Cisco TrustSec uses security group tags (SGTs) to ensure that packets passing through the Cisco TrustSec network can be properly identified and applied with security and other access control policies.
The SGT implementation of VRF binds a Security Group Tag (SGT) Exchange Protocol (SXP) connection to a specific VRF. The assumption is that the network topology is configured for Layer 2 or Layer 3 VPNs, with all VRFs configured before enabling Cisco TrustSec.
SXP VRF support can be summarized as follows:
- The same VRF can have multiple SXP connections, with different source and peer IP addresses. SXP has no limitation on the number of connections or the number of IP–SGT mappings per VRF.
- Different VRFs may have overlapping SXP peer or source IP addresses.
- IP–SGT mappings learned (added or deleted) in one VRF can be updated only in the same VRF domain. An SXP connection cannot update a mapping bound to a different VRF. If no SXP connection exists for a VRF, the IP–SGT mappings for that VRF are not updated by SXP.
- Multiple address families per VRF are supported. Therefore, one SXP connection in a VRF domain can forward both IPv4 and IPv6 IP–SGT mappings.
You can map an SGT to a VRF using the cts role-based sgt-map vrf vrf-name command.
VRF-to-Layer 2 VLAN assignments are specified with the cts role-based l2-vrf vrf-name vlan-list command. A VLAN is considered a Layer 2 VLAN when there is no switch virtual interface (SVI) with an IP address configured on the VLAN. The VLAN becomes a Layer 3 VLAN once an IP address is configured on its SVI.
VRF assignments configured by the cts role-based l2-vrf command are active as long as a VLAN remains a Layer 2 VLAN.
Note: Cisco IOS XE 3.9.2E on the Catalyst 4500 Series Switch supports VRF-aware SGT only for Layer 3 VLANs.
The IP–SGT bindings learned while a VRF assignment is active are also added to the Forwarding Information Base (FIB) table associated with the VRF and the IP protocol version. If an SVI becomes active for a VLAN, the VRF-to-VLAN assignment becomes inactive and all bindings learned on the VLAN are moved to the FIB table associated with the SVI’s VRF.
The VRF-to-VLAN assignment is retained even when the assignment becomes inactive. It is reactivated when the SVI is removed or when the SVI IP address is removed. When reactivated, the IP–SGT bindings are moved back from the FIB table associated with the SVI’s VRF to the FIB table associated with the VRF assigned by the cts role-based l2-vrf command.
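The following configuration is an added illustration of the behaviour described above and is not taken from the Cisco document: two VRFs, each with its own SXP listener connection (deliberately using overlapping peer and source addresses), a static IP–SGT mapping scoped per VRF with cts role-based sgt-map vrf, and Layer 2 VLANs bound to VRFs with cts role-based l2-vrf. VRF names, IP addresses, VLAN numbers, SGT values and the password are assumed values chosen for the example.

```cisco
! Added example, not from the Cisco page. All names, addresses, VLANs,
! SGT numbers and the password below are assumed values for illustration.
!
! VRFs are defined before Cisco TrustSec is enabled, as the text assumes.
vrf definition CUSTOMER-A
 address-family ipv4
 exit-address-family
!
vrf definition CUSTOMER-B
 address-family ipv4
 exit-address-family
!
! Enable SXP and set the default connection password (placeholder value).
cts sxp enable
cts sxp default password 0 ExamplePassw0rd
!
! One SXP listener connection per VRF. The same peer/source pair is used
! in both VRFs to show that different VRFs may overlap; each connection
! updates IP-SGT mappings only in its own VRF domain.
cts sxp connection peer 10.1.1.1 source 10.1.1.2 password default mode local listener vrf CUSTOMER-A
cts sxp connection peer 10.1.1.1 source 10.1.1.2 password default mode local listener vrf CUSTOMER-B
!
! Static IP-SGT mappings scoped to a VRF. The same prefix maps to a
! different SGT in each VRF without conflict.
cts role-based sgt-map vrf CUSTOMER-A 10.10.0.0/24 sgt 100
cts role-based sgt-map vrf CUSTOMER-B 10.10.0.0/24 sgt 200
!
! VRF-to-Layer 2 VLAN assignments. They stay active only while the VLAN
! has no SVI with an IP address; IP-SGT bindings learned on VLAN 10 or 11
! are installed in the IPv4 FIB of CUSTOMER-A while the assignment is active.
cts role-based l2-vrf CUSTOMER-A vlan-list 10,11
cts role-based l2-vrf CUSTOMER-B vlan-list 20
!
! Configuring an addressed SVI on VLAN 10 (shown commented out) would make
! the l2-vrf assignment for VLAN 10 inactive and move its bindings to the
! FIB of the SVI's VRF (CUSTOMER-B here). Removing the SVI or its IP address
! reactivates the assignment and moves the bindings back to CUSTOMER-A.
! interface Vlan10
!  vrf forwarding CUSTOMER-B
!  ip address 10.20.0.1 255.255.255.0
!
! Per-VRF verification of the SXP connection state and the learned mappings.
! show cts sxp connections vrf CUSTOMER-A
! show cts role-based sgt-map vrf CUSTOMER-A all
```

On a Catalyst 4500 running IOS XE 3.9.2E, only the Layer 3 VLAN case is supported, so the l2-vrf assignments above would apply to other platforms that support Layer 2 VLANs.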
Starting with Cisco IOS XE 3.9.2E, you can assign SGTs to endpoint IDs (EIDs) in the LISP configuration with the VRF-aware SGT feature.