Exam 350-401 topic 1 question 260 discussion

Actual exam question from Cisco's 350-401
Question #: 260
Topic #: 1

Which feature does Cisco TrustSec use to provide scalable, secure communication throughout a network?

  • A. security group tag ACL assigned to each port on a switch
  • B. security group tag number assigned to each user on a switch
  • C. security group tag number assigned to each port on a network
  • D. security group tag ACL assigned to each router on a network
Suggested Answer: B

Comments

nep1019
Highly Voted 4 years, 10 months ago
According to the Cisco Press official study guide "Cisco TrustSec SGT tags are assigned to authenticated groups of users or end devices". Since the rest mention networks and B mentions users, I'd argue that the correct answer is B.
upvoted 32 times
...
d656971
Most Recent 1 week, 2 days ago
Selected Answer: B
An SGT will certainly be applied to all users. Would it apply to all ports? Not necessarily. All user ports (based on ISE assigned SGT)? Sure. But not trunk ports ;)
upvoted 2 times
...
Doopfenel
1 month, 1 week ago
Selected Answer: C
The correct answer is C. security group tag number assigned to each port on a network. Cisco TrustSec uses a feature called Security Group Tagging (SGT). SGTs are unique identifiers assigned to groups of users, devices, or resources. These tags are not limited to just switches or users. The SGT is propagated on each network port, so that traffic originating or traversing that port can have its traffic properly tagged.
upvoted 1 times
...
CiscoTerminator
6 months ago
I think the keyword here is "scalable" - are static assignments scalable? Food for thought!
upvoted 1 times
...
zbeugene7
7 months ago
Correct answer is B. Official Guide, page 735: "ISE assigns SGT tags to users or devices that are successfully authenticated and authorized ... After the SGT tag is assigned, an access enforcement policy based on the SGT tag can be applied at any egress point of the TrustSec network. SGT tags represent the context of the user, device, use case or function, ... SGT named after particular roles...." This is definitely not assigned to a port.
upvoted 1 times
...
Eyad_Alotaibi
10 months ago
Security Group Tags allow an organization to create policies based on a user.
upvoted 1 times
...
[Removed]
11 months ago
Selected Answer: C
C is correct. Cisco TrustSec uses SGT (Security Group Tagging) to provide scalable, secure communication throughout a network. SGT is a 16-bit tag that is assigned to each port on a switch, not each user. This tag is then attached to network traffic as it passes through network infrastructure devices, based on predefined policies and rules. By using SGTs, Cisco TrustSec can provide granular and dynamic access control throughout the network, allowing only authorized traffic to flow between endpoints.
upvoted 1 times
...
[Removed]
11 months, 1 week ago
Selected Answer: B
Not 100% sure, but I think B is the correct answer.
upvoted 1 times
...
supershysherlock
1 year, 1 month ago
Selected Answer: B
Cisco TrustSec uses Security Group Tags (SGTs), which are assigned to each user or device rather than specific ports or routers. The SGTs are then used to enforce policy decisions across the network.
upvoted 3 times
...
Beehurls
1 year, 1 month ago
Selected Answer: B
The security group tag number is assigned to the user. I am not sure how people are getting caught up on C. The tag number is assigned at the port, but the port does not get assigned a tag number of its own. The port can assign different tag numbers to packets coming in, depending on the user that is sending those packets. Only thing wrong with A and D is where the SGT ACL is applied. It is only at the TrustSec entry points, which may not be all switches or routers.
upvoted 3 times
...
kivi_bg
1 year, 3 months ago
The correct answer is C. They are asking about the network not for a specific switch: "Dynamic classification is typically used to assign SGT to users because users are mobile." https://community.cisco.com/t5/security-knowledge-base/group-based-policy-fundamentals/ta-p/3764433
upvoted 1 times
kivi_bg
1 year, 3 months ago
I mean B :)
upvoted 1 times
...
...
teems5uk
1 year, 4 months ago
Selected Answer: C
Cisco TrustSec uses security group tags (SGTs) to provide scalable, secure communication throughout a network. These security group tags are assigned to network devices, such as switches and routers, and are used to enforce policies based on the identity of the devices and users in the network. The correct answer is: C. security group tag number assigned to each port on a network
upvoted 3 times
...
DJ_Yahia
1 year, 7 months ago
Selected Answer: C
The correct answer is A. security group tag ACL assigned to each port on a switch. Cisco TrustSec is a security architecture that uses security group tags (SGTs) to classify and control traffic flows in a network. SGTs are assigned to ports, switches, and routers. When a packet enters a network, it is tagged with the SGT of the port it entered through. This tag is then used to determine which security group ACLs should be applied to the packet. SGT ACLs are lists of rules that define which traffic is allowed and blocked. These ACLs can be used to create flexible and granular security policies. By using SGTs and SGT ACLs, Cisco TrustSec provides scalable, secure communication throughout a network. The other answer choices are incorrect: B. security group tag number assigned to each user on a switch C. security group tag number assigned to each port on a network D. security group tag ACL assigned to each router on a network SGTs are assigned to ports, switches, and routers, not to users or networks.
upvoted 3 times
...
kewokil120
2 years, 3 months ago
Selected Answer: B
B per nep1019
upvoted 2 times
...
Rose66
2 years, 3 months ago
Selected Answer: C
Cisco TrustSec uses tags to represent logical group privilege. This tag, called a Security Group Tag (SGT), is used in access policies. The SGT is understood and is used to enforce traffic by Cisco switches, routers and firewalls. Cisco TrustSec is defined in three phases: classification, propagation and enforcement. When users and devices connect to a network, the network assigns a specific security group. This process is called classification. Classification can be based on the results of the authentication or by associating the SGT with an IP, VLAN, or port-profile (-> Answer A and answer B are not correct as they say "assigned ... on a switch" only. Answer D is not correct either as it says "assigned to each router").
upvoted 4 times
...
nopenotme123
2 years, 8 months ago
Selected Answer: B
I deal with ISE on the regular and it's assigned based off the user permission.
upvoted 3 times
...
Dreket
2 years, 9 months ago
Selected Answer: B
Provided answer is correct. Explanation below: At the point of network access, a Cisco TrustSec policy group called a Security Group Tag (SGT) is assigned to an endpoint, typically based on that endpoint’s user, device, and location attributes. The SGT denotes the endpoint’s access entitlements, and all traffic from the endpoint will carry the SGT information. The SGT is used by switches, routers, and firewalls to make forwarding decisions. Because SGT assignments can denote business roles and functions, Cisco TrustSec controls can be defined in terms of business needs and not underlying networking detail. https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/at_a_glance_c45-726831.pdf
upvoted 4 times
...
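The classification, propagation and enforcement phases described in the comments above, modelled as an added example that is not part of the original thread and is not Cisco code. All identities, IP addresses, SGT numbers, the policy matrix and the default-deny fallback are constructed assumptions for illustration.

```python
# Added illustration; group names, SGT numbers and policy are constructed.
from dataclasses import dataclass

UNKNOWN_SGT = 0  # TrustSec reserves tag 0 for unclassified ("Unknown") traffic

# Dynamic classification: the policy server (ISE on the page) returns a tag
# for the authenticated user or device, whatever port it plugged into.
AUTHZ_RESULT = {"alice": 10, "bob": 20, "printer-7": 30}   # identity -> SGT
# Static classification for endpoints that cannot authenticate.
STATIC_IP_SGT = {"10.1.50.5": 100}                          # server IP -> SGT

# Egress policy is a matrix of (source SGT, destination SGT) cells, so its
# size depends on the number of groups, not on the number of hosts or ports.
SGACL = {(10, 100): "permit", (20, 100): "deny", (30, 100): "deny"}

@dataclass
class Frame:
    src_ip: str
    dst_ip: str
    sgt: int  # propagated with the traffic once assigned at ingress

def classify(identity, src_ip):
    """Ingress: prefer the tag from authentication, else a static mapping."""
    sgt = AUTHZ_RESULT.get(identity, STATIC_IP_SGT.get(src_ip, UNKNOWN_SGT))
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT must fit in 16 bits")
    return sgt

def ingress(port, identity, src_ip, dst_ip):
    # 'port' is accepted but never consulted: the tag follows the identity.
    return Frame(src_ip, dst_ip, classify(identity, src_ip))

def egress_enforce(frame):
    """Egress: look up the cell for (source tag, destination tag)."""
    dst_sgt = STATIC_IP_SGT.get(frame.dst_ip, UNKNOWN_SGT)
    return SGACL.get((frame.sgt, dst_sgt), "deny")  # assumed default: deny

def demo():
    same_port = "Gi1/0/1"
    a = ingress(same_port, "alice", "10.1.10.11", "10.1.50.5")
    b = ingress(same_port, "bob", "10.1.10.12", "10.1.50.5")
    moved = ingress("Gi2/0/9", "alice", "10.1.20.40", "10.1.50.5")
    return [(f.sgt, egress_enforce(f)) for f in (a, b, moved)]
```

Two users on the same access port receive different tags and different egress decisions, and a user who moves to another port and subnet keeps the same tag and policy.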
Community vote distribution
A (35%)
C (25%)
B (20%)
Other