{"id":2895,"date":"2026-01-19T21:55:00","date_gmt":"2026-01-19T21:55:00","guid":{"rendered":"https:\/\/www.balajibandi.com\/?p=2895"},"modified":"2026-02-14T08:57:53","modified_gmt":"2026-02-14T08:57:53","slug":"84-days-to-ccie-sec-v6-1-lab","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=2895","title":{"rendered":"84 Days to CCIE SEC v6.1 Lab"},"content":{"rendered":"\n

Cisco TrustSec: The Software-Defined Perimeter<\/strong><\/mark><\/h2>\n\n\n\n

In traditional networking, security is tied to IP addresses<\/strong>. If a user moves or a server changes its subnet, your firewall rules and Access Control Lists (ACLs) break.<\/p>\n\n\n\n

Cisco TrustSec<\/strong> solves this by decoupling security from topology. It uses Scalable Group Tags (SGTs)<\/strong>\u2014metadata assigned to traffic at the point of entry\u2014to enforce policy based on identity<\/em> rather than IP.<\/p>\n\n\n\n

What is TrustSec?<\/strong><\/mark><\/h2>\n\n\n\n

TrustSec is a Next-Generation access control mechanism that simplifies the provisioning and management of network security. It operates on three pillars:<\/p>\n\n\n\n

    \n
  1. Classification:<\/strong>\u00a0When a user authenticates (via 802.1X or MAB), they are assigned a decimal value called an\u00a0SGT<\/strong>\u00a0(e.g., Finance = 4, HR = 5).<\/li>\n\n\n\n
  2. Propagation:<\/strong>\u00a0The SGT is inserted into the Layer 2 Ethernet frame (using the\u00a0Cisco Meta Data\/CMD<\/strong>\u00a0field) and carried across the network.<\/li>\n\n\n\n
  3. Enforcement:<\/strong>\u00a0The egress device (usually a firewall or another switch) looks at the destination and source SGT and decides whether to permit or deny the traffic using an\u00a0SGACL<\/strong>\u00a0(Scalable Group ACL).<\/li>\n<\/ol>\n\n\n\n

    Use Case: The “Lateral Movement” Problem<\/h3>\n\n\n\n

    In a standard flat network, if a guest’s laptop is compromised, they can scan and attack a printer or a server in the same VLAN.<\/p>\n\n\n\n

      \n
    • With TrustSec:<\/strong>\u00a0You create a policy:\u00a0SGT_Guest<\/strong>\u00a0cannot talk to\u00a0SGT_Compliance_Server<\/strong>. Even if they are on the same subnet, the switch will drop the traffic at the hardware level because the tags don’t match the allowed policy.<\/li>\n<\/ul>\n\n\n\n
      \n\n\n\n

      The Power Couple: DNAC and ISE Integration<\/strong><\/mark><\/h2>\n\n\n\n

      Cisco DNA Center (DNAC)<\/strong>\u00a0acts as the orchestrator (the “brain”), while\u00a0Identity Services Engine (ISE)<\/strong>\u00a0acts as the policy engine and RADIUS server.<\/p>\n\n\n\n

      The Integration Workflow<\/h2>\n\n\n\n

      To make TrustSec work at scale, DNAC and ISE must be synchronized via pxGrid<\/strong> and REST APIs<\/strong>.<\/p>\n\n\n\n

        \n
      1. Identity Propagation:<\/strong>\u00a0ISE is the “Source of Truth” for SGTs. When you create a Scalable Group in ISE, it is pushed to DNAC.<\/li>\n\n\n\n
      2. Fabric Provisioning:<\/strong>\u00a0DNAC configures the underlying hardware (Catalyst switches\/Wireless controllers) to support TrustSec (CTS) commands.<\/li>\n\n\n\n
      3. Policy Matrix:<\/strong>\u00a0Instead of writing thousands of lines of ACLs, you use a\u00a0Grid Matrix<\/strong>\u00a0in either DNAC or ISE. You simply find the intersection of\u00a0Source SGT<\/em>\u00a0and\u00a0Destination SGT<\/em>\u00a0and select “Deny” or “Permit.”<\/li>\n<\/ol>\n\n\n\n
        \n\n\n\n

        Step-by-Step Concepts: How it works in the Fabric<\/strong><\/mark><\/h2>\n\n\n\n

        Step 1: Authentication & Classification<\/strong>
        A user connects. ISE validates their credentials. ISE sends an Access-Accept<\/strong> to the switch, which includes the SGT (e.g., SGT 10).<\/p>\n\n\n\n

        Step 2: Tagging (Inline Tagging)<\/strong>
        The switch tags every packet from that user with SGT 10<\/strong>. If the packet moves across the network to another switch, the tag stays inside the Ethernet frame (specifically the 802.1Q header or via VXLAN-GPO in a fabric).<\/p>\n\n\n\n

        Step 3: Policy Download<\/strong>
        The egress switch (where the destination server lives) connects to ISE and downloads the SGT Policy Matrix<\/strong>. It doesn’t need to know the user’s IP; it only needs to know that “SGT 10” is trying to reach “SGT 20” (the Server).<\/p>\n\n\n\n

        Step 4: Hardware Enforcement<\/strong>
        The switch checks its\u00a0ASIC (TCAM)<\/strong>. If the matrix says\u00a0SGT 10\u00a0<\/em><\/p>\n\n\n\n

        \u00a0SGT 20 = Deny<\/em>, the packet is dropped immediately.<\/p>\n\n\n\n

        \n\n\n\n

        Why use DNAC?<\/strong><\/mark><\/h2>\n\n\n\n

        While you can<\/em> run TrustSec without DNAC (using just ISE and switches), DNAC simplifies the “Propagation” phase.<\/strong> In a non-fabric network, every “hop” must support inline tagging. DNAC automates the deployment of SXP (SGT Exchange Protocol)<\/strong>\u2014a protocol that “tunnels” tags over network segments that don’t support TrustSec\u2014ensuring your security policy remains unbroken from end-to-end.<\/p>\n\n\n\n

        Pro-Tip:<\/strong>\u00a0Remember that\u00a0SGTs are 16-bit values<\/strong>. Always verify your SGT propagation using the command\u00a0show cts role-based sgt-map all<\/strong><\/code>\u00a0on your edge switches.<\/p>\n\n\n\n

        Integrating Cisco TrustSec within a DNA Center (DNAC) and Identity Services Engine (ISE) environment requires specific hardware, software, and synchronization steps to function correctly.<\/p>\n\n\n\n

        1. Key Requirements<\/strong><\/mark><\/h2>\n\n\n\n

        Before starting the configuration, ensure these prerequisites are met: <\/p>\n\n\n\n

          \n
        • Hardware Compatibility<\/strong>: All network devices (switches, WLCs) must support\u00a0Inline Tagging<\/strong>\u00a0(CMD) to carry SGTs in the Ethernet frame. Catalyst 9000 series switches are the standard for full TrustSec support.<\/li>\n\n\n\n
        • ISE Services<\/strong>: On the ISE node, you must enable\u00a0pxGrid<\/strong>\u00a0(for context sharing) and\u00a0ERS (External RESTful Services)<\/strong>\u00a0with Read\/Write access.<\/li>\n\n\n\n
        • Network Reachability & Ports<\/strong>: DNAC and ISE must communicate over ports\u00a0443<\/strong>\u00a0(HTTPS\/ERS),\u00a05222<\/strong>\u00a0(pxGrid),\u00a08910<\/strong>, and\u00a09060<\/strong>.<\/li>\n\n\n\n
        • Certificates<\/strong>: Both systems must trust each other\u2019s certificates. It is recommended that the ISE internal CA sign the pxGrid certificates.<\/li>\n\n\n\n
        • MTU Adjustments<\/strong>: TrustSec adds an 8-byte overhead to Ethernet frames; ensure your MTU is at least\u00a01508 bytes<\/strong>\u00a0on all transit links to avoid fragmentation or drops.\u00a0<\/li>\n<\/ul>\n\n\n\n
          \n\n\n
          \n
          \"\"<\/figure>\n<\/div>\n\n\n

          2. Configuration Steps (Integration & Policy)<\/strong><\/mark><\/h2>\n\n\n\n

          Step 1: Prepare ISE <\/h3>\n\n\n\n
            \n
          1. Enable TrustSec Role<\/strong>: Go to\u00a0Administration > System > Deployment<\/strong>, edit your node, and check\u00a0Enable TrustSec<\/strong>\u00a0and\u00a0Enable SXP Service<\/strong>.<\/li>\n\n\n\n
          2. Enable APIs<\/strong>: Navigate to\u00a0Administration > System > Settings > ERS Settings<\/strong>\u00a0and select\u00a0Enable ERS for Read\/Write<\/strong>.<\/li>\n\n\n\n
          3. pxGrid Settings<\/strong>: Ensure pxGrid is enabled and set to\u00a0Automatically approve new certificate-based accounts<\/strong>\u00a0to allow DNAC to subscribe seamlessly.\u00a0<\/li>\n<\/ol>\n\n\n\n

            Step 2: Integrate DNAC with ISE <\/h3>\n\n\n\n
              \n
            1. In DNAC, navigate to\u00a0System > Settings > Authentication and Policy Servers<\/strong>.<\/li>\n\n\n\n
            2. Add the ISE server using its\u00a0FQDN<\/strong>\u00a0(IP-only is often unsupported for certificate reasons), admin credentials, and a\u00a0Shared Secret<\/strong>\u00a0for RADIUS.<\/li>\n\n\n\n
            3. Verify the status shows as\u00a0Active<\/strong>\u00a0or\u00a0Connected<\/strong>.\u00a0<\/li>\n<\/ol>\n\n\n\n

              Step 3: Define Scalable Groups (SGTs) <\/h3>\n\n\n\n
                \n
              • In an SD-Access\/DNAC environment,\u00a0always create SGTs in DNAC<\/strong>\u00a0first (Policy > Group-Based Access Control > Scalable Groups<\/strong>).<\/li>\n\n\n\n
              • DNAC will automatically push these groups to ISE via the API.\u00a0<\/li>\n<\/ul>\n\n\n\n

                Step 4: Create Policies (Contracts & Matrix) <\/h3>\n\n\n\n
                  \n
                1. Create a Contract<\/strong>: In DNAC (Policy > Contracts<\/strong>), define what traffic is allowed (e.g., Permit IP, Deny SSH).<\/li>\n\n\n\n
                2. Assign Policy<\/strong>: Go to\u00a0Policy > Group-Based Access Control Policies<\/strong>, select a Source SGT and Destination SGT, and assign the contract.<\/li>\n\n\n\n
                3. Deploy<\/strong>: Click\u00a0Deploy<\/strong>. This pushes the SGACL (Scalable Group ACL) to ISE and notifies the network devices to download the new policy matrix.\u00a0<\/li>\n<\/ol>\n\n\n
                  \n
                  \"\"<\/figure>\n<\/div>\n\n\n

                  Step 5: Provision Fabric Devices<\/h3>\n\n\n\n
                    \n
                  1. Use DNAC to provision your switches. DNAC will configure the necessary\u00a0cts<\/code>\u00a0commands on the switch CLI automatically.<\/li>\n\n\n\n
                  2. Verification<\/strong>: On a switch, use\u00a0show cts environment-data<\/code>\u00a0to confirm SGTs are downloaded and\u00a0show cts role-based permissions<\/code>\u00a0to see the active policy matrix.\u00a0<\/li>\n<\/ol>\n\n\n\n

                    Use Case Summary<\/strong><\/mark><\/h3>\n\n\n\n

                    The primary use case is\u00a0Micro-segmentation<\/strong>. For example, if you have two groups (e.g., “Contractors” and “Internal_Devs”) on the same VLAN, you can use a DNAC policy to block Contractors from accessing the Devs’ servers without ever touching a traditional IP-based firewall rule.<\/p>\n\n\n\n

                    Happy Labingggggggggggggg !<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

                    Cisco TrustSec: The Software-Defined Perimeter In traditional networking, security is tied to IP addresses. If a user moves or a server changes its subnet, your firewall rules and Access Control Lists (ACLs) break. Cisco TrustSec solves this by decoupling security from topology. It uses Scalable Group Tags (SGTs)\u2014metadata assigned to traffic at the point of entry\u2014to enforce policy […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2],"tags":[],"class_list":["post-2895","post","type-post","status-publish","format-standard","hentry","category-ccie-sec","category-cisco"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2895","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2895"}],"version-history":[{"count":2,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2895\/revisions"}],"predecessor-version":[{"id":2900,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2895\/revisions\/2900"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2895"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2895"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}