts manual command on a subinterface, you must increase the IP MTU size to accommodate the additional bytes for the Dot1Q tag. This is applicable only for releases earlier than Cisco IOS XE Release 3.17.

Step 5

policy static sgt tag [trusted]

Example:

Device(config-if-cts-manual)# policy static sgt 100 trusted

Configures a static authorization policy for a CTS security group with a tagged packet that defines the trustworthiness of the SGT.

Step 6

end

Example:

Device(config-if-cts-manual)# end

Exits CTS manual interface configuration mode and enters privileged EXEC mode.

Step 7

show cts interface [GigabitEthernet port | Vlan number | brief | summary]

Example:

Device# show cts interface brief

Displays CTS configuration statistics for the interface.

Disabling CTS SGT Propagation on an Interface

Follow these steps to disable CTS SGT Propagation on an interface in an instance when a peer device is not capable of receiving an SGT.

Procedure

  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface {GigabitEthernetport | Vlan number}

Example:

Device(config)# interface gigabitethernet 0

Enters the interface on which CTS SGT authorization and forwarding is enabled

Step 4

cts manual

Example:

Device(config-if)# cts manual

Enables the interface for CTS SGT authorization and forwarding.

CTS manual interface configuration mode is entered where CTS parameters can be configured.

Step 5

no propagate sgt

Example:

Device(config-if-cts-manual)# no propagate sgt

Disables CTS SGT propagation on an interface in situations where a peer device is not capable of receiving an SGT.

Note 

CTS SGT propagation is enabled by default. The propagate sgt command can be used if CTS SGT propagation needs to be turned on again for a peer device.

Once the no propagate sgt command is entered, the SGT tag is not added in the L2 header.

Step 6

end

Example:

Device(config-if-cts-manual)# end

Exits CTS manual interface configuration mode and enters privileged EXEC mode.

Step 7

show cts interface [GigabitEthernetport | Vlan number | brief | summary]

Example:


Device# show cts interface brief
Global Dot1x feature is Disabled
Interface GigabitEthernet0:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: ""
    Authorization Status:    NOT APPLICABLE
    SAP Status:              NOT APPLICABLE
    Propagate SGT:           Disabled
    Cache Info:
        Cache applied to link : NONE

Displays CTS configuration statistics to verify that CTS SGT propagation was disabled on interface.

Example: Manually Enabling TrustSec SGT Handling: L2 SGT Imposition and Forwarding on an Interface

Example:

The following is sample output for the show cts interface brief command. 

Device# show cts interface brief

Interface GigabitEthernet0/1/0
    CTS is enabled, mode:     MANUAL
      Propagate SGT:          Enabled
      Static Ingress SGT Policy:
        Peer SGT:             100
        Peer SGT assignment:  Trusted

Feature History for TrustSec SGT Handling: L2 SGT Imposition and Forwarding

This table provides release and related information for features explained in this module.

These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

Release

Feature

Feature Information

Cisco IOS XE Fuji 16.8.1a

TrustSec SGT Handling: L2 SGT Imposition and Forwarding

This feature allows the interfaces in a router to be manually enabled for Cisco TrustSec so that the router can insert the SGT in the packet to be carried throughout the network in the Cisco TrustSec header.

Support for this feature was introduced on all the models of the Cisco Catalyst 9500 Series Switches.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.