Cisco Catalyst 6500-E Series Manual page 13

Switch as the backbone of a unified access campus architecture

After the SGT is assigned either at the access layer or in the backbone, the tagged traffic is passed through the
network to an enforcement point. Figure 11 shows an example of an SGACL where traffic with SGT 1110 has
access to resources in group 3200 on the allowed TCP ports, whereas any other IP traffic is denied. Because the
SGACL is based on group memberships, changes in the underlying IP infrastructure do not require changes in
the SGACL. For example, if 10 new subnets are added to the user access infrastructure, no change is needed in
the SGACL, because all of the new users would be getting existing SGTs. This makes an SGT/SGACL
infrastructure much easier to manage and much more flexible.
Cases arise in which an organization wants to enact an enterprisewide SGT/SGACL infrastructure but has remote
locations that are separated from the main campus by Layer 3 networks. The Cisco Catalyst 6500-E with
Supervisor Engine 2T supports the ability to transmit SGT traffic from remote locations to a centralized
enforcement site. Figure 12 shows the concept of connecting Cisco TrustSec domains across a domain without
Cisco TrustSec.
Figure 12. Connecting Cisco TrustSec Domains Across Domains Without Cisco TrustSec
The packet traversing a domain without Cisco TrustSec on the path to another Cisco TrustSec domain has its
SGT preserved by using the Cisco TrustSec Layer 3 SGT transport feature. With this feature, the egress Cisco
TrustSec device encapsulates the packet with an ESP header that includes a copy of the SGT. When the
encapsulated packet arrives at the next Cisco TrustSec domain, the ingress Cisco TrustSec device removes the
ESP encapsulation and propagates the packet with its SGT.
To support Cisco TrustSec Layer 3 SGT transport, the Cisco Catalyst 6500-E with Supervisor Engine 2T that will
act as a Cisco TrustSec ingress or egress Layer 3 gateway must maintain a traffic policy database that lists
eligible subnets in remote Cisco TrustSec domains as well as any excluded subnets within those regions. You can
configure this database manually on each device if it cannot be downloaded automatically from the Cisco ISE.
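The two mechanisms described above, group-based SGACL enforcement and the Layer 3 SGT transport policy database, modelled in Python as an added example (this is not Cisco code and does not reflect IOS configuration syntax). The SGT values 1110 and 3200 come from the text; the subnets, port list and function names are constructed assumptions.

```python
"""Added model of the page's SGT/SGACL and L3 SGT transport concepts.
Not Cisco code; subnets and ports below are constructed sample values."""
import ipaddress

# Constructed SGACL keyed by (source SGT, destination SGT): SGT 1110 may
# reach group 3200 on the listed TCP ports; all other IP traffic is denied.
SGACL = {(1110, 3200): {"tcp": {80, 443}}}

# Constructed access-layer classification: which subnets receive which SGT.
SUBNET_TO_SGT = {
    ipaddress.ip_network("10.1.0.0/24"): 1110,
    ipaddress.ip_network("10.9.0.0/24"): 3200,
}

def classify(ip):
    """Return the SGT assigned to an address, or None if unclassified."""
    addr = ipaddress.ip_address(ip)
    for net, sgt in SUBNET_TO_SGT.items():
        if addr in net:
            return sgt
    return None

def sgacl_permits(src_sgt, dst_sgt, proto, dport):
    """Enforcement point decision: only group membership is consulted."""
    allowed = SGACL.get((src_sgt, dst_sgt), {})
    return dport in allowed.get(proto, set())

def permits(src_ip, dst_ip, proto, dport):
    """Classify at the edge, then enforce purely by SGT pair."""
    return sgacl_permits(classify(src_ip), classify(dst_ip), proto, dport)

def add_access_subnet(cidr, sgt):
    """Onboard a new user subnet. Only the classification table changes;
    the returned SGACL entry count shows the policy itself is untouched."""
    SUBNET_TO_SGT[ipaddress.ip_network(cidr)] = sgt
    return len(SGACL)

# Constructed L3 SGT transport policy database for one remote TrustSec
# domain: eligible subnets, minus excluded subnets within that region.
ELIGIBLE = [ipaddress.ip_network("172.16.0.0/16")]
EXCLUDED = [ipaddress.ip_network("172.16.99.0/24")]

def carries_sgt_across_l3(dst_ip):
    """True if the egress gateway should ESP-encapsulate the SGT for dst_ip.
    An exclusion inside an eligible range takes precedence."""
    addr = ipaddress.ip_address(dst_ip)
    if any(addr in net for net in EXCLUDED):
        return False
    return any(addr in net for net in ELIGIBLE)
```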
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 13 of 28
