Implementing and Configuring Cisco Identity Services Engine | Exam 300-715-SISE

Configuring Network Device for Traffic Filtering based on Security Group Tags

Question

A network engineer is configuring a network device that needs to filter traffic based on security group tags using a security policy on a routed interface.

Which command should be used to accomplish this task?

Answers

Explanations

A. B. C. D.

D.

The command that should be used to filter traffic based on security group tags using a security policy on a routed interface is "D. cts role-based enforcement".

The Cisco Identity Services Engine (ISE) allows network administrators to enforce security policies on network devices based on the user's identity and the device's security posture. Cisco TrustSec is a network security solution that uses security group tags to classify network traffic and enforce security policies on network devices. Security group tags are assigned to users, devices, and applications based on their security attributes.

To enforce security policies based on security group tags on a network device, the device must be configured to support Cisco TrustSec. This can be achieved by enabling the Cisco TrustSec Cache (CTS Cache) and configuring a role-based policy on the device.

The command "cts cache enable" enables the CTS Cache on the device, which stores security group tag information in hardware for fast access. This command is not used to filter traffic based on security group tags.

The command "cts authorization list" configures an authorization list for Cisco TrustSec on the device. This command is used to specify the devices and users that are allowed to access the network.

The command "cts role-based policy priority-static" configures a role-based policy on the device that maps security group tags to network access policies. This command is used to prioritize the security policies that are enforced on the device.

The command "cts role-based enforcement" enables role-based enforcement of security policies on the device. This command is used to filter traffic based on security group tags and enforce network access policies on the device.

Therefore, the correct command to accomplish the task of filtering traffic based on security group tags using a security policy on a routed interface is "D. cts role-based enforcement".