6-2
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 6 ASA and Cisco TrustSec
About Cisco TrustSec
• Offers exceptional control over activity of network users accessing physical or cloud-based IT resources
• Reduces total cost of ownership through centralized, highly secure access policy management and scalable enforcement mechanisms
• For more information, see the following URLs:

Reference: http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html
Description: Describes the Cisco TrustSec system and architecture for the enterprise.

Reference: http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html
Description: Provides instructions for deploying the Cisco TrustSec solution in the enterprise, including links to component design guides.

Reference: http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/trustsec/solution_overview_c22-591771.pdf
Description: Provides an overview of the Cisco TrustSec solution when used with the ASA, switches, wireless LAN (WLAN) controllers, and routers.

Reference: http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
Description: Provides the Cisco TrustSec Platform Support Matrix, which lists the Cisco products that support the Cisco TrustSec solution.

About SGT and SXP Support in Cisco TrustSec

In the Cisco TrustSec feature, security group access transforms a topology-aware network into a role-based network, which enables end-to-end policies enforced on the basis of role-based access control (RBAC). Device and user credentials acquired during authentication are used to classify packets by security groups. Every packet entering the Cisco TrustSec cloud is tagged with a security group tag (SGT). The tagging helps trusted intermediaries identify the source identity of the packet and enforce security policies along the data path. An SGT can indicate a privilege level across the domain when the SGT is used to define a security group ACL.

An SGT is assigned to a device through IEEE 802.1X authentication, web authentication, or MAC authentication bypass (MAB), which occurs with a RADIUS vendor-specific attribute. An SGT can be assigned statically to a particular IP address or to a switch interface. An SGT is passed along dynamically to a switch or access point after successful authentication.

The Security-group eXchange Protocol (SXP) is a protocol developed for Cisco TrustSec to propagate the IP-to-SGT mapping database across network devices that do not have SGT-capable hardware support to hardware that supports SGTs and security group ACLs. SXP, a control plane protocol, passes IP-SGT mapping from authentication points (such as legacy access layer switches) to upstream devices in the network.

The SXP connections are point-to-point and use TCP as the underlying transport protocol. SXP uses the well-known TCP port number 64999 to initiate a connection. Additionally, an SXP connection is uniquely identified by the source and destination IP addresses.
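The classification and enforcement model described under SGT and SXP support above, as an added example that is not code from this guide or from the ASA itself: an IP-to-SGT mapping database of the kind SXP propagates is used to classify packets by security group, and a security group ACL is evaluated on the resulting (source SGT, destination SGT) pair. The mapping entries, tag numbers, group names and SGACL rules are constructed for illustration, and the helper names are hypothetical.

```python
import ipaddress

SXP_PORT = 64999  # well-known TCP port on which an SXP connection is initiated

# Constructed IP-to-SGT mappings, as a legacy access switch without SGT-capable
# hardware would advertise them to the ASA over SXP. Tags and names are hypothetical.
SXP_MAPPINGS = {
    "10.1.10.0/24": 10,  # Employees
    "10.1.20.0/24": 30,  # Servers
    "10.1.20.5/32": 20,  # Finance server: static host mapping inside the Servers subnet
}

def build_table(mappings):
    """Order mappings longest prefix first so a host entry wins over its subnet."""
    table = [(ipaddress.ip_network(p), sgt) for p, sgt in mappings.items()]
    return sorted(table, key=lambda e: e[0].prefixlen, reverse=True)

def lookup_sgt(table, ip):
    """Classify an address into its security group; 0 means no mapping was learned."""
    addr = ipaddress.ip_address(ip)
    return next((sgt for net, sgt in table if addr in net), 0)

# Constructed security group ACL: (src SGT, dst SGT, proto, dst port, permit); None = any.
SGACL = [
    (10, 20, "tcp", 443, False),  # employees may not reach the finance server over HTTPS
    (10, 30, "tcp", 443, True),   # employees may reach ordinary servers over HTTPS
    (30, 30, None, None, True),   # servers may talk to each other freely
]

def enforce(table, src_ip, dst_ip, proto, dport):
    """Return (permit, src_sgt, dst_sgt): first matching rule wins, else implicit deny."""
    s, d = lookup_sgt(table, src_ip), lookup_sgt(table, dst_ip)
    for ssgt, dsgt, p, port, permit in SGACL:
        if ssgt == s and dsgt == d and p in (None, proto) and port in (None, dport):
            return permit, s, d
    return False, s, d

def sxp_connection_id(src_ip, src_port, dst_ip, dst_port):
    """An SXP connection is identified by its source and destination IPs alone."""
    return (src_ip, dst_ip) if SXP_PORT in (src_port, dst_port) else None

if __name__ == "__main__":
    t = build_table(SXP_MAPPINGS)
    print(enforce(t, "10.1.10.7", "10.1.20.5", "tcp", 443))  # (False, 10, 20)
    print(enforce(t, "10.1.10.7", "10.1.20.9", "tcp", 443))  # (True, 10, 30)
```

Because the policy keys on tags rather than addresses, moving the finance server to another subnet only requires its mapping to change; the SGACL stays the same, which is the role-based (rather than topology-based) enforcement the text describes.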