Security Group-Based Access Control; Security Groups And Sgts; Sgacl Policies - Cisco TrustSec Configuration Manual


Chapter 1
Cisco TrustSec Overview

Security Group-Based Access Control

This section includes the following topics:

Security Groups and SGTs, page 1-7
SGACL Policies, page 1-7
Ingress Tagging and Egress Enforcement, page 1-8
Determining the Source Security Group, page 1-9
Determining the Destination Security Group, page 1-10
SGACL Enforcement on Routed and Switched Traffic, page 1-10

Security Groups and SGTs

A security group is a grouping of users, endpoint devices, and resources that share access control
policies. Security groups are defined by the administrator in the Cisco ISE or Cisco Secure ACS. As new
users and devices are added to the Cisco TrustSec domain, the authentication server assigns these new
entities to appropriate security groups. Cisco TrustSec assigns to each security group a unique 16-bit
security group number whose scope is global within a Cisco TrustSec domain. The number of security
groups in the switch is limited to the number of authenticated network entities. You do not have to
manually configure security group numbers.

Once a device is authenticated, Cisco TrustSec tags any packet that originates from that device with a
security group tag (SGT) that contains the security group number of the device. The packet carries this
SGT throughout the network within the Cisco TrustSec header. The SGT is a single label that determines
the privileges of the source within the entire enterprise.

Because the SGT contains the security group of the source, the tag can be referred to as the source SGT.
The destination device is also assigned to a security group (the destination SG) that can be referred to
for simplicity as the destination group tag (DGT), although the actual Cisco TrustSec packet tag does
not contain the security group number of the destination device.

SGACL Policies

Using security group access control lists (SGACLs), you can control the operations that users can
perform based on the security group assignments of users and destination resources. Policy enforcement
within the Cisco TrustSec domain is represented by a permissions matrix, with source security group
numbers on one axis and destination security group numbers on the other axis. Each cell in the body of
the matrix can contain an ordered list of SGACLs which specifies the permissions that should be applied
to packets originating from the source security group and destined for the destination security group.
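The following Python model is an added illustration of the two preceding sections (SGT assignment and the SGACL permissions matrix); it is not Cisco code and does not reflect any switch or ISE API. It assumes, as the text describes, that the authentication server places each authenticated device in a security group identified by a unique 16-bit SGT, that the packet carries only the source SGT, that the destination group (DGT) is looked up for the destination at enforcement time, and that each matrix cell is evaluated as an ordered list of SGACL entries. The group names, SGT numbers, hosts and ACL entries are constructed, and the "deny when nothing matches" default is an assumption of the model, not something this page states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SGT_MAX = 0xFFFF  # SGTs are 16-bit numbers whose scope is global in the domain


@dataclass(frozen=True)
class SgaclEntry:
    """One line of an SGACL: permit/deny a protocol and optional destination port."""
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" (any), "tcp", "udp", "icmp"
    dst_port: Optional[int] = None  # None matches any port

    def matches(self, protocol: str, dst_port: Optional[int]) -> bool:
        if self.protocol != "ip" and self.protocol != protocol:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


@dataclass
class TrustSecDomain:
    groups: Dict[str, int] = field(default_factory=dict)       # group name -> SGT
    device_sgt: Dict[str, int] = field(default_factory=dict)   # device -> SGT
    # permissions matrix: (source SGT, destination SGT) -> ordered SGACL list
    matrix: Dict[Tuple[int, int], List[SgaclEntry]] = field(default_factory=dict)
    default_action: str = "deny"   # assumed behaviour for an empty/unmatched cell

    def define_group(self, name: str, sgt: int) -> None:
        """Administrator defines a group; the SGT must be 16-bit and unique in the domain."""
        if not 0 <= sgt <= SGT_MAX:
            raise ValueError(f"SGT {sgt} is not a 16-bit value")
        if sgt in self.groups.values():
            raise ValueError(f"SGT {sgt} already assigned; SGTs are unique per domain")
        self.groups[name] = sgt

    def authenticate(self, device: str, group: str) -> int:
        """The authentication server places a newly authenticated device in a group."""
        self.device_sgt[device] = self.groups[group]
        return self.device_sgt[device]

    def tag_packet(self, src: str, dst: str, protocol: str, dst_port=None) -> dict:
        """Ingress: the packet is tagged with the source SGT only (no DGT in the packet)."""
        return {"src": src, "dst": dst, "protocol": protocol,
                "dst_port": dst_port, "sgt": self.device_sgt[src]}

    def set_policy(self, src_group: str, dst_group: str, entries: List[SgaclEntry]) -> None:
        self.matrix[(self.groups[src_group], self.groups[dst_group])] = list(entries)

    def enforce(self, packet: dict) -> str:
        """Egress: look up the DGT of the destination, then walk the cell's SGACLs in order."""
        dgt = self.device_sgt[packet["dst"]]
        for entry in self.matrix.get((packet["sgt"], dgt), []):
            if entry.matches(packet["protocol"], packet["dst_port"]):
                return entry.action
        return self.default_action


def build_example_domain() -> TrustSecDomain:
    """Three user roles and one server, the shape of Figure 1-3 (all values constructed)."""
    d = TrustSecDomain()
    d.define_group("Employee", 10)
    d.define_group("Contractor", 20)
    d.define_group("Guest", 30)
    d.define_group("HR_Server", 100)
    d.authenticate("alice-laptop", "Employee")
    d.authenticate("bob-laptop", "Contractor")
    d.authenticate("kiosk-1", "Guest")
    d.authenticate("hr-db", "HR_Server")
    # Employees: any IP traffic to the server
    d.set_policy("Employee", "HR_Server", [SgaclEntry("permit", "ip")])
    # Contractors: HTTPS only; the trailing deny makes the cell explicit
    d.set_policy("Contractor", "HR_Server",
                 [SgaclEntry("permit", "tcp", 443), SgaclEntry("deny", "ip")])
    # Guests: no cell configured, so the domain default applies
    return d


def decide(d: TrustSecDomain, src: str, dst: str, protocol: str, dst_port=None) -> str:
    """Tag at ingress, enforce at egress, return the resulting action."""
    return d.enforce(d.tag_packet(src, dst, protocol, dst_port))


if __name__ == "__main__":
    dom = build_example_domain()
    for args in [("alice-laptop", "hr-db", "tcp", 22), ("bob-laptop", "hr-db", "tcp", 443),
                 ("bob-laptop", "hr-db", "tcp", 22), ("kiosk-1", "hr-db", "tcp", 443)]:
        print(args, "->", decide(dom, *args))
```

The point the model makes visible is that the source tag travels with the packet while the destination group is resolved where the policy is enforced, so changing a server's group membership changes the outcome for every source without re-tagging any traffic; ordering within a cell matters because the first matching entry decides.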
Figure 1-3 shows an example of a Cisco TrustSec permissions matrix for a simple domain with three
defined user roles and one defined destination resource. Three SGACL policies control access to the
destination server based on the role of the user.

Information about Cisco TrustSec Architecture
Cisco TrustSec Configuration Guide
OL-22192-01
1-7
