Which feature does Cisco TrustSec use to provide scalable, secure communication throughout a network?
Cisco TrustSec uses security group tags (SGTs) to provide scalable and secure communication throughout a network. The security group tags are assigned to each port on a network. As traffic passes through the network infrastructure devices such as switches and routers, these tags are used to enforce access control policies based on the assigned SGTs. This method allows for dynamic and granular access control, ensuring secure communication across the entire network.
According to the Cisco Press official study guide "Cisco TrustSec SGT tags are assigned to authenticated groups of users or end devices". Since the rest mention networks and B mentions users, I'd argue that the correct answer is B.
Cisco TrustSec uses tags to represent logical group privilege. This tag, called a Security Group Tag (SGT), is used in access policies. The SGT is understood and used to enforce traffic by Cisco switches, routers and firewalls. Cisco TrustSec is defined in three phases: classification, propagation and enforcement. When users and devices connect to a network, the network assigns a specific security group. This process is called classification. Classification can be based on the results of the authentication or by associating the SGT with an IP, VLAN, or port-profile (-> Answers A and B are not correct as they say "assigned ... on a switch" only. Answer D is not correct either, as it says "assigned to each router").
Provided answer is correct. Explanation below: At the point of network access, a Cisco TrustSec policy group called a Security Group Tag (SGT) is assigned to an endpoint, typically based on that endpoint’s user, device, and location attributes. The SGT denotes the endpoint’s access entitlements, and all traffic from the endpoint will carry the SGT information. The SGT is used by switches, routers, and firewalls to make forwarding decisions. Because SGT assignments can denote business roles and functions, Cisco TrustSec controls can be defined in terms of business needs and not underlying networking detail. https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/at_a_glance_c45-726831.pdf
Cisco TrustSec uses Security Group Tags (SGTs), which are assigned to each user or device rather than specific ports or routers. The SGTs are then used to enforce policy decisions across the network.
Cisco TrustSec uses security group tags (SGTs) to provide scalable, secure communication throughout a network. These security group tags are assigned to network devices, such as switches and routers, and are used to enforce policies based on the identity of the devices and users in the network. The correct answer is: C. security group tag number assigned to each port on a network
I deal with ISE on the regular and it's assigned based off the user permission.
A. security group tag ACL assigned to each port on a switch --> INCORRECT, as these talk about the use cases of SGT ACLs, not the SGT itself. B. security group tag number assigned to each user on a switch --> 90% CORRECT; an SGT is a tag number that can be used in ACLs, but it actually is just a 16-bit number. Why 90%? Because logically thinking it would mean that we have control and visibility on SWITCH PORTS only, and we all know that's just half the rent. C. security group tag number assigned to each port on a network --> 95% CORRECT, as SGTs are described as numbers and not ACLs, AS WELL AS the keyword NETWORK. With "network" I guess all our visibility and control problems are sorted on SWITCHES, ROUTERS and maybe FWs. D. security group tag ACL assigned to each router on a network --> INCORRECT, same issue as above. Why only routers? What about the other stuff? And an SGT is NOT an ACL but can be used in ACLs. Hence: C is the best choice of answers, but not 100% accurate.
The security group tag number is assigned to the user. I am not sure how people are getting caught up on C. The tag number is assigned at the port, but the port does not get assigned a tag number of its own. The port can assign different tag numbers to packets coming in, depending on the user that is sending those packets. Only thing wrong with A and D is where the SGT ACL is applied. It is only at the TrustSec entry points, which may not be all switches or routers.
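As an added example, not part of this discussion, here is a small Python model of the three phases described above (classification, propagation, enforcement) that also shows the point made in the last comment: with dynamic classification the tag belongs to the authenticated session, so one switch port can emit packets carrying different SGTs for different users. All names, addresses and SGT values are constructed, and the SGACL matrix is a simplified dictionary rather than a real device's configuration.

```python
from dataclasses import dataclass, replace

SGT_MAX = 0xFFFF   # an SGT is a 16-bit number carried with the frame, not an ACL
UNKNOWN = 0        # constructed value for traffic that was never classified


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    sgt: int = UNKNOWN  # filled in at the access layer


class AccessSwitch:
    # Classification: the SGT belongs to the authenticated session, not to the port.
    def __init__(self):
        self.sessions = {}  # src_ip -> SGT returned by the AAA server (constructed)

    def authenticate(self, src_ip, sgt):
        if not 0 <= sgt <= SGT_MAX:
            raise ValueError("SGT must fit in 16 bits")
        self.sessions[src_ip] = sgt

    def tag(self, pkt):
        # Propagation: the tag rides with the packet across the fabric.
        return replace(pkt, sgt=self.sessions.get(pkt.src_ip, UNKNOWN))


class EnforcementPoint:
    # Enforcement: an SGACL matrix keyed on (source SGT, destination SGT).
    def __init__(self, ip_to_sgt, matrix):
        self.ip_to_sgt = ip_to_sgt  # static IP-to-SGT bindings for servers
        self.matrix = matrix        # (src_sgt, dst_sgt) -> {dst_port or "*": action}

    def decide(self, pkt):
        cell = self.matrix.get((pkt.sgt, self.ip_to_sgt.get(pkt.dst_ip, UNKNOWN)), {})
        return cell.get(pkt.dst_port, cell.get("*", "deny"))  # unmatched cell: deny


def demo():
    """Two users on the same switch; all traffic goes to one payroll server."""
    EMPLOYEE, CONTRACTOR, PAYROLL = 10, 20, 100  # constructed SGT values
    switch = AccessSwitch()
    switch.authenticate("10.1.1.5", EMPLOYEE)
    switch.authenticate("10.1.1.6", CONTRACTOR)
    fw = EnforcementPoint({"10.9.9.9": PAYROLL},
                          {(EMPLOYEE, PAYROLL): {443: "permit", "*": "deny"},
                           (CONTRACTOR, PAYROLL): {"*": "deny"}})
    flows = {"employee_https": Packet("10.1.1.5", "10.9.9.9", 443),
             "employee_ssh": Packet("10.1.1.5", "10.9.9.9", 22),
             "contractor_https": Packet("10.1.1.6", "10.9.9.9", 443),
             "unknown_https": Packet("10.1.1.7", "10.9.9.9", 443)}
    return {name: fw.decide(switch.tag(pkt)) for name, pkt in flows.items()}
```

Running `demo()` shows the same switch port tagging the employee's and the contractor's packets differently, and the enforcement point permitting only the employee's HTTPS flow while unclassified traffic falls to the default deny.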
The correct answer is A. security group tag ACL assigned to each port on a switch. Cisco TrustSec is a security architecture that uses security group tags (SGTs) to classify and control traffic flows in a network. SGTs are assigned to ports, switches, and routers. When a packet enters a network, it is tagged with the SGT of the port it entered through. This tag is then used to determine which security group ACLs should be applied to the packet. SGT ACLs are lists of rules that define which traffic is allowed and blocked. These ACLs can be used to create flexible and granular security policies. By using SGTs and SGT ACLs, Cisco TrustSec provides scalable, secure communication throughout a network. The other answer choices are incorrect: B. security group tag number assigned to each user on a switch; C. security group tag number assigned to each port on a network; D. security group tag ACL assigned to each router on a network. SGTs are assigned to ports, switches, and routers, not to users or networks.
B per nep1019
B to me is not correct because it refers to users, and this means a user on a switch (maybe local); A refers to an ACL for each port on a switch, and D an ACL for routers. To me the best answer is C.
Security Group Tags allow an organization to create policies based on a user.
C is correct Cisco TrustSec uses SGT (Security Group Tagging) to provide scalable, secure communication throughout a network. SGT is a 16-bit tag that is assigned to each port on a switch, not each user. This tag is then attached to network traffic as it passes through network infrastructure devices, based on predefined policies and rules. By using SGTs, Cisco TrustSec can provide granular and dynamic access control throughout the network, allowing only authorized traffic to flow between endpoints.
Not 100% sure, but I think B is the correct answer.
The correct answer is C. They are asking about the network not for a specific switch: "Dynamic classification is typically used to assign SGT to users because users are mobile." https://community.cisco.com/t5/security-knowledge-base/group-based-policy-fundamentals/ta-p/3764433
I mean B :)
The question asked is "throughout a network". Answers A and B are only on a switch, Answer D only on a router. Only Answer C is "each port on a network".
B. https://www.routexp.com/2019/05/introduction-to-secure-group-tagging-sgt.html SGT (Secure Group Tagging) is generally used in the Cisco SD-Access design. An SGT is a 16-bit value that the Cisco ISE assigns to the user or endpoint's session upon login.