In a Cisco TrustSec network, a Cisco Identity Services Engine (ISE)
assigns a 16-bit Layer 2 Security Group Tag (SGT) to a user’s or
endpoint’s session. You can create a Zone Protection profile with
Ethernet SGT protection when your firewall is part of a Cisco TrustSec
network. The firewall can inspect headers with 802.1Q (Ethertype 0x8909)
for specific SGT values and drop the packet if the SGT matches the list
you configure for the Zone Protection profile attached to the interface.
Determine which SGT values you want to deny access to a zone.
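
The match-and-drop check described above, as an added Python example (not the firewall's own code): it skips any 802.1Q tags, reads the 16-bit SGT from the header with Ethertype 0x8909, and compares it with a deny list. Assumptions: the field layout after 0x8909 (version, length, option, SGT) is not stated on this page, and the function names, deny list and frames are constructed for illustration.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # standard VLAN tag
ETHERTYPE_SGT = 0x8909    # Ethertype this page names for the SGT header
MACS = bytes.fromhex("001122334455" "66778899aabb")  # constructed dst + src


def extract_sgt(frame: bytes):
    """Return the 16-bit SGT carried in an Ethernet frame, or None."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    # Step over any VLAN tags that precede the SGT header.
    while ethertype == ETHERTYPE_8021Q:
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        _tci, ethertype = struct.unpack_from("!HH", frame, offset)
        offset += 4
    if ethertype != ETHERTYPE_SGT:
        return None  # frame carries no SGT header
    # Assumed layout: version (1), length (1), option (2), SGT (2).
    if len(frame) < offset + 6:
        raise ValueError("truncated SGT header")
    _ver, _length, _option, sgt = struct.unpack_from("!BBHH", frame, offset)
    return sgt


def verdict(frame: bytes, denied_sgts) -> str:
    """'drop' when the frame's SGT is on the deny list, else 'allow'."""
    sgt = extract_sgt(frame)
    return "drop" if sgt is not None and sgt in denied_sgts else "allow"


# Constructed sample frames: VLAN 10 + SGT 100 + IPv4, and plain IPv4.
FRAME_SGT_100 = (MACS + struct.pack("!HH", ETHERTYPE_8021Q, 10)
                 + struct.pack("!HBBHH", ETHERTYPE_SGT, 1, 1, 0x0001, 100)
                 + struct.pack("!H", 0x0800) + b"\x45" + bytes(19))
FRAME_UNTAGGED = MACS + struct.pack("!H", 0x0800) + b"\x45" + bytes(19)

if __name__ == "__main__":
    deny = {100, 200}  # constructed deny list of SGT values
    for name, frame in (("sgt-100", FRAME_SGT_100), ("untagged", FRAME_UNTAGGED)):
        print(name, extract_sgt(frame), verdict(frame, deny))
```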