TrustSec and Group-Based Policy
Objective
In this lesson you will learn the fundamentals of TrustSec / Security Group Tag (SGT) — now commonly referred to as Group-Based Policy. We focus on classification (how identities become SGTs), propagation (how SGTs travel across fabrics and WAN), and enforcement (how enforcement points make decisions). You will configure VLAN-to-SGT mappings, static IP-to-SGT bindings, and verify SGT propagation across an SD‑WAN edge and a Catalyst core. This matters in production because Group-Based Policy lets you enforce consistent segmentation across campus, branch, and datacenter without relying solely on IP-based ACLs — a key capability for Zero Trust segmentation.
Real-world scenario: In a multi-site enterprise, wireless users in VLAN 120 (Employees) must be treated differently from IoT devices in VLAN 180 (IoT). You will emulate assigning SGTs to those VLANs, propagate SGTs across an SD‑WAN edge (inline tagging), and use static IP-SGT mappings for non-SGT-capable devices. In production, this reduces TCAM pressure, simplifies policy definitions, and enables central enforcement on firewalls or fabric nodes.
Topology & Device Table
Topology: the exact devices, interfaces, and IPs used in this lesson are listed in the device table below.
Note: SGT values and VLAN IDs are taken from the reference material: VLAN 120 (Employee) SGT=4, VLAN 180 (IoT) SGT=5, Site-level SGTs 900 and 950 for WAN/Edge propagation scenarios.
Device Table
| Device | Interface | IP Address | Subnet Mask | Role |
|---|---|---|---|---|
| ISE | Gi0/1 | 10.1.1.10 | 255.255.255.0 | Identity Services (SGT source) |
| Catalyst9500 | Gi0/1 | 10.1.1.1 | 255.255.255.0 | Campus Core / Tagging & Enforcement |
| WAN-Edge1 (SD-WAN) | Gi0/1 | 10.1.2.1 | 255.255.255.0 | SD-WAN Edge — Inline SGT propagation |
| WAN-Edge2 (SD-WAN) | Gi0/1 | 10.1.3.1 | 255.255.255.0 | Remote SD-WAN Edge (other site) |
| FTD | Gi0/1 | 10.1.4.1 | 255.255.255.0 | North/South enforcement (SGT-aware) |
| PC-Employee | VLAN 120 intf | 192.168.120.10 | 255.255.255.0 | User host, should receive SGT=4 |
| IoT-Device | VLAN 180 intf | 192.168.180.10 | 255.255.255.0 | IoT host, should receive SGT=5 |
Tip: VLAN IDs and SGT values above are from the reference material: VLAN 120 SGT=4 and VLAN 180 SGT=5. Site SGTs (900/950) are used to illustrate WAN-level propagation.
Key Concepts (theory + practical)
- Security Group Tag (SGT): A short numeric identifier representing a security group (for example, SGT 4 = Employees). Think of an SGT like a “color” attached to packets that indicates the group identity without exposing the IP address — similar to assigning colored badges to users. In production, SGTs let you write policies based on group identity rather than IP addresses.
- Classification (How SGTs are assigned): SGTs can be assigned dynamically by ISE during authentication (802.1X, MAB), or statically (e.g., VLAN-to-SGT mapping, IP-to-SGT static binding). Important: Some platforms cannot dynamically tag unknown traffic, so static mappings are sometimes required (reference: FTD cannot tag unknown packets; use static IP-SGT mapping).
- Propagation Mechanisms — SXP vs Inline Tagging vs VXLAN: SXP is a control-plane mapping mechanism (IP-to-SGT) but can create scale issues (many SXP connections, TCAM exhaustion on large switches like 9Ks). Inline tagging transports SGTs in the data plane (e.g., SD‑WAN or SDA Border Nodes carry the SGT in an encapsulation). SDA fabric natively carries SGTs in VXLAN headers, removing the need for inline tagging inside the fabric. In production, inline tagging across the WAN enables end-to-end enforcement without relying on numerous SXP connections.
- Enforcement Points: Devices such as Catalyst 9500s and FTD can enforce SG-ACLs (SGT-based ACLs). Catalyst devices may tag traffic, and FTDs can enforce policies using SGTs combined with IPs, ports, or URLs. However, only some platforms can tag unknown (untagged) traffic — plan for static mappings where needed.
- Scale & TCAM considerations: When SXP is used on platforms that download full matrices (source/destination) it can consume TCAM and lead to scalability problems. Migration to inline tagging and SD‑WAN propagation reduces SXP dependence and alleviates TCAM limits. In production, architect to your weakest link.
Step-by-step configuration
We will follow these steps:
- Configure VLANs and basic Layer 3 on Catalyst9500
- Map VLANs to SGTs (static SGT tagging)
- Create static IP-to-SGT mappings for known servers/devices
- Demonstrate SGT propagation conceptually across SD‑WAN edge and verify using show commands
- Define SG-ACLs on the Catalyst enforcement point and verify them
Each step includes commands, explanations, and verification.
Step 1: Configure VLANs and SVI on Catalyst9500
What we are doing: Create VLAN 120 and 180, configure SVI interfaces with IPs, and make access ports for Employee and IoT hosts. This is foundational: SGTs are often applied at VLAN boundary or attributed by switches based on identity, so VLAN/SVI must exist.
configure terminal
vlan 120
name Employee
exit
vlan 180
name IoT
exit
interface Vlan120
description Employee SVI
ip address 192.168.120.1 255.255.255.0
no shutdown
exit
interface Vlan180
description IoT SVI
ip address 192.168.180.1 255.255.255.0
no shutdown
exit
interface GigabitEthernet1/0/1
description Access - PC-Employee
switchport mode access
switchport access vlan 120
no shutdown
exit
interface GigabitEthernet1/0/2
description Access - IoT-Device
switchport mode access
switchport access vlan 180
no shutdown
exit
What just happened: VLANs 120 and 180 were created. SVIs were configured to provide L3 gateway addresses for hosts. Access ports were assigned to the appropriate VLANs so connected hosts will receive the correct VLAN membership. When hosts ARP for their gateway, the Catalyst SVI responds and the L3 forwarding plane routes traffic as needed.
Real-world note: In production, VLAN-to-SGT mapping is often used as a simple way to classify groups for devices that cannot perform 802.1X.
Verify:
show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/1
120 Employee active Gi1/0/1
180 IoT active Gi1/0/2
show ip interface brief
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES manual up up
Vlan120 192.168.120.1 YES manual up up
Vlan180 192.168.180.1 YES manual up up
GigabitEthernet1/0/1 unassigned YES manual up up
GigabitEthernet1/0/2 unassigned YES manual up up
Step 2: Map VLANs to SGTs (static SGT tagging)
What we are doing: Bind VLAN 120 to SGT 4 and VLAN 180 to SGT 5 on the Catalyst9500, and turn on role-based (SG-ACL) enforcement globally. On IOS-XE the VLAN-to-SGT mapping is a global cts role-based sgt-map command rather than an interface-level cts manual command.
configure terminal
cts role-based enforcement
cts role-based sgt-map vlan-list 120 sgt 4
cts role-based sgt-map vlan-list 180 sgt 5
end
What just happened: We created static mappings VLAN 120 => SGT 4 (Employees) and VLAN 180 => SGT 5 (IoT) and enabled SG-ACL enforcement. The switch derives an IP-to-SGT binding for each host it learns on those VLANs (through IP device tracking), so traffic from VLAN 120 is evaluated as SGT 4 for SG-ACL decisions and for any propagation capability that is configured.
Real-world note: Using VLAN-to-SGT mapping is commonly used when devices cannot authenticate dynamically or when you want simple deterministic classification for entire network segments.
Verify:
show cts role-based sgt-map all
Expect an IPv4 binding for each host learned on VLAN 120 with SGT 4 and on VLAN 180 with SGT 5 (for example 192.168.120.10 -> SGT 4 and 192.168.180.10 -> SGT 5 once those hosts are active). If no bindings appear, confirm the hosts have been learned on the VLAN before troubleshooting the mapping itself.
Step 3: Create static IP-to-SGT mappings for known servers/devices
What we are doing: Bind two datacenter-side addresses to site-level SGTs so that devices which cannot be classified dynamically still carry a group identity.
configure terminal
cts role-based sgt-map 10.1.4.100 sgt 900
cts role-based sgt-map 10.1.4.101 sgt 950
end
What just happened: Two IP addresses were statically bound to SGT values (10.1.4.100 -> SGT 900, 10.1.4.101 -> SGT 950). This tells the Catalyst to consider traffic from/to these IPs as having the specified security group. In a multi-site deployment, site-level SGTs (e.g., 900, 950) can represent the origin site for policy choices.
Real-world note: Static IP-SGT mapping is frequently used for servers, third-party firewalls, or remote VPN users where dynamic SGT assignment is not possible.
Verify:
show cts role-based sgt-map all
Expect 10.1.4.100 -> SGT 900 and 10.1.4.101 -> SGT 950 listed as static (CLI-sourced) bindings alongside any VLAN-derived bindings from Step 2.
Step 4: Enable inline SGT propagation across the SD‑WAN edges (conceptual)
! On WAN-Edge1 (SD-WAN) — conceptual commands (platform dependent)
configure terminal
! enable SGT inline propagation (platform-specific; shown here as a conceptual step)
sdwan sgt inline-tagging enable
exit
! On WAN-Edge2 (SD-WAN)
configure terminal
sdwan sgt inline-tagging enable
exit
What just happened: In an SD‑WAN deployment that supports inline tagging, enabling inline SGT propagation ensures that packets forwarded across the WAN carry SGT information. The destination enforcement point (e.g., Catalyst 9500, FTD) receives the SGT and can enforce SG-ACLs based on group membership instead of IP. Note: actual SD‑WAN commands vary by platform; the important concept is enabling inline SGT propagation on SD‑WAN edges.
Real-world note: The reference highlights that SD‑WAN played a critical role in enabling in-line SGT propagation and allowing decommissioning of SXP at remote sites to avoid TCAM exhaustion.
Verify (on Catalyst9500 and SD‑WAN edge):
show cts interface
Expect the link toward the WAN edge reported in CTS manual mode with SGT propagation enabled; on the SD‑WAN edge use the platform's equivalent show command and expect remote SGTs 900 and 950 to be present in traffic arriving from the other site.
Step 5: Define SG-ACLs on the Catalyst enforcement point
What we are doing: Create two role-based ACLs and bind them to SGT pairs in the permissions matrix: Employees (SGT 4) are permitted to the datacenter host bound to SGT 900 in Step 3, IoT (SGT 5) is denied.
configure terminal
ip access-list role-based Permit-Employee-to-DC
 permit ip
exit
ip access-list role-based Deny-IoT-to-DC
 deny ip
exit
cts role-based permissions from 4 to 900 Permit-Employee-to-DC
cts role-based permissions from 5 to 900 Deny-IoT-to-DC
end
What just happened: On IOS-XE an SG-ACL (role-based ACL) contains only permit/deny entries; which traffic it applies to is selected by the permissions matrix, keyed on the source and destination SGT pair rather than on IP addresses. Here the datacenter host 10.1.4.100 is identified by its SGT 900 binding from Step 3: a packet from an IoT host (SGT 5) to that host hits the from-5-to-900 cell and is dropped, while a packet from an Employee (SGT 4) hits the permit cell. Traffic whose SGT pair has no cell falls to the matrix default, so untagged (SGT 0) traffic never matches either group-specific policy.
Real-world note: The FTD platform provides mixed policy constructs (SGTs, IPs, URLs) and stateful inspection; use FTDs for centralized North/South segmentation when SGTs need to integrate with broader security policies.
Verify:
show cts role-based permissions
show cts rbacl
Expect the permissions matrix to list the from 4 to 900 and from 5 to 900 cells with their SG-ACL names, and show cts rbacl to list the permit ip and deny ip entries of each SG-ACL.
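To make the classification-then-enforcement sequence from the Key Concepts and Step 5 concrete, here is an added Python model (not the lesson's own material, and not Cisco code) that derives SGTs from the lesson's VLAN and static IP mappings, evaluates a permissions matrix keyed on the SGT pair, and flags flows that arrive unclassified. The per-VLAN subnets and the permit default are assumptions taken from the Step 1 SVIs and the lesson's permit-any fallthrough.

```python
"""Toy model of TrustSec classification and SG-ACL enforcement.

Added example, not from the lesson or Cisco. Values mirror the lesson:
VLAN 120 -> SGT 4, VLAN 180 -> SGT 5, 10.1.4.100 -> SGT 900, 10.1.4.101 -> SGT 950.
"""
import ipaddress

UNKNOWN_SGT = 0  # SGT 0 = untagged / unclassified traffic

# Static classification from Steps 2 and 3 of the lesson.
VLAN_TO_SGT = {120: 4, 180: 5}                        # Employee, IoT
IP_TO_SGT = {"10.1.4.100": 900, "10.1.4.101": 950}    # site-level SGTs
# Assumption: the SVI subnets from Step 1 tell us which VLAN a host sits on.
VLAN_SUBNETS = {120: ipaddress.ip_network("192.168.120.0/24"),
                180: ipaddress.ip_network("192.168.180.0/24")}

# Permissions matrix (src SGT, dst SGT) -> action, mirroring Step 5:
# Employees may reach the SGT-900 datacenter host, IoT may not.
PERMISSIONS = {(4, 900): "permit", (5, 900): "deny"}
DEFAULT_ACTION = "permit"  # assumed matrix default (the lesson's permit ip any any)


def classify(ip: str) -> int:
    """Return the SGT for an IP. The most specific source wins: a static /32
    binding beats the VLAN-wide mapping; anything else is unknown (SGT 0)."""
    if ip in IP_TO_SGT:
        return IP_TO_SGT[ip]
    addr = ipaddress.ip_address(ip)
    for vlan, net in VLAN_SUBNETS.items():
        if addr in net:
            return VLAN_TO_SGT.get(vlan, UNKNOWN_SGT)
    return UNKNOWN_SGT


def enforce(src_ip: str, dst_ip: str) -> tuple:
    """Classify both ends, then look up the matrix cell for the SGT pair."""
    src_sgt, dst_sgt = classify(src_ip), classify(dst_ip)
    return src_sgt, dst_sgt, PERMISSIONS.get((src_sgt, dst_sgt), DEFAULT_ACTION)


def find_unclassified(flows) -> list:
    """Return (src, dst) pairs where either end resolved to SGT 0. These are
    the 'unknowns' the lesson says to monitor: they never hit a group-specific
    cell and silently take the matrix default."""
    return [(s, d) for s, d in flows
            if UNKNOWN_SGT in (classify(s), classify(d))]
```

Run enforce() over constructed flows such as ("192.168.180.10", "10.1.4.100") to see the IoT deny, and find_unclassified() over the same list to surface hosts that still need a static binding.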
Verification Checklist
- Check 1: VLANs and SVIs present; verify with show vlan brief and show ip interface brief (SVI IPs 192.168.120.1 and 192.168.180.1).
- Check 2: VLAN-to-SGT mappings configured; verify with show cts role-based sgt-map all (expect hosts on VLAN 120 -> SGT 4 and on VLAN 180 -> SGT 5).
- Check 3: Static IP-to-SGT bindings configured; verify with show cts role-based sgt-map all (expect 10.1.4.100 -> SGT 900, 10.1.4.101 -> SGT 950).
- Check 4: Inline tagging active on WAN edges; verify with show cts interface or the SD‑WAN equivalent (expect SGT propagation enabled and remote SGTs visible).
- Check 5: SG-ACLs bound to SGT pairs; verify with show cts role-based permissions and show cts rbacl (expect the from 4 to 900 and from 5 to 900 cells and their entries).
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| VLAN traffic not tagged with expected SGT | VLAN-to-SGT mapping not configured or mis-configured, or host not yet learned on the VLAN | Re-run cts role-based sgt-map vlan-list <id> sgt <value> and verify with show cts role-based sgt-map all |
| Remote site SGTs not visible | Inline tagging not enabled on SD‑WAN edge, or SD‑WAN does not support SGT propagation | Enable inline tagging on the SD‑WAN edge or use the SD‑WAN capability to carry SGTs; verify with SD‑WAN show commands |
| TCAM exhaustion on large switches | Overuse of SXP with full matrix downloads on 9Ks; too many SXP connections | Migrate to inline tagging for SGT propagation; decommission SXP at remote sites per reference guidance |
| FTD not tagging unknown traffic | FTD cannot tag unknown packets with an SGT (platform limitation) | Use Catalyst 9500s in the datacenter to tag unknown north-south traffic using static IP-SGT mappings or pre-tagging at ingress |
| SG-ACLs not matching traffic | Traffic lacks an SGT (untagged, so it falls to the matrix default) or mappings are incorrect | Ensure classification is applied (dynamic or static); verify with show cts role-based sgt-map all and show cts interface |
Key Takeaways
- SGTs (Group-Based Policy) let you express security policy based on identity groups rather than IP addresses — a powerful tool for Zero Trust segmentation.
- Classification can be dynamic (ISE via authentication) or static (VLAN-to-SGT, IP-to-SGT); static mappings are critical for devices that cannot be dynamically tagged.
- SXP scales poorly when many SXP connections push full matrices to platforms with limited TCAM; inline tagging over SD‑WAN or SDA fabric (VXLAN) is the recommended direction for large-scale deployments.
- Enforcement points (Catalyst 9500, FTD) interpret SGTs and apply SG-ACLs; design for the weakest enforcement capabilities in your path and decommission SXP at remote sites when you have inline propagation.
- Always validate and monitor — TrustSec reporting and network analytics give visibility into how group-based policies are applied and where unknowns appear.
Warning: When transitioning to inline tagging, carefully plan to avoid “denying traffic everywhere” by incrementally enabling propagation and using static mappings for critical services.
This concludes Lesson 1: TrustSec and Group-Based Policy. In the next lesson we'll dive deeper into dynamic classification via ISE (802.1X/MAB), SXP details, and step-by-step migration strategies from SXP to in-line tagging.