Inline Tagging

SGT Inline Tagging

Each security group in a Cisco TrustSec domain is assigned a unique 16-bit tag called the Security Group Tag (SGT). The SGT is a single label indicating the privileges of the source within the entire network. It is in turn propagated between network hops, allowing any intermediary devices (switches, routers) to enforce policies based on the identity tag.

Cisco TrustSec-capable devices have built-in hardware capabilities that can send and receive packets with the SGT embedded in the MAC (L3) layer. This feature is called Layer 3 (L3)-SGT Imposition. It allows Ethernet interfaces on the device to be enabled for L3-SGT imposition so that the device can insert an SGT in the packet to be carried to its next-hop Ethernet neighbor. SGT-over-Ethernet is a method of hop-by-hop propagation of the SGT embedded in clear-text (unencrypted) Ethernet packets. The inline identity propagation is scalable, provides near line-rate performance, and avoids control-plane overhead.

The Cisco TrustSec with SGT Exchange Protocol V4 (SXPv4) feature supports Cisco TrustSec metadata-based L3-SGT. When a packet enters a Cisco TrustSec-enabled interface, the IP-SGT mapping database (with dynamic entries built by SXP and/or static entries built by configuration commands) is analyzed to learn the SGT corresponding to the source IP address of the packet, which is then inserted into the packet and carried throughout the network within the Cisco TrustSec header.

Cisco TrustSec enforces role-based access control using Security Group Tags (SGTs) and Destination Group Tags (DGTs). An SGT is assigned to traffic at the ingress point or can be propagated from a trusted peer device, identifying the security group of the source. At the egress point, the Destination Group Tag (DGT) is determined. Access decisions are made using Security Group Access Control Lists (SGACLs), which define permitted interactions between source and destination groups.

A network device at the ingress of the Cisco TrustSec cloud needs to determine the SGT of a packet entering the Cisco TrustSec cloud so that it can tag the packet with that SGT when it forwards it into the Cisco TrustSec cloud. The SGT of a packet can be determined with either of these methods:

  • SGT field in the Cisco TrustSec header: If a packet is coming from a trusted peer device, it is assumed that the Cisco TrustSec header carries the correct SGT field. This situation applies to a network device that is not the first network device in the Cisco TrustSec cloud for the packet.

  • SGT lookup based on source IP address: In some cases, the administrator may manually configure a policy that decides the SGT of a packet based on its source IP address. An IP-address-to-SGT table can also be populated by SXP.

The following figure illustrates the topology:

Figure 1. Cisco TrustSec Network (figure not reproduced: a Cisco TrustSec network with SGT support, showing the Cisco TrustSec network devices)
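The two SGT-determination methods above, as an added example in Python (this is not Cisco's code or the device's implementation). It models an ingress device that honours a CMD-carried SGT only on a trusted interface, otherwise falls back to a longest-prefix IP-SGT lookup, and otherwise applies the interface's static SGT. Labelled assumptions: the CMD header layout (EtherType 0x8909, version 0x01, length 0x01, SGT option type 0x0001, a 16-bit SGT, then the payload EtherType) follows the public Cisco MetaData format; the precedence order is this model's choice; all MAC addresses, IP addresses, prefixes and SGT values are constructed sample data.

```python
"""Added example (not Cisco's code): how an ingress TrustSec device may decide a frame's SGT.

Assumptions (labelled): CMD header layout per the public Cisco MetaData format;
precedence trusted-header > IP-SGT lookup > interface static SGT is this model's
choice; every address and tag value below is constructed sample data.
"""
import ipaddress
import struct
from typing import Optional, Tuple

CMD_ETHERTYPE = 0x8909   # Cisco MetaData (CMD) EtherType named on the page
ETHERTYPE_IPV4 = 0x0800
CMD_HEADER_LEN = 8       # version(1) length(1) option type(2) SGT(2) payload EtherType(2)


def parse_cmd(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Split an Ethernet frame into (sgt, payload_ethertype, payload).

    sgt is None for an untagged frame. A truncated or unexpected CMD header
    raises ValueError instead of yielding a guessed tag.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != CMD_ETHERTYPE:
        return None, ethertype, frame[14:]
    if len(frame) < 14 + CMD_HEADER_LEN:
        raise ValueError("truncated CMD header")
    version, length, opt_type, sgt, inner = struct.unpack("!BBHHH", frame[14:22])
    if version != 1 or length != 1 or opt_type != 0x0001:
        raise ValueError("unsupported CMD header variant")
    return sgt, inner, frame[22:]


def build_cmd_frame(dst: bytes, src: bytes, sgt: int, payload_ethertype: int, payload: bytes) -> bytes:
    """Build a frame with the 16-bit SGT embedded in a CMD header (used to construct sample input)."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT must fit in 16 bits")
    cmd = struct.pack("!HBBHHH", CMD_ETHERTYPE, 1, 1, 0x0001, sgt, payload_ethertype)
    return dst + src + cmd + payload


def ipv4_header(src: str, dst: str) -> bytes:
    """Constructed minimal 20-byte IPv4 header (checksum left zero); only the source address matters here."""
    return (bytes([0x45, 0]) + struct.pack("!HHHBBH", 20, 0, 0, 64, 6, 0)
            + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed)


class IpSgtTable:
    """IP-to-SGT mapping table fed by SXP (dynamic) and configuration (static); longest prefix wins."""

    def __init__(self) -> None:
        self._entries = []

    def add(self, prefix: str, sgt: int, source: str = "static") -> None:
        self._entries.append((ipaddress.ip_network(prefix, strict=False), sgt, source))

    def lookup(self, ip: str) -> Optional[int]:
        addr = ipaddress.ip_address(ip)
        best = None
        for net, sgt, _source in self._entries:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, sgt)
        return None if best is None else best[1]


def ingress_sgt(frame: bytes, trusted: bool, static_sgt: int, table: IpSgtTable) -> Tuple[int, str]:
    """Return (sgt, how) for a frame arriving on an interface.

    1. A CMD-carried SGT is honoured only if the interface is configured trusted.
    2. Otherwise the IPv4 source address is looked up in the IP-SGT table.
    3. Otherwise the interface's static SGT applies (model assumption).
    """
    sgt, ethertype, payload = parse_cmd(frame)
    if sgt is not None and trusted:
        return sgt, "cmd-header"
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        src = str(ipaddress.IPv4Address(payload[12:16]))
        found = table.lookup(src)
        if found is not None:
            return found, f"ip-sgt:{src}"
    return static_sgt, "static"


if __name__ == "__main__":
    table = IpSgtTable()
    table.add("10.1.0.0/16", 10, "sxp")      # constructed SXP-learned binding
    table.add("10.1.1.0/24", 20, "static")   # constructed static binding, more specific
    mac_a, mac_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    tagged = build_cmd_frame(mac_b, mac_a, 77, ETHERTYPE_IPV4, ipv4_header("10.1.1.5", "10.2.0.9"))
    print(ingress_sgt(tagged, trusted=True, static_sgt=5, table=table))   # (77, 'cmd-header')
    print(ingress_sgt(tagged, trusted=False, static_sgt=5, table=table))  # (20, 'ip-sgt:10.1.1.5')
```

The same tagged frame yields a different SGT depending only on whether the receiving interface is trusted, which is the property the `trusted` keyword in the procedure controls: on an untrusted interface the peer-supplied tag is ignored and the device's own IP-SGT mapping decides.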

Guidelines for Inline Tagging

Restrictions and Supported Features for L2 and L3 Interfaces

This section lists the restrictions and supported features for CTS (Cisco TrustSec) functionality on pure L3 interfaces and on convertible switch ports operating in L3 mode.

  • Traffic Switching: Inter-VLAN communication is not supported on Layer 2 ports.

  • CTS Trust and Propagation: Convertible switch ports functioning as L3 interfaces are enabled for CTS trust and propagation. Conversely, switch ports acting as L2 interfaces do not support CTS functionality.

  • Host support: Only IPv4 hosts are supported.

  • Classification: Static classification (IP-SGT and SVI-SGT) is supported on L2/L3 interfaces.

  • Enforcement: CTS enforcement is not supported.

Configuring SGT Static Inline Tagging

Procedure

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet port

Example:

Device(config)# interface gigabitethernet 0/0/0

Configures the interface on which Cisco TrustSec SGT authorization and forwarding is enabled, and enters interface configuration mode.

Step 4

cts manual

Example:

Device(config-if)# cts manual

Enables Cisco TrustSec SGT authorization and forwarding on the interface, and enters Cisco TrustSec manual interface configuration mode.

Step 5

propagate sgt

Example:

Device(config-if-cts-manual)# propagate sgt

Enables Cisco TrustSec SGT propagation on an interface.

Note: Use this command in situations where the peer device is not capable of receiving SGT over Ethernet packets (that is, when a peer device does not support the Cisco Ethertype CMD 0x8909 frame format).

Step 6

policy static sgt tag [trusted]

Example:

Device(config-if-cts-manual)# policy static sgt 77 trusted

Configures a static SGT ingress policy on the interface and defines the trustworthiness of an SGT received on the interface.

Note: The trusted keyword indicates that the interface is trustworthy for Cisco TrustSec. The SGT value received in the Ethernet packet on this interface is trusted and is used by the device for any SG-aware policy enforcement or for egress tagging.

Step 7

exit

Example:

Device(config-if-cts-manual)# exit

Exits Cisco TrustSec manual interface configuration mode and enters interface configuration mode.

Step 8

end

Example:

Device(config-if)# end

Exits interface configuration mode and enters privileged EXEC mode.

Example: Configuring SGT Static Inline Tagging

This example shows how to enable SGT static inline tagging on an interface that connects to a non-TrustSec-capable endpoint.

Device# configure terminal
Device(config)# interface gigabitethernet 0/0/0
Device(config-if)# cts manual
Device(config-if-cts-manual)# propagate sgt
Device(config-if-cts-manual)# policy static sgt 77 trusted
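As an added example that is not part of this guide or Cisco's software, the following Python audit reads running-config text for the commands configured in the procedure above (cts manual, propagate sgt, policy static sgt ... [trusted]) and reports every interface that will honour a peer-supplied SGT because of the trusted keyword, so it can be compared against the list of links that really go to TrustSec-capable peers. The interface names, descriptions, SGT values, the sample configuration and the peer allowlist are all constructed; the parser only understands the three commands shown in the procedure.

```python
"""Added example (not Cisco's code): audit static inline-tagging configuration.

Assumptions (labelled): the sample configuration, interface names and the
allowlist of expected TrustSec peer interfaces are constructed; only the
commands shown in the procedure (cts manual, propagate sgt, policy static sgt)
are parsed, and sub-mode lines are recognised by content, not indentation.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample in "show running-config" style; not captured from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 description uplink to TrustSec-capable core switch
 cts manual
  propagate sgt
  policy static sgt 77 trusted
!
interface GigabitEthernet0/0/1
 description server segment, peer does not send SGT
 cts manual
  policy static sgt 5
!
interface GigabitEthernet0/0/2
 description user access port
!
"""

_IFACE = re.compile(r"^interface\s+(\S+)\s*$")
_POLICY = re.compile(r"^policy static sgt (\d+)(\s+trusted)?$")


def parse_cts_interfaces(config: str) -> Dict[str, dict]:
    """Return {interface: settings} for every interface that has 'cts manual' configured."""
    result: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = _IFACE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        if line == "cts manual":
            result[current] = {"propagate_sgt": False, "static_sgt": None, "trusted": False}
        elif current in result:
            if line == "propagate sgt":
                result[current]["propagate_sgt"] = True
            else:
                pm = _POLICY.match(line)
                if pm:
                    result[current]["static_sgt"] = int(pm.group(1))
                    result[current]["trusted"] = pm.group(2) is not None
    return result


def audit_trusted(interfaces: Dict[str, dict], expected_peers: Iterable[str]) -> List[str]:
    """Flag interfaces that honour a received SGT ('trusted') without being a listed TrustSec peer link,
    and any static SGT that does not fit the 16-bit tag field."""
    peers = set(expected_peers)
    findings: List[str] = []
    for name, cfg in sorted(interfaces.items()):
        if cfg["trusted"] and name not in peers:
            findings.append(f"{name}: 'trusted' honours peer-supplied SGT but interface is not a listed TrustSec peer")
        if cfg["static_sgt"] is not None and not 0 <= cfg["static_sgt"] <= 0xFFFF:
            findings.append(f"{name}: static SGT {cfg['static_sgt']} does not fit in 16 bits")
    return findings


if __name__ == "__main__":
    parsed = parse_cts_interfaces(SAMPLE_CONFIG)
    for name, cfg in parsed.items():
        print(name, cfg)
    # Constructed allowlist: only the core uplink is expected to deliver SGTs.
    for finding in audit_trusted(parsed, ["GigabitEthernet0/0/0"]):
        print("FINDING:", finding)
```

Run with an empty allowlist to see the finding for GigabitEthernet0/0/0; with the uplink listed, the audit is clean. The check is deliberately narrow: it reports where the device has been told to believe whatever SGT arrives in the frame, which is exactly the decision the trusted keyword in Step 6 makes.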

Troubleshoot the Security Group Tagging Configuration

You can use the following commands to troubleshoot the Cisco TrustSec configuration:

  • debug cts all