Next-Generation Firewall
Configure Ethernet SGT Protection
Configure 802.1Q header inspection when your firewall
is part of a Cisco TrustSec network.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | One of these: |
In a Cisco TrustSec network, a Cisco Identity Services Engine (ISE) assigns a Layer 2 Security
Group Tag (SGT) of 16 bits to a user or endpoint session. When your firewall is part
of a Cisco TrustSec network, the firewall needs to support the TrustSec 802.1Q
header to do content inspection. A Zone Protection profile with Ethernet SGT
protection configured allows the firewall to inspect headers with 802.1Q (EtherType
0x8909) for specific Layer 2 Security Group Tag (SGT) values and drop the packet if
the SGT matches the list you configure for the Zone Protection profile attached to
the interface. With a Zone Protection profile configured for Ethernet SGT
protection, you can specify which SGT values you want to deny access to a zone.
1. Log in to Strata Cloud Manager.
2. Select Manage > Configuration > NGFW and Prisma Access > Security Services > DoS Protection and select the Configuration Scope where you want to create the Zone Protection profile. You can select a folder or firewall from your Folders, or select Snippets to configure the Zone Protection profile in a snippet.
3. Navigate to the Zone Protection Profiles and Add Profile.
4. Enter a descriptive Name.
5. (Optional) Enter a Description.
6. Select Ethernet SGT.
7. Add a Layer 2 SGT Exclude List by name.
8. Enter one or more Tag values for the list. The range is 0 to 65,535. An individual entry can be a contiguous range of tag values (for example, 100-500). You can add up to 100 tag entries (individual or range) to an Exclude List.
9. Enable the Layer 2 SGT Exclude List. Layer 2 SGT Exclude Lists are enabled by default when added. You can modify an existing Zone Protection profile to disable a specific Layer 2 SGT Exclude List from enforcement.
10. Save.
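To see how the exclude-list rules above combine (16-bit SGT values, single tags or contiguous ranges such as 100-500, at most 100 entries per list, lists enabled by default but individually disable-able), here is an added example that models a profile and evaluates whether a frame carrying a given SGT would be dropped at the zone. It is not Palo Alto Networks code; the class and function names and the sample tag values are assumptions constructed for illustration.

```python
"""Model of a Zone Protection profile's Layer 2 SGT Exclude Lists (added example, not PAN-OS code)."""
from __future__ import annotations
from dataclasses import dataclass, field

SGT_MIN, SGT_MAX = 0, 65535       # a TrustSec SGT is 16 bits wide
MAX_ENTRIES_PER_LIST = 100        # page limit: 100 individual or range entries per list


def parse_tag_entry(entry: str) -> tuple[int, int]:
    """Turn '42' or '100-500' into an inclusive (low, high) pair, rejecting bad input."""
    text = entry.strip()
    low_s, sep, high_s = text.partition("-")
    if not low_s.isdigit() or (sep and not high_s.isdigit()):
        raise ValueError(f"malformed SGT entry: {entry!r}")
    low = int(low_s)
    high = int(high_s) if sep else low
    if not (SGT_MIN <= low <= high <= SGT_MAX):
        raise ValueError(f"SGT entry outside {SGT_MIN}-{SGT_MAX} or reversed: {entry!r}")
    return low, high


@dataclass
class L2SgtExcludeList:
    name: str
    entries: list[tuple[int, int]] = field(default_factory=list)
    enabled: bool = True          # enabled by default when added

    @classmethod
    def from_strings(cls, name: str, tags: list[str]) -> "L2SgtExcludeList":
        parsed = [parse_tag_entry(t) for t in tags]
        if len(parsed) > MAX_ENTRIES_PER_LIST:
            raise ValueError(f"{name}: more than {MAX_ENTRIES_PER_LIST} entries")
        return cls(name, parsed)

    def matches(self, sgt: int) -> bool:
        # A disabled list is kept in the profile but not enforced.
        return self.enabled and any(lo <= sgt <= hi for lo, hi in self.entries)


@dataclass
class ZoneProtectionProfile:
    name: str
    exclude_lists: list[L2SgtExcludeList] = field(default_factory=list)

    def drops_sgt(self, sgt: int) -> bool:
        """True if a frame tagged with this SGT would be dropped entering the zone."""
        if not (SGT_MIN <= sgt <= SGT_MAX):
            raise ValueError("SGT must fit in 16 bits")
        return any(lst.matches(sgt) for lst in self.exclude_lists)


# Constructed sample: deny a guest range and one quarantine tag at the zone edge.
sample_profile = ZoneProtectionProfile("zp-sgt-demo", [
    L2SgtExcludeList.from_strings("guest-and-quarantine", ["100-500", "9"]),
])
```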