TrustSec - Tidbit

In this tidbit I want to cover some high-level notes on general TrustSec items as well as some good-to-knows. A brief overview of what TrustSec is: TrustSec provides scalable access control by classifying traffic with a Security Group Tag (SGT) that represents the role of the source (user, device or server), and enforcing policy between source and destination groups with Security Group ACLs (SGACLs) rather than with IP-address-based ACLs that have to change every time an address does.

Understanding SGT Transport Mechanisms:

  • Inline tagging (data plane): the SGT travels in the frame itself (Cisco Meta Data header); requires a device that supports SGT in its ASIC

  • SXP (control plane): a TCP-based protocol (port 64999) that exchanges IP-to-SGT bindings between devices; used where a hop does not have SGT-capable hardware

Multiple options for SGT transport over a non-CTS L3 network:

  • SXP to inline tagging works by default: a device that learns an IP/SGT binding via SXP will apply that SGT inline on egress if the interface supports it

  • Inline tagging to SXP requires SGT caching (cts role-based sgt-caching): the device caches the IP/SGT learned from tagged traffic so it can advertise those bindings to an SXP listener

  • SGT can be carried inband with:

  • Note that IP/SGT bindings are carried by SXP out of band (control plane); nothing is added to the data packet

Example of IOS SXP Configuration (the first two lines are global; the connection line makes this device the local listener, "password default" means use the globally configured default password, and hold-time 0 0 turns off the listener hold timer so the connection is not torn down for missed keepalives):

cts sxp enable

cts sxp default password cisco123

cts sxp connection peer x.x.x.x source x.x.x.x password default mode local listener hold-time 0 0
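Both ends of an SXP connection, as an added example that is not from the original post: the speaker is the device that holds the IP/SGT bindings (here an access switch) and the listener is the enforcement device that lacks SGT-capable hardware on that path. The hostnames, the 10.10.10.1/10.10.10.2 addresses and the password are assumptions; the roles must be complementary (one speaker, one listener) and the password must match on both sides.

```cisco
! ===== SPEAKER: access switch SW-ACCESS, 10.10.10.1 (assumed) =====
cts sxp enable
cts sxp default source-ip 10.10.10.1
cts sxp default password SxpS3cret!
! "mode local speaker" = this box is the speaker, the peer is the listener
cts sxp connection peer 10.10.10.2 source 10.10.10.1 password default mode local speaker

! ===== LISTENER: enforcement switch SW-ENF, 10.10.10.2 (assumed) =====
cts sxp enable
cts sxp default source-ip 10.10.10.2
cts sxp default password SxpS3cret!
! hold-time 0 0 disables the listener hold timer (same as the post's example)
cts sxp connection peer 10.10.10.1 source 10.10.10.2 password default mode local listener hold-time 0 0

! ===== Verification (either side) =====
show cts sxp connections brief
! Bindings learned over SXP on the listener:
show cts sxp sgt-map brief
show cts role-based sgt-map all
```

A connection that sits in Off or Pending_On in show cts sxp connections brief almost always means a password mismatch, two speakers or two listeners facing each other, or a source address that does not match the peer address configured on the other side.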

Steps to configure a device in ISE as a TrustSec device (AKA SGT device):

  • Configure the RADIUS shared secret

  • Enable Advanced TrustSec Settings and set the device ID and password; these must match the cts credential configured on the switch

  • Best practice for the timers (environment data and SGACL download) is a long duration, so policy on the device is only updated by an explicit push (CoA) or change workflow rather than by periodic refresh

Configuring a Catalyst switch for SGT:

The following CLI is required to turn on NDAC (Network Device Admission Control: the switch authenticates itself to ISE with EAP-FAST, obtains a PAC, and downloads environment data and policies including SGACLs from ISE)

  • step 1: enable AAA

#aaa new-model

  • step 2: define the RADIUS server with the pac keyword (so the switch can provision a PAC from ISE)

#radius-server host <ISE_PSN> pac key <radius shared secret>

  • step 3: define the authorization list name used for TrustSec policy download

#cts authorization list <authz_list_name>

  • step 4: use the RADIUS group for 802.1X authentication and the defined authz list for network authorization

#aaa authentication dot1x default group radius

#aaa authorization network <authz list name> group radius

  • step 5: configure RADIUS to send VSAs in authentication requests

#radius-server vsa send authentication

  • step 6: enable 802.1X globally

#dot1x system-auth-control

  • step 7: define the device credential (EAP-FAST identity), which must match the device ID and password in the ISE network device configuration

#cts credential id <device id> password <device password>

**NOTE: on IOS the device credential is configured in privileged EXEC (enable) mode, not in config mode; on NX-OS it is configured in config mode (cts device-id <device id> password <device password>)**


  • #show cts environment-data
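The seven steps above as one complete configuration, written here as an added example (not from the original post) in the newer radius server / aaa group server syntax that IOS-XE 16.x uses in place of the legacy radius-server host line; it also includes the CoA client entries that let ISE push policy changes to the switch. The ISE addresses (PAN 10.1.1.5, PSN 10.1.1.10), the shared secret, the group and list names, and the device credential are assumptions.

```cisco
! ----- global config mode -----
aaa new-model
!
! ISE PSN (assumed 10.1.1.10). "pac key" is the equivalent of the legacy
! "radius-server host <ip> pac key <secret>" and is what lets the switch provision a PAC.
radius server ISE-PSN1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 pac key Sh4redS3cret
!
aaa group server radius ISE
 server name ISE-PSN1
!
! 802.1X authentication and TrustSec policy-download authorization both go to ISE
aaa authentication dot1x default group ISE
aaa authorization network CTS-LIST group ISE
cts authorization list CTS-LIST
radius-server vsa send authentication
dot1x system-auth-control
!
! CoA clients: PAN (assumed 10.1.1.5) sends the TrustSec policy-push CoA,
! each PSN sends session CoA for 802.1X endpoints
aaa server radius dynamic-author
 client 10.1.1.5 server-key Sh4redS3cret
 client 10.1.1.10 server-key Sh4redS3cret
!
end
!
! ----- privileged EXEC, not config mode (IOS / IOS-XE) -----
! Must match the device ID and password entered under the device's Advanced TrustSec Settings in ISE
cts credential id SW-ACCESS password CtsD3vicePw
!
! ----- verification -----
show cts pacs
show cts environment-data
show cts role-based permissions
```

If show cts pacs shows no PAC, NDAC never completed (wrong shared secret, wrong device credential, or ISE not reachable) and neither environment data nor SGACLs will download no matter how many times cts refresh is issued.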

Example of activating SGACL Enforcement on an IOS Switch:

  • Enabling SGACL enforcement globally and for a VLAN (both are needed; the global command alone does not enforce on VLAN traffic):

#cts role-based enforcement

#cts role-based enforcement vlan-list xx

Defining IP-to-SGT mappings for servers; shown via CLI here, but the bindings can also be pushed from ISE (static IP/SGT mappings deployed to the NAD) or learned via SXP:

#cts role-based sgt-map <ip or prefix> sgt 100

#cts role-based sgt-map <ip or prefix> sgt 20

#cts role-based sgt-map 10.x.x.x sgt 30
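A fuller enforcement example, added here and not from the original post, that also defines the SGACLs and the permissions matrix locally so the policy can be exercised and counted without ISE. The VLAN number, the 10.100.x.x prefixes, the SGT values and the ACL names are assumptions. In production ISE supplies both the bindings and the matrix; a locally configured static policy takes precedence over the cell downloaded from ISE for the same source/destination pair, so remove the local cts role-based permissions once ISE owns the matrix.

```cisco
! Enforce SGACLs globally and on the server VLAN (assumed VLAN 100)
cts role-based enforcement
cts role-based enforcement vlan-list 100
!
! Static IP/SGT bindings for servers; a /24 maps the whole subnet, a host address maps one server
! SGT 100 = PCI servers, 20 = shared services, 30 = dev servers (assumed values)
cts role-based sgt-map 10.100.0.0/24 sgt 100
cts role-based sgt-map 10.100.1.10 sgt 20
cts role-based sgt-map 10.100.2.0/24 sgt 30
!
! Locally defined SGACLs (role-based ACLs carry no addresses, only protocol/port)
ip access-list role-based ALLOW_WEB_ONLY
 permit tcp dst eq 443
 permit tcp dst eq 80
 deny ip log
ip access-list role-based PERMIT_IP
 permit ip
ip access-list role-based DENY_IP
 deny ip log
!
! Permissions matrix: developers (SGT 10, assumed) reach PCI servers only on 80/443,
! reach dev servers freely, and everything not listed is denied
cts role-based permissions from 10 to 100 ALLOW_WEB_ONLY
cts role-based permissions from 10 to 30 PERMIT_IP
cts role-based permissions default DENY_IP
!
! Verification
show cts role-based permissions
show cts role-based sgt-map all detail
clear cts role-based counters
show cts role-based counters
```

Clear the counters, generate a few flows that should be denied, then read show cts role-based counters: the SW-Denied / HW-Denied columns for the from/to pair are the quickest proof that the binding, the matrix and enforcement on the VLAN all line up. A counter that never moves usually means the destination has no IP/SGT binding (so the default cell applies instead of the one you expected) or enforcement is not enabled on the VLAN the traffic actually egresses.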

Downloading Policy on IOS Switch:

  • #cts refresh environment-data

  • #cts refresh policy

SGACL Download Server list:

  • The NAD can be configured to talk to ISE via the real IP of a PSN or via an SLB virtual IP for CTS

  • Regardless, the NAD downloads policy from the IPs in the server list it receives in environment data (these should be PSNs)


Change of Authorization (CoA) is what triggers the refresh of SGACLs, environment data and the server list, so the ISE nodes must be defined as dynamic-author clients:

  • #aaa server radius dynamic-author

  • #client x.x.x.x server-key 7 XXX --PAN IP, which sends the TrustSec policy-push CoA

  • #client x.x.x.x server-key 7 XXX --add each PSN for 802.1X session CoA

View SGACL Policy on IOS Switch:

  • #show cts role-based permissions

Verify SGACL Drops:

  • #show cts role-based counters

Device tracking is fundamental to IP/SGT entries (the switch must learn a host's IP via device tracking before it can bind an SGT to it):

  • #show ip device tracking all --IOS-XE 3.x

  • #show device-tracking database --IOS-XE 16.x

IP/SGT Programming Happens after Device Tracking Learning:

  • #show cts role-based sgt-map all detail

Troubleshoot SGACL Download Errors:

  • #show aaa servers --verify AAA is reachable

  • #show cts pac all --validate the device has a PAC

  • #show cts environment-data --validate the device can communicate with ISE by checking env data

  • If there is no IP/SGT binding on the switch for a host, check device tracking first: the binding is only programmed after the host's IP is learned

Brief example of configuring a link for inline SGT tagging (manual mode; untagged ingress traffic is assigned SGT 2 and tagged frames from the peer are trusted):

interface eth1/0

cts manual

policy static sgt 2 trusted

Additional good-to-knows:

  • For port-channel support, CTS is configured on the physical interfaces first and they are then added to the port channel

  • #show cts interface brief --shows whether propagate SGT is enabled on each link

  • Best practice is to shut/no shut the interface after any cts manual change so the link renegotiates

  • Enabling inline tagging for DMVPN: #cts sgt inline --configured under the tunnel interface
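An added example, not from the original post, of a port-channel uplink and a DMVPN tunnel carrying inline SGTs. The interface names, addresses and the static SGT value are assumptions, and the NHRP/DMVPN lines of the tunnel are left out because they are unrelated to tagging.

```cisco
! ----- Port-channel uplink: cts on each member first, then bundle, then bounce -----
interface GigabitEthernet1/0/49
 cts manual
  ! untagged ingress frames get SGT 2 (assumed); tagged frames from the peer are trusted
  policy static sgt 2 trusted
  ! default when cts manual is enabled, shown explicitly
  propagate sgt
 channel-group 1 mode active
 shutdown
 no shutdown
!
interface GigabitEthernet1/0/50
 cts manual
  policy static sgt 2 trusted
  propagate sgt
 channel-group 1 mode active
 shutdown
 no shutdown
!
! ----- DMVPN tunnel with inline SGT (router side; NHRP config omitted) -----
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 cts sgt inline
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
!
! ----- Verification -----
show cts interface brief
show cts interface GigabitEthernet1/0/49
```

Both ends of a link must agree: if only one side has cts manual, the peer sees unknown Ethertype frames and the link will pass no tagged traffic at all, which shows up as the interface missing (or "Propagate SGT: Disabled") in show cts interface brief.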

That wraps up this tidbit on Trustsec :) Cheers!

