Ethernet SGT Protection
Table of Contents
Ethernet SGT Protection
In a Cisco TrustSec network, employ Zone Protection based
on dropping packets that contain specific security group tags (SGT)
in the 802.1Q header.
In a Cisco TrustSec network, a Cisco Identity
Services Engine (ISE) assigns a Layer 2 Security Group Tag (SGT)
of 16 bits to a user’s or endpoint’s session. When your firewall
is part of a Cisco TrustSec network, the firewall needs to support
the TrustSec 802.1Q header to do content inspection. Without such
support, in a virtual wire topology the firewall can only pass SGT-tagged
packets without being able to inspect content. The firewall can
now inspect headers with 802.1Q (Ethertype 0x8909) for specified
SGT values and drop the packet if the SGT matches the list you configure
in the Zone Protection profile attached to a Layer2, virtual wire,
or tap interface.
- Create a Zone Protection profile to provide Ethernet SGT Protection.
- Select .
- Adda Zone Protection profile byName.
- SelectEthernet SGT Protection.
- AddaLayer 2 SGT Exclude Listby name.
- Enter one or moreTagvalues for the list; range is 0 to 65,535. You can enter individual entries that are a contiguous range of tag values (for example, 100-500). You can add up to 100 (individual or range) tag entries in an Exclude List.
- Enablethe Layer 2 SGT Exclude List. You can disable the list at any time.
- ClickOK.
- Apply the Zone Protection profile to the security zone to which the Layer 2, virtual wire, or tap interfaces belong.
- Select .
- Adda zone.
- Enter theNameof the zone.
- ForLocation, select the virtual system where the zone applies.
- ForType, selectLayer2,Virtual Wire, orTap.
- AddanInterfacethat belongs to the zone.
- ForZone Protection Profile, select the profile you created.
- ClickOK.
- Commit.
- View the global counter of packets that the firewall dropped as a result of all Zone Protection profiles that employ Ethernet SGT Protection.
- >show counter global name pan_flow_dos_l2_sec_tag_drop