Cisco Support Community
Community Member

Security Group Tagging without ISE - on which device?

If I have a TrustSec domain set up, and want to utilise IP-SGT mappings by using the "cts role-based sgt-map {ip} sgt <sgt-id-number>" commands - on what device do these commands need to get executed?


I have been researching this a lot in Cisco documentation but cannot find a clear answer. I am either referred to configuring ISE (which I don't have), or using the command (e.g. However, no document I have found actually tells me on which device this should be executed. Can it be on any switch in the TrustSec domain? Must it be on a seed device? On the authentication server? (This is especially relevant when the access switch for the host that I'm applying the SGT to is not part of the TrustSec domain itself.)


Any ideas what I am missing?

Cisco Employee

Please refer

Cisco TrustSec- Facilitated Infrastructure

Cisco TrustSec uniquely builds upon your existing identity-aware infrastructure by enforcing these policies in a scalable manner with the innovative Cisco Security Group Access (SGA) and Device Sensors. It also helps to ensure complete data confidentiality using ubiquitous encryption between network devices with MACsec encryption.
