Cisco TrustSec Configuration Guide for Cisco IOS Release 15M&T
Comprehensive configuration guide for Cisco TrustSec (CTS) on Cisco IOS Release 15M&T, covering device enrollment, SGT exchange protocols (SXP), interface-to-SGT mapping, and Flexible NetFlow integration.
Product Overview
Cisco TrustSec (CTS) is a security system that provides authentication, authorization, and traffic filtering for CTS-enabled network devices at each routing hop. By utilizing group tagging and role-based access control lists (ACLs), it secures traffic between devices. This guide covers key features including Secure RADIUS authentication, EAP-FAST, and SGT propagation.
Key Features and Configuration
Cisco TrustSec Support for IOS
CTS requires a security license for operation. Authentication is typically handled via Cisco Identity Services Engine (ISE) or Secure Access Control Server (ACS). Devices use EAP-FAST Phase 0 for dynamic Protected Access Credential (PAC) provisioning to establish secure tunnels for credential verification.
SGT Exchange Protocol (SXP)
The Security Group Tag (SGT) Exchange Protocol (SXP) propagates IP-to-SGT binding information across network devices that lack hardware support for tagging. SXPv4 introduces loop detection and prevention mechanisms to ensure network stability. Bidirectional SXP support allows propagation in both directions over a single connection.
Interface and Subnet Mapping
CTS allows binding traffic on specific Layer 3 interfaces or subnets to a security group tag. This ensures that all traffic originating from these sources is appropriately tagged for policy enforcement. The system uses a strict priority scheme to resolve conflicts among different binding sources.
Flexible NetFlow Export
Cisco TrustSec fields, including source and destination SGTs, can be exported using Flexible NetFlow (FNF). This enables administrators to monitor and troubleshoot traffic flows with identity information, facilitating better resource planning and security policy enforcement.
Maintenance and Troubleshooting
Configuration verification is performed using various show commands, such as show cts credentials, show cts sxp connections, and show cts interface. These commands provide visibility into the operational status of CTS features, SXP peer connections, and SGT mapping databases. If issues arise, ensure that licenses are correctly installed and that peer devices are configured with consistent credentials and SXP parameters.
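As an added illustration, not a configuration taken from the guide itself, the following Cisco IOS CLI fragment puts the pieces described above together on two hypothetical routers: CTS device credentials, a bidirectionally consistent SXP connection (R1 as listener, R2 as speaker), a subnet-to-SGT binding, a Flexible NetFlow record that exports source and destination SGTs, and the verification commands named in this section. Hostnames, addresses, SGT values and the collector address are constructed; the command syntax follows my understanding of IOS 15M&T and should be checked against the corresponding sections of the guide before use.

```cisco
! ===== R1 (constructed example: SXP listener, learns bindings from R2) =====
! Device credentials used when authenticating to ISE/ACS.
! Privileged EXEC command; it is stored in the keystore, not in running-config.
cts credentials id R1 password <CTS-PASSWORD-PLACEHOLDER>

configure terminal
! Enable SXP and set the shared connection password; R2 must use the same value.
cts sxp enable
cts sxp default password <SXP-PASSWORD-PLACEHOLDER>
cts sxp default source-ip 10.0.0.1
! Listener side of the connection; the peer must be configured as speaker.
cts sxp connection peer 10.0.0.2 password default mode local listener

! Static subnet-to-SGT binding: traffic sourced from 10.1.1.0/24 carries SGT 10.
cts role-based sgt-map 10.1.1.0/24 sgt 10

! Flexible NetFlow record that keys flows on the CTS source/destination SGT.
flow record CTS-REC
 match ipv4 source address
 match ipv4 destination address
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter packets
 collect counter bytes

! Exporter toward a constructed collector address.
flow exporter CTS-EXP
 destination 192.0.2.50
 transport udp 2055

flow monitor CTS-MON
 record CTS-REC
 exporter CTS-EXP

interface GigabitEthernet0/0
 ip flow monitor CTS-MON input
end

! ===== R2 (constructed example: SXP speaker, mirror of R1's parameters) =====
cts credentials id R2 password <CTS-PASSWORD-PLACEHOLDER>
configure terminal
cts sxp enable
cts sxp default password <SXP-PASSWORD-PLACEHOLDER>
cts sxp default source-ip 10.0.0.2
cts sxp connection peer 10.0.0.1 password default mode local speaker
end

! ===== Verification (run on either router) =====
show cts credentials
show cts sxp connections
show cts role-based sgt-map all
show cts interface
```

When `show cts sxp connections` does not report the peer as `On`, the usual causes are exactly the ones the section lists: a mismatched SXP password, both sides configured with the same role (two listeners or two speakers), or a missing security license; `show cts credentials` confirms the device ID and that a password is set without displaying it.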