In security group access lists (SGACLs), you can control the operations that users can perform based on assigned security groups. The grouping of permissions into a role simplifies the management of the security policy. As you add users to a Cisco NX-OS device, you simply assign one or more security groups and they immediately receive the appropriate permissions. You can modify security groups to introduce new privileges or restrict current permissions.
Cisco TrustSec assigns a unique 16-bit tag, called the security group tag (SGT), to a security group. The number of SGTs in a Cisco NX-OS device is limited to the number of authenticated network entities. The SGT is a single label that indicates the privileges of the source within the entire enterprise. Its scope is global within a Cisco TrustSec network.
server derives the SGTs based on the security policy configuration. You do not
have to configure them manually.
Cisco TrustSec tags any packet that originates from a device with the SGT that
represents the security group to which the device is assigned. The packet
carries this SGT throughout the network within the Cisco TrustSec header.
Because this tag represents the group of the source, the tag is referred to as
the source SGT. At the egress edge of the network, Cisco TrustSec determines
the group that is assigned to the packet destination device and applies the
access control policy.
defines access control policies between the security groups. By assigning
devices within the network to security groups and applying access control
between and within the security groups, Cisco TrustSec essentially achieves
access control within the network.
Figure 3. SGACL Policy
Example. This figure
shows an example of an SGACL policy.
Figure 4. SGT and SGACL
in Cisco TrustSec Network. This figure
shows how the SGT assignment and the SGACL enforcement operate in a Cisco
The Cisco NX-OS
device defines the Cisco TrustSec access control policy for a group of devices
as opposed to IP addresses in traditional ACLs. With such a decoupling, the
network devices are free to move throughout the network and change IP
addresses. Entire network topologies can change. As long as the roles and the
permissions remain the same, changes to the network do not change the security
policy. This feature greatly reduces the size of ACLs and simplifies their
In traditional IP
networks, the number of access control entries (ACEs) configured is determined
Number of ACEs = (number of sources specified) X (number of destinations specified) X (number of permissions specified)
Cisco TrustSec uses
the following formula:
Number of ACEs = number of permissions specified
about SGACL policy enforcement with SGT caching, see
SGACL Policy Enforcement With Cisco TrustSec