Configure 802.1Q header inspection when your firewall
is part of a Cisco TrustSec network.
In a Cisco TrustSec network, a Cisco Identity Services Engine (ISE) assigns a Layer 2 Security
Group Tag (SGT) of 16 bits to a user or endpoint session. When your firewall is part
of a Cisco TrustSec network, the firewall needs to support the TrustSec 802.1Q
header to do content inspection. A Zone Protection profile with Ethernet SGT
protection configured allows the firewall to inspect headers with 802.1Q (EtherType
0x8909) for specific Layer 2 Security Group Tag (SGT) values and drop the packet if
the SGT matches the list you configure for the Zone Protection profile attached to
the interface. With a Zone Protection profile configured for Ethernet SGT
protection, you can specify which SGT values you want to deny access to a zone.
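
The check described above, at the frame level, as an added example (not Palo Alto Networks or Cisco code): a Python sketch that extracts the SGT from a frame carrying EtherType 0x8909 and compares it with a configured deny list. The field layout after the EtherType (version, length, option type 1, then the SGT), the function names, and the sample frames are assumptions constructed for illustration; a tagged frame that fails to parse is treated here as untagged.

```python
import struct

ETH_P_8021Q = 0x8100   # standard VLAN tag
ETH_P_CMD = 0x8909     # EtherType the page gives for the TrustSec header

def extract_sgt(frame: bytes):
    """Return the 16-bit SGT carried in the frame, or None if absent/malformed."""
    if len(frame) < 14:
        return None
    offset = 12                                    # skip destination + source MAC
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    if ethertype == ETH_P_8021Q:                   # optional VLAN tag before the SGT header
        if len(frame) < offset + 4:
            return None
        _tci, ethertype = struct.unpack_from("!HH", frame, offset)
        offset += 4
    if ethertype != ETH_P_CMD:
        return None                                # no TrustSec header on this frame
    # Assumed layout: version(1) length(1) option len/type(2) SGT(2)
    if len(frame) < offset + 6:
        return None                                # truncated header
    version, _length, option, sgt = struct.unpack_from("!BBHH", frame, offset)
    if version != 1 or (option & 0x1FFF) != 0x0001:  # low 13 bits: option type 1 = SGT
        return None
    return sgt

def zone_verdict(frame: bytes, denied_sgts: set) -> str:
    """Mimic the profile: drop only when the frame's SGT is on the deny list."""
    sgt = extract_sgt(frame)
    return "drop" if sgt is not None and sgt in denied_sgts else "allow"

def build_frame(sgt: int, vlan=None) -> bytes:
    """Constructed sample frame: MACs, optional VLAN tag, SGT header, IPv4 stub."""
    frame = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    if vlan is not None:
        frame += struct.pack("!HH", ETH_P_8021Q, vlan)
    frame += struct.pack("!HBBHH", ETH_P_CMD, 1, 1, 0x0001, sgt)
    return frame + struct.pack("!H", 0x0800) + b"\x45" + bytes(19)

if __name__ == "__main__":
    deny_list = {100, 200}                         # constructed SGT values
    for f in (build_frame(100), build_frame(300, vlan=10)):
        print(extract_sgt(f), zone_verdict(f, deny_list))
```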