Layer 2 Security Group Tagging Imposition; Usage Scenarios - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Guidelines for Cisco TrustSec

Layer 2 Security Group Tagging Imposition

Cisco TrustSec identifies and authenticates each network user and resource and assigns a 16-bit number
called a Security Group Tag (SGT). This identifier is in turn propagated between network hops, which
allows any intermediary devices such as ASAs, switches, and routers to enforce policies based on this
identity tag.
SGT plus Ethernet Tagging, also called Layer 2 SGT Imposition, enables the ASA to send and receive
security group tags on Ethernet interfaces using Cisco proprietary Ethernet framing (EtherType 0x8909),
which allows the insertion of source security group tags into plain-text Ethernet frames. The ASA inserts
security group tags on the outgoing packet and processes security group tags on the incoming packet,
based on a manual per-interface configuration. This feature allows inline hop-by-hop propagation of
endpoint identity across network devices and provides seamless Layer 2 SGT Imposition between each
hop.
The following figure shows a typical example of Layer 2 SGT Imposition.
Figure 6-3 Layer 2 SGT Imposition

(Figure: User 1 sends untagged traffic to the switch; the switch forwards it inline tagged with SGT 100
to the ASA; ISE maps SGT 100 = User 1 and the ASA applies the ACL "Allow User 1 to access server";
the ASA forwards the traffic inline tagged with SGT 100 to the router, which delivers it untagged to
the server.)

Usage Scenarios

The following table describes the expected behavior for ingress traffic when configuring this feature.

Table 6-3 Ingress Traffic

Interface Configuration           | Tagged Packet Received                 | Untagged Packet Received
----------------------------------|----------------------------------------|---------------------------------------
No command is issued.             | Packet is dropped.                     | SGT value is from the IP-SGT Manager.
The cts manual command is issued. | SGT value is from the IP-SGT Manager.  | SGT value is from the IP-SGT Manager.

Cisco ASA Series Firewall CLI Configuration Guide, Chapter 6, ASA and Cisco TrustSec, page 6-22
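The following is an added Python model of the ingress and egress behavior described above; it is not
Cisco code and not part of the guide. It encodes the two rows of Table 6-3 (a tagged frame is dropped
on an interface without cts manual; in every other case the SGT comes from the IP-SGT Manager, not from
the tag in the frame) together with the rule from the text that the ASA inserts a tag on egress only on
an interface with the manual per-interface configuration. The Frame and Interface classes, the host
addresses, the IP-SGT Manager contents and the SGT-based ACL are constructed for illustration and
replay the Figure 6-3 scenario.

```python
# Added example: model of ASA Layer 2 SGT Imposition ingress/egress handling.
# Not Cisco code. Classes, addresses, IP-SGT mappings and ACL entries are constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ETHERTYPE_CISCO_SGT = 0x8909  # Cisco proprietary framing that carries the SGT (from the guide)
ETHERTYPE_IPV4 = 0x0800       # an untagged frame is ordinary Ethernet/IPv4


@dataclass
class Frame:
    src_ip: str
    dst_ip: str
    sgt: Optional[int] = None  # None: plain Ethernet frame; int: inline tagged (0x8909) frame

    @property
    def ethertype(self) -> int:
        return ETHERTYPE_CISCO_SGT if self.sgt is not None else ETHERTYPE_IPV4


@dataclass
class Interface:
    name: str
    cts_manual: bool = False  # True once "cts manual" has been issued on the interface


class AsaSgtModel:
    """Models Table 6-3 (ingress) and the egress tagging rule from the text."""

    def __init__(self, ip_sgt_manager: Dict[str, int], sgt_acl: Set[Tuple[int, str]]):
        self.ip_sgt_manager = ip_sgt_manager  # IP -> SGT mappings (e.g. learned from ISE)
        self.sgt_acl = sgt_acl                # permitted (source SGT, destination IP) pairs

    def ingress(self, intf: Interface, frame: Frame) -> Tuple[str, Optional[int]]:
        """Return ("drop", None) or ("pass", sgt) according to Table 6-3."""
        if frame.sgt is not None and not intf.cts_manual:
            # Row 1, tagged packet: no cts manual on the interface, so the packet is dropped.
            return "drop", None
        # Every other cell: the SGT value is taken from the IP-SGT Manager,
        # not from the tag carried in the frame.
        return "pass", self.ip_sgt_manager.get(frame.src_ip)

    def forward(self, in_intf: Interface, frame: Frame, out_intf: Interface) -> Optional[Frame]:
        """Apply ingress handling, the SGT-based ACL, then egress tag insertion."""
        verdict, sgt = self.ingress(in_intf, frame)
        if verdict == "drop":
            return None
        if sgt is None or (sgt, frame.dst_ip) not in self.sgt_acl:
            return None  # unknown identity or no matching SGT-based permit
        # Egress: the tag is inserted only on an interface with the manual configuration.
        return Frame(frame.src_ip, frame.dst_ip, sgt if out_intf.cts_manual else None)


def figure_6_3_walkthrough() -> Optional[Frame]:
    """Replay Figure 6-3 with constructed addresses: User 1 -> switch (tags SGT 100) -> ASA -> router."""
    asa = AsaSgtModel(ip_sgt_manager={"10.1.1.10": 100},   # ISE: SGT 100 = User 1 (constructed)
                      sgt_acl={(100, "10.2.2.20")})        # ACL: allow User 1 to access server
    inside = Interface("inside", cts_manual=True)
    outside = Interface("outside", cts_manual=True)
    from_switch = Frame("10.1.1.10", "10.2.2.20", sgt=100)  # inline tagged by the switch
    return asa.forward(inside, from_switch, outside)


if __name__ == "__main__":
    print(figure_6_3_walkthrough())  # tagged frame toward the router, SGT 100
```

The detection point worth noting in the model: a tagged 0x8909 frame that arrives on an interface where cts manual was never issued is dropped outright, so an unexpected rise in drops on such an interface indicates that an upstream device has started tagging. Because both rows of the table take the SGT from the IP-SGT Manager, the model deliberately ignores the value carried in the frame; only the IP-SGT mapping decides which ACL entries apply.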
