Agree with XBfoundX's new findings. Egress is correct. If you want to know more about it, I found a great YouTube video that explains it: "Group Based Segmentation Basics"
https://youtu.be/rq7bSgO_GPg
31:13 to 37:25 if you want this concept explained. Highly recommend the whole video though!
Cisco TrustSec uses the device and user credentials acquired during authentication for classifying the packets by security groups (SGs) as they enter the network.
This packet classification is maintained by tagging packets on ingress to the Cisco TrustSec network so that they can be properly identified for the purpose of applying security and other policy criteria along the data path. The tag, called the security group tag (SGT), allows the network to enforce the access control policy by enabling the endpoint device to act upon the SGT to filter traffic.
https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
The answer is D, ingress router.
Hello guys, after failing the exam I'm back here :) (that's funny, isn't it? Well, no..)
BTW, this question here needs a real answer!
"Cisco TrustSec access control is implemented using ingress tagging and egress enforcement"
This means that on the ingress router we put the SGT tag, and the egress router will do the enforcement of the ACL outbound, so the router that we need to use for applying the ACL is the egress one.
"At the egress point of the Cisco TrustSec domain, an egress device uses the source SGT and the security group number of the destination entity (the destination SG, or DGT) to determine which access policy to apply from the SGACL policy matrix."
This link will clarify everything:
https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
Search for "Ingress Tagging and Egress Enforcement" with Ctrl+F.
A Security Group Access Control List (SGACL) associates a Security Group Tag with a policy. The policy is enforced upon SGT-tagged traffic egressing the TrustSec domain.
The correct answer is - ingress router.
The SGACL is a Cisco TrustSec policy that is enforced on egress traffic. This means that the SGACL must be configured on the ingress router, which is the router that the traffic originates from.
The other options are incorrect:
Secure server: The secure server is not involved in the enforcement of the SGACL.
Host: The host is the device that is generating the traffic. The SGACL is enforced on the ingress router, not the host.
Egress router: The egress router is the router that the traffic terminates on. The SGACL is not enforced on the egress router.
Key word here is "enforcement".
"Cisco TrustSec access control is implemented using ingress tagging and egress enforcement."
https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html#17760