Name: Cisco TrustSec
Brand: Cisco
Rating: 4 (1 reviews)

To Next Page

To Previous Page

1-17

Cisco TrustSec Configuration Guide

OL-22192-01

Chapter 1 Cisco TrustSec Overview

Using Cisco TrustSec-Incapable Devices and Networks in a Cisco TrustSec Network

VRF-Aware SXP

The SXP implementation of Virtual Routing and Forwarding (VRF) binds an SXP connection with a

specific VRF. It is assumed that the network topology is correctly configured for Layer 2 or Layer 3

VPNs, with all VRFs configured before enabling Cisco TrustSec.

SXP VRF support can be summarized as follows:

• Only one SXP connection can be bound to one VRF.

• Different VRFs may have overlapping SXP peer or source IP addresses.

• IP–SGT mappings learned (added or deleted) in one VRF can be updated only in the same VRF

domain. The SXP connection cannot update a mapping bound to a different VRF. If no SXP

connection exits for a VRF, IP–SGT mappings for that VRF won’t be updated by SXP.

• Multiple address families per VRF is supported. Therefore, one SXP connection in a VRF domain

can forward both IPV4 and IPV6 IP-SGT mappings.

• SXP has no limitation on the number of connections and number of IP–SGT mappings per VRF.

Layer 2 VRF-Aware SXP and VRF Assignment

VRF to Layer 2 VLANs assignments are specified with the cts role-based l2-vrf vrf-name vlan-list

global configuration command. A VLAN is considered a Layer 2 VLAN as long as there is no switch

virtual interface (SVI) with an IP address configured on the VLAN. The VLAN becomes a Layer 3

VLAN once an IP address is configured on its SVI.

The VRF assignments configured by the cts role-based l2-vrf command are active as long as a VLAN

remains a Layer 2 VLAN. The IP–SGT bindings learned while a VRF assignment is active are also added

to the Forwarding Information Base (FIB) table associated with the VRF and the IP protocol version. If

an SVI becomes active for a VLAN, the VRF to VLAN assignment becomes inactive and all the bindings

learned on the VLAN are moved to the FIB table associated with the SVI’s VRF.

The VRF to VLAN assignment is retained even when the assignment becomes inactive. It is reactivated

when the SVI is removed or when the SVI IP address is deconfigured. When reactivated, the IP–SGT

bindings are moved back from the FIB table associated with the SVI's VRF to the FIB table associated

with the VRF assigned by the cts role-based l2-vrf command.

Questions and Answers:

Need help?

Do you have a question about the Cisco TrustSec and is the answer not in the manual?

Cisco TrustSec Specifications

General

Category	Network Security
Functionality	Provides role-based access control, network segmentation, and policy enforcement.
Key Components	Security Group Tags (SGT), Security Exchange Protocol (SXP).
Authentication Methods	802.1X, MAC Authentication Bypass (MAB), Web Authentication
Security Group Tagging (SGT)	Assigns security group tags to users and devices for identity-based segmentation.
Security Exchange Protocol (SXP)	A protocol used to propagate SGT information across network devices.
Policy Enforcement	Enforces security policies based on SGTs and SGACLs.
Benefits	Enhanced security, simplified policy management, and improved compliance.
Encryption	Supports encryption for data in transit through IPsec and MACsec.
Scalability	Scalable to large enterprise networks with thousands of devices.
Compatibility	Compatible with a wide range of Cisco network devices.
Description	Cisco TrustSec is a security architecture framework designed to build secure networks. It uses identity-based access control to segment the network and enforce policies based on user roles and device types, rather than relying solely on IP addresses.