Cisco TrustSec

TrustSec is Cisco's next-generation access-control enforcement solution, developed to address the growing operational burden of firewall rules and access control lists that are keyed on IP addresses rather than on who or what is sending the traffic.

TrustSec uses Scalable Group Tags (SGTs): traffic is tagged at ingress and filtered at egress, so the access control policy is enforced on group membership rather than on IP addresses.

Cisco ISE assigns Scalable Group Tags to users or devices that have authenticated and been authorised through 802.1X, MAC Authentication Bypass (MAB), or WebAuth.

The SGT is delivered from ISE to the authenticator as an authorisation attribute, alongside the rest of the RADIUS authorisation result.

Once the SGT has been applied, it can be used in an enforcement policy to permit or drop traffic based on the tag, at any egress point across the TrustSec network.

An SGT can represent the context of a user, device, use case or function.

SGTs are often named after a particular role or use case. For example, a Windows laptop on the wireless network may be labelled Wireless_Windows_Laptop, or, if it is a corporate Windows laptop on the wireless network, Corporate_Wireless_Windows_Laptop.

Whilst SGTs have alphanumeric names on Cisco ISE, what is actually inserted into the packet is a 16-bit numeric value representing the SGT (the value 0 is reserved for Unknown, i.e. traffic that was never classified).

TrustSec operates in three phases: ingress classification, propagation and egress enforcement.

Ingress Classification

Ingress classification is the process of assigning an SGT to users, endpoints and other resources as they enter the TrustSec network.

Ingress Classification can happen in a few ways:

Dynamic Assignment

The SGT is assigned dynamically: it is downloaded from ISE as an authorisation attribute when the endpoint authenticates through 802.1X, MAB or WebAuth.

Static Assignment

In environments where port authentication is not required, SGTs can be mapped statically on SGT-capable network devices. Static assignment on a device can be carried out in the following ways:

  • Assign an SGT via IP address
  • Assign an SGT via subnet
  • Assign an SGT via VLAN
  • Assign an SGT via Layer 2 interface
  • Assign an SGT via Layer 3 interface
  • Port to SGT
  • Port profile to SGT

Static IP-to-SGT mappings can also be defined centrally on Cisco ISE, which maintains a database of them and can distribute them to network devices.

Propagation

Propagation is the process of carrying the SGT, or the IP-to-SGT mapping, to the TrustSec network devices that will enforce policy based on the assigned SGT.

There are two methods available for propagating an SGT:

Inline Tagging

With inline tagging (also called native tagging) the switch inserts the SGT into the Ethernet frame, in a Cisco Meta Data (CMD) header, so that upstream devices can read the tag and apply policy.

Inline tagging is completely independent of any Layer 3 protocol; the tag is preserved in the frame as it transits the network infrastructure until it reaches an egress point.

Inline tagging is only supported on Cisco network devices with hardware TrustSec support.

If a tagged frame is received by a device that does not support inline tagging in hardware, it is likely that the frame will be dropped, so inline tagging should only be enabled on links where both ends support it.

Note also that the tag is just a field in the frame: unless the link is protected with MACsec, anything with Layer 2 access to the link can inject frames carrying a tag of its choosing, so inline tagging should only be trusted on links you control.

SGT Exchange Protocol (SXP)

SGT Exchange Protocol (SXP) is a TCP-based (port 64999) peer-to-peer control-plane protocol used between network devices that do not support SGT inline tagging in hardware.

With SXP, IP-to-SGT mappings can be communicated between non-inline-tagging switches and other network devices.

Non-inline-tagging switches also hold an IP-to-SGT mapping database; at egress they look up the source and destination IP addresses of each packet against it to derive the SGTs and enforce policy.

The SXP peer that sends the IP-to-SGT bindings is called a speaker.

The IP-to-SGT binding receiver is called a listener (a peer can also be configured as both).

SXP connections can be multi-hop, so bindings learned from one speaker can be re-advertised to further listeners.

SXP peers should be authenticated with the shared MD5 password option: an unauthenticated speaker could inject IP-to-SGT bindings and thereby reclassify traffic at the enforcement point.

Egress Enforcement

Once the SGTs have been assigned and propagated across the network, they need to be enforced.

Policies are enforced at egress points, and there are multiple ways to enforce them based on the SGT.

Security Group ACL (SGACL)

Provides enforcement on routers and switches. An SGACL is an access list that filters based on the source and destination SGT rather than on IP addresses; the source SGT comes from the inline tag or the device's IP-to-SGT mapping, and the destination SGT is derived from the egress device's IP-to-SGT mapping for the destination address.

Security Group Firewall (SGFW)

Provides enforcement on Cisco firewalls using tag-based rules, with the firewall typically learning the IP-to-SGT mappings from ISE over SXP.
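To make the three phases concrete, the following is an added Python model of a tiny TrustSec deployment; it is example code written for this page, not Cisco code and not the behaviour of any particular platform. An access switch classifies endpoints into an IP-to-SGT binding table (longest prefix wins), a data-centre switch that has no inline-tagging hardware receives those bindings as an SXP listener, and it then enforces an SGACL matrix keyed on (source SGT, destination SGT). The device names, addresses, SGT numbers, matrix cells and the "unmatched tail of a cell is a deny" convention are all constructed for the example. The point it shows that the text alone does not: before the bindings are propagated, the enforcement switch classifies the source as Unknown (0) and the traffic silently falls through to the matrix default.

```python
"""Toy model of TrustSec ingress classification, SXP propagation and SGACL
egress enforcement. All names, addresses and tags are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UNKNOWN_SGT = 0  # ISE's built-in "Unknown" tag: never classified


@dataclass
class BindingTable:
    """IP-to-SGT mapping database: host (/32) and subnet entries."""
    entries: Dict[ipaddress.IPv4Network, int] = field(default_factory=dict)

    def add(self, prefix: str, sgt: int) -> None:
        self.entries[ipaddress.ip_network(prefix, strict=False)] = sgt

    def lookup(self, ip: str) -> int:
        """Most specific matching prefix wins; unmapped addresses are Unknown."""
        addr = ipaddress.ip_address(ip)
        best = max((n for n in self.entries if addr in n),
                   key=lambda n: n.prefixlen, default=None)
        return self.entries[best] if best is not None else UNKNOWN_SGT


@dataclass
class Device:
    name: str
    sxp_mode: str  # "speaker", "listener" or "both"
    bindings: BindingTable = field(default_factory=BindingTable)


def sxp_exchange(speaker: Device, listener: Device) -> int:
    """One SXP update: the speaker exports every binding to the listener.
    Returns the number of bindings sent."""
    if speaker.sxp_mode not in ("speaker", "both"):
        raise ValueError(f"{speaker.name} is not an SXP speaker")
    if listener.sxp_mode not in ("listener", "both"):
        raise ValueError(f"{listener.name} is not an SXP listener")
    listener.bindings.entries.update(speaker.bindings.entries)
    return len(speaker.bindings.entries)


# SGACL matrix (constructed): (src_sgt, dst_sgt) -> ordered rules of
# (action, protocol, dst_port). Protocol "ip" / port None match anything.
# A cell whose rules all fail to match is treated as deny in this model.
Rule = Tuple[str, str, Optional[int]]
SGACL_MATRIX: Dict[Tuple[int, int], List[Rule]] = {
    (10, 30): [("permit", "tcp", 443), ("deny", "ip", None)],  # corp laptops -> servers: HTTPS only
    (20, 30): [("deny", "ip", None)],                          # other laptops -> servers: nothing
}


def enforce(device: Device, src_ip: str, dst_ip: str, proto: str, dst_port: int,
            inline_sgt: Optional[int] = None, default: str = "permit") -> Tuple[str, int, int]:
    """Egress enforcement on `device`. The source SGT is taken from the inline
    tag if the frame carried one, otherwise from the device's own binding
    table (the SXP case); the destination SGT always comes from the table.
    Returns (action, src_sgt, dst_sgt)."""
    src_sgt = inline_sgt if inline_sgt is not None else device.bindings.lookup(src_ip)
    dst_sgt = device.bindings.lookup(dst_ip)
    cell = SGACL_MATRIX.get((src_sgt, dst_sgt))
    if cell is None:
        return default, src_sgt, dst_sgt  # no cell configured: matrix default applies
    for action, r_proto, r_port in cell:
        if r_proto in ("ip", proto) and r_port in (None, dst_port):
            return action, src_sgt, dst_sgt
    return "deny", src_sgt, dst_sgt


def build_lab() -> Tuple[Device, Device]:
    """Constructed topology: access switch classifies, DC switch enforces."""
    access = Device("access1", sxp_mode="speaker")
    access.bindings.add("10.1.10.0/24", 20)  # static subnet-to-SGT: Wireless_Windows_Laptop
    access.bindings.add("10.1.10.5/32", 10)  # dynamic from ISE: Corporate_Wireless_Windows_Laptop
    dc = Device("dc1", sxp_mode="listener")
    dc.bindings.add("10.2.0.0/24", 30)       # static: Servers
    return access, dc


if __name__ == "__main__":
    access, dc = build_lab()
    pkt = ("10.1.10.5", "10.2.0.10", "tcp", 443)
    print("before SXP:", enforce(dc, *pkt))   # source is Unknown, matrix default applies
    sxp_exchange(access, dc)
    print("after SXP: ", enforce(dc, *pkt))   # ('permit', 10, 30)
    print("ssh:       ", enforce(dc, "10.1.10.5", "10.2.0.10", "tcp", 22))
```

Run it as a script to see the before/after SXP difference. The "before SXP" result is the failure mode to watch for in a real deployment: an enforcement device that has not learned the relevant bindings does not fail closed, it classifies the traffic as Unknown and applies whatever the default cell says, which on ISE is Permit IP unless you change it.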
