The attribute-based access control list organizes and manages the Cisco TrustSec access control on a network device. The security group access control list (SGACL) is a Layer 3/Layer 4 access control list that filters access based on the value of the security group tag (SGT). The filtering usually occurs at an egress port of the Cisco TrustSec domain. The SGT is a Layer 2 tag that is used to classify traffic based on role, and SGT tagging occurs at the ingress of the Cisco TrustSec (CTS) domain.
The terms role-based ACL (RBACL) and SGACL can be used interchangeably; both refer to a topology-independent ACL used in an attribute-based access control (ABAC) policy model. ABAC is an access control mechanism that uses subject attributes, resource attributes, and environment attributes:
- Subject attributes (S) are associated with a subject, be it a user or an application, and define the identity and characteristics of that subject.
- Resource attributes (R) are associated with a resource, such as a web service, a system function, or data.
- Environment attributes (E) describe the operational, technical, or situational environment or context in which information is accessed.
ABAC policy rules are generated as Boolean functions of the S, R, and E attributes, and these rules decide whether a subject S can access a resource R in a particular environment E. Access control policy is defined between security groups and consists of traditional security ACLs but without IP source and destination addresses.
Because networks are bidirectional, access control is applied both between the subject (user) and the object (resource or server) and between the object and the subject. This requires the subjects to be grouped together into security groups and the objects to be likewise grouped together into security groups. Rules based on subject and object attributes group the subjects and objects into security groups.
Once SGACL enforcement is enabled globally, it is automatically enabled on every Layer 3 interface on the device, and you can then disable SGACL enforcement on specific Layer 3 interfaces. Granular disablement at the interface level is effective only if SGACL enforcement is enabled globally; disabling it per interface while the global setting is off has no effect. This feature applies even if the packets sent or received were not tagged with an SGT at the source device of the packet.
Enabling or disabling per-interface SGACL enforcement also enables or disables SGACL monitor mode on that interface.
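The following is an added, illustrative Python model of the decision described above (it is not Cisco code and does not reproduce the device implementation): attribute rules classify subjects and objects into security groups at ingress, a policy cell keyed by source SGT, destination SGT and an environment condition selects an SGACL whose entries carry only Layer 3/4 fields, and egress enforcement honours the global/interface enablement logic from the previous paragraphs. The SGT values, attribute names, business-hours condition, first-match classification, and the implicit deny at the end of an SGACL and for an undefined policy cell are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Attributes = Dict[str, str]


@dataclass
class ClassificationRule:
    """Maps subject/object attributes to a security group tag (SGT)."""
    name: str
    matches: Callable[[Attributes], bool]
    sgt: int


@dataclass
class Ace:
    """One SGACL entry: Layer 3/4 match fields only, no IP addresses."""
    action: str                  # "permit" or "deny"
    protocol: str = "ip"         # "ip" matches any protocol
    dst_port: Optional[int] = None


@dataclass
class PolicyRow:
    """Policy cell for (source SGT, destination SGT) under an environment condition E."""
    src_sgt: int
    dst_sgt: int
    env_ok: Callable[[Attributes], bool]
    aces: List[Ace]


@dataclass
class Packet:
    src_sgt: int                 # SGT assigned at ingress of the CTS domain
    dst_sgt: int                 # destination group tag (DGT)
    protocol: str
    dst_port: Optional[int] = None


@dataclass
class Interface:
    name: str
    sgacl_enforcement: bool = True   # per-interface setting (assumed default: on)


def classify(attrs: Attributes, rules: List[ClassificationRule]) -> Optional[int]:
    """Ingress classification: first matching attribute rule assigns the SGT (assumption)."""
    for rule in rules:
        if rule.matches(attrs):
            return rule.sgt
    return None   # no rule matched: traffic stays untagged


def evaluate_aces(aces: List[Ace], pkt: Packet) -> str:
    """Walk the SGACL top-down; implicit deny when nothing matches (assumption)."""
    for ace in aces:
        if ace.protocol != "ip" and ace.protocol != pkt.protocol:
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action
    return "deny"


def abac_decision(policy: List[PolicyRow], pkt: Packet, env: Attributes) -> str:
    """Boolean function of S (source SGT), R (destination SGT) and E (environment)."""
    for row in policy:
        if row.src_sgt == pkt.src_sgt and row.dst_sgt == pkt.dst_sgt and row.env_ok(env):
            return evaluate_aces(row.aces, pkt)
    return "deny"   # no policy cell for this (S, R, E): default deny (assumption)


def enforce_at_egress(global_enabled: bool, intf: Interface, policy: List[PolicyRow],
                      pkt: Packet, env: Attributes) -> Tuple[bool, str]:
    """Returns (enforced, action). Per-interface disablement only matters when
    enforcement is enabled globally; with it off nothing is enforced anywhere."""
    if not global_enabled or not intf.sgacl_enforcement:
        return (False, "permit")
    return (True, abac_decision(policy, pkt, env))


# Constructed sample data: SGT values, attribute rules and policy are illustrative.
EMPLOYEES, GUESTS, WEB_SERVERS = 10, 20, 30

RULES = [
    ClassificationRule("employee", lambda a: a.get("role") == "employee", EMPLOYEES),
    ClassificationRule("guest", lambda a: a.get("role") == "guest", GUESTS),
    ClassificationRule("web-server",
                       lambda a: a.get("type") == "server" and a.get("app") == "web", WEB_SERVERS),
]


def business_hours(env: Attributes) -> bool:
    return 8 <= int(env.get("hour", "0")) < 18


POLICY = [
    # subject -> object: employees may reach web servers on TCP/443 during business hours
    PolicyRow(EMPLOYEES, WEB_SERVERS, business_hours, [Ace("permit", "tcp", 443), Ace("deny")]),
    # object -> subject: the reverse direction needs its own cell because policy is bidirectional
    PolicyRow(WEB_SERVERS, EMPLOYEES, lambda e: True, [Ace("permit", "tcp")]),
    PolicyRow(GUESTS, WEB_SERVERS, lambda e: True, [Ace("deny")]),
]

if __name__ == "__main__":
    sgt = classify({"role": "employee"}, RULES)
    dgt = classify({"type": "server", "app": "web"}, RULES)
    pkt = Packet(sgt, dgt, "tcp", 443)
    print(enforce_at_egress(True, Interface("Gi1/0/1"), POLICY, pkt, {"hour": "10"}))
```

Note that the "interface disabled" and "global disabled" cases both yield `(False, "permit")`: the packet is forwarded without an SGACL lookup, which is the situation a reviewer should look for when a per-interface `no`-form was applied while global enforcement was never turned on.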