Determining The Source Security Group - Cisco TrustSec Configuration Manual


Chapter 1
Cisco TrustSec Overview
Information about Cisco TrustSec Architecture

Figure 1-4 shows how the SGT assignment and the SGACL enforcement operate in a Cisco TrustSec domain.

Figure 1-4 SGT and SGACL in a Cisco TrustSec Domain

[Figure: host user PC → Cisco TrustSec domain (SGT imposition, SGT = 3; SGACL enforcement, DGT = 4) → web server]

Step 1 The host PC transmits a packet to the web server. Although the PC and the web server are not members of the Cisco TrustSec domain, the data path of the packet includes the Cisco TrustSec domain.

Step 2 The Cisco TrustSec ingress switch modifies the packet to add an SGT with security group number 3, the security group number assigned by the authentication server for the host PC.

Step 3 The Cisco TrustSec egress switch enforces the SGACL policy that applies to source group 3 and destination group 4, the security group number assigned by the authentication server for the web server.

Step 4 If the SGACL allows the packet to be forwarded, the Cisco TrustSec egress switch modifies the packet to remove the SGT and forwards the packet to the web server.

Determining the Source Security Group

A network device at the ingress of the Cisco TrustSec domain must determine the SGT of a packet entering the domain so that it can tag the packet with that SGT when it forwards it into the domain. The egress network device must determine the SGT of the packet in order to apply an SGACL.

The network device can determine the SGT for a packet by one of the following methods:

• Obtain the source SGT during policy acquisition—After the Cisco TrustSec authentication phase, a network device acquires policy information from the authentication server, which indicates whether the peer device is trusted or not. If a peer device is not trusted, the authentication server can also provide an SGT to apply to all packets coming from the peer device.

• Obtain the source SGT from the packet—If a packet comes from a trusted peer device, the packet carries the SGT. This applies to a network device that is not the first network device in the Cisco TrustSec domain for the packet.

• Look up the source SGT based on the source identity—With Identity Port Mapping (IPM), you can manually configure the link with the identity of the connected peer. The network device requests policy information, including SGT and trust state, from the authentication server.

• Look up the source SGT based on the source IP address—In some cases, you can manually configure the policy to decide the SGT of a packet based on its source IP address. The SGT Exchange Protocol (SXP) can also populate the IP-address-to-SGT mapping table.

Cisco TrustSec Configuration Guide, OL-22192-01, page 1-9
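The following Python model is added here as an illustration and is not code from the Cisco guide or from any Cisco product. It walks a packet through Figure 1-4: the ingress switch determines the source SGT using the four methods listed above, the egress switch looks up the SGACL for the (source SGT, destination group) pair, and the tag is stripped before the packet leaves the domain. It goes slightly beyond the text by showing why a tag carried by a packet from an untrusted peer must not be honoured. The order in which the four methods are tried, the IP addresses, the group numbers 3, 4 and 5, the SGACL contents and the default-deny behaviour when no SGACL entry matches are all assumptions of this example, not statements from the guide.

```python
"""Toy model of SGT assignment and SGACL enforcement in a Cisco TrustSec domain.

Added illustration, not Cisco code. The lookup order in determine_source_sgt,
the default-deny policy, and every address and group number are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    sgt: Optional[int] = None  # SGT carried in the frame, if any


@dataclass
class IngressPort:
    """State a switch holds for one link after the Cisco TrustSec authentication phase."""
    trusted: bool                            # trust state learned from the authentication server
    peer_sgt: Optional[int] = None           # SGT to apply to all packets from an untrusted peer
    ipm_identity_sgt: Optional[int] = None   # SGT obtained via Identity Port Mapping (IPM)


@dataclass
class TrustSecSwitch:
    # IP-address-to-SGT mapping table: manually configured or populated by SXP.
    ip_to_sgt: Dict[str, int] = field(default_factory=dict)
    # SGACL matrix keyed by (source SGT, destination group); True = permit.
    sgacl: Dict[Tuple[int, int], bool] = field(default_factory=dict)

    def determine_source_sgt(self, pkt: Packet, port: IngressPort) -> Optional[int]:
        """Resolve the source SGT. The order of these checks is an assumption of the model."""
        # Trusted peer inside the domain: the SGT already in the packet is authoritative.
        if port.trusted and pkt.sgt is not None:
            return pkt.sgt
        # Untrusted peer: ignore any tag it sent and use the SGT the server assigned to the peer.
        if not port.trusted and port.peer_sgt is not None:
            return port.peer_sgt
        # Identity Port Mapping: SGT looked up from the manually configured peer identity.
        if port.ipm_identity_sgt is not None:
            return port.ipm_identity_sgt
        # Fall back to the IP-address-to-SGT mapping table (static or SXP-learned).
        return self.ip_to_sgt.get(pkt.src_ip)

    def ingress(self, pkt: Packet, port: IngressPort) -> Packet:
        """SGT imposition on entry to the domain (Figure 1-4, Step 2)."""
        return Packet(pkt.src_ip, pkt.dst_ip, self.determine_source_sgt(pkt, port))

    def egress(self, pkt: Packet) -> Optional[Packet]:
        """SGACL enforcement and tag removal on exit from the domain (Steps 3 and 4)."""
        dgt = self.ip_to_sgt.get(pkt.dst_ip)
        if pkt.sgt is None or dgt is None:
            return None  # no (SGT, DGT) pair to evaluate; the model drops (assumption)
        if not self.sgacl.get((pkt.sgt, dgt), False):
            return None  # no permit entry for this pair; default deny (assumption)
        return Packet(pkt.src_ip, pkt.dst_ip, None)  # forwarded without the SGT


def demo() -> dict:
    """Constructed scenario mirroring Figure 1-4: host PC = group 3, web server = group 4."""
    sw = TrustSecSwitch(
        ip_to_sgt={"10.1.1.10": 3, "10.2.2.20": 4, "10.3.3.30": 5},  # constructed mappings
        sgacl={(3, 4): True},                                        # constructed policy
    )
    edge = IngressPort(trusted=False)  # the host PC is not a Cisco TrustSec member
    # A tag arriving from an untrusted peer is not honoured; SGT 3 comes from the mapping table.
    spoofed = Packet("10.1.1.10", "10.2.2.20", sgt=4)
    tagged = sw.ingress(spoofed, edge)
    permitted = sw.egress(tagged)
    # Group 3 to group 5 has no SGACL entry, so the egress switch drops it.
    blocked = sw.egress(sw.ingress(Packet("10.1.1.10", "10.3.3.30"), edge))
    # A trusted peer inside the domain already carries the SGT; a later hop keeps it.
    core = IngressPort(trusted=True)
    relayed = sw.ingress(Packet("10.1.1.10", "10.2.2.20", sgt=7), core)
    return {
        "imposed_sgt": tagged.sgt,
        "permitted_and_untagged": permitted is not None and permitted.sgt is None,
        "blocked": blocked is None,
        "trusted_tag_kept": relayed.sgt,
    }


if __name__ == "__main__":
    print(demo())
```

The model keeps the two decisions the guide separates: the ingress device owns SGT imposition and never trusts a tag from a peer the authentication server marked untrusted, while the egress device only needs the (SGT, DGT) pair to apply the SGACL and removes the tag so the web server never sees it.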
