TrustSec SGT Handling L2 SGT Imposition and Forwarding

TrustSec SGT Handling: L2 SGT Imposition and Forwarding

Last Updated: July 25, 2011

First Published: July 25, 2011

Cisco TrustSec (CTS) builds secure networks by establishing domains of trusted network devices. Each device in the domain is authenticated by its peers. Communication on the links between devices in the domain is secured with a combination of encryption, message integrity check, and data-path replay protection mechanisms.

The TrustSec SGT Handling: L2 SGT Imposition and Forwarding feature allows the interfaces in a router to be manually enabled for CTS so that the router can insert the Security Group Tag (SGT) in the packet to be carried throughout the network in the CTS header.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for TrustSec SGT Handling: L2 SGT Imposition and Forwarding

The CTS network needs to be established with the following prerequisites before implementing the TrustSec SGT Handling: L2 SGT Imposition and Forwarding feature:

  • Connectivity exists between all network devices
  • Cisco Secure Access Control System (ACS) 5.1 operates with a CTS-SXP license
  • Directory, DHCP, DNS, certificate authority, and NTP servers function within the network
  • Configure the retry open timer command to a different value on different routers.

Information about TrustSec SGT Handling: L2 SGT Imposition and Forwarding

Security Groups and SGTs

A security group is a grouping of users, endpoint devices, and resources that share access control policies. Security groups are defined by the administrator in the ACS. As new users and devices are added to the Cisco TrustSec (CTS) domain, the authentication server assigns these new entities to appropriate security groups. CTS assigns to each security group a unique 16-bit security group number whose scope is global within a CTS domain. The number of security groups in the router is limited to the number of authenticated network entities. Security group numbers do not need to be manually configured.

Once a device is authenticated, CTS tags any packet that originates from that device with an SGT that contains the security group number of the device. The packet carries this SGT throughout the network within the CTS header. The SGT is a single label that determines the privileges of the source within the entire CTS domain. The SGT is identified as the source because it contains the security group of the source. The destination device is assigned a destination group tag (DGT).

Note


The CTS packet tag does not contain the security group number of the destination device.

How to Configure TrustSec SGT Handling: L2 SGT Imposition and Forwarding

Manually Enabling TrustSec SGT Handling: L2 SGT Imposition and Forwarding on an Interface

Follow these steps to manually enable an interface on the router for CTS so that the router can add SGT in the packet to be propagated throughout the network:

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    interface {GigabitEthernetport | Vlan number}

4.    cts manual

5.    end

6.    show cts interface [GigabitEthernetport | Vlan number | brief | summary]


DETAILED STEPS
 Command or ActionPurpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
interface {GigabitEthernetport | Vlan number}


Example:

Router(config)# interface gigabitethernet 0

 

Enters the interface on which CTS SGT authorization and forwarding is enabled

 
Step 4
cts manual


Example:

Router(config-if)# cts manual

 

Enables the interface for CTS SGT authorization and forwarding.

CTS manual interface configuration mode is entered.

 
Step 5
end


Example:

Router(config-if-cts-manual)# end

 

Exits CTS manual interface configuration mode and enters privileged EXEC mode.

 
Step 6
show cts interface [GigabitEthernetport | Vlan number | brief | summary]


Example:

Router# show cts interface brief Global Dot1x feature is Disabled Interface GigabitEthernet0/1/0: CTS is enabled, mode: MANUAL IFC state: OPEN Interface Active for 00:00:40.386 Authentication Status: NOT APPLICABLE Peer identity: "unknown" Peer's advertised capabilities: "" Authorization Status: NOT APPLICABLE SAP Status: NOT APPLICABLE Propagate SGT: Enabled Cache Info: Cache applied to link : NONE

 

Displays CTS configuration statistics for the interface.

 

Disabling CTS SGT Propagation on an Interface

Follow these steps to disable CTS SGT Propagation on an interface in an instance when a peer device is not capable of receiving an SGT.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    interface {GigabitEthernetport | Vlan number}

4.    cts manual

5.    no propagate sgt

6.    end

7.    show cts interface [GigabitEthernetport | Vlan number | brief | summary]


DETAILED STEPS
 Command or ActionPurpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
interface {GigabitEthernetport | Vlan number}


Example:

Router(config)# interface gigabitethernet 0

 

Enters the interface on which CTS SGT authorization and forwarding is enabled

 
Step 4
cts manual


Example:

Router(config-if)# cts manual

 

Enables the interface for CTS SGT authorization and forwarding.

CTS manual interface configuration mode is entered where CTS parameters can be configured.

 
Step 5
no propagate sgt


Example:

Router(config-if-cts-manual)# no propagate sgt

 
Disables CTS SGT propagation on an interface in situations where a peer device is not capable of receiving an SGT.
Note   CTS SGT propagation is enabled by default. The propagate sgt command can be used if CTS SGT propagation needs to be turned on again for a peer device.

Once the no propagate sgt command is entered, the SGT tag is not added in the L2 header.

 
Step 6
end


Example:

Router(config-if-cts-manual)# end

 

Exits CTS manual interface configuration mode and enters privileged EXEC mode.

 
Step 7
show cts interface [GigabitEthernetport | Vlan number | brief | summary]


Example:

Router# show cts interface brief Global Dot1x feature is Disabled Interface GigabitEthernet0: CTS is enabled, mode: MANUAL IFC state: OPEN Authentication Status: NOT APPLICABLE Peer identity: "unknown" Peer's advertised capabilities: "" Authorization Status: NOT APPLICABLE SAP Status: NOT APPLICABLE Propagate SGT: Disabled Cache Info: Cache applied to link : NONE

 

Displays CTS configuration statistics to verify that CTS SGT propagation was disabled on interface.

 

Additional References

MIBs

MIB

MIBs Link

None

To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for TrustSec SGT Handling: L2 SGT Imposition and Forwarding

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1Feature Information for TrustSec SGT Handling: L2 SGT Imposition and Forwarding
Feature Name Releases Feature Information

TrustSec SGT Handling: L2 SGT Imposition and Forwarding

Cisco IOS XE Release 3.4S

15.1(3)S

This feature allows the interfaces in a router to be manually enabled for CTS so that the router can insert the Security Group Tag (SGT) in the packet to be carried throughout the network in the CTS header.

This feature was introduced in Cisco IOS Release 15.1(3)S.

This feature was introduced in Cisco IOS XE Release 3.4S.

The following commands were introduced or modified: cts manual, propagate sgt, show cts interface.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.