SGT Inline Tagging

Feature History for SGT Inline Tagging

This table provides release and platform support information for the features explained in this module.

These features are available in all the releases subsequent to the one they were introduced in, unless noted otherwise.

Release: Cisco IOS XE 17.18.1

Feature Name and Description: SGT Inline Tagging

SGT inline tagging enables Cisco TrustSec to propagate security group identity information directly within Ethernet frames, allowing network devices to enforce security policies efficiently based on the source's security group membership.

Supported Platforms: Cisco C9350 Series Smart Switches, Cisco C9610 Series Smart Switches

Layer 2 SGT Imposition

Cisco TrustSec-capable devices have hardware support to send and receive packets with the SGT embedded at the MAC (Layer 2) level. This capability, known as Layer 2 (L2) SGT Imposition, lets an Ethernet interface insert the SGT directly into the frame before forwarding it to the neighboring Ethernet device. SGT-over-Ethernet propagates the tag hop by hop in clear text, which gives scalable identity tagging without control plane overhead; because the tag travels unprotected on the wire, a receiving interface uses it only when that link is configured as trusted.

SGT Handling with SXPv4

Cisco TrustSec with SGT Exchange Protocol Version 4 (SXPv4) supports SGT assignment from metadata rather than from a tag carried inline. When a packet enters a TrustSec-enabled interface, the device looks up the source IP address in its IP-to-SGT mapping database, built dynamically through SXP or statically by configuration, to select the SGT. That SGT is then inserted into the packet and carried through the TrustSec domain.

SGT Handling with SGACL

At the egress edge of the network, the security group of the packet's destination is determined and access control is enforced. Security Group Access Control Lists (SGACLs) define whether communication between a given pair of security groups is permitted or denied; each packet is matched against the SGACL for its source SGT and destination SGT.

SGT Propagation and Use Cases

  • Trusted Interface Propagation: SGTs received from trusted interfaces are propagated across the network and can be utilized for identity-based firewall classification.

  • IPsec Integration: When IPsec is used, the SGT received in a packet can be shared with IPsec for proper SGT tagging.

Determining the SGT of a Packet

When a device at the ingress of the Cisco TrustSec domain receives a packet, it must determine the appropriate SGT to tag the packet. This can be done in two primary ways:

  • SGT Field in TrustSec Header:

    If the packet arrives on an interface whose peer is configured as trusted, the SGT field in the Cisco TrustSec header is taken as accurate and used as is. Mark an interface trusted only when the peer is a TrustSec device under your control; on an untrusted interface the carried value is not used for classification.

  • SGT Lookup by Source IP:

    Administrators can manually configure policies or leverage the SXP protocol to populate an IP-to-SGT mapping table for assigning SGTs based on source IP addresses.
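The frame format and the ingress decision described above, as an added Python example that is not code from Cisco or from this guide. It builds and parses an Ethernet frame carrying the Cisco MetaData (CMD) header (EtherType 0x8909) and then decides the SGT for the frame the way the two bullets describe: a tag carried from a trusted peer, otherwise an IP-to-SGT lookup on the source address, otherwise the interface's static SGT. The 8-byte header layout (version 1, length 1, SGT option type 1, option length 1, 16-bit SGT, inner EtherType), the precedence between the three sources, the MAC and IP addresses, and the `BINDINGS` table are assumptions made for the example; check the layout against a capture from your own switches.

```python
import socket
import struct

# Cisco MetaData (CMD) EtherType used for SGT-over-Ethernet.
ETHERTYPE_CMD = 0x8909
ETHERTYPE_IPV4 = 0x0800

# Field values of the SGT-only CMD header as assumed for this example.
CMD_VERSION = 1
CMD_LENGTH = 1
SGT_OPTION_TYPE = 1
SGT_OPTION_LENGTH = 1
CMD_HEADER_LEN = 8  # version, length, option type, option length, SGT(2), inner EtherType(2)


def build_cmd_frame(dst_mac: bytes, src_mac: bytes, sgt: int,
                    inner_ethertype: int, payload: bytes) -> bytes:
    """Layer 2 SGT imposition: insert the CMD header between the MAC
    addresses and the original EtherType/payload."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT must fit in 16 bits")
    cmd = struct.pack("!HBBBBHH", ETHERTYPE_CMD, CMD_VERSION, CMD_LENGTH,
                      SGT_OPTION_TYPE, SGT_OPTION_LENGTH, sgt, inner_ethertype)
    return dst_mac + src_mac + cmd + payload


def parse_frame(frame: bytes):
    """Return (carried_sgt_or_None, inner_ethertype, payload).

    A frame whose EtherType is not 0x8909 carries no SGT. A CMD header with
    unexpected field values is rejected rather than guessed at."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_CMD:
        return None, ethertype, frame[14:]
    if len(frame) < 14 + CMD_HEADER_LEN:
        raise ValueError("truncated CMD header")
    version, length, opt_type, opt_len, sgt, inner = struct.unpack(
        "!BBBBHH", frame[14:14 + CMD_HEADER_LEN])
    if (version, length, opt_type, opt_len) != (
            CMD_VERSION, CMD_LENGTH, SGT_OPTION_TYPE, SGT_OPTION_LENGTH):
        raise ValueError("unsupported CMD header")
    return sgt, inner, frame[14 + CMD_HEADER_LEN:]


def strip_cmd_header(frame: bytes) -> bytes:
    """Egress toward a peer that cannot parse 0x8909 (no 'propagate sgt'):
    forward the frame with the CMD header removed."""
    sgt, inner, payload = parse_frame(frame)
    if sgt is None:
        return frame
    return frame[:12] + struct.pack("!H", inner) + payload


def ingress_sgt(frame: bytes, trusted: bool, bindings: dict, static_sgt: int):
    """Decide the SGT for a frame entering the TrustSec domain.

    Assumed precedence: tag carried from a trusted peer, then the IP-to-SGT
    binding table (SXP-learned or static), then the interface's static SGT.
    On an untrusted interface the carried tag is ignored, so the peer cannot
    choose its own security group."""
    carried, inner, payload = parse_frame(frame)
    if trusted and carried is not None:
        return carried, "inline tag from trusted peer"
    if inner == ETHERTYPE_IPV4 and len(payload) >= 20:
        src_ip = socket.inet_ntoa(payload[12:16])  # IPv4 source address field
        if src_ip in bindings:
            return bindings[src_ip], f"IP-SGT binding for {src_ip}"
    return static_sgt, "interface static SGT"


def ipv4_header(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header used as constructed test input (no checksum)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


# Constructed sample data for the example.
DST_MAC = bytes.fromhex("0011223344aa")
SRC_MAC = bytes.fromhex("0011223344bb")
BINDINGS = {"192.0.2.5": 133}  # IP-to-SGT mapping database (SXP-learned or static)

if __name__ == "__main__":
    frame = build_cmd_frame(DST_MAC, SRC_MAC, 77, ETHERTYPE_IPV4,
                            ipv4_header("192.0.2.5", "203.0.113.7"))
    print(parse_frame(frame)[0])                    # 77
    print(ingress_sgt(frame, True, BINDINGS, 0))    # trusted link: carried tag 77 wins
    print(ingress_sgt(frame, False, BINDINGS, 0))   # untrusted link: binding gives 133
    print(ingress_sgt(strip_cmd_header(frame), True, {}, 77))  # untagged, no binding: 77
```

The untrusted case is the one worth keeping in mind: a frame that arrives with a tag of 77 on a link that is not marked trusted is classified from the binding table (133 here), so a downstream SGACL decision never depends on a value the peer chose.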

SGT Inline Tagging on NAT-Enabled Devices

This section describes how SGT values are determined and enforced for packets traversing from a primary device, which has Network Address Translation (NAT) enabled on both ingress and egress ports, to a secondary device.


Note


All ports involved in the flow must be configured in Cisco TrustSec (CTS) manual and trusted mode on both devices.


Inline Tagging Enabled, SGT Tag Not Changed via CLI

  • On the primary device, Cisco TrustSec enforces policy with the SGT that corresponds to the packet's original source IP.

  • After NAT translation, the translated (NAT) IP is associated with that same SGT.

  • On the secondary device, Cisco TrustSec enforces policy with the SGT carried inline in the packet, which still reflects the original source IP.

Example

A packet arrives at the primary device with source IP 192.0.2.5 and SGT tag 133.

  • Cisco TrustSec enforces SGT tag 133 on the primary device.

  • After NAT, the packet’s IP changes to 198.51.100.10 but remains tagged with SGT 133.

  • The secondary device receives the packet with IP 198.51.100.10 and SGT 133, and enforces TrustSec policy based on SGT 133.

Inline Tagging Enabled, SGT Tag Changed via CLI

  • On the primary device, Cisco TrustSec enforces policy with the SGT that corresponds to the packet's original source IP.

  • A different SGT can be assigned to the NAT IP through the CLI, but the packet leaving the primary device still carries the SGT of the original source IP inline.

  • On the secondary device, TrustSec continues to enforce policy with the inline SGT, which corresponds to the packet's original source IP; the CLI-assigned SGT for the NAT IP has no effect there.

Example

A packet arrives at the primary device with source IP 192.0.2.5 and SGT tag 133.

  • The SGT for the NAT IP is changed to 200 via CLI, but after NAT (the IP changes to 198.51.100.10) the packet is still tagged inline with SGT 133.

  • The secondary device receives the packet with IP 198.51.100.10 and SGT 133, and enforces TrustSec policy based on SGT 133.

Inline Tagging Disabled, SGT Learned via SXP Protocol and Changed via CLI

  • On the primary device, TrustSec enforces policy with the SGT that corresponds to the original source IP.

  • The SGT for the post-NAT IP is assigned through the CLI on the primary device and enters its IP-to-SGT mapping database.

  • On the secondary device, which has no direct TrustSec link to the primary, IP-to-SGT bindings are learned through SXP, and TrustSec enforces policy with the SGT bound to the NAT IP.

Example

A packet arrives at the primary device with source IP 192.0.2.5 and SGT tag 133.

  • After NAT, the source IP becomes 198.51.100.10, and the SGT for this IP is set to 200 via CLI.

  • TrustSec enforces SGT 133 on the primary device.

  • On the secondary device, the IP-to-SGT binding (198.51.100.10—200) is learned via SXP, and TrustSec is enforced using SGT 200.
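The three NAT scenarios above, modelled as an added Python example that is not code from Cisco or from this guide. Each device classifies a packet at ingress (an inline tag from a trusted link, otherwise its IP-to-SGT table), the primary device applies NAT and re-tags or not depending on whether inline tagging is enabled, and the secondary device enforces a small SGACL matrix. The precedence of inline tag over table lookup, the SXP export as a plain copy of bindings, the SGACL matrix, and the addresses and SGT values are assumptions or constructed data for the example; the scenario results are the ones the text gives.

```python
from dataclasses import dataclass
from typing import Optional

UNKNOWN_SGT = 0  # assumed value for a source with no binding and no inline tag


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    sgt: Optional[int] = None  # SGT carried inline in the CMD header, if any


@dataclass
class Device:
    name: str
    bindings: dict                 # IP -> SGT: static CLI entries or SXP-learned
    trusted: bool = True           # ingress link is 'cts manual' and trusted
    inline_tagging: bool = True    # 'propagate sgt' on the egress link
    nat: Optional[dict] = None     # inside IP -> outside IP (NAT device only)

    def classify(self, pkt: Packet) -> int:
        """Ingress: an inline tag from a trusted link beats the IP-to-SGT
        table (assumed precedence); otherwise look the source IP up."""
        if self.trusted and pkt.sgt is not None:
            return pkt.sgt
        return self.bindings.get(pkt.src_ip, UNKNOWN_SGT)

    def forward(self, pkt: Packet):
        """Return (SGT enforced on this device, packet as it leaves)."""
        sgt = self.classify(pkt)
        src = self.nat.get(pkt.src_ip, pkt.src_ip) if self.nat else pkt.src_ip
        # The egress tag is the SGT classified at ingress. NAT does not
        # re-classify on the translated address, which is why a CLI binding
        # for the NAT IP is invisible downstream while the tag rides inline.
        out = Packet(src, pkt.dst_ip, sgt if self.inline_tagging else None)
        return sgt, out


def sxp_export(speaker: Device, listener: Device) -> None:
    """Model of SXP: the listener learns the speaker's IP-to-SGT bindings."""
    listener.bindings.update(speaker.bindings)


# Constructed SGACL matrix keyed by (source SGT, destination SGT).
SGACL = {(133, 10): "permit", (200, 10): "deny"}


def enforce(src_sgt: int, dst_sgt: int) -> str:
    return SGACL.get((src_sgt, dst_sgt), "deny")  # unknown pairs are denied


def run_scenario(inline_tagging: bool, nat_ip_sgt: Optional[int]):
    """Drive one packet from 192.0.2.5 through the NAT device to the
    secondary device. nat_ip_sgt is the SGT 'changed via CLI' for the NAT IP."""
    primary = Device("primary", {"192.0.2.5": 133},
                     inline_tagging=inline_tagging,
                     nat={"192.0.2.5": "198.51.100.10"})
    if nat_ip_sgt is not None:
        primary.bindings["198.51.100.10"] = nat_ip_sgt
    secondary = Device("secondary", {"203.0.113.7": 10})  # destination's SGT
    if not inline_tagging:
        sxp_export(primary, secondary)  # no TrustSec link: bindings come via SXP

    pkt = Packet("192.0.2.5", "203.0.113.7", sgt=133)
    primary_sgt, on_wire = primary.forward(pkt)
    secondary_sgt, _ = secondary.forward(on_wire)
    dst_sgt = secondary.bindings[on_wire.dst_ip]
    return primary_sgt, on_wire.src_ip, secondary_sgt, enforce(secondary_sgt, dst_sgt)


if __name__ == "__main__":
    print("inline, no CLI change :", run_scenario(True, None))   # ... 133, permit
    print("inline, CLI sets 200  :", run_scenario(True, 200))    # ... 133, permit
    print("SXP, CLI sets 200     :", run_scenario(False, 200))   # ... 200, deny
    print("SXP, no NAT binding   :", run_scenario(False, None))  # ... 0, deny
```

The fourth run is the case the text does not spell out: with inline tagging disabled and no binding for the NAT address, the secondary device has nothing to classify on and the flow falls to the unknown SGT. If the intent is to re-classify translated traffic on the far side, the binding for the NAT IP is what carries that intent, and it is honored only when the tag is not arriving inline.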

SGT Inline Tagging with IPv6 Multicast Traffic

Layer 2 inline tagging is also supported for IPv6 multicast traffic, provided the multicast packets originate from unicast IPv6 source addresses.

Guidelines for SGT Inline Tagging

These restrictions apply to Cisco C9610 Series Smart Switches:

  • System-generated packets leaving a Cisco TrustSec enabled interface are not sent with the Cisco TrustSec tag.

  • VLAN-based SGT assignment and VLAN-based enforcement are not supported.

  • Q-in-Q VLAN tagging is not supported together with the Cisco TrustSec header.

  • In a multisite VXLAN fabric, handoff is not supported.

  • SGT-aware features such as Flexible NetFlow, Policy-Based Routing (PBR), and Quality of Service (QoS) are not supported.

  • Broadcast, unknown unicast, and multicast (BUM) traffic is not tagged with an SGT or Cisco TrustSec header.

  • With Dynamic Host Configuration Protocol (DHCP) snooping enabled, DHCP packets that ingress on Cisco TrustSec enabled ports are discarded.

  • Irrespective of the cts manual configuration on the egress interface, the device neither adds nor removes the Cisco MetaData header for Layer 2 traffic.

Configure SGT Inline Tagging

To configure SGT inline tagging, perform this task.

Procedure


Step 1

enable

Example:

Device# enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface {gigabitethernet port | vlan number}

Example:

Device(config)# interface gigabitethernet 1/0/1

Configures the interface on which Cisco TrustSec SGT authorization and forwarding is enabled, and enters interface configuration mode.

Step 4

cts manual

Example:

Device(config-if)# cts manual

Enables Cisco TrustSec SGT authorization and forwarding on the interface, and enters Cisco TrustSec manual interface configuration mode.

Step 5

propagate sgt

Example:

Device(config-if-cts-manual)# propagate sgt

Enables Cisco TrustSec SGT propagation on an interface.

Note

 

Use this command when the peer device can receive SGT-over-Ethernet frames (that is, when the peer supports the Cisco EtherType CMD 0x8909 frame format).

Step 6

policy static sgt tag [trusted]

Example:

Device(config-if-cts-manual)# policy static sgt 77 trusted

Configures a static SGT ingress policy on the interface and defines the trustworthiness of an SGT received on the interface.

Note

 

The trusted keyword indicates that the interface is trustworthy for Cisco TrustSec. The SGT value received in the Ethernet packet on this interface is trusted and will be used by the device for any SG-aware policy enforcement or for the purpose of egress-tagging.

Step 7

end

Example:

Device(config-if-cts-manual)# end

Exits Cisco TrustSec manual interface configuration mode and enters privileged EXEC mode.


Example: Configure SGT Static Inline Tagging

This example shows how to enable an interface on the device for L2-SGT tagging (imposition) and how to define whether the interface is trusted for Cisco TrustSec.

Device# configure terminal
Device(config)# interface gigabitethernet 1/0/1
Device(config-if)# cts manual
Device(config-if-cts-manual)# propagate sgt
Device(config-if-cts-manual)# policy static sgt 77 trusted
Device(config-if-cts-manual)# end