Cisco TrustSec Security Solution Overview

Cisco TrustSec is an umbrella name describing security enhancements to Cisco network devices, specifically in access control enforcement, to solve the growing operational problems associated with managing firewall rules and access control lists (ACLs) using Security Group Tag (SGT) tags. Firewall rules can now be written using server roles instead of IP addresses.

SGT tags are also known as Scalable Group Tags in Cisco Software-Defined Access (SD-Access).


Security Group Tags are used to tag ingress and filter egress, enforcing an access control policy. Cisco ISE assigns the SGT tags to users or clients after successfully authenticating and authorized via 802.1x, MAB, or WebAuth. The TrustSec enforcement node can be a Cisco firewall, router, or switch, and once the SGT tag is assigned, a security policy (allow or deny action) based on the SGT source and destination tag can be applied at any egress point of the TrustSec network.

Cisco TrustSec can be divided into three phases: Classification, Propagation, and Enforcement.



Classification happens on the ingress, and it is when users, devices, or other resources connect to the network and are assigned with SGT tags. It can either be a static or dynamic assignment.

Static Assignment

In environments where we do not require authentication, dynamic SGT assignment is impossible. In these instances, SGT tags can be statically assigned on SGT-capable network devices and can be either of the following:

  1. IP to SGT Mapping
  2. Subnet to SGT Mapping
  3. VLAN to SGT Mapping
  4. Port to SGT Mapping
  5. Layer 2 interface to SGT Mapping
  6. Layer 3 logical interface to SGT Mapping
  7. Port profile to SGT Mapping


Dynamic Assignment

The SGT tag can be assigned dynamically and downloaded as an authorization option from ISE when using 802.1x, MAB, or WebAuth authentication.



After classifying user traffic, the SGT is propagated from the node at which classification occurred to the node where enforcement action will be implemented. This is referred to as propagation, and Cisco TrustSec supports two different methods of SGT propagation: inline tagging and SXP.

Inline Tagging

The SGT is embedded into the ethernet frame to allow the upstream devices to read and apply policy. The ability to insert the SGT within an ethernet frame does require Cisco network devices with ASIC support for TrustSec. The frame is dropped if a tagged frame is received by a network device that does not support it.


SXP (SGT Exchange Protocol)

Network devices that don’t have hardware support use a protocol called SXP, a TCP-based peer-to-peer protocol. It is used to share the IP to SGT mapping and allows for continued SGT propagation to the next device in the path. SXP peer that sends IP to SGT mapping is called a speaker while IP to SGT mapping receiver is called a listener.



As mentioned earlier, the enforcement point can be a Cisco firewall, router, or switch. Additionally, policies will be executed at the TrustSec network’s egress point. There are several methods for enforcing traffic based on the SGT tag, but the two major types are as follows:

Security Group ACL (SGACL)

It enforces policies on routers and switches. Access lists do egress filtering based on the source and destination SGT tags. Moreover, SGACLs are specified centrally on ISE.


Security Group Firewall (SGFW)

It enforces firewall policies such as Cisco ASA and NGFW. SGFW rules are specified locally on the firewall using tag-based rules.

Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.

We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training: