TrustSec SGT Handling: L2 SGT Imposition and Forwarding

First Published: July 25, 2011

Cisco TrustSec (CTS) builds secure networks by establishing domains of trusted network devices. Each device in the domain is authenticated by its peers. Communication on the links between devices in the domain is secured with a combination of encryption, message integrity check, and data-path replay protection mechanisms.

The TrustSec SGT Handling: L2 SGT Imposition and Forwarding feature allows the interfaces in a router to be manually enabled for CTS so that the router can insert the Security Group Tag (SGT) in the packet to be carried throughout the network in the CTS header.

Prerequisites for TrustSec SGT Handling: L2 SGT Imposition and Forwarding

The CTS network needs to be established with the following prerequisites before implementing the TrustSec SGT Handling: L2 SGT Imposition and Forwarding feature:

  • Connectivity exists between all network devices

  • Cisco Secure Access Control System (ACS) 5.1 operates with a CTS-SXP license

  • Directory, DHCP, DNS, certificate authority, and NTP servers function within the network

  • Configure the retry open timer command to a different value on different routers.

Information about TrustSec SGT Handling: L2 SGT Imposition and Forwarding

Security Groups and SGTs

A security group is a grouping of users, endpoint devices, and resources that share access control policies. Security groups are defined by the administrator in the ACS. As new users and devices are added to the Cisco TrustSec (CTS) domain, the authentication server assigns these new entities to appropriate security groups. CTS assigns to each security group a unique 16-bit security group number whose scope is global within a CTS domain. The number of security groups in the router is limited to the number of authenticated network entities. Security group numbers do not need to be manually configured.

Once a device is authenticated, CTS tags any packet that originates from that device with an SGT that contains the security group number of the device. The packet carries this SGT throughout the network within the CTS header. The SGT is a single label that determines the privileges of the source within the entire CTS domain. The SGT is identified as the source because it contains the security group of the source. The destination device is assigned a destination group tag (DGT).

Note

The CTS packet tag does not contain the security group number of the destination device.

How to Configure TrustSec SGT Handling: L2 SGT Imposition and Forwarding

Manually Enabling TrustSec SGT Handling: L2 SGT Imposition and Forwarding on an Interface

Perform the following steps to manually enable an interface on the device for Cisco TrustSec (CTS) so that the device can add Security Group Tag (SGT) in the packet to be propagated throughout the network and to implement a static authorization policy.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface {GigabitEthernet port | Vlan number}
  4. cts manual
  5. policy static sgt tag [trusted]
  6. end
  7. show cts interface [GigabitEthernet port | Vlan number | brief | summary]

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface {GigabitEthernet port | Vlan number}

Example:

Device(config)# interface gigabitethernet 0

Enters the interface on which CTS SGT authorization and forwarding is enabled

Step 4

cts manual

Example:

Device(config-if)# cts manual

Enables the interface for CTS SGT authorization and forwarding, and enters CTS manual interface configuration mode.

Note

 

To enable the cts manual command on a subinterface, you must increase the IP MTU size to accommodate the additional bytes for the Dot1Q tag. This is applicable only for releases earlier than Cisco IOS XE Release 3.17.

Step 5

policy static sgt tag [trusted]

Example:

Device(config-if-cts-manual)# policy static sgt 100 trusted

Configures a static authorization policy for a CTS security group with a tagged packet that defines the trustworthiness of the SGT.

Step 6

end

Example:

Device(config-if-cts-manual)# end

Exits CTS manual interface configuration mode and enters privileged EXEC mode.

Step 7

show cts interface [GigabitEthernet port | Vlan number | brief | summary]

Example:

Device# show cts interface brief

Displays CTS configuration statistics for the interface.

Example:

The following is sample output for the show cts interface brief command.

Cisco ASR 1000 Series Aggregation Services Routers and Cisco Cloud Services Router 1000V Series 
Device# show cts interface brief

Global Dot1x feature is Disabled
 Interface GigabitEthernet0/1/0:
     CTS is enabled, mode:    MANUAL
     IFC state:               OPEN
     Interface Active for 00:00:40.386
     Authentication Status:   NOT APPLICABLE
         Peer identity:       "unknown"
         Peer's advertised capabilities: ""
     Authorization Status:    NOT APPLICABLE
     SAP Status:              NOT APPLICABLE
     Propagate SGT:           Enabled
     Cache Info:
         Cache applied to link : NONE


Cisco 4400 Series Integrated Services Routers 
Device# show cts interface brief

Interface GigabitEthernet0/1/0
    CTS is enabled, mode:     MANUAL
      Propagate SGT:          Enabled
      Static Ingress SGT Policy:
        Peer SGT:             100
        Peer SGT assignment:  Trusted

Disabling CTS SGT Propagation on an Interface

Follow these steps to disable CTS SGT Propagation on an interface in an instance when a peer device is not capable of receiving an SGT.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface {GigabitEthernetport | Vlan number}
  4. cts manual
  5. no propagate sgt
  6. end
  7. show cts interface [GigabitEthernetport | Vlan number | brief | summary]

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface {GigabitEthernetport | Vlan number}

Example:

Device(config)# interface gigabitethernet 0

Enters the interface on which CTS SGT authorization and forwarding is enabled

Step 4

cts manual

Example:

Device(config-if)# cts manual

Enables the interface for CTS SGT authorization and forwarding.

CTS manual interface configuration mode is entered where CTS parameters can be configured.

Step 5

no propagate sgt

Example:

Device(config-if-cts-manual)# no propagate sgt
Disables CTS SGT propagation on an interface in situations where a peer device is not capable of receiving an SGT.

Note

 

CTS SGT propagation is enabled by default. The propagate sgt command can be used if CTS SGT propagation needs to be turned on again for a peer device.

Once the no propagate sgt command is entered, the SGT tag is not added in the L2 header.

Step 6

end

Example:

Device(config-if-cts-manual)# end

Exits CTS manual interface configuration mode and enters privileged EXEC mode.

Step 7

show cts interface [GigabitEthernetport | Vlan number | brief | summary]

Example:


Device# show cts interface brief
Global Dot1x feature is Disabled
Interface GigabitEthernet0:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: ""
    Authorization Status:    NOT APPLICABLE
    SAP Status:              NOT APPLICABLE
    Propagate SGT:           Disabled
    Cache Info:
        Cache applied to link : NONE

Displays CTS configuration statistics to verify that CTS SGT propagation was disabled on interface.

Additional References for TrustSec SGT Handling: L2 SGT Imposition and Forwarding

Related Documents

Related Topic

Document Title

Security commands

Cisco IOS Security Command Reference: Commands A to C

Cisco IOS Security Command Reference: Commands D to L

Cisco IOS Security Command Reference: Commands M to R

Cisco IOS Security Command Reference: Commands S to Z

Cisco TrustSec switches

Cisco TrustSec Switch Configuration Guide

MIBs

MIB

MIBs Link

CISCO-TRUSTSEC-SXP-MIB

To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for TrustSec SGT Handling: L2 SGT Imposition and Forwarding

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1. Feature Information for TrustSec SGT Handling: L2 SGT Imposition and Forwarding

Feature Name

Releases

Feature Information

TrustSec SGT Handling: L2 SGT Imposition and Forwarding

This feature allows the interfaces in a router to be manually enabled for CTS so that the router can insert the Security Group Tag (SGT) in the packet to be carried throughout the network in the CTS header.

  • Cisco CSR 1000V Router

  • Cisco ISR 4400 Router

  • Catalyst 3850 Series Switches

  • Catalyst 3650 Series Switches

  • Cisco 5700 Series Wireless LAN Controllers

  • Cisco Catalyst 4500E Supervisor Engine 7-E

  • Cisco Catalyst 4500E Supervisor Engine 7L-E

  • Cisco Catalyst 4500-X Series Switches

  • Cisco Catalyst 4500E Supervisor Engine 8-E

  • Cisco Catalyst 3850 Series Switches

  • Cisco Catalyst 3650 Series Switches

The following commands were introduced or modified: cts manual , policy static sgt , propagate sgt , show cts interface .