Exam 300-715
Question 218

A network engineer responsible for the switching environment must provision a new switch to properly propagate security group tags within the TrustSec inline method. Which CLI command must the network engineer enter on the switch to globally enable the tagging of SGTs?

    Correct Answer: D

    To globally enable the tagging of security group tags (SGTs) within the TrustSec inline method on a switch, the correct command is 'cts role-based enforcement'. This command globally enables the tagging of frames and allows for the enforcement of security group access control lists (SGACLs). Without this command in the global configuration, the switch will not tag Layer 2 traffic.

Discussion
thol119 Option: B

I would go for B as it is the only command that has anything to do with inline SGT tagging. The others are for sgt-mapping, SGACL enforcement and SXP. But CTS manual is not global, it is per interface, so weird question.

NikoTomas Option: D

Correct is D: "cts role-based enforcement"

Ebook SISE: "Configuring Manual SGT Propagation on Cisco IOS XE Switches

This section discusses the configuration of SGT propagation on access-layer switches such as the Catalyst 9300 and 9500 switches that have the ability to use native tags.

Step 1. Enable Cisco TrustSec role-based enforcement on the switch:

    CAT9300(config)# cts role-based enforcement

This GLOBALLY ENABLES THE TAGGING of frames. It also makes it possible to enforce SGACLs... Without this command in the global configuration, the switch does not tag the Layer 2 traffic."

Example 17-4 Enabling Tagging on a 9300 Series Access Switch

    C9300(config)# cts role-based enforcement
    C9300(config)# interface g1/0/1
    C9300(config-if)# cts manual
    C9300(config-if-cts-manual)# policy static sgt 2 trusted

---

What is confusing is that Cisco does not mention a word regarding tagging activation in the command reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/17-3/command_reference/b_173_9500_cr/cisco_trustsec_commands.html#wp2692401855

HercJ Option: B

cts manual is for inline tagging

egiunta Option: B

I think B is the correct one. https://www1-realm.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sgt_inline_tagging.pdf

ZoneHacker Option: B

The correct answer is B. cts manual

Example: SGT Static Inline Tagging

This example shows how to enable an interface on the device for L2-SGT tagging or imposition and defines whether the interface is trusted for Cisco TrustSec.

    Device# configure terminal
    Device(config)# interface gigabitethernet 1/0/1
    Device(config-if)# cts manual
    Device(config-if-cts-manual)# propagate sgt
    Device(config-if-cts-manual)# policy static sgt 77 trusted
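
Added example (not part of the original discussion and not Cisco's code): a small audit of a saved running-config that checks the two layers the posts above argue over, the global `cts role-based enforcement` line and the per-interface `cts manual` block. The sample config, the function name `audit_inline_tagging` and the finding text are assumptions constructed for illustration.

```python
import re

# Constructed running-config excerpt for illustration (not from a real device).
SAMPLE_CONFIG = """\
hostname C9300
!
cts role-based enforcement
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 cts manual
  policy static sgt 2 trusted
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/3
 cts manual
!
"""

def audit_inline_tagging(config):
    """Report global CTS enforcement and per-interface 'cts manual' settings."""
    enforcement, interfaces, current = False, {}, None
    for raw in config.splitlines():
        stmt = raw.strip()
        if not raw.startswith(" "):            # top-level line ends interface context
            current = None
            if stmt == "cts role-based enforcement":
                enforcement = True
            m = re.fullmatch(r"interface\s+(\S+)", stmt)
            if m:
                current = m.group(1)
                interfaces[current] = {"cts_manual": False, "sgt": None, "trusted": False}
        elif current:
            entry = interfaces[current]
            if stmt == "cts manual":
                entry["cts_manual"] = True
            m = re.fullmatch(r"policy static sgt (\d+)( trusted)?", stmt)
            if m and entry["cts_manual"]:
                entry["sgt"], entry["trusted"] = int(m.group(1)), bool(m.group(2))
    tagged = [n for n, e in interfaces.items() if e["cts_manual"]]
    # Per the book passage quoted in the thread: without the global command the
    # switch does not tag Layer 2 traffic, so 'cts manual' alone is flagged.
    findings = [] if enforcement else [
        f"{n}: cts manual configured but global 'cts role-based enforcement' is missing"
        for n in tagged]
    return {"enforcement": enforcement, "interfaces": interfaces, "findings": findings}

if __name__ == "__main__":
    print(audit_inline_tagging(SAMPLE_CONFIG))
```
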