pxGrid TrustSec Commands

Overview

TrustSec Security Group Tags (SGTs) enable software-defined segmentation. pxGrid provides real-time access to SGT assignments and egress policies.

Commands

sgts

List all TrustSec Security Groups.

netapi ise pxgrid sgts

Output:

╭────────────────────────────────────────────────────────────╮
│              TrustSec Security Groups                      │
├───────────────────┬────────┬───────────────────────────────┤
│ Name              │ Tag    │ Description                   │
├───────────────────┼────────┼───────────────────────────────┤
│ Unknown           │ 0      │ Unknown Security Group        │
│ TrustSec_Devices  │ 2      │ TrustSec Devices              │
│ Employees         │ 4      │ Employee workstations         │
│ Servers           │ 5      │ Production servers            │
│ IoT               │ 10     │ IoT devices                   │
│ Guests            │ 15     │ Guest network access          │
│ Quarantine        │ 255    │ Quarantined devices           │
╰───────────────────┴────────┴───────────────────────────────╯

SGT Assignment Flow

                   ┌─────────────┐
    Auth Request   │    ISE      │
    ────────────►  │  (RADIUS)   │
                   └──────┬──────┘
                          │ SGT=4 (Employees)
                          ▼
                   ┌─────────────┐
                   │   Switch    │
                   │  (TrustSec) │
                   └──────┬──────┘
                          │ Tagged traffic
                          ▼
                   ┌─────────────┐
                   │  Firewall   │
                   │   (SGACL)   │
                   └─────────────┘

Use Cases

Verify SGT Assignment

# Get session with SGT
netapi ise pxgrid session C8:5B:76:C6:59:62 | grep securityGroup

Audit SGT Distribution

# Count sessions by SGT
netapi ise pxgrid -f json sessions | jq '
  group_by(.securityGroup) |
  map({sgt: .[0].securityGroup, count: length}) |
  sort_by(-.count)
'
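The same count can be extended into an audit that also lists sessions with no SGT, with an SGT name that is not among the defined groups, or in the Unknown or Quarantine groups. This Python sketch is an added example, not part of netapi. It assumes `securityGroup` holds the group name from the `sgts` table, and that each session carries a `macAddress` field (a hypothetical field name); the session data is constructed.

```python
import json
from collections import Counter

# SGT names and tags copied from the `sgts` output shown on this page.
DEFINED_SGTS = {"Unknown": 0, "TrustSec_Devices": 2, "Employees": 4,
                "Servers": 5, "IoT": 10, "Guests": 15, "Quarantine": 255}
REVIEW = {"Unknown", "Quarantine"}  # assumption: groups an auditor wants listed

def audit_sessions(sessions):
    """Count sessions per SGT and collect the ones that need a closer look."""
    counts = Counter()
    findings = []
    for s in sessions:
        sgt = s.get("securityGroup")           # field used by the jq filter above
        mac = s.get("macAddress", "<no-mac>")  # assumed field name
        if not sgt:
            # jq's group_by would bucket these under null; name the bucket instead
            counts["<untagged>"] += 1
            findings.append((mac, "no securityGroup on session"))
            continue
        counts[sgt] += 1
        if sgt not in DEFINED_SGTS:
            findings.append((mac, f"SGT '{sgt}' not in defined groups"))
        elif sgt in REVIEW:
            findings.append((mac, f"session in {sgt} (tag {DEFINED_SGTS[sgt]})"))
    return counts.most_common(), findings

# Constructed sample standing in for `netapi ise pxgrid -f json sessions` output.
SAMPLE = json.loads("""[
 {"macAddress": "C8:5B:76:C6:59:62", "securityGroup": "Employees"},
 {"macAddress": "00:00:5E:00:53:01", "securityGroup": "Employees"},
 {"macAddress": "00:00:5E:00:53:02", "securityGroup": "IoT"},
 {"macAddress": "00:00:5E:00:53:03", "securityGroup": "Quarantine"},
 {"macAddress": "00:00:5E:00:53:04", "securityGroup": null},
 {"macAddress": "00:00:5E:00:53:05", "securityGroup": "Contractors"}
]""")

if __name__ == "__main__":
    counts, findings = audit_sessions(SAMPLE)
    for name, n in counts:
        print(f"{n:4d}  {name}")
    for mac, reason in findings:
        print(f"REVIEW {mac}: {reason}")
```

To run it against live data, replace `SAMPLE` with `json.load(sys.stdin)` and pipe the JSON sessions output into the script.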
