Cisco TrustSec Configuration Guide, OL-22192-02
Chapter 3  Configuring Identities, Connections, and SGTs
Page 3-8

Configuring Cisco TrustSec and MACsec in Manual Mode on an Uplink Port
Identity Port Mapping (IPM) configures a physical port such that a single SGT is imposed on all traffic entering the port; this SGT is applied on all IP traffic exiting the port until a new binding is learned. IPM is configured as follows:

- CTS Manual interface configuration mode with the policy static sgt tag command
- CTS Manual interface configuration mode with the policy dynamic identity peer-name command, where peer-name is designated as non-trusted in the Cisco ACS or Cisco ISE configuration.
IPM is supported for the following ports:

- Routed ports
- Switchports in access mode
- Switchports in trunk mode
When manually configuring Cisco TrustSec on an interface, consider these usage guidelines and restrictions:

- If no SAP parameters are defined, no Cisco TrustSec encapsulation or encryption will be performed.
- If the selected SAP mode allows SGT insertion and an incoming packet carries no SGT, the tagging policy is as follows:
  - If the policy static command is configured, the packet is tagged with the SGT configured in the policy static command.
  - If the policy dynamic command is configured, the packet is not tagged.
- If the selected SAP mode allows SGT insertion and an incoming packet carries an SGT, the tagging policy is as follows:
  - If the policy static command is configured without the trusted keyword, the SGT is replaced with the SGT configured in the policy static command.
  - If the policy static command is configured with the trusted keyword, no change is made to the SGT.
  - If the policy dynamic command is configured and the authorization policy downloaded from the authentication server indicates that the packet source is untrusted, the SGT is replaced with the SGT specified by the downloaded policy.
  - If the policy dynamic command is configured and the downloaded policy indicates that the packet source is trusted, no change is made to the SGT.
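The tagging rules above form a small decision table. The following Python model is an added illustration (not Cisco code) that encodes those rules so a configuration can be checked for whether a peer-supplied SGT is honored or overwritten; the class and field names are assumptions, and the sample interface mirrors the policy static sgt 111 example below.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the 'cts manual' ingress tagging rules on this page.
# Added illustration, not Cisco code; field names are assumptions.
@dataclass
class CtsManualPolicy:
    sap_defined: bool                 # any 'sap pmk ... mode-list ...' configured
    sgt_insertion_allowed: bool       # selected SAP mode allows SGT insertion
    policy: str                       # "static" or "dynamic"
    static_sgt: Optional[int] = None  # 'policy static sgt <n>'
    trusted: bool = False             # 'trusted' keyword on 'policy static'
    peer_trusted: bool = False        # downloaded authz policy marks the peer trusted (dynamic)
    downloaded_sgt: Optional[int] = None  # SGT from the downloaded policy (dynamic, untrusted)

def resulting_sgt(cfg: CtsManualPolicy, incoming_sgt: Optional[int]) -> Optional[int]:
    """SGT carried by traffic after ingress on the manual-mode port (None = untagged)."""
    if not cfg.sap_defined or not cfg.sgt_insertion_allowed:
        return None  # no CTS encapsulation, so no SGT is inserted on this link
    if incoming_sgt is None:
        # Untagged packet: static policy imposes its SGT, dynamic policy leaves it untagged.
        return cfg.static_sgt if cfg.policy == "static" else None
    if cfg.policy == "static":
        # Tagged packet: 'trusted' keeps the peer's SGT, otherwise it is overwritten.
        return incoming_sgt if cfg.trusted else cfg.static_sgt
    # Dynamic policy: the trust decision comes from the downloaded authorization policy.
    return incoming_sgt if cfg.peer_trusted else cfg.downloaded_sgt

def peer_sgt_is_honored(cfg: CtsManualPolicy) -> bool:
    """True when an SGT supplied by the peer survives ingress (the link is treated as trusted)."""
    return cfg.sap_defined and cfg.sgt_insertion_allowed and (
        cfg.trusted if cfg.policy == "static" else cfg.peer_trusted)

# Mirrors the page's example: 'sap pmk ... mode-list gcm null no-encap' + 'policy static sgt 111'.
UPLINK_GI2_1 = CtsManualPolicy(sap_defined=True, sgt_insertion_allowed=True,
                               policy="static", static_sgt=111)

if __name__ == "__main__":
    for pkt in (None, 5):  # 5 is a constructed peer-supplied SGT
        print(f"incoming SGT {pkt!r:>4} -> {resulting_sgt(UPLINK_GI2_1, pkt)}")
    print("peer SGT honored:", peer_sgt_is_honored(UPLINK_GI2_1))
```

With the example interface, both an untagged packet and a packet carrying SGT 5 leave ingress with SGT 111, and peer_sgt_is_honored() reports False, which is the expected result for an uplink whose peer is not trusted.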
Configuration Examples for Manual Mode and MACsec on an Uplink Port
Catalyst 6500 TrustSec interface configuration in manual mode:
Router# configure terminal
Router(config)# interface gi 2/1
Router(config-if)# cts manual
Router(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm null no-encap
Router(config-if-cts-manual)# policy static sgt 111
Router(config-if-cts-manual)# exit
Remaining steps of the preceding procedure table (continued from the previous page):

Step     Command                        Purpose
Step 9   Router(config-if)# no shutdown   Enables the interface and enables Cisco TrustSec authentication on the interface.
Step 10  Router(config-if)# exit          Exits interface configuration mode.
