Ethernet SGT Protection

In a Cisco TrustSec network, use Zone Protection to drop packets that carry specific Security Group Tags (SGTs) in the Layer 2 header.
In a Cisco TrustSec network, Cisco Identity Services Engine (ISE) assigns a 16-bit Layer 2 Security Group Tag (SGT) to each user or endpoint session, and the tag is carried inline in the Ethernet frame. When your firewall is part of a Cisco TrustSec network, it must understand that TrustSec tag header in order to inspect the content behind it; without such support, a firewall in a virtual wire topology can only pass SGT-tagged packets through without inspecting their content. The firewall inspects the header that carries the SGT (the Cisco MetaData header, EtherType 0x8909, which follows the Ethernet and any 802.1Q header) for the SGT values you specify and drops the packet if the SGT matches an entry in the Layer 2 SGT Exclude List of the Zone Protection profile applied to the zone of a Layer 2, virtual wire, or tap interface.
  1. Create a Zone Protection profile to provide Ethernet SGT Protection.
    1. Select Network > Network Profiles > Zone Protection.
    2. Add a Zone Protection profile and enter a Name.
    3. Select Ethernet SGT Protection.
    4. Add a Layer 2 SGT Exclude List by name.
    5. Enter one or more Tag values for the list; the range is 0 to 65,535 (every value a 16-bit SGT can take). Each entry is either a single tag value or a contiguous range of tag values (for example, 100-500). An Exclude List holds up to 100 entries, counting a range as one entry.
    6. Enable the Layer 2 SGT Exclude List. You can disable the list at any time.
    7. Click OK.
  2. Apply the Zone Protection profile to the security zone to which the Layer 2, virtual wire, or tap interfaces belong.
    1. Select Network > Zones.
    2. Add a zone.
    3. Enter the Name of the zone.
    4. For Location, select the virtual system where the zone applies.
    5. For Type, select Layer2, Virtual Wire, or Tap.
    6. Add an Interface that belongs to the zone.
    7. For Zone Protection Profile, select the profile you created.
    8. Click OK.
  3. Commit.
  4. View the global counter of packets that the firewall dropped as a result of all Zone Protection profiles that employ Ethernet SGT Protection. The counter is firewall-wide, not per zone or per profile.
    > show counter global name pan_flow_dos_l2_sec_tag_drop
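To make the matching behaviour of the procedure above concrete, the following Python model is an added example, not PAN-OS code or any Palo Alto Networks API. It parses the SGT out of an Ethernet frame (with or without an 802.1Q tag), validates an Exclude List the way steps 1.5 and 1.6 describe (single tags and ranges in 0-65,535, at most 100 entries, an enable flag), and decides pass or drop while keeping a drop counter like pan_flow_dos_l2_sec_tag_drop. The Cisco MetaData header layout it assumes (version, length, option type 0x0001, 16-bit SGT, inner EtherType) and the sample frames are constructed for the example, not taken from a capture.

```python
"""Model of Ethernet SGT Protection: extract the SGT from a frame and apply an exclude list."""
import struct

ETHERTYPE_8021Q = 0x8100   # VLAN tag that may precede the SGT header
ETHERTYPE_CMD = 0x8909     # Cisco MetaData (CMD) header that carries the SGT
CMD_OPTION_SGT = 0x0001    # assumed CMD option type for the SGT field
MAX_ENTRIES = 100          # per-list limit stated on the page


def parse_exclude_list(entries):
    """Turn tag entries such as '42' or '100-500' into a list of (lo, hi) ranges.

    Mirrors the GUI checks: each entry is a tag or a contiguous range, every
    value lies in 0..65535, and a list holds at most 100 entries.
    """
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} tag entries allowed per list")
    ranges = []
    for entry in entries:
        lo_text, sep, hi_text = entry.strip().partition("-")
        lo = int(lo_text)
        hi = int(hi_text) if sep else lo
        if not (0 <= lo <= hi <= 0xFFFF):
            raise ValueError(f"tag entry {entry!r} is outside 0-65535 or reversed")
        ranges.append((lo, hi))
    return ranges


def extract_sgt(frame):
    """Return the 16-bit SGT carried in a frame, or None if there is no CMD header."""
    if len(frame) < 14:
        return None
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    if ethertype == ETHERTYPE_8021Q:          # step over one VLAN tag (TCI + inner EtherType)
        if len(frame) < offset + 4:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype != ETHERTYPE_CMD or len(frame) < offset + 6:
        return None
    version, _length, option, sgt = struct.unpack_from("!BBHH", frame, offset)
    if version != 1 or option != CMD_OPTION_SGT:  # assumed layout; reject anything else
        return None
    return sgt


def should_drop(frame, ranges, enabled=True):
    """Drop only when the list is enabled and the frame's SGT falls in a listed range."""
    if not enabled:
        return False
    sgt = extract_sgt(frame)
    if sgt is None:                            # untagged traffic is never dropped by this check
        return False
    return any(lo <= sgt <= hi for lo, hi in ranges)


def filter_frames(frames, ranges, enabled=True):
    """Apply the list to a batch of frames; returns (passed_frames, drop_count)."""
    passed, dropped = [], 0
    for frame in frames:
        if should_drop(frame, ranges, enabled):
            dropped += 1                       # the global counter the page tells you to check
        else:
            passed.append(frame)
    return passed, dropped


def build_frame(sgt, vlan=None, payload=b"\x45" + b"\x00" * 19):
    """Constructed sample frame: Ethernet [+ 802.1Q] + CMD(SGT) + IPv4 payload (not a capture)."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    # CMD: version 1, length 1, SGT option, SGT value, then the encapsulated EtherType (IPv4)
    frame += struct.pack("!HBBHHH", ETHERTYPE_CMD, 1, 1, CMD_OPTION_SGT, sgt, 0x0800)
    return frame + payload


if __name__ == "__main__":
    exclude = parse_exclude_list(["100-500", "42"])
    sample = [build_frame(250), build_frame(42, vlan=10), build_frame(600),
              b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 19]   # plain untagged IPv4
    passed, dropped = filter_frames(sample, exclude)
    print(f"passed={len(passed)} dropped={dropped}")
```

Two points worth noticing in the model: a frame that carries no SGT at all is passed rather than dropped, so the Exclude List only ever acts on tagged traffic, and disabling the list (step 1.6) switches the check off without touching the entries, which is the same distinction the GUI draws.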
