About SGT and SXP Support in Cisco TrustSec - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Cisco ASA Series Firewall CLI Configuration Guide, Chapter 6: ASA and Cisco TrustSec (page 6-2)

About Cisco TrustSec

Cisco TrustSec:

- Offers exceptional control over the activity of network users accessing physical or cloud-based IT resources.
- Reduces total cost of ownership through centralized, highly secure access policy management and scalable enforcement mechanisms.

For more information, see the following URLs:

Reference: http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html
Description: Describes the Cisco TrustSec system and architecture for the enterprise.

Reference: http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html
Description: Provides instructions for deploying the Cisco TrustSec solution in the enterprise, including links to component design guides.

Reference: http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/trustsec/solution_overview_c22-591771.pdf
Description: Provides an overview of the Cisco TrustSec solution when used with the ASA, switches, wireless LAN (WLAN) controllers, and routers.

Reference: http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
Description: Provides the Cisco TrustSec Platform Support Matrix, which lists the Cisco products that support the Cisco TrustSec solution.

About SGT and SXP Support in Cisco TrustSec

In the Cisco TrustSec feature, security group access transforms a topology-aware network into a role-based network, which enables end-to-end policies enforced on the basis of role-based access control (RBAC). Device and user credentials acquired during authentication are used to classify packets into security groups. Every packet entering the Cisco TrustSec cloud is tagged with a security group tag (SGT). The tag lets trusted intermediaries identify the source identity of the packet, rather than only its IP address, and enforce security policies along the data path. When the SGT is used to define a security group ACL, it indicates a privilege level across the domain.

An SGT is assigned to a device through IEEE 802.1X authentication, web authentication, or MAC authentication bypass (MAB); the authentication server returns the SGT in a RADIUS vendor-specific attribute. An SGT can also be assigned statically to a particular IP address or to a switch interface. After successful authentication, the SGT is passed dynamically to the switch or access point that the device connects through.

The Security-group eXchange Protocol (SXP) is a control plane protocol developed for Cisco TrustSec to propagate the IP-to-SGT mapping database from network devices that lack SGT-capable hardware to hardware that supports SGTs and security group ACLs. SXP passes IP-to-SGT mappings from authentication points (such as legacy access layer switches) to upstream devices in the network; the device that sends the mappings is the SXP speaker and the device that receives them is the SXP listener.

SXP connections are point-to-point and use TCP as the underlying transport protocol. SXP uses the well-known TCP port number 64999 to initiate a connection, and each SXP connection is uniquely identified by its source and destination IP addresses.
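As an added example, not taken from this guide, the following ASA configuration makes the ASA an SXP listener that receives IP-to-SGT bindings from an access switch and then uses the learned tags in an extended ACL. All addresses, tag values and the password are hypothetical; the ACL uses numeric tags so that it does not depend on security-group names downloaded from ISE. The commands follow the cts sxp and access-list syntax documented for the ASA in this chapter; verify them against your ASA release before use.

```text
! Added example, not from the guide. Hypothetical addresses, tags and password.
! 1. Enable SXP globally and pin the local address of the connection. The source IP
!    is part of the connection identity (source IP, peer IP, TCP 64999), so set it
!    explicitly instead of letting the ASA choose an interface address.
cts sxp enable
cts sxp default source-ip 10.1.1.10
! Shared password used to authenticate the TCP 64999 session with every peer that
! specifies "password default". Do not use "password none": a listener installs
! whatever bindings its speaker sends, so an unauthenticated peer can rewrite
! the IP-to-SGT table that the ACLs below trust.
cts sxp default password SxpSharedSecret
! Reconnect and re-synchronisation timers (seconds) for peers that restart.
cts sxp retry period 60
cts sxp reconciliation period 120
! 2. Peer with the access switch, which is the speaker; the ASA is the listener.
cts sxp connection peer 10.1.1.20 password default mode local listener
! 3. Use the learned tags in an extended ACL. Tag 10 = employee endpoints,
!    tag 20 = servers (hypothetical). The security-group match precedes the
!    address argument in each ACE.
access-list INSIDE_IN extended permit tcp security-group tag 10 any security-group tag 20 any eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
! 4. Verify: the connection state must be On, and the map must contain the
!    bindings the switch learned when the endpoints authenticated.
show cts sxp connections
show cts sxp sgt-map
```

If show cts sxp sgt-map is empty while the connection shows On, the speaker side is not exporting bindings (for example, the switch has no IP-to-SGT entries for the authenticated hosts yet); the ACL will then fall through to the deny line for traffic that should have matched tag 10.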