Name: Cisco TrustSec
Brand: Cisco
Rating: 4 (1 reviews)

To Next Page

To Previous Page

3-7

Cisco TrustSec Configuration Guide

OL-22192-02

Chapter 3 Configuring Identities, Connections, and SGTs

Configuring Cisco TrustSec and MACsec in Manual Mode on an Uplink Port

Step 4

Router(config-if-cts-manual)# [no] sap pmk

key [mode-list mode1 [mode2 [mode3

[mode4]]]]

(Optional) Configures the SAP pairwise master key

(PMK) and operation mode. SAP is disabled by

default in Cisco TrustSec manual mode.

• key—A hexadecimal value with an even number

of characters and a maximum length of 32

characters.

The SAP operation mode options are:

• gcm— Authentication and encryption

• gmac— Authentication, no encryption

• no-encap— No encapsulation

• null— Encapsulation, no authentication or

encryption

Note MACsec with SAP is not supported on the

Catalyst 3K switches.

Note If the interface is not capable of SGT

insertion or data link encryption, no-encap

is the default and the only available SAP

operating mode.

Step 5

Router(config-if-cts-manual)# [no] policy

dynamic identity peer-name

(Optional) Configures Identity Port Mapping (IPM)

to allow dynamic authorization policy download

from authorization server based on the identity of

the peer. See the additional usage notes following

this task.

• peer-name—The Cisco TrustSec device ID for

the peer device. The peer name is case sensitive.

Note Ensure that you have configured the Cisco

TrustSec credentials (see “Configuring

Credentials and AAA for a Cisco TrustSec

Seed Device” section on page 3-2).

Router(config-if-cts-manual)# [no] policy

static sgt tag [trusted]

(Optional) Configures a static authorization policy.

See the additional usage notes following this task.

• tag—The SGT in decimal format. The range is

1 to 65533.

• trusted—Indicates that ingress traffic on the

interface with this SGT should not have its tag

overwritten.

Step 6

Router(config-if-cts-manual)# [no]

propagate sgt

(Optional) The no form of this command is used

when the peer is incapable of processing an SGT.

The no propagate sgt command prevents the

interface from transmitting the SGT to the peer.

Step 7

Router(config-if-cts-manual)# exit

Exits Cisco TrustSec manual interface configuration

mode.

Step 8

Router(config-if)# shutdown

Disables the interface.

Command Purpose

Questions and Answers:

Need help?

Do you have a question about the Cisco TrustSec and is the answer not in the manual?

Cisco TrustSec Specifications

General

Category	Network Security
Functionality	Provides role-based access control, network segmentation, and policy enforcement.
Key Components	Security Group Tags (SGT), Security Exchange Protocol (SXP).
Authentication Methods	802.1X, MAC Authentication Bypass (MAB), Web Authentication
Security Group Tagging (SGT)	Assigns security group tags to users and devices for identity-based segmentation.
Security Exchange Protocol (SXP)	A protocol used to propagate SGT information across network devices.
Policy Enforcement	Enforces security policies based on SGTs and SGACLs.
Benefits	Enhanced security, simplified policy management, and improved compliance.
Encryption	Supports encryption for data in transit through IPsec and MACsec.
Scalability	Scalable to large enterprise networks with thousands of devices.
Compatibility	Compatible with a wide range of Cisco network devices.
Description	Cisco TrustSec is a security architecture framework designed to build secure networks. It uses identity-based access control to segment the network and enforce policies based on user roles and device types, rather than relying solely on IP addresses.