Trustsec and PCI

agreenwald
Level 1

Does anyone know under Cisco’s TrustSec Security Group Tagging (SGT) if the packets that are tagged are flowing through the network routers/switches unencrypted or encrypted? 

I guess the other way to look at it is: assuming a person were able to compromise a core switch and get enable access to the device, would they potentially be able to see the payload in SGT-tagged packets flowing through the switch?

Thanks,

1 Reply

Kevin Regan
Cisco Employee

Encryption of SGT-tagged traffic is optional and depends on the switches involved.

Some switches can encrypt and authenticate packets with Security Group Tags using MACsec if they have capable line cards or uplink modules installed (Catalyst 3560X, 3650, 4500, 6500 and Nexus 7000). Some switches tag traffic but do not have any MACsec capabilities, for instance, the Nexus 5500 and 5600.

As MACsec encryption works on a hop-by-hop basis, the traffic is not encrypted within a switch. This means that traffic could be sent to a SPAN port as an example.

For completeness, tagged traffic over a WAN would typically be encrypted with IPsec, DM-VPN or GET-VPN.

At http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html, the switches that can encrypt SGT-tagged traffic have an ‘SGT over MACsec’ entry in the column marked ‘Inline SGT Tagging’.
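As an added illustration of the answer above (not code from the thread or from Cisco), the classifier below takes a raw Ethernet frame as it would be seen on a link or a SPAN port and reports whether the SGT and payload are readable at that point: a frame carrying the Cisco MetaData (CMD) header is cleartext, a MACsec frame is readable only if its TCI.E (encryption) bit is clear. It assumes EtherType 0x8909 for CMD and 0x88E5 for the 802.1AE SecTAG, and a CMD layout of version, length, option type, SGT, inner EtherType as Wireshark dissects it; the sample frames are constructed.

```python
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_CMD = 0x8909     # Cisco MetaData header that carries the SGT (assumed value)
ETHERTYPE_MACSEC = 0x88E5  # IEEE 802.1AE SecTAG

def _next_ethertype(frame: bytes, off: int):
    """Read the EtherType at `off`, skipping any 802.1Q tags; return (ethertype, offset past it)."""
    etype, = struct.unpack_from("!H", frame, off)
    off += 2
    while etype == ETHERTYPE_VLAN:
        etype, = struct.unpack_from("!H", frame, off + 2)
        off += 4
    return etype, off

def classify_frame(frame: bytes) -> dict:
    """Describe what an observer on this hop (link tap or SPAN port) can read from the frame."""
    etype, off = _next_ethertype(frame, 12)  # skip destination and source MAC
    result = {"macsec": False, "payload_encrypted": False, "sgt": None}
    if etype == ETHERTYPE_MACSEC:
        tci = frame[off]                       # TCI/AN octet of the SecTAG
        result["macsec"] = True
        result["payload_encrypted"] = bool(tci & 0x08)  # TCI.E: confidentiality enabled
        if result["payload_encrypted"]:
            return result                      # nothing past the SecTAG is readable here
        # Integrity-only MACsec: SecTAG is 6 bytes, plus an 8-byte SCI when TCI.SC is set,
        # and the original EtherType follows in the clear.
        off += 6 + (8 if tci & 0x20 else 0)
        etype, off = _next_ethertype(frame, off)
    if etype == ETHERTYPE_CMD:
        # Assumed CMD layout: version(1) length(1) option type(2) SGT(2) inner EtherType(2)
        result["sgt"], = struct.unpack_from("!H", frame, off + 4)
    return result

# Constructed sample frames (addresses and payload bytes are placeholders).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
CMD_SGT10 = bytes.fromhex("0101" "0001" "000a" "0800")          # CMD with SGT 10, inner IPv4
CLEARTEXT_SGT_FRAME = DST + SRC + bytes.fromhex("8909") + CMD_SGT10 + bytes(20)
# TCI 0x2c: SC=1, E=1, C=1 -> encrypted; SecTAG + SCI, then opaque ciphertext
MACSEC_ENCRYPTED_FRAME = DST + SRC + bytes.fromhex("88e5" "2c00" "00000001") + bytes(8) + bytes(32)
# TCI 0x20: SC=1, E=0, C=0 -> integrity-only; SGT and payload remain readable
MACSEC_INTEGRITY_ONLY_FRAME = (DST + SRC + bytes.fromhex("88e5" "2000" "00000001") + bytes(8)
                               + bytes.fromhex("8909") + CMD_SGT10)

if __name__ == "__main__":
    for name in ("CLEARTEXT_SGT_FRAME", "MACSEC_ENCRYPTED_FRAME", "MACSEC_INTEGRITY_ONLY_FRAME"):
        print(name, classify_frame(globals()[name]))
```

Run it against frames captured on an uplink or SPAN session to confirm that a link you believe is MACsec-protected actually has confidentiality enabled and is not only integrity-protected.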