Cisco 3900 Series, Cisco 2900 Series, and Cisco 1900 Series Integrated Services Routers Generation 2 Software Configuration Guide
Chapter: Configuring Security Features
SGT over Ethernet Tagging
Cisco TrustSec (CTS) is an end-to-end network infrastructure that provides a scalable architecture for enforcement of role-based access control, identity-aware networking, and data confidentiality that helps to secure the network and its resources. CTS works by identifying and authenticating each network user and resource and assigning it a 16-bit number called a Security Group Tag (SGT). The SGT is then propagated between network hops to allow intermediary devices (switches and routers) to enforce policies based on the identity tag.
CTS-capable devices have built-in hardware capabilities that can send and receive packets with the SGT embedded in the MAC (L2) layer. This feature is called L2-SGT imposition. Ethernet interfaces on the device can be enabled for L2-SGT imposition so that the device inserts an SGT into each packet carried to its next-hop Ethernet neighbor. SGT over Ethernet Tagging is a type of hop-by-hop propagation of SGTs embedded in clear-text (unencrypted) Ethernet packets.
Restrictions for SGT over Ethernet Tagging 
• SGT over Ethernet Tagging is supported on plain-text Ethernet frames only.
• SGT over Ethernet Tagging is supported on on-board Gigabit Ethernet interfaces on the following Cisco ISR G2 Series routers:
– Cisco ISR G2 2951
– Cisco ISR G2 3945
– Cisco ISR G2 3900 E Series
– Cisco ISR G2 1921
– ISR G2 1941
– ISR G2 2901
– ISR G2 2911
– ISR G2 2921
Configuring SGT over Ethernet Tagging
Perform these steps to configure SGT over Ethernet Tagging.
SUMMARY STEPS
1. enable 
2. configure terminal 
3. interface gigabitethernet slot/port 
4. cts manual 
5. propagate sgt
6. policy static sgt tag [trusted] 
7. end
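The summary steps above applied to one on-board interface, as an added example that is not taken from this guide: the interface name (GigabitEthernet0/0), the SGT value (100) and the hostname (Router) are assumptions for illustration, and the closing show command is the check a practitioner would run afterwards.

```text
! Added example (not from the guide). Interface, SGT value and hostname are assumed.
Router> enable
Router# configure terminal
Router(config)# interface gigabitethernet 0/0
Router(config-if)# cts manual
! propagate sgt: the interface carries the SGT in the L2 (clear-text Ethernet) header.
Router(config-if-cts-manual)# propagate sgt
! policy static sgt 100 trusted: frames without an SGT are tagged 100; with "trusted",
! an SGT already present in an ingress frame is kept rather than overwritten.
! Omit "trusted" if the neighbor is not a device whose tags you want to honor.
Router(config-if-cts-manual)# policy static sgt 100 trusted
Router(config-if-cts-manual)# end
! Verify that the interface is in manual mode and propagating SGTs:
Router# show cts interface gigabitethernet 0/0
```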