3.5 TrustSec/SGT Integration
| Field |
Value |
| Document ID |
SDWAN-SEC-3.5 |
| Version |
1.0 |
| Last Updated |
December 2025 |
| Author |
Network Architecture Team |
| Classification |
Internal Use |
1. Executive Summary
This section documents the Cisco TrustSec and Security Group Tag (SGT) integration between SD-Access and SD-WAN for Abhavtech's network infrastructure. TrustSec enables identity-based microsegmentation that extends from the campus LAN through the WAN, providing consistent policy enforcement regardless of user or device location.
1.1 TrustSec Integration Objectives
+------------------------------------------------------------------+
| TRUSTSEC/SGT INTEGRATION OBJECTIVES |
+------------------------------------------------------------------+
| |
| +------------------+ +------------------+ +------------------+
| | END-TO-END | | IDENTITY-BASED | | MICROSEGMENT- |
| | CONSISTENCY | | POLICIES | | ATION |
| +------------------+ +------------------+ +------------------+
| | Same SGT from | | Who you are | | Granular access |
| | campus to cloud | | determines access| | within VPNs |
| +------------------+ +------------------+ +------------------+
| |
| +------------------+ +------------------+ +------------------+
| | CENTRALIZED | | SCALABLE | | COMPLIANCE |
| | POLICY | | MODEL | | ENABLED |
| +------------------+ +------------------+ +------------------+
| | ISE as single | | Add users, not | | Auditable SGT |
| | policy source | | ACL entries | | assignments |
| +------------------+ +------------------+ +------------------+
| |
+------------------------------------------------------------------+
1.2 Integration Architecture
+------------------------------------------------------------------+
| TRUSTSEC INTEGRATION ARCHITECTURE |
+------------------------------------------------------------------+
| |
| Campus (SD-Access) WAN (SD-WAN) Cloud |
| +------------------+ +------------------+ +----------+ |
| | | | | | | |
| | User/Device | SGT | WAN Edge | | Cloud | |
| | SGT: 3 (Employee)|-------->| CTS Inline |-->| Gateway | |
| | | Inline | SGT Preserved | | | |
| +--------+---------+ +--------+---------+ +----+-----+ |
| | | | |
| | | | |
| v v v |
| +------------------+ +------------------+ +----------+ |
| | SD-Access | | SD-WAN Manager | | Remote | |
| | Fabric Border | eBGP | Policy Engine | | Site | |
| | CTS Inline Tag |<------->| SGT Awareness | | WAN Edge | |
| +--------+---------+ +--------+---------+ +----+-----+ |
| | | | |
| +----------------------------+------------------+ |
| | |
| +--------+--------+ |
| | ISE | |
| | (Policy Source) | |
| | pxGrid, SXP | |
| +-----------------+ |
| |
+------------------------------------------------------------------+
2. Abhavtech SGT Taxonomy
2.1 SGT Definitions
| SGT |
Name |
Description |
VPN Mapping |
Population |
| 2 |
TrustSec_Devices |
Network infrastructure |
VPN 512 |
~200 devices |
| 3 |
Employees |
Full-time employees |
VPN 10 |
~8,000 users |
| 4 |
Guests |
Guest and contractor |
VPN 20 |
~500 concurrent |
| 5 |
IT_Admins |
IT privileged users |
VPN 10, 512 |
~50 users |
| 6 |
Executives |
C-level executives |
VPN 10 |
~25 users |
| 7 |
IoT_Devices |
General IoT |
VPN 30 |
~2,000 devices |
| 8 |
IP_Cameras |
Security cameras |
VPN 30 |
~500 cameras |
| 9 |
Voice_Devices |
IP phones, video |
VPN 40 |
~3,000 devices |
| 10 |
Servers |
Data center servers |
VPN 50, 100 |
~500 servers |
| 11 |
Critical_Servers |
Tier-1 applications |
VPN 50 |
~50 servers |
| 12 |
PCI_Systems |
Payment processing |
VPN 100 |
~30 systems |
2.2 SGT Hierarchy
+------------------------------------------------------------------+
| SGT HIERARCHY |
+------------------------------------------------------------------+
| |
| +-------------+ |
| | Unknown (0) | |
| +------+------+ |
| | |
| +----------------------+----------------------+ |
| | | | |
| +------+------+ +------+------+ +------+------+ |
| |Infrastructure| | Users | | Devices | |
| +------+------+ +------+------+ +------+------+ |
| | | | |
| +----+----+ +------+------+ +----+----+ |
| | | | | | | | | |
| SGT 2 SGT 10 SGT 3 SGT 4 SGT 5 SGT 7 SGT 8 SGT 9 |
| Net Dev Servers Empl Guest IT_Adm IoT Cam Voice |
| | |
| +----+----+ |
| | | |
| SGT 6 SGT 11 |
| Exec Critical |
| |
| Special Purpose: |
| - SGT 12: PCI Systems (Compliance isolation) |
| |
+------------------------------------------------------------------+
3. SGT Propagation Methods
3.1 Propagation Options
| Method |
Description |
Use Case |
Abhavtech Usage |
| CTS Inline |
SGT in Ethernet frame CMD field |
Campus, WAN tunnels |
Primary |
| SXP |
IP-to-SGT binding exchange |
Legacy devices |
ISE-to-WAN Edge |
| IP-SGT Static |
Manual SGT assignment |
Servers, infrastructure |
Backup |
| SGACLs |
Policy enforcement |
All locations |
All fabric nodes |
3.2 Inline Tagging Architecture
+------------------------------------------------------------------+
| CTS INLINE TAGGING |
+------------------------------------------------------------------+
| |
| Ethernet Frame with CTS Inline Tag: |
| +----------------------------------------------------------+ |
| | Dest MAC | Src MAC | 802.1AE | CMD | EtherType | Payload| |
| | (6 bytes) |(6 bytes)| Header | TAG | | | |
| +----------------------------------------------------------+ |
| | | |
| | +-> 16-bit SGT Value |
| +-> Cisco Meta Data (CMD) |
| |
| CMD Field Structure: |
| +----------------------------------------------------------+ |
| | Version (4) | Length (12) | Opt Type (16) | SGT (16) | |
| +----------------------------------------------------------+ |
| |
| Flow: |
| 1. User authenticates to network (802.1X, MAB) |
| 2. ISE assigns SGT based on identity/posture |
| 3. Access switch adds CMD with SGT to frames |
| 4. All network devices honor and propagate SGT |
| 5. SGACLs enforce policy based on source-dest SGT pair |
| |
+------------------------------------------------------------------+
3.3 SXP for SGT Propagation
+------------------------------------------------------------------+
| SXP PROPAGATION |
+------------------------------------------------------------------+
| |
| +-------------+ SXP +-------------+ |
| | ISE |<----------->| WAN Edge | |
| | (Speaker) | TCP/64999 | (Listener) | |
| +------+------+ +------+------+ |
| | | |
| | IP-SGT Bindings: | Receives bindings: |
| | 10.10.10.50 -> SGT 3 | Uses for policy |
| | 10.10.20.100 -> SGT 7 | enforcement |
| | 10.10.30.25 -> SGT 9 | |
| | | |
| |
| SXP Use Cases: |
| - Non-CTS capable devices (legacy switches) |
| - Third-party devices |
| - Cloud gateways |
| - Software sensors |
| |
+------------------------------------------------------------------+
4. SD-WAN TrustSec Configuration
4.1 WAN Edge CTS Configuration
! Enable CTS on WAN Edge
cts role-based enforcement
cts role-based enforcement vlan-list all
! CTS Credentials
cts credentials id WANEDGE-MUMBAI password 7 <encrypted>
! Configure SXP
cts sxp enable
cts sxp default source-ip 10.100.1.2
cts sxp default password 7 <encrypted>
cts sxp connection peer 10.254.1.10 source 10.100.1.2 password default mode peer speaker
! SGT Propagation on Tunnel Interface
interface Tunnel100
description "SD-WAN Tunnel - CTS Enabled"
cts role-based enforcement
cts manual
propagate sgt
!
!
! Service VPN Interface with CTS
interface GigabitEthernet0/0/2.10
description "Employee VPN - SD-Access Handoff"
cts role-based enforcement
cts manual
propagate sgt
!
!
4.2 SD-WAN Manager TrustSec Template
! Feature Template: TrustSec
trustsec
credentials
id ABHAV-WANEDGE-{{site_id}}
password <encrypted>
!
sxp
enable
source-ip {{system_ip}}
default-password <encrypted>
connection-peer {{ise_psn_ip}}
password default
mode local listener
!
!
role-based
enforcement enable
enforcement vlan-list all
sgt-map {{server_ip}} sgt {{server_sgt}}
!
!
4.3 ISE Integration for SXP
! ISE SXP Speaker Configuration
cts sxp enable
cts sxp default source-ip 10.254.1.10
cts sxp default password 7 ABHAV_SXP_KEY
! SXP Connections to WAN Edges
cts sxp connection peer 10.100.1.2 source 10.254.1.10 password default mode local speaker
cts sxp connection peer 10.100.1.3 source 10.254.1.10 password default mode local speaker
cts sxp connection peer 10.100.2.2 source 10.254.1.10 password default mode local speaker
cts sxp connection peer 10.100.2.3 source 10.254.1.10 password default mode local speaker
5. SGACL Policy Enforcement
5.1 SGACL Matrix
+------------------------------------------------------------------+
| SGACL POLICY MATRIX |
+------------------------------------------------------------------+
| |
| Source SGT | Dest SGT 3 | Dest SGT 4 | Dest SGT 7 | ... |
| (Rows) | (Employees) | (Guests) | (IoT) | |
| --------------+-------------+-------------+-------------+--------|
| SGT 3 (Empl) | PERMIT_ALL | DENY | DENY | ... |
| SGT 4 (Guest) | DENY | PERMIT_INET | DENY | ... |
| SGT 5 (Admin) | PERMIT_ALL | PERMIT_ALL | PERMIT_ALL | ... |
| SGT 7 (IoT) | DENY | DENY | PERMIT_IOT | ... |
| SGT 9 (Voice) | PERMIT_VOICE| DENY | DENY | ... |
| SGT 10 (Srv) | PERMIT_ALL | DENY | PERMIT_IOT | ... |
| SGT 12 (PCI) | DENY | DENY | DENY | ... |
| |
+------------------------------------------------------------------+
5.2 SGACL Definitions
! SGACL: Employee to Servers - Full Access
ip access-list role-based PERMIT_ALL
permit ip
! SGACL: Guest - Internet Only
ip access-list role-based PERMIT_INET
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip
! SGACL: IoT - Restricted
ip access-list role-based PERMIT_IOT
permit tcp any any eq 443
permit tcp any any eq 8883
permit udp any any eq 123
deny ip
! SGACL: Voice - Voice Protocols Only
ip access-list role-based PERMIT_VOICE
permit udp any any range 16384 32767
permit tcp any any eq 5060
permit tcp any any eq 5061
permit tcp any any eq 2000
deny ip
! SGACL: Default Deny
ip access-list role-based DENY_ALL
deny ip
5.3 SGACL Binding to SGT Pairs
! ISE TrustSec Policy Configuration
! (Configured in ISE GUI, shown as CLI representation)
cts role-based permissions from 3 to 10 ! Employee to Servers
PERMIT_ALL
cts role-based permissions from 4 to any ! Guest to Any
PERMIT_INET
cts role-based permissions from 7 to 10 ! IoT to Servers
PERMIT_IOT
cts role-based permissions from 9 to 10 ! Voice to Servers
PERMIT_VOICE
cts role-based permissions from 12 to any ! PCI to Any
DENY_ALL
cts role-based permissions default
DENY_ALL
6. SGT Across WAN Scenarios
6.1 Campus to Remote Site
+------------------------------------------------------------------+
| SGT PROPAGATION: CAMPUS TO REMOTE |
+------------------------------------------------------------------+
| |
| MUMBAI CAMPUS BANGALORE BRANCH |
| +----------------+ +----------------+ |
| | User: SGT 3 | | Server: SGT 10 | |
| | (Employee) | | (DC App) | |
| +-------+--------+ +-------+--------+ |
| | ^ |
| v | |
| +-------+--------+ +-------+--------+ |
| | Access Switch | | Remote Router | |
| | CTS Inline | | SGACL Enforce | |
| +-------+--------+ +-------+--------+ |
| | ^ |
| v | |
| +-------+--------+ +-------+--------+ |
| | Fabric Border | | WAN Edge | |
| | SGT: 3 | | SGT: 3 (recv) | |
| +-------+--------+ +-------+--------+ |
| | ^ |
| | IPsec Tunnel (SGT in CMD) | |
| +------------------------------------+ |
| |
| Policy Applied: Employee (SGT 3) -> Server (SGT 10) = PERMIT |
| |
+------------------------------------------------------------------+
6.2 Remote Site to Remote Site
+------------------------------------------------------------------+
| SGT PROPAGATION: REMOTE TO REMOTE |
+------------------------------------------------------------------+
| |
| BANGALORE BRANCH DELHI BRANCH |
| +----------------+ +----------------+ |
| | IP Phone | | IP Phone | |
| | SGT 9 (Voice) | | SGT 9 (Voice) | |
| +-------+--------+ +-------+--------+ |
| | ^ |
| v | |
| +-------+--------+ +-------+--------+ |
| | WAN Edge BLR | | WAN Edge DEL | |
| | Source: SGT 9 | | Dest: SGT 9 | |
| +-------+--------+ +-------+--------+ |
| | ^ |
| | Direct Spoke-to-Spoke Tunnel | |
| +------------------------------------+ |
| |
| Policy Applied: Voice (SGT 9) -> Voice (SGT 9) = PERMIT_VOICE |
| |
| Note: On-demand tunnel for voice maintains SGT throughout |
| |
+------------------------------------------------------------------+
6.3 Cloud Access with SGT
+------------------------------------------------------------------+
| SGT PROPAGATION: ON-PREM TO CLOUD |
+------------------------------------------------------------------+
| |
| MUMBAI CAMPUS AWS CLOUD GATEWAY |
| +----------------+ +------------------------+ |
| | User: SGT 3 | | Cloud App | |
| | (Employee) | | (Destination) | |
| +-------+--------+ +-----------+------------+ |
| | ^ |
| v | |
| +-------+--------+ +-----------+------------+ |
| | Fabric Border | | AWS Transit Gateway | |
| | SGT: 3 | | SGT Mapping Required | |
| +-------+--------+ +-----------+------------+ |
| | ^ |
| v | |
| +-------+--------+ +-----------+------------+ |
| | Mumbai WAN Edge|-------->| Cloud OnRamp Gateway | |
| | SGT Preserved | IPsec | SXP for SGT Mapping | |
| +----------------+ +------------------------+ |
| |
| Cloud Gateway Mapping: |
| - Receives SGT via CTS inline or SXP |
| - Applies cloud security group based on SGT |
| - Enables consistent policy in hybrid environment |
| |
+------------------------------------------------------------------+
7. Static SGT Assignment
7.1 Server and Infrastructure SGT
For devices that cannot authenticate (servers, printers, infrastructure), static SGT mappings are required.
! Static IP-SGT Mappings on WAN Edge
cts role-based sgt-map 172.20.10.10 sgt 10 ! AD Server
cts role-based sgt-map 172.20.10.11 sgt 10 ! AD Server 2
cts role-based sgt-map 172.20.1.10 sgt 10 ! DNS Server
cts role-based sgt-map 172.20.1.11 sgt 10 ! DNS Server 2
cts role-based sgt-map 172.19.1.10 sgt 11 ! CUCM Publisher
cts role-based sgt-map 172.19.1.11 sgt 11 ! CUCM Subscriber
cts role-based sgt-map 172.30.10.0/24 sgt 12 ! PCI Subnet
! Verify Static Mappings
show cts role-based sgt-map all
7.2 Subnet-based SGT Assignment
! Subnet-based SGT Mapping (when IP authentication not possible)
cts role-based sgt-map 172.16.10.0/23 sgt 3 ! Mumbai Employee
cts role-based sgt-map 172.17.10.0/24 sgt 4 ! Mumbai Guest
cts role-based sgt-map 172.18.10.0/24 sgt 7 ! Mumbai IoT
cts role-based sgt-map 172.19.10.0/24 sgt 9 ! Mumbai Voice
! VRF-aware SGT Mapping
cts role-based sgt-map vrf Employee 172.16.0.0/14 sgt 3
cts role-based sgt-map vrf Guest 172.17.0.0/16 sgt 4
cts role-based sgt-map vrf IoT 172.18.0.0/16 sgt 7
cts role-based sgt-map vrf Voice 172.19.0.0/16 sgt 9
8. SGT Policy Integration with SD-WAN
8.1 Data Policy with SGT Matching
! SD-WAN Data Policy with SGT Awareness
policy
data-policy SGT-AWARE-POLICY
vpn-list VPN-10-EMPLOYEE
! High-priority routing for Executives
sequence 10
match
source-sgt 6
app-list BUSINESS-CRITICAL
action accept
set
local-tloc-list MPLS-PREFERRED
dscp 46
!
!
! Standard routing for Employees
sequence 20
match
source-sgt 3
action accept
set
local-tloc-list LOAD-BALANCE
!
!
! Restrict IoT cloud access
sequence 30
match
source-sgt 7
action accept
set
local-tloc-list INTERNET-ONLY
service firewall
!
!
!
!
!
8.2 Application-Aware Routing with SGT
! AAR Policy Enhanced with SGT
policy
app-route-policy SGT-AAR-POLICY
vpn-list VPN-10-EMPLOYEE
! Voice traffic from Voice SGT gets priority
sequence 10
match
source-sgt 9
app-list VOICE-VIDEO
action
sla-class VOICE-SLA strict
backup-sla-preferred-color mpls
!
!
! Executive traffic gets premium path
sequence 20
match
source-sgt 6
action
sla-class PREMIUM-SLA
backup-sla-preferred-color mpls
!
!
!
!
!
9. Verification and Monitoring
9.1 SGT Verification Commands
! Verify CTS Status
show cts
show cts pacs
show cts environment-data
! Verify SXP Connections
show cts sxp connections
show cts sxp sgt-map
! Verify SGT Propagation
show cts role-based sgt-map all
show cts role-based counters
! Verify SGACL Policies
show cts role-based permissions
show cts rbacl
! Example Output: CTS Status
CTS Global Inline Tagging: Enabled
CTS Cache (SGACL Instance): Enabled
CTS Cache (Role-based permissions): Enabled
CTS SXP Connections: 4
CTS SXP Learned SGT/Mapping: 2847
9.2 Troubleshooting SGT Issues
| Issue |
Symptoms |
Diagnosis |
Resolution |
| SGT Not Propagating |
Traffic denied |
show cts interface |
Enable CTS on interface |
| SXP Connection Down |
No bindings |
show cts sxp connections |
Check credentials, reachability |
| SGACL Not Enforcing |
Unexpected access |
show cts role-based permissions |
Verify policy download |
| SGT Mismatch |
Wrong policy |
show cts role-based sgt-map |
Check static mappings |
9.3 Monitoring Dashboard
+------------------------------------------------------------------+
| SGT MONITORING DASHBOARD |
+------------------------------------------------------------------+
| |
| Real-Time Metrics: |
| +----------------------------------------------------------+ |
| | Metric | Value | Status | |
| +----------------------------------------------------------+ |
| | Active SGT Bindings | 12,847 | Normal | |
| | SXP Connections | 8/8 | Healthy | |
| | SGACL Denies (1 hour) | 342 | Monitor | |
| | Unknown SGT Traffic | 0.1% | Normal | |
| | CTS Enabled Interfaces | 156/160 | 97.5% | |
| +----------------------------------------------------------+ |
| |
| Alert Thresholds: |
| - SXP Connection Loss: Immediate alert |
| - Unknown SGT > 1%: Warning |
| - SGACL Denies spike: Investigate |
| |
+------------------------------------------------------------------+
10. Best Practices Summary
10.1 SGT Design Best Practices
- Keep SGT taxonomy simple (< 16 for most deployments)
- Align SGTs with business roles, not technical groups
- Document all SGT assignments and their purpose
- Use descriptive names for SGACLs
10.2 Propagation Best Practices
- Prefer CTS inline tagging over SXP where possible
- Use SXP only for legacy or third-party devices
- Ensure all transit devices support CTS
- Monitor SXP connection health
10.3 Policy Best Practices
- Default to deny between different SGT groups
- Explicitly permit only required communication
- Test SGACL policies in lab before production
- Regular audit of SGT assignments and policies
10.4 Operational Best Practices
- Monitor SGACL deny counters for anomalies
- Alert on SXP connection failures
- Include SGT in troubleshooting workflows
- Document SGT in network diagrams
References
| Document |
Description |
Location |
| Cisco TrustSec Design Guide |
Official TrustSec documentation |
cisco.com |
| ISE TrustSec Configuration |
ISE SGT/SGACL setup |
cisco.com |
| SD-WAN TrustSec Integration |
SD-WAN specific guidance |
cisco.com |
| Abhavtech SGT Policy |
Corporate SGT definitions |
SharePoint |
Document Version: 1.0
Last Updated: December 2025
Classification: Internal Use
Document ID: SDWAN-SEC-3.5