Ingress Tagging And Egress Enforcement - Cisco TrustSec Configuration Manual

Information about Cisco TrustSec Architecture
Figure 1-3 Egress Policy (Security Group)
By assigning users and devices within the network to security groups and applying access control
between the security groups, Cisco TrustSec achieves role-based topology-independent access control
within the network. Because SGACLs define access control policies based on device identities instead
of IP addresses as in traditional ACLs, network devices are free to move throughout the network and
change IP addresses. As long as the roles and the permissions remain the same, changes to the network
topology do not change the security policy. When a user is added to the switch, you simply assign the
user to an appropriate security group and the user immediately receives the permissions of that group.
Using role-based permissions greatly reduces the size of ACLs and simplifies their maintenance. With
Cisco TrustSec, the number of access control entries (ACEs) configured is determined by the number of
permissions specified, resulting in a much smaller number of ACEs than in a traditional IP network. The
use of SGACLs in Cisco TrustSec typically results in a more efficient use of TCAM resources compared
with traditional ACLs.

Ingress Tagging and Egress Enforcement

Cisco TrustSec access control is implemented using ingress tagging and egress enforcement. At the
ingress point to the Cisco TrustSec domain, traffic from the source is tagged with an SGT containing the
security group number of the source entity. The SGT is propagated with the traffic across the domain.
At the egress point of the Cisco TrustSec domain, an egress device uses the source SGT and the security
group number of the destination entity (the destination SG, or DGT) to determine which access policy
to apply from the SGACL policy matrix.
SGACL Policy Matrix Example

                      Destination Role
  Source Role         Server X (111)
  User A (10)         SGACL-A
  User B (20)         SGACL-B
  User C (30)         SGACL-C
  User D (30)         SGACL-C

SGACL-A
  permit ip

SGACL-B
  permit tcp src dst eq 80
  deny ip

SGACL-C
  permit tcp dst eq 1433
  permit tcp src eq 1433
  permit tcp dst eq 80
  permit tcp dst eq 433
  deny ip

Chapter 1, Cisco TrustSec Overview (Cisco TrustSec Configuration Guide, OL-22192-01)
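The following Python model walks through the two halves of the mechanism described above: the ingress device stamps a source entity's SGT onto its traffic, and the egress device looks up the (SGT, DGT) cell in the policy matrix and evaluates that SGACL's entries in order, first match wins. It is an added illustration, not Cisco code and not the switch's actual pipeline. The security groups, tags and SGACL entries are copied from the matrix example on this page (including port 433 exactly as printed); the ACE grammar the parser accepts, the reading of "src dst eq 80" as any source port to destination port 80, and the default action used when a matrix cell is empty are assumptions made for the example.

```python
"""Model of Cisco TrustSec ingress tagging and egress SGACL enforcement.

Added illustration, not Cisco code. Security groups and SGACLs come from
the SGACL Policy Matrix Example on this page; the ACE grammar and the
first-match evaluation order are assumptions for the demo.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Ingress tagging: each source entity is assigned the SGT of its role
# (values from the page's matrix; User C and User D share tag 30).
ENTITY_SGT = {"User A": 10, "User B": 20, "User C": 30, "User D": 30, "Server X": 111}

# SGACL definitions copied from the page (port 433 is as printed there).
SGACLS = {
    "SGACL-A": ["permit ip"],
    "SGACL-B": ["permit tcp src dst eq 80", "deny ip"],
    "SGACL-C": [
        "permit tcp dst eq 1433",
        "permit tcp src eq 1433",
        "permit tcp dst eq 80",
        "permit tcp dst eq 433",
        "deny ip",
    ],
}

# Policy matrix cell: (source SGT, destination SGT) -> SGACL name.
MATRIX = {(10, 111): "SGACL-A", (20, 111): "SGACL-B", (30, 111): "SGACL-C"}


@dataclass(frozen=True)
class Packet:
    src_sgt: int
    dst_sgt: int
    proto: str                      # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src_port: Optional[int] = None  # None = any source port
    dst_port: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def parse_ace(text: str) -> Ace:
    """Parse one ACE line as printed on the page.

    Assumed grammar: ACTION PROTO [src [eq PORT]] [dst [eq PORT]].
    A bare "src" or "dst" without "eq" means any port, so the page's
    "permit tcp src dst eq 80" reads as any source port, destination 80.
    """
    tokens = text.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"malformed ACE: {text!r}")
    action, proto = tokens[0], tokens[1]
    ports = {"src": None, "dst": None}
    i = 2
    while i < len(tokens):
        side = tokens[i]
        if side not in ports:
            raise ValueError(f"unexpected token {side!r} in {text!r}")
        if i + 2 < len(tokens) and tokens[i + 1] == "eq":
            ports[side] = int(tokens[i + 2])
            i += 3
        else:
            i += 1
    return Ace(action, proto, ports["src"], ports["dst"])


COMPILED = {name: [parse_ace(line) for line in aces] for name, aces in SGACLS.items()}


def tag_ingress(entity: str) -> int:
    """Ingress device: stamp the source entity's SGT onto its traffic."""
    return ENTITY_SGT[entity]


def enforce(pkt: Packet, default: str = "permit") -> Tuple[str, Optional[str]]:
    """Egress device: select the SGACL for (SGT, DGT) and walk its ACEs.

    Returns (action, sgacl_name). `default` is applied when the matrix has
    no cell for the pair; the real default policy is configurable on the
    switch, the value here is only an assumption for the demo.
    """
    name = MATRIX.get((pkt.src_sgt, pkt.dst_sgt))
    if name is None:
        return default, None
    for ace in COMPILED[name]:
        if ace.matches(pkt):
            return ace.action, name
    return default, name  # not reached for the page's SGACLs, each ends in an "ip" entry


if __name__ == "__main__":
    sgt = tag_ingress("User B")
    dgt = ENTITY_SGT["Server X"]
    for dport in (80, 22):
        print(dport, enforce(Packet(sgt, dgt, "tcp", src_port=51000, dst_port=dport)))
```

Two points the model makes visible: User C and User D carry the same tag, so they necessarily land in the same matrix cell and receive SGACL-C regardless of their IP addresses, and a connection from a tag-30 user to Server X on TCP 443 is denied by SGACL-C as the page prints it, because its entry names port 433.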
