TrustSec Identity Port Mapping

A network device at the ingress of a Cisco TrustSec domain must have the security group tag (SGT) for the entering packet so that it can then tag it with this SGT before it forwards the packet into the domain. The egress network device determines the SGT of the packet in order to apply a security group access control list (SGACL).

The Identity Port Mapping (IPM) feature enables the ingress network device to determine the source SGT based on the source identity. IPM is implemented by configuring the link with the identity of the connected peer so that the ingress network device can request policy information, including SGT and trust state, from the authentication server.

Prerequisites for TrustSec Identity Port Mapping

IPM is supported for the following ports:

  • Routed ports

  • Switchports in access mode

  • Switchports in trunk mode

Restrictions for TrustSec Identity Port Mapping

When manually configuring Cisco TrustSec on an interface, consider these usage guidelines and restrictions:
  • If no SAP parameters are defined, Media Access Control Security (MACsec) encapsulation or encryption is not performed.

  • If the selected SAP mode allows SGT insertion and an incoming packet carries an SGT, the tagging policy is as follows:
    • If the policy static command is configured, the packet is tagged with the SGT configured in the policy static command.
    • If the policy dynamic command is configured, the packet is not tagged.
  • If the selected SAP mode allows SGT insertion and an incoming packet carries an SGT, the tagging policy is as follows:
    • If the policy static command is configured without the trusted keyword, the SGT is replaced with the SGT configured in the policy static command.
    • If the policy static command is configured with the trusted keyword, no change is made to the SGT.
    • If the policy dynamic command is configured and the authorization policy downloaded from the authentication server indicates that the packet source is untrusted, the SGT is replaced with the SGT specified by the downloaded policy.
    • If thepolicy dynamic command is configured and the downloaded policy indicates that the packet source is trusted, no change is made to the SGT.

Information About TrustSec Identity Port Mapping

TrustSec L2 Identity Port Mapping

TrustSec layer 2 IPM uses the policy static sgt command to configure a physical port so that a single SGT is imposed on all traffic entering the port. This SGT is then applied on all IP traffic exiting the port until a new binding is learned.

TrustSec L3 Identity Port Mapping

The Cisco TrustSec L3 IPM feature provides a dynamic method where the Cisco access control system (ACS) access server assigns the SGT based on the device ID mapping in the ACS for filtering at egress interfaces where no directly connected hosts (other than the next hop router) exists.

TrustSec layer 3 IPM uses the policy dynamic identity command to designate a peer name as non-trusted in the Cisco ACS or Cisco ISE configuration.

This feature can be used to identify places in the network egress interfaces (e.g. campus, extranet, internet) that need to be filtered so that guest access (group SGT) to the extranet (the business partner connection) is denied.

How to Configure TrustSec Identity Port Mapping

Configuring TrustSec Identity Port Mapping

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface type slot/port
  4. cts manual
  5. policy dynamic identity peer-name
  6. policy static sgt tag [trusted ]
  7. exit
  8. no shutdown

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface type slot/port

Example:

Device(config)# interface ethernet 1/0

Enters interface configuration mode for the uplink interface.

Step 4

cts manual

Example:

Device(config-if)# cts manual

Enters Cisco TrustSec manual configuration mode.

Step 5

policy dynamic identity peer-name

Example:

Device(config-if-cts-manual)# policy dynamic identity my_peer_device_name
(Optional) Configures Identity Port Mapping (IPM) to allow dynamic authorization policy download from authorization server based on the identity of the peer. See the additional usage notes in the “Restrictions for Configuring TrustSec Identity” Port Mapping section.
  • peer-name —The Cisco TrustSec device ID for the peer device. The peer name is case sensitive.

Note 

Ensure that you have configured the Cisco TrustSec credentials.

Step 6

policy static sgt tag [trusted ]

Example:

Device(config-if-cts-manual)# policy static sgt 7 trusted
(Optional) Configures a static authorization policy. See the additional usage notes in the “Restrictions for Configuring TrustSec Identity” Port Mapping section.
  • tag — The SGT in decimal format. The range is 1 to 65533.

  • trusted —Indicates that ingress traffic on the interface with this SGT should not have its tag overwritten.

Step 7

exit

Example:

Device(config-if-cts-manual)# exit

Exits Cisco TrustSec manual interface configuration mode.

Step 8

no shutdown

Example:

Device(config-if)# no shutdown

Enables the interface and enables Cisco TrustSec authentication on the interface.

TrustSec Identity Port Mapping Example

The following example shows how to configure Cisco TrustSec authentication in manual mode on an interface:

Device# configure terminal
Device(config)# interface gi2/1
Device(config-if)# cts manual 
Device(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm null no-encap
Device(config-if-cts-manual)# exit 
Device(config-if)# shutdown
Device(config-if)# no shutdown
Device(config-if)# exit 
Device(config)# exit

Additional References

Related Documents

Related Topic

Document Title

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

Security commands

Cisco TrustSec and SXP configuration

Cisco TrustSec Switch Configuration Guide

IPsec configuration

Configuring Security for VPNs with IPsec

IKEv2 configuration

Configuring Internet Key Exchange Version 2 (IKEv2) and FlexVPN Site-to-Site

Cisco Secure Access Control Server

Configuration Guide for the Cisco Secure ACS

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for TrustSec Identity Port Mapping

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for TrustSec Identity Port Mapping

Feature Name

Releases

Feature Information

TrustSec Identity Port Mapping

15.1(1)SY

The Identity Port Mapping (IPM) feature enables the ingress network device to determine the source security group tag (SGT) based on the source identity. IPM is implemented by configuring the link with the identity of the connected peer so that the ingress network device can request policy information, including SGT and trust state, from the authentication server.

The following command was introduced: policy static sgt .

Cisco TrustSec L3 Identity Port Mapping

15.1(1)SY

The Cisco TrustSec L3 Identity Port Mapping feature provides a dynamic method where the Cisco access control system (ACS) access server assigns the SGT based on the device ID mapping in the ACS for filtering at egress interfaces where no directly connected hosts (other than the next hop router) exists.

The following command was introduced: policy dynamic identity .