Which Cisco TrustSec feature uses a classification packet to carry security group information across network devices?
SGTs are inserted into packets to carry group information.
Why this answer
The Security Group Tag (SGT) is the Cisco TrustSec mechanism that embeds security group information directly into a packet's Ethernet frame (typically as a Cisco Meta Data or inline tag). This allows the packet to carry its source group identity across network devices, enabling consistent policy enforcement without requiring per-hop reclassification.
Exam trap
Cisco often tests the distinction between the tag that carries the group information (SGT) and the policy that enforces rules based on that tag (SGACL), so candidates mistakenly choose SGACL because they associate it with security group enforcement.
How to eliminate wrong answers
Option B is wrong because a Security Group Access Control List (SGACL) is a policy rule that defines permitted or denied actions based on SGTs, not a classification packet that carries group information. Option C is wrong because MACsec (802.1AE) provides link-layer encryption and integrity, not a mechanism to carry security group tags across devices. Option D is wrong because Cisco TrustSec (CTS) is the overarching architecture that includes SGT, SGACL, and other components; it is not a specific classification packet that carries group information.