Name: Cisco TrustSec
Brand: Cisco
Rating: 4 (1 reviews)

To Next Page

To Previous Page

1-13

Cisco TrustSec Configuration Guide

OL-22192-01

Chapter 1 Cisco TrustSec Overview

Using Cisco TrustSec-Incapable Devices and Networks in a Cisco TrustSec Network

Using Cisco TrustSec-Incapable Devices and Networks in a

Cisco TrustSec Network

This section includes the following topics:

• SXP for SGT Propagation Across Legacy Access Networks, page 1-13

SXP for SGT Propagation Across Legacy Access Networks

Tagging packets with SGTs requires hardware support. You might have devices in your network that,

while capable of participating in Cisco TrustSec authentication, lack the hardware capability to tag

packets with SGTs. By using the SGT Exchange Protocol (SXP), these devices can pass

IP-address-to-SGT mappings to a Cisco TrustSec peer device that has Cisco TrustSec-capable hardware.

SXP typically operates between ingress access layer devices at the Cisco TrustSec domain edge and

distribution layer devices within the Cisco TrustSec domain. The access layer device performs Cisco

TrustSec authentication of external source devices to determine the appropriate SGTs for ingress

packets. The access layer device learns the IP addresses of the source devices using IP device tracking

and (optionally) DHCP snooping, then uses SXP to pass the IP addresses of the source devices along

with their SGTs to the distribution switches. Distribution switches with Cisco TrustSec-capable

hardware can use this IP-to-SGT mapping information to tag packets appropriately and to enforce

SGACL policies (see Figure 1-6).

Figure 1-6 SXP Protocol to Propagate SGT Information

Src IP=1.1.1.1/ SGT = 3

HostB

(1.1.1.1)

SGT tagging

Cisco TrustSec

Src IP =1.1.1.1

Cisco TrustSec capable software

Cisco TrustSec incapable hardware

SXP protocol exchange

IP:1.1.1.1: SGT:3

IP:1.1.1.2: SGT:5

Cisco TrustSec enabled software

and hardware

HostA

(1.1.1.2)

187011

Questions and Answers:

Need help?

Do you have a question about the Cisco TrustSec and is the answer not in the manual?

Cisco TrustSec Specifications

General

Category	Network Security
Functionality	Provides role-based access control, network segmentation, and policy enforcement.
Key Components	Security Group Tags (SGT), Security Exchange Protocol (SXP).
Authentication Methods	802.1X, MAC Authentication Bypass (MAB), Web Authentication
Security Group Tagging (SGT)	Assigns security group tags to users and devices for identity-based segmentation.
Security Exchange Protocol (SXP)	A protocol used to propagate SGT information across network devices.
Policy Enforcement	Enforces security policies based on SGTs and SGACLs.
Benefits	Enhanced security, simplified policy management, and improved compliance.
Encryption	Supports encryption for data in transit through IPsec and MACsec.
Scalability	Scalable to large enterprise networks with thousands of devices.
Compatibility	Compatible with a wide range of Cisco network devices.
Description	Cisco TrustSec is a security architecture framework designed to build secure networks. It uses identity-based access control to segment the network and enforce policies based on user roles and device types, rather than relying solely on IP addresses.