Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Security Group Tagging without ISE - one which device?

Unanswered Question
Jul 7th, 2014
User Badges:

If I have a TrustSec domain set up, and want to utilise IP-SGT mappings by using the "cts role-based sgt-map {ip} sgt <sgt-id-number>" commands - on what device do these commands need to get executed?


I have been researching this a lot in Cisco documentation but cannot find a clear answer. I am either referred to configuring ISE (which I don't have), or using the command (eg. http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration...). However, no document I have found actually tells me on which device this should be executed? Can it be on any switch in the TrustSec domain? Must it be on a seed device? On the authentication server?   (this is especially relevant when the access switch to which the host that I'm applying the SGT to, is not part of the TrustSec domain itself).


Any ideas what I am missing?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mohanak Thu, 07/17/2014 - 04:02
User Badges:
  • Gold, 750 points or more

Please refer

Cisco TrustSec- Facilitated Infrastructure

Cisco TrustSec uniquely builds upon your existing identity-aware infrastructure by enforcing these policies in a scalable manner with the innovative Cisco Security Group Access (SGA) and Device Sensors. It also helps to ensure complete data confidentiality using ubiquitous encryption between network devices with MAC sec encryption



This Discussion

Related Content