In a Cisco TrustSec network, employ Zone Protection based
on dropping packets that contain specific security group tags (SGT)
in the 802.1Q header.
In a Cisco TrustSec network, a Cisco Identity
Services Engine (ISE) assigns a Layer 2 Security Group Tag (SGT)
of 16 bits to a user’s or endpoint’s session. When your firewall
is part of a Cisco TrustSec network, the firewall needs to support
the TrustSec 802.1Q header to do content inspection. Without such
support, in a virtual wire topology the firewall can only pass SGT-tagged
packets without being able to inspect content. The firewall can
now inspect headers with 802.1Q (Ethertype 0x8909) for specified
SGT values and drop the packet if the SGT matches the list you configure
in the Zone Protection profile attached to a Layer 2, virtual wire,
or tap interface.
Enter the SGT values for the list; the range is 0 to 65,535. Each entry
can be a single tag value or a contiguous range of tag values (for
example, 100-500). You can add up to 100 (individual or range) tag
entries in a Layer 2 SGT Exclude List, and you can disable the list
at any time.
Apply the Zone Protection profile to the security zone
to which the Layer 2, virtual wire, or tap interfaces belong.
Open the zone, select the virtual system where the zone applies,
verify that each of those interfaces belongs to the zone, and for
Zone Protection Profile select the profile you created.
View the global counter of packets that the firewall
dropped as a result of all Zone Protection profiles that employ
Ethernet SGT Protection.
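The following is an added example, not PAN-OS code: a small Python model of the Layer 2 SGT Exclude List semantics described above (single or range entries, the 0 to 65,535 tag range, the 100-entry limit, the enable/disable switch) together with a drop counter that mirrors the global counter. Class and function names are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

SGT_MIN, SGT_MAX = 0, 65_535   # 16-bit SGT value range stated on the page
MAX_ENTRIES = 100              # per-list entry limit stated on the page


def parse_entry(entry: str) -> Tuple[int, int]:
    """Parse one exclude-list entry: a single tag ("42") or a range ("100-500")."""
    text = entry.strip()
    if "-" in text:
        lo_s, hi_s = text.split("-", 1)
        lo, hi = int(lo_s), int(hi_s)     # int() rejects "", so "-5" and "100-" fail
    else:
        lo = hi = int(text)
    if not (SGT_MIN <= lo <= hi <= SGT_MAX):
        raise ValueError(f"invalid SGT entry {entry!r}: range is {SGT_MIN}-{SGT_MAX}")
    return lo, hi


@dataclass
class SgtExcludeList:
    """Hypothetical model of a Layer 2 SGT Exclude List (not the firewall's code)."""
    entries: List[Tuple[int, int]] = field(default_factory=list)
    enabled: bool = True
    dropped: int = 0   # stands in for the global 'packets dropped' counter

    @classmethod
    def from_strings(cls, items: Iterable[str], enabled: bool = True) -> "SgtExcludeList":
        parsed = [parse_entry(e) for e in items]
        if len(parsed) > MAX_ENTRIES:
            raise ValueError(f"at most {MAX_ENTRIES} entries per list")
        return cls(parsed, enabled)

    def matches(self, sgt: int) -> bool:
        return any(lo <= sgt <= hi for lo, hi in self.entries)

    def should_drop(self, sgt: int) -> bool:
        """Drop only when the list is enabled and the SGT is on it; count drops."""
        if self.enabled and self.matches(sgt):
            self.dropped += 1
            return True
        return False


def filter_sgts(excl: SgtExcludeList, sgts: Iterable[int]) -> List[int]:
    """Return the SGTs whose packets would pass on to content inspection."""
    return [s for s in sgts if not excl.should_drop(s)]
```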