Security Group Tag Transport Methods | Cisco Exam 300-715-SISE


Question

What is a method for transporting security group tags throughout the network?

Answers

Explanations


A. B. C. D.

B.

The method for transporting security group tags throughout the network is to embed the security group tag in the 802.1Q header. This relies on the IEEE 802.1Q standard, which defines how VLAN membership is identified on Ethernet networks.

In this context, security group tags (SGTs) are a method of implementing network access control (NAC) by associating a tag with a user or device that identifies the level of access they are allowed to specific network resources. This tag is typically assigned by an identity services engine (ISE) and is propagated throughout the network via the 802.1Q header.

The 802.1Q header is a 4-byte field that is added to an Ethernet frame to identify the VLAN membership of the frame. The header includes a 12-bit VLAN ID field that can be used to carry the SGT. The SGT can be either a 16-bit or 32-bit value, depending on the implementation.
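To make the 802.1Q tag layout described above concrete, the following is an added example (not code from the page or from Cisco) that builds and parses an Ethernet frame carrying one 802.1Q tag; the MAC addresses, VLAN ID, EtherType and payload are constructed sample values. The builder enforces the 12-bit limit of the VID field, so any value above 4095 is rejected.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q (C-VLAN) tag


def build_8021q_frame(dst, src, pcp, dei, vid, ethertype, payload):
    """Build an Ethernet frame with one 802.1Q tag inserted after the MAC addresses.

    The 4-byte tag is TPID (16 bits) followed by TCI (16 bits), where
    TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits).
    """
    if not 0 <= pcp <= 7 or dei not in (0, 1) or not 0 <= vid <= 0x0FFF:
        raise ValueError("PCP must be 0-7, DEI 0 or 1, VID 0-4095 (12 bits)")
    tci = (pcp << 13) | (dei << 12) | vid
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_8021q_frame(frame):
    """Return a dict of header fields; 'tagged' is False when no 802.1Q tag is present."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:  # untagged frame: EtherType sits right after the MACs
        return {"tagged": False, "dst": dst, "src": src,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {
        "tagged": True, "dst": dst, "src": src,
        "pcp": (tci >> 13) & 0x7,   # priority code point
        "dei": (tci >> 12) & 0x1,   # drop eligible indicator
        "vid": tci & 0x0FFF,        # 12-bit VLAN identifier
        "ethertype": inner_type,    # EtherType of the encapsulated payload
        "payload": frame[18:],
    }


# Constructed sample: VLAN 100, priority 5, carrying the first two bytes of an IPv4 header.
SAMPLE_DST = bytes.fromhex("010203040506")
SAMPLE_SRC = bytes.fromhex("0a0b0c0d0e0f")
SAMPLE_FRAME = build_8021q_frame(SAMPLE_DST, SAMPLE_SRC, 5, 0, 100, 0x0800, b"\x45\x00")

if __name__ == "__main__":
    print(parse_8021q_frame(SAMPLE_FRAME))
```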

By embedding the SGT in the 802.1Q header, it is possible to transport this information throughout the network, allowing network devices to make access control decisions based on the SGT. This enables granular control over network access and allows for the implementation of policies that restrict access to sensitive resources based on the user or device's security posture.

The Security Group Tag Exchange Protocol (SXP) is also a valid method for transporting security group tags, but it is not one of the options listed in the question. SXP is a protocol that is used to exchange SGTs between network devices, and it can be used in conjunction with the 802.1Q header to provide enhanced network access control.

Enabling 802.1AE (also known as MACsec) on every network device is not a valid method for transporting security group tags. 802.1AE is a security protocol that provides confidentiality, integrity, and authenticity for Ethernet frames, but it does not address the transport of SGTs.

Embedding the security group tag in the IP header is also not a valid method for transporting SGTs. The IP header is used for routing IP packets, and it does not provide a mechanism for carrying VLAN or SGT information.