Information about Cisco TrustSec
Cisco TrustSec provides security improvements to Cisco network devices based on the capability to strongly identify users, hosts, and network devices within a network. TrustSec provides topology-independent and scalable access controls by uniquely classifying data traffic for a particular role. TrustSec ensures data confidentiality and integrity by establishing trust among authenticated peers and encrypting links with those peers.
The key component of Cisco TrustSec is the Cisco Identity Services Engine (ISE). Cisco ISE can provision switches with TrustSec Identities and Security Group ACLs (SGACLs), though these may be configured manually on the switch.
![]() Note |
You should manually clear the CTS environment data using the clear cts environment-data command before changing CTS server to a new one. This ensures that you get the updated data while running show cts environment-data command. |
![]() Note |
SGT inline tagging is not supported when port channel uplink is in use on the controller. |
MTU Guidelines
CTS tagged packets greater than 1518 bytes may get dropped on the controller. This is due to a restriction on the size of incoming packets on the UCS server, which is hosting controller instances. The UCS server have a default MTU of 1500 thereby allowing packets of 1518 bytes only. Here, the additional 18 bytes includes 4 bytes of 802.1Q and 14 bytes of Ethernet header.
An Ethernet link configured for CTS tagging imposes a 8-byte encapsulation called Cisco metadata. As a result, the total size of the Ethernet packet is increased by 8 bytes to 1526 bytes (1518+8 = 1526). Hence, the MTU of the receiving interface has to be increased by 8-bytes to accommodate the additional 8 bytes in the Ethernet.
While CTS interfaces on the routers and switches (for example, Cisco ASR 1000 Series Routers, Cisco 4000 Series Integrated Services Routers, Cisco Catalyst 3000 Series Switches, Cisco Catalyst 9000 Series Switches) auto-adjusts MTU to 1508 bytes to accommodate additional 8-byte. However, other devices like UCS servers requires manual update to increase the MTU to 1508. For information on how to configure jumbo MTU on UCS, see the following link:
https://www.cisco.com/c/en/us/support/docs/servers-unified-computing/ucs-b-series-blade-servers/117601-configure-UCS-00.html