The Cisco TrustSec SGT Caching feature enhances the ability of Cisco TrustSec to make Security Group Tag (SGT) transportability flexible. This feature identifies the IP-SGT binding and caches the corresponding SGT so that network packets are forwarded through all network services for normal deep packet inspection processing and at the service egress point the packets are re-tagged with the appropriate SGT.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
The global Security Group Tag (SGT) caching configuration and the interface-specific ingress configuration are mutually exclusive. In the following scenarios, a warning message is displayed if you attempt to configure SGT caching both globally and on an interface:
If an interface has ingress SGT caching enabled using the cts role-based sgt-cache ingress command in interface configuration mode, and a global configuration is attempted using the cts role-based sgt-caching command, a warning message is displayed as shown in this example:
```
Device> enable
Device# configure terminal
Device(config)# interface gigabitEthernet0/0
Device(config-if)# cts role-based sgt-cache ingress
Device(config-if)# exit
Device(config)# cts role-based sgt-caching
There is at least one interface that has ingress sgt caching configured.
Please remove all interface ingress sgt caching configuration(s) before attempting global enable.
```
If global configuration is enabled using the cts role-based sgt-caching command, and an interface configuration is attempted using the cts role-based sgt-cache ingress command in interface configuration mode, a warning message is displayed as shown in this example:
```
Device> enable
Device# configure terminal
Device(config)# cts role-based sgt-caching
Device(config)# interface gigabitEthernet0/0
Device(config-if)# cts role-based sgt-cache ingress
Note that ingress sgt caching is already active on this interface due to global sgt-caching enable.
```
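The restriction above can be checked before a configuration is pushed rather than discovered from the warning on the device. The following Python function is an added example (not Cisco code): it scans a running-config fragment for the global cts role-based sgt-caching command and the per-interface cts role-based sgt-cache ingress command and reports the interfaces that conflict; the sample configuration is constructed.

```python
# Added example (not Cisco code): audit an IOS running-config fragment for
# the restriction above, where global "cts role-based sgt-caching" and
# per-interface "cts role-based sgt-cache ingress" are mutually exclusive.

# Constructed sample running-config; not taken from a real device.
SAMPLE_CONFIG = """\
cts role-based sgt-caching
!
interface GigabitEthernet0/0
 cts role-based sgt-cache ingress
!
interface GigabitEthernet0/1
 cts role-based sgt-cache egress
!
interface GigabitEthernet0/2
 no cts role-based sgt-cache ingress
!
"""

def audit_sgt_caching(config: str) -> dict:
    """Return the global caching state, the interfaces with ingress/egress
    caching, and 'conflicts': ingress-caching interfaces that clash with
    the global command (egress caching does not conflict)."""
    global_enabled = False
    ingress, egress = [], []
    current = None                      # interface whose section we are in
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):    # unindented: global command or section start
            current = None
            if line.startswith("interface "):
                current = line.split(None, 1)[1]
            elif line == "cts role-based sgt-caching":
                global_enabled = True
            continue
        if current is None:
            continue
        cmd = line.strip()              # indented: interface-level command
        if cmd == "cts role-based sgt-cache ingress":
            ingress.append(current)
        elif cmd == "cts role-based sgt-cache egress":
            egress.append(current)
    return {
        "global_enabled": global_enabled,
        "ingress_interfaces": ingress,
        "egress_interfaces": egress,
        "conflicts": ingress if global_enabled else [],
    }
```

Run the audit on the candidate configuration; an empty conflicts list means the global and interface commands can coexist as written.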
Cisco TrustSec uses Security Group Tag (SGT) caching to ensure that traffic tagged with SGT can also pass through services that are not aware of SGTs. Examples of services that cannot propagate SGTs are WAN acceleration or optimization, intrusion prevention systems (IPS), and upstream firewalls.
The Cisco TrustSec SGT Caching feature enables the device to identify the IP-SGT binding information from the incoming packet and cache this information.

1. The device redirects the packet to the service or services that cannot propagate SGTs.
2. After the completion of the service, the packet returns to the device.
3. The appropriate SGT is reapplied to the packet at the service egress point.
4. Role-based enforcements are applied to the packet that has returned to the device from the service or services.
5. The packet with SGTs is forwarded to other Cisco TrustSec-capable devices downstream.

Where the packets that go through a service or services do not come back to the device:

- Single-hop SGT Exchange Protocol (SXP) is used to identify and export the identified IP-SGT bindings.
- The upstream device in the network identifies the IP-SGT bindings through SXP and reapplies the appropriate tags or uses them for SGT-based enforcement.

During egress caching, the original pre-Network Address Translation (NAT) source IP address is cached as part of the identified IP-SGT binding information.
IP-SGT bindings that do not receive traffic for 300 seconds are removed from the cache.
To enable SGT caching globally:

1. enable
2. configure terminal
3. cts role-based sgt-caching
4. end
When an interface is configured to be on a Virtual Routing and Forwarding (VRF) network, the IP-SGT bindings identified on that interface are added under the specific VRF. (To view the bindings identified on a corresponding VRF, use the show cts role-based sgt-map vrf vrf-name all command.)
To enable SGT caching on an interface:

1. enable
2. configure terminal
3. interface type slot/port
4. cts role-based sgt-cache [ingress | egress]
5. end
To verify the SGT caching configuration:

1. enable
2. show cts
3. show cts interface
4. show cts interface brief
5. show cts role-based sgt-map all ipv4
6. show cts role-based sgt-map vrf
7. show cts platform sgt-caching
The following example shows how to enable SGT caching globally:

```
Device> enable
Device# configure terminal
Device(config)# cts role-based sgt-caching
Device(config)# end
```
The following example shows how to enable ingress SGT caching on an interface:

```
Device> enable
Device# configure terminal
Device(config)# interface gigabitEthernet 0/1/0
Device(config-if)# cts role-based sgt-cache ingress
Device(config-if)# end
```
The following example shows how to disable SGT caching on an interface and displays the status of SGT caching on the interface when caching is enabled globally, but disabled on the interface.
```
Device> enable
Device# configure terminal
Device(config)# cts role-based sgt-caching
Device(config)# interface gigabitEthernet 0/1
Device(config-if)# no cts role-based sgt-cache ingress
Device(config-if)# end
Device# show cts interface GigabitEthernet0/1
Interface GigabitEthernet0/1
    CTS sgt-caching Ingress: Disabled
    CTS sgt-caching Egress : Disabled
    CTS is enabled, mode: MANUAL
    Propagate SGT: Enabled
    Static Ingress SGT Policy:
      Peer SGT: 200
      Peer SGT assignment: Trusted
    L2-SGT Statistics
      Pkts In : 200890684
      Pkts (policy SGT assigned) : 0
      Pkts Out : 14
      Pkts Drop (malformed packet): 0
      Pkts Drop (invalid SGT) : 0
```
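When many interfaces have to be checked, the show cts interface output is easier to verify programmatically than by eye. The following Python parser is an added example (not Cisco code): it takes the output shown above as its sample input, extracts the caching states, peer SGT and L2-SGT counters, and surfaces any non-zero drop counters, which are worth monitoring because they count frames that were malformed or carried an invalid SGT.

```python
# Added example (not Cisco code): parse "show cts interface" output into a
# structured record so SGT caching state and drop counters can be checked.
import re

# Sample input: the show output from the example above.
SHOW_CTS_INTERFACE = """\
Interface GigabitEthernet0/1
    CTS sgt-caching Ingress: Disabled
    CTS sgt-caching Egress : Disabled
    CTS is enabled, mode: MANUAL
    Propagate SGT: Enabled
    Static Ingress SGT Policy:
      Peer SGT: 200
      Peer SGT assignment: Trusted
    L2-SGT Statistics
      Pkts In : 200890684
      Pkts (policy SGT assigned) : 0
      Pkts Out : 14
      Pkts Drop (malformed packet): 0
      Pkts Drop (invalid SGT) : 0
"""

# "key : value" lines; the lazy key tolerates the space before ':' in "Egress :".
_FIELD = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")

def parse_cts_interface(text: str) -> dict:
    """Return interface name, caching/propagation booleans, peer SGT and
    the L2-SGT packet counters as ints; lines not of interest are skipped."""
    rec = {"counters": {}}
    for line in text.splitlines():
        if line.startswith("Interface "):
            rec["interface"] = line.split(None, 1)[1].strip()
            continue
        m = _FIELD.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if key == "CTS sgt-caching Ingress":
            rec["ingress_caching"] = val == "Enabled"
        elif key == "CTS sgt-caching Egress":
            rec["egress_caching"] = val == "Enabled"
        elif key == "Propagate SGT":
            rec["propagate_sgt"] = val == "Enabled"
        elif key == "Peer SGT":
            rec["peer_sgt"] = int(val)
        elif key.startswith("Pkts") and val.isdigit():
            rec["counters"][key] = int(val)
    return rec

def drop_counters(rec: dict) -> dict:
    """Non-zero 'Pkts Drop' counters, the ones worth alerting on."""
    return {k: v for k, v in rec["counters"].items() if k.startswith("Pkts Drop") and v}
```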
| Description | Link |
|---|---|
| The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
| Feature Name | Releases | Feature Information |
|---|---|---|
| Cisco TrustSec SGT Caching | Cisco IOS 15.5(2)T | The Cisco TrustSec SGT Caching feature enhances the ability of Cisco TrustSec to make Security Group Tag (SGT) transportability flexible. This feature identifies the IP-SGT binding and caches the corresponding SGT so that network packets are forwarded through all network services for normal deep packet inspection processing and at the service egress point the packets are re-tagged with the appropriate SGT. In Cisco IOS Release 15.5(2)T, support was added for Cisco Integrated Services Router Generation 2 (Cisco ISR G2). The following commands were introduced or modified: cts role-based sgt-caching, cts role-based sgt-cache [ingress \| egress]. |