Determining The Destination Security Group; Sgacl Enforcement On Routed And Switched Traffic; Authorization And Policy Acquisition - Cisco TrustSec Configuration Manual

Information about Cisco TrustSec Architecture

Determining the Destination Security Group

The egress network device in a Cisco TrustSec domain determines the destination group (DGT) for
applying the SGACL. The network device determines the destination security group for the packet using
the same methods used for determining the source security group, with the exception of obtaining the
group number from a packet tag. The destination security group number is not included in a packet tag.
In some cases, ingress devices or other non-egress devices might have destination group information
available. In those cases, SGACLs might be applied in these devices rather than egress devices.

SGACL Enforcement on Routed and Switched Traffic

SGACL enforcement is applied only on IP traffic, but enforcement can be applied to either routed or
switched traffic.

For routed traffic, SGACL enforcement is performed by an egress switch, typically a distribution switch
or an access switch with a routed port connecting to the destination host. When you enable SGACL
enforcement globally, enforcement is automatically enabled on every Layer 3 interface except for SVI
interfaces.

For switched traffic, SGACL enforcement is performed on traffic flowing within a single switching
domain without any routing function. An example would be SGACL enforcement performed by a data
center access switch on server-to-server traffic between two directly connected servers. In this example,
the server-to-server traffic would typically be switched. SGACL enforcement can be applied to packets
switched within a VLAN or forwarded to an SVI associated with a VLAN, but enforcement must be
enabled explicitly for each VLAN.

Authorization and Policy Acquisition

After device authentication ends, both the supplicant and authenticator obtain the security policy from
the authentication server. The two peers then perform link authorization and enforce the link security
policy against each other based on their Cisco TrustSec device IDs. The link authentication method can
be configured as either 802.1X or manual authentication. If the link security is 802.1X, each peer uses
a device ID received from the authentication server. If the link security is manual, you must assign the
peer device IDs.
The authentication server returns the following policy attributes:

- Cisco TrustSec trust—Indicates whether the peer device is to be trusted for the purpose of putting
the SGT in the packets.

- Peer SGT—Indicates the security group to which the peer belongs. If the peer is not trusted, all
packets received from the peer are tagged with this SGT. If the device does not know whether any
SGACLs are associated with the peer's SGT, the device may send a follow-up request to the
authentication server to download the SGACLs.

- Authorization expiry time—Indicates the number of seconds before the policy expires. A Cisco
TrustSec device should refresh its policy and authorization before it times out. The device can cache
the authentication and policy data and reuse it after a reboot if the data has not expired. In Cisco IOS
Release 12.2(33)SXI, only policy data and environment data is cached.

Tip: Each Cisco TrustSec device should support some minimal default access policy in case it is not able to
contact the authentication server to get an appropriate policy for the peer.

Cisco TrustSec Configuration Guide
1-10
Chapter 1
Cisco TrustSec Overview
OL-22192-01
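The following is an added example, not code from Cisco or from this guide: a small Python model of the decisions the three sections above describe (source SGT from a trusted or untrusted peer, DGT derived from an IP-to-SGT mapping rather than the tag, enforcement scope for routed versus VLAN-switched traffic, cached policy with expiry and a minimal default fallback). All SGT numbers, IP addresses, VLAN numbers, the SGACL matrix and the "permit when no cell is configured" default are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LinkPolicy:
    """Policy attributes the authentication server returns for a link peer."""
    peer_trusted: bool   # Cisco TrustSec trust: honour SGTs carried in the peer's packets?
    peer_sgt: int        # Peer SGT: applied to every packet from an untrusted peer
    expires_at: float    # authorization expiry, kept here as an absolute time in seconds

# Minimal default policy for when the server cannot be reached: peer untrusted,
# SGT 0 ("unknown"). The concrete values are a constructed assumption.
DEFAULT_POLICY = LinkPolicy(peer_trusted=False, peer_sgt=0, expires_at=float("inf"))

def effective_policy(cached: Optional[LinkPolicy], now: float) -> LinkPolicy:
    """Reuse the cached policy (also after a reboot) while unexpired, else use the default."""
    if cached is not None and now < cached.expires_at:
        return cached
    return DEFAULT_POLICY

def source_sgt(policy: LinkPolicy, tagged_sgt: Optional[int]) -> int:
    """Trusted peer: keep the SGT from the packet tag; untrusted peer: use the peer SGT."""
    if policy.peer_trusted and tagged_sgt is not None:
        return tagged_sgt
    return policy.peer_sgt

def destination_sgt(dst_ip: str, ip_to_sgt: dict) -> int:
    """The DGT is never in the tag; the egress device derives it from its IP-to-SGT mapping."""
    return ip_to_sgt.get(dst_ip, 0)

def enforcement_applies(routed: bool, vlan: int, enforced_vlans: set) -> bool:
    """Global enforcement covers routed (Layer 3) traffic; switched traffic needs its VLAN enabled."""
    return routed or vlan in enforced_vlans

def egress_verdict(policy, tagged_sgt, dst_ip, routed, vlan,
                   ip_to_sgt, enforced_vlans, matrix) -> str:
    """Combine the steps: enforcement scope, then SGT, DGT and the SGACL matrix cell."""
    if not enforcement_applies(routed, vlan, enforced_vlans):
        return "forward-unenforced"
    sgt = source_sgt(policy, tagged_sgt)
    dgt = destination_sgt(dst_ip, ip_to_sgt)
    return matrix.get((sgt, dgt), "permit")   # no cell configured: permit (constructed default)

# Constructed sample data: servers 10.1.1.10 (SGT 20) and 10.1.1.20 (SGT 30), VLAN 10 enforced.
IP_TO_SGT = {"10.1.1.10": 20, "10.1.1.20": 30}
ENFORCED_VLANS = {10}
MATRIX = {(10, 20): "permit", (10, 30): "deny", (0, 30): "deny"}
TRUSTED = LinkPolicy(peer_trusted=True, peer_sgt=10, expires_at=2000.0)

if __name__ == "__main__":
    print(egress_verdict(TRUSTED, 10, "10.1.1.20", True, 10, IP_TO_SGT, ENFORCED_VLANS, MATRIX))
```

The same packet switched on a VLAN that is not in ENFORCED_VLANS is forwarded without an SGACL check, which is the per-VLAN enablement point the switched-traffic section makes.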
