# TrustSec Reference

## Overview

Cisco TrustSec provides software-defined segmentation using Security Group Tags (SGTs). This enables microsegmentation without complex VLAN management.
## Prerequisites

Load ISE credentials before running commands:
This exports |
## Command Reference

| Command | Description | Status |
|---|---|---|
| `netapi ise get-sgts` | List all Security Group Tags | |
| `netapi ise get-sgt` | Get SGT by name or value | |
| `netapi ise create-sgt` | Create new Security Group Tag | |
| | Modify existing SGT | |
| | Remove Security Group Tag | |
| `netapi ise get-sgacls` | List Security Group ACLs | Planned |
| `netapi ise create-sgacl` | Create SGACL | Planned |
| `netapi ise get-sg-mappings` | List IP-to-SGT mappings | Planned |
| `netapi ise create-sg-mapping` | Create IP-to-SGT mapping | Planned |
| `netapi ise get-egress-matrix` | Get TrustSec matrix | Planned |
## Security Group Tags (SGTs)

### List All SGTs

```bash
# Table output
netapi ise get-sgts

# JSON with jq filtering
netapi ise get-sgts --format json | jq '.[] | {name, value, description}'
```

Example table output:

```text
┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Name                 ┃ Value  ┃ Description                           ┃
┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ Unknown              │ 0      │ Unknown Security Group                │
│ TrustSec_Devices     │ 2      │ TrustSec Devices Security Group       │
│ Employees            │ 4      │ Employee endpoints                    │
│ Contractors          │ 5      │ Contractor endpoints                  │
│ Servers              │ 6      │ Server infrastructure                 │
│ IoT_Devices          │ 7      │ IoT and low-security devices          │
│ Quarantine           │ 255    │ Quarantined endpoints                 │
└──────────────────────┴────────┴───────────────────────────────────────┘
```
### Get Single SGT

```bash
# By name
netapi ise get-sgt "Employees"

# By value
netapi ise get-sgt --value 4

# Full JSON
netapi ise get-sgt "Employees" --format json | jq '.'
```
### Create SGT

```bash
# Create new SGT
netapi ise create-sgt "Linux_Workstations" \
  --description "Linux workstations with EAP-TLS" \
  --value 10

# Create with propagation disabled
netapi ise create-sgt "Test_SGT" \
  --description "Test SGT - no propagation" \
  --value 100 \
  --propagate false
```
### SGT Assignment in Authorization Rules

SGTs are assigned through authorization profiles or directly in rules:

```bash
# Create authz profile with SGT
netapi ise create-authz-profile "Linux_EAP-TLS_Access" \
  --access-type ACCESS_ACCEPT \
  --dacl "Linux-Permit-All" \
  --sgt "Linux_Workstations"

# Add authz rule with SGT
netapi ise add-authz-rule "Wired_802.1X_Closed" \
  --name "Linux_Assign_SGT" \
  --condition "AD:ExternalGroups CONTAINS Linux-Workstations" \
  --profile "Linux_EAP-TLS_Access" \
  --rank 1
```
## SGACLs (Not Yet Implemented)

Security Group ACLs define traffic rules between SGTs.

### Raw API Access

```bash
# List all SGACLs
netapi ise api-call ers GET "/ers/config/sgacl"

# Get specific SGACL
netapi ise api-call ers GET "/ers/config/sgacl/name/Permit_IP"

# Create SGACL (JSON body)
netapi ise api-call ers POST "/ers/config/sgacl" --body '{
  "Sgacl": {
    "name": "Linux_to_Servers",
    "description": "Allow Linux to access servers",
    "aclcontent": "permit tcp dst eq 22\npermit tcp dst eq 443\ndeny ip"
  }
}'
```
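An added helper for the raw SGACL POST above (example code, not part of netapi or the page): it lints the `aclcontent` string against the ACE forms the page's example uses and serialises the body with `json.dumps`, so the embedded newlines are escaped correctly instead of being typed by hand. The accepted syntax subset and the check for a terminal `deny ip` are assumptions that mirror the page's example.

```python
import json
import re

# Subset of the SGACL ACE syntax used in this page's examples (assumption: only
# 'permit|deny <proto> [src|dst eq <port>] [log]' is accepted; anything else is flagged).
_ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp|icmp)"
    r"(?:\s+(?P<dir>src|dst)\s+eq\s+(?P<port>\d{1,5}))?(?:\s+log)?$"
)


def lint_sgacl(aclcontent: str) -> list[str]:
    """Return findings for the ACL body; an empty list means it passed."""
    findings, aces = [], []
    for lineno, raw in enumerate(aclcontent.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _ACE_RE.match(line)
        if m is None:
            findings.append(f"line {lineno}: unsupported ACE syntax: {line!r}")
            continue
        if m["port"] is not None:
            if m["proto"] not in ("tcp", "udp"):
                findings.append(f"line {lineno}: port match needs tcp or udp: {line!r}")
            elif int(m["port"]) > 65535:
                findings.append(f"line {lineno}: port out of range: {line!r}")
        aces.append(m)
    if not aces:
        findings.append("SGACL has no ACEs")
    elif not (aces[-1]["action"] == "deny" and aces[-1]["proto"] == "ip" and aces[-1]["dir"] is None):
        # The page's example closes with 'deny ip'; flag bodies that omit it.
        findings.append("SGACL does not end with an explicit 'deny ip'")
    return findings


def build_sgacl_body(name: str, description: str, aclcontent: str) -> dict:
    """Return the ERS body for POST /ers/config/sgacl, or raise if the ACL fails lint."""
    findings = lint_sgacl(aclcontent)
    if findings:
        raise ValueError("; ".join(findings))
    return {"Sgacl": {"name": name, "description": description, "aclcontent": aclcontent.strip()}}


def sgacl_json(name: str, description: str, aclcontent: str) -> str:
    """Serialise the body; json.dumps escapes the embedded newlines for the --body argument."""
    return json.dumps(build_sgacl_body(name, description, aclcontent))


if __name__ == "__main__":
    # Constructed sample matching the page's Linux_to_Servers example.
    print(sgacl_json("Linux_to_Servers", "Allow Linux to access servers",
                     "permit tcp dst eq 22\npermit tcp dst eq 443\ndeny ip"))
```

The printed string can be passed straight to the raw call, e.g. `--body "$(python3 build_sgacl.py)"` (the script file name is hypothetical).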
## TrustSec Monitoring

### Sessions with SGT Assignment

```bash
# List sessions with SGT info
netapi ise mnt sessions --format json | \
  jq '.[] | {mac: .calling_station_id, ip: .framed_ip_address, sgt: .security_group}'
```
## TrustSec Architecture Patterns

### Basic Segmentation (3 SGTs)

```text
┌─────────────┐      ┌─────────────┐      ┌─────────────┐
│  Employees  │─────▶│   Servers   │◀─────│ Contractors │
│   SGT: 4    │      │   SGT: 6    │      │   SGT: 5    │
│             │      │             │      │             │
│ Full Access │      │ Destination │      │   Limited   │
└─────────────┘      └─────────────┘      └─────────────┘
                            ▲
                            │ Restricted
                     ┌─────────────┐
                     │ Quarantine  │
                     │  SGT: 255   │
                     │  DNS/DHCP   │
                     └─────────────┘
```
## Planned Enhancements

The following TrustSec features are planned for netapi:

```bash
# Phase 1 - SGACL Management
netapi ise get-sgacls
netapi ise create-sgacl "Allow_HTTPS" --content "permit tcp dst eq 443"
netapi ise update-sgacl "Allow_HTTPS" --content "permit tcp dst eq 443\npermit tcp dst eq 8443"
netapi ise delete-sgacl "Allow_HTTPS"

# Phase 2 - IP Mappings
netapi ise get-sg-mappings
netapi ise create-sg-mapping --ip "10.50.20.0/24" --sgt "Servers"
netapi ise delete-sg-mapping "Server_Subnet"

# Phase 3 - Matrix Management
netapi ise get-egress-matrix
netapi ise set-matrix-cell --source "Employees" --dest "Servers" --sgacl "Permit_All"
```