How are Cisco TrustSec tags applied?

Mitrixsen
Level 1

Hello, everyone.

I am quite early into SDN and I have some questions regarding the SD-Access fabric and how policies can be applied to it.

From what I understand, the various security policies in the fabric can be either statically or dynamically configured via Cisco TrustSec, which I assume is configured on platforms such as ISE?

If I understand correctly, the benefit of TrustSec is that we can assign a tag to each user after they authenticate and, based on the assigned tag, we can process various security policies (allow/deny them access to certain parts of the network, etc.) instead of relying on IP addresses, MAC addresses, etc., which is easier to manage than the traditional ACL/VLAN segmentation way of applying policies.

So since we're identifying users based on these tags, regardless of whether the user roams somewhere or connects wirelessly or to another switchport, they will still have the same policies applied because they have been tagged.

How is this tag applied? For example, how do I define that a specific user should be tagged? What parameters can I use for this? What makes logical sense to me is to apply it to the user credentials. Say, if someone with a name of John and a password of Cisco joins in, they should have the tag applied.

Thank you!
David

Accepted Solution

"... which is easier..."
Very disputable topic, as e.g. for scalability & easiness in multi-site deployments you must implement either IP-to-SGT propagation via SXP (which is not as easy as it may look at first glance) or maintain static IP-to-SGT assignments on the Fabric BNs (which is obviously neither scalable nor easy).
"How is this tag applied?"
In SDA basically 3 methods are available for ingress switches to "stick" an SGT to a source:
VLAN-to-SGT via DNAC UI
static SGT on port via DNAC UI
dynamic SGT by ISE during AAA (finally the switch applies the SGT received from ISE)
"For example, how do I define that a specific user should be tagged?"
In the SDA case it's ISE.
"What parameters can I use for this?"
With the static approach you use a known VLAN|port & SGT.
With the dynamic one you may use whatever properties of the AAA session ISE can use in its AuthZ policies.
"What makes logical sense to me is to apply it to the user credentials. Say, if someone with a name of John and a password of Cisco joins in, they should have the tag applied."
The password makes zero sense here. It's only for successful AuthC/AuthZ on ISE. Then ISE, based on the user's properties, may assign a specific SGT in case of successful authentication/authorization.

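As an added illustration of the three assignment methods described in the accepted answer (not code from the thread, Cisco ISE or DNAC), the following Python model shows an ISE-style authorization policy picking an SGT from AAA session attributes and an ingress switch falling back to static port and VLAN bindings. Rule names, attribute keys, SGT values and the dynamic-over-static precedence order are hypothetical choices of this model, not documented ISE or IOS-XE behaviour.

```python
# Added example, not from the original thread. Models how an SD-Access ingress
# switch ends up with an SGT for a source: dynamic SGT from ISE during AAA,
# static port-to-SGT, or static VLAN-to-SGT. All names/values are constructed.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class AuthzRule:
    """One ISE-style authorization rule: condition over session attributes -> SGT."""
    name: str
    condition: Callable[[dict], bool]
    sgt: int


# First match wins. Conditions use AAA session properties (identity groups,
# auth method, endpoint profile). The password is never an attribute here: it is
# consumed by authentication, and only success/failure reaches authorization.
ISE_POLICY = [
    AuthzRule("Contractors_Wired_8021X",
              lambda s: "Contractors" in s.get("groups", []) and s.get("auth_method") == "dot1x", 20),
    AuthzRule("Employees_Any", lambda s: "Employees" in s.get("groups", []), 10),
    AuthzRule("Printers_MAB",
              lambda s: s.get("auth_method") == "mab" and s.get("profile") == "Printer", 30),
]
DEFAULT_SGT = 2  # constructed catch-all, comparable to a default authorization rule


def ise_authorize(session: dict) -> Optional[int]:
    """Return the SGT ISE would send in the Access-Accept, or None if AuthC failed."""
    if not session.get("authenticated"):
        return None  # failed authentication never reaches the AuthZ policy
    for rule in ISE_POLICY:
        if rule.condition(session):
            return rule.sgt
    return DEFAULT_SGT


@dataclass
class IngressSwitch:
    """Static bindings an admin would push (via DNAC UI in SDA) plus the classifier."""
    vlan_sgt: dict = field(default_factory=dict)   # VLAN id -> SGT
    port_sgt: dict = field(default_factory=dict)   # interface -> SGT

    def classify(self, port: str, vlan: int, session: Optional[dict]) -> int:
        # Precedence here is an assumption of the model: a dynamic SGT returned by
        # ISE wins, then the static port binding, then the static VLAN binding.
        if session is not None:
            sgt = ise_authorize(session)
            if sgt is not None:
                return sgt
        if port in self.port_sgt:
            return self.port_sgt[port]
        return self.vlan_sgt.get(vlan, 0)  # 0 = unknown / untagged
```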