Configuring Cisco TrustSec

Information about Cisco TrustSec

Cisco TrustSec provides security improvements to Cisco network devices based on the capability to strongly identify users, hosts, and network devices within a network. TrustSec provides topology-independent and scalable access controls by uniquely classifying data traffic for a particular role. TrustSec ensures data confidentiality and integrity by establishing trust among authenticated peers and encrypting links with those peers.

The key component of Cisco TrustSec is the Cisco Identity Services Engine (ISE). Cisco ISE can provision switches with TrustSec Identities and Security Group ACLs (SGACLs), though these may be configured manually on the switch.

Feature Information for Cisco TrustSec

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for Cisco TrustSec

Feature Name: Cisco TrustSec

Releases: Cisco IOS XE Everest 16.6.1

Feature Information: Cisco TrustSec provides security improvements to Cisco network devices based on the capability to strongly identify users, hosts, and network devices within a network. Cisco TrustSec provides topology-independent and scalable access controls by uniquely classifying data traffic for a particular role. Cisco TrustSec ensures data confidentiality and integrity by establishing trust among authenticated peers and encrypting links with those peers.

This feature was implemented on the following platforms:

  • Cisco Catalyst 9400 Series Switches

Information about Cisco TrustSec SGT Caching

Note: This feature is not supported on the C9500-12Q, C9500-16X, C9500-24Q, and C9500-40X models of the Cisco Catalyst 9500 Series Switches.

The Security Group Tag (SGT) caching feature creates a cache of source IP address, VRF, and SGT bindings when the switch receives new IP packets carrying a valid SGT. These IP-SGT bindings are used to add the CMD header (which carries the SGT) back to the outgoing packet after DPI processing.

Deep Packet Inspection (DPI) services are required in data center deployments. In a network where non-Cisco products coexist with Cisco products, the service layer may be unaware of the Cisco proprietary SGT. In such cases, the SGT is stripped from the packet and the packet is forwarded to the service layer for regular DPI processing. After DPI services are applied, the SGT information must be added back to the packet to prevent loss of the SGT.

SGT caching is applicable in the following two scenarios:

  1. One-arm services

    In this scenario, the SGT is stripped from incoming packets before they are sent to the service. When the packets return to the switch after the service is applied, SGT caching allows the switch to use the SGT from the cache to re-apply the tag. The switch can then apply SGACL enforcement locally or forward the packets to other CTS-capable devices.

  2. Bump-in-the-wire services

    In this scenario, packets go through the service and do not return to the redirecting switch. SXP (SGT Exchange Protocol) uses the cache created by the SGT caching feature to export the learned bindings to the next-hop switch. The post-service switch or next-hop switch re-applies the SGT to the packets.

Note:

  • This feature requires the Network Advantage license with the DNA Advantage add-on.

  • The SGT caching feature is supported only in the ingress direction and only on CTS-trusted Layer 3 physical ports. It is supported only for IPv4 packets, not IPv6.

  • Packets sent to the CPU are rate limited, and packets denied by an egress ACL/SGACL are not cached.

  • SGT caching entries can be scaled up to 64K (65,536).


Configure SGT Caching

  • Use this command to enable SGT caching on all interfaces in the ingress direction. If SGT caching is already configured on any interface, this command is rejected.

    CLI1 – Config# [no] cts role-based sgt-caching

  • Use this command to enable SGT caching on a single interface in the ingress direction. SGT caching does not support interface-level configuration in the egress direction. If SGT caching is already configured globally, this command has no effect.

    CLI2 – Config-if# [no] cts role-based sgt-caching ingress

View SGT Caching Bindings

Use the show cts role-based sgt-map all command to display the SGT bindings learned by IOSd from the different sources, such as CLI, SXP, internal, and caching.

Clearing Cached Entries

The cached entries are cleared by any of the following:

  • Removing the SGT caching configuration.

  • Interface shutdown (of the ingress port where caching is enabled).

  • Default timeout (not configurable): a cached entry that is inactive for 300 seconds is cleared.
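The following is an added illustrative model (not Cisco code) of the one-arm scenario and the clearing rules described above: bindings are learned from ingress packets carrying a SGT, looked up to re-tag packets returning from DPI, and dropped on interface shutdown, on removal of the configuration, or after 300 seconds of inactivity. The class name, the injectable clock, and the assumption that a cache hit counts as activity are mine.

```python
import ipaddress
import time

# Values stated in the page: 300 s inactivity timeout (not configurable), 64K entries.
CACHE_TIMEOUT_SECONDS = 300
CACHE_MAX_ENTRIES = 65536


class SgtCache:
    """Illustrative model of the IP-SGT binding cache (not Cisco's implementation)."""

    def __init__(self, now=time.monotonic):
        self._now = now  # injectable clock so expiry can be exercised offline
        self._entries = {}  # (vrf, src_ip) -> [sgt, last_seen, ingress_interface]

    def _expire(self):
        cutoff = self._now() - CACHE_TIMEOUT_SECONDS
        for key in [k for k, v in self._entries.items() if v[1] <= cutoff]:
            del self._entries[key]

    def learn(self, vrf, src_ip, sgt, ifname, trusted_l3=True, sgacl_denied=False):
        """Cache a binding from an ingress packet that carries a valid SGT.
        Returns False for the cases the page excludes: ingress port not a
        CTS-trusted L3 port, IPv6, packets denied by egress ACL/SGACL, full cache."""
        addr = ipaddress.ip_address(src_ip)
        if not trusted_l3 or sgacl_denied or addr.version != 4 or sgt is None:
            return False
        self._expire()
        key = (vrf, str(addr))
        if key not in self._entries and len(self._entries) >= CACHE_MAX_ENTRIES:
            return False
        self._entries[key] = [sgt, self._now(), ifname]
        return True

    def reapply(self, vrf, src_ip):
        """SGT to put back into the CMD header of a packet returning from DPI,
        or None if no live binding exists. Assumption: a hit refreshes the timer."""
        self._expire()
        entry = self._entries.get((vrf, str(ipaddress.ip_address(src_ip))))
        if entry is None:
            return None
        entry[1] = self._now()
        return entry[0]

    def clear_interface(self, ifname):
        """Interface shutdown: drop entries learned on that ingress port."""
        for key in [k for k, v in self._entries.items() if v[2] == ifname]:
            del self._entries[key]

    def clear(self):
        """Removing the SGT caching configuration clears every entry."""
        self._entries.clear()

    def __len__(self):
        return len(self._entries)
```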