Cisco TrustSec

Cisco TrustSec-Enabled Infrastructure

Cisco TrustSec builds on your existing identity-aware infrastructure and enforces identity-based policies at scale using Cisco Security Group Access (SGA) and Device Sensor. It also helps ensure data confidentiality through hop-by-hop MACsec encryption between network devices.

Cisco TrustSec Platform Support Matrix

| System Component | Platform | Solution Minimum Version | Solution-Level Validated Version | SGT Classification | Control Plane Propagation (SXP) | SGT over Ethernet (Inline SGT) | SGT over MACsec | SGT over xVPN (for WAN) | SGT Enforcement |
|---|---|---|---|---|---|---|---|---|---|
| Cisco Identity Services Engine | Cisco ISE 3315, 3355, 3395, 3415, 3495 Appliances and VMware | ISE 1.0 | ISE 1.2 Patch 1 (Requires Advanced License) | - | - | - | - | - | |
| Cisco Catalyst® 2000 Series | Cisco Catalyst 2960-Plus Series (LAN Base required) | IOS® 15.2(1)E | - | Dynamic, IP-SGT, VLAN-SGT | SXP (speaker only) | No | No | No | No |
| | Cisco Catalyst 2960C Series (LAN Base required) | IOS 15.0(1)SE2 | IOS 15.0(2)SE2 | Dynamic, IP-SGT, VLAN-SGT | SXP (speaker only) | No | No | No | No |
| | Cisco Catalyst 2960S/SF Series (LAN Base required) | IOS 15.0(1)SE2 | IOS 15.0(2)SE2 | Dynamic, IP-SGT, VLAN-SGT | SXP (speaker only) | No | No | No | No |
| | Cisco Catalyst 2960X/XR Series (LAN Base required) | IOS 15.0(2)EX1 | | Dynamic, IP-SGT, VLAN-SGT | SXP (speaker only) | No | No | No | No |
| Cisco Catalyst 3000 Series | Cisco Catalyst 3560-E, 3750-E (IP Base required) | IOS 15.0(1)SE2 | IOS 15.0(2)SE2 | Dynamic, IP-SGT, VLAN-SGT | SXP (S/L) | No | No | No | No |
| | Cisco Catalyst 3560C Series (IP Base required) | IOS 15.0(1)SE2 | IOS 15.0(2)SE2 | Dynamic, IP-SGT, VLAN-SGT | SXP (S/L) | No | No | No | No |
| | Cisco Catalyst 3560-X, 3750-X (IP Base required) | IOS 15.0(1)SE2 | IOS 15.0(2)SE4 | Dynamic, IP-SGT, VLAN-SGT | SXP (S/L) | Yes | Yes (with C3KX-SM-10G) | No | SGACL |
| | Cisco Catalyst 3850 | - | - | No | No | No | No | No | No |
| Cisco Catalyst 4000 Series | Cisco Catalyst 4500 (Sup6-E and Sup6L-E) (IP Base required) | IOS 15.1(1)SG | IOS 15.1(1)SG | Dynamic, IP-SGT, VLAN-SGT | SXP (S/L) | No | No | No | No |
| | Cisco Catalyst 4500 (Sup7-E and Sup7L-E) (IP Base required) | IOS-XE 3.3.0SG | IOS-XE 3.3.0SG | Dynamic, IP-SGT, VLAN-SGT | SXP (S/L) | No | No | No | No |
| Cisco Catalyst 6500 Series | Cisco Catalyst 6500 (Sup-32 and Sup-720) (IP Base required) | IOS 12.2(33)SXJ2 | IOS 12.2(33)SXJ2 | Dynamic, IP-SGT | SXP (S/L) | No | No | No | No |
| | Cisco Catalyst 6500 (Sup-2T) (IP Base required) | IOS 15.0(1)SY1 | IOS 15.1(1)SY1 | Dynamic, IP-SGT, VLAN-SGT, Subnet-SGT, L3IF-SGT | SXP (S/L) | Yes (requires WS-X69xx line card) | Yes (with Sup2T built-in ports and WS-X69xx line card) | No | SGACL |
| Cisco Connected Grid Routers | Cisco CGR 2010 Routers | IOS 15.3(2)T | IOS 15.3(2)T | Dynamic, IP-SGT, VLAN-SGT | SXP (S/L) | No | No | SGT over GETVPN | SG Firewall |
| Cisco Industrial Ethernet Switches | Cisco IE 2000 | IOS 15.0(2)EB | IOS 15.0(2)EB | No | No | No | No | No | No |
| Cisco Wireless Controllers | Cisco 5500 Series and 2500 Series, Cisco Wireless Services Module 2 (WiSM2), Cisco Wireless LAN Controller Module for Integrated Services Routers G2 (WLCM2). Note: WLC 7500/8500/vWLC do not support TrustSec | AirOS 7.2 MR1 | AirOS 7.4.110 | Dynamic | SXP (speaker only) | No | No | No | No |
| | Cisco WLC 5760 | IOS-XE 3.2.1SE | IOS-XE 3.2.1SE | No | No | No | No | No | No |
| Cisco Nexus® 7000/2000 | All Cisco Nexus 7000 line cards and chassis | NX-OS 6.1(1) (SGT support in base license from 6.1) | NX-OS 6.2(2) | Static IP-SGT, L2IF-SGT, Port Profile-SGT | SXP (S/L) | Yes | Yes (all line cards except F1 and F2 line cards) | No | SGACL |
| Cisco Nexus 5000/2000 | Cisco Nexus 5548P, 5596UP | NX-OS 5.1(3)N1 | NX-OS 5.1(3)N2(1c) | L2IF-SGT | SXP (speaker only) | Yes (no MACsec option) | No | No | SGACL |
| Cisco Nexus 1000v | Cisco Nexus 1000v | NX-OS 4.2(1)SV2(1.1) with Advanced feature license | NX-OS 4.2(1)SV2(1.1) with Advanced feature license | IP-SGT, Port Profile to SGT | SXP (speaker only) | No | No | No | No |
| Cisco Integrated Services Router (ISR) G2 | Cisco ISR 890, 1900, 2900, 3900 Series | IOS 15.2(2)T | IOS 15.3(2)T | Dynamic, IP-SGT | SXP (S/L) | Only C2951 and C3945 | No | SGT over GETVPN | SG Firewall |
| Cisco ASR 1000 Series Aggregation Services Routers | Cisco ASR 1000 Series Router Processor 1 or 2 (RP1/RP2); ASR 1001, 1002, 1004, 1006, and 1013 Routers with ESP (10, 20, or 40 Gbps) and SIP (10/40) | IOS-XE 3.5 | IOS-XE 3.9 | Static IP-SGT | SXP (S/L) | Yes | No | SGT over GETVPN | SG Firewall |
| Cisco ASA 5500 and 5500-X Series | Cisco ASA 5505, 5510, 5520, 5540, 5550, 5580, 5585-X, ASA-SM and 5512-X, 5515-X, 5525-X, 5545-X, 5555-X | ASA 9.0.1, ASDM 7.0.1 | ASA 9.1, ASDM 7.0.1 | | SXP (S/L) | No | No | No | SG Firewall |

Solution-level validated versions may not always represent the latest available platform version. Please visit www.cisco.com to find the latest version.
Solution Minimum Version indicates the version of code that has all the features necessary for the solution; it does not indicate the minimum version for any individual feature.
Dynamic classification includes SGT classification based on 802.1X Authentication, MAC Authentication Bypass (MAB), or Web Authentication.
For SXP roles, "S" represents "Speaker" and "L" represents "Listener."
"IP-SGT," "VLAN-SGT," "Subnet-SGT," "Port Profile-SGT," "L2IF-SGT," and "L3IF-SGT" all use the static classification method.
For TrustSec classification, propagation, and enforcement, an IP Base K9 license is required for Cisco Catalyst 3560, 3560-E, 3750, 3750-E, 3560-C, 3560-X, 3750-X, 4500 Sup6(L)-E, 4500 Sup7(L)-E, 6500 Sup720, and 6500 Sup2T.
The ISR Base/K9 license is required for Secure Access features. For TrustSec classification, propagation, and enforcement functionalities, an ISR SEC/K9 license is required.
An ASR1000 SEC-FW license is required for ASR 1000 Series routers for all TrustSec functionalities.

Cisco Secure Access Platform Support Matrix

| System Component | Platform | Solution Minimum Version | Solution-Level Validated Version | Secure Access Features | Device Sensor |
|---|---|---|---|---|---|
| Cisco Identity Services Engine | Cisco ISE 3315, 3355, 3395, 3415, 3495, Appliances and VMware | ISE 1.0 | ISE 1.2 Patch 1 | - | - |
| Cisco Catalyst® 2000 Series | Cisco Catalyst 2960-Plus Series | IOS 15.2(1)E | - | Yes (LAN Base) | No |
| | Cisco Catalyst 2960C Series | IOS 15.0(1)SE2 | IOS 15.0(2)SE2 | Yes (LAN Base) | No |
| | Cisco Catalyst 2960S/SF Series | IOS 15.0(1)SE2 | IOS 15.0(2)SE2 | Yes (LAN Base) | No |
| | Cisco Catalyst 2960X/XR Series | IOS 15.0(2)EX1 | - | Yes (LAN Base) | No |
| Cisco Catalyst 3000 Series | Catalyst 3560, 3750 | IOS 12.2.55SE3* | IOS 12.2.55SE3* | Yes | Yes |
| | Cisco Catalyst 3560G/-E, 3750G/-E | IOS 15.0(1)SE2 | IOS 15.0(2)SE2 | Yes | Yes |
| | Cisco Catalyst 3560C Series | IOS 15.0(1)SE2 | IOS 15.0(2)SE2 | Yes | Yes |
| | Cisco Catalyst 3560-X, 3750-X | IOS 15.0(1)SE2 | IOS 15.0(2)SE4 | Yes | Yes |
| | Cisco Catalyst 3850 | IOS-XE 3.2.2SE | IOS-XE 3.2.2SE | Yes | No |
| Cisco Catalyst 4000 Series | Cisco Catalyst 4500 (Sup6-E and Sup6L-E) | IOS 15.1(1)SG | IOS 15.1(1)SG | Yes | Yes |
| | Cisco Catalyst 4500 (Sup7-E and Sup7L-E) | IOS-XE 3.3.0SG | IOS-XE 3.3.0SG | Yes | Yes |
| Cisco Catalyst 6500 Series | Cisco Catalyst 6500 (Sup-32 and Sup-720) | IOS 12.2(33)SXJ2 | IOS 12.2(33)SXJ3 | Yes | No |
| | Cisco Catalyst 6500 (Sup-2T) | IOS 15.0(1)SY1 | IOS 15.0(1)SY1 | Yes | No |
| Cisco Industrial Ethernet Switches | Cisco IE 2000 Series, IE 3000 Series | IOS 15.0(2)EB | IOS 15.0(2)EB | Yes | No |
| Cisco Connected Grid Routers | Cisco CGR 2010 Series | IOS 15.3(2)T | IOS 15.3(2)T | Yes | No |
| | Cisco CGS 2520 | IOS 15.0(2)ED | IOS 15.0(2)ED | Yes | No |
| Cisco Wireless Controllers | Cisco Flex 7500 Series, Cisco 5500 Series and 2500 Series, Cisco Wireless Services Module 2 (WiSM2), Cisco Wireless LAN Controller Module for Integrated Services Routers G2 (WLCM2) | AirOS 7.2 MR1 | AirOS 7.4 / AirOS 7.3 | Y** | No |
| | Cisco WLC 5760 | IOS-XE 3.2.1SE | IOS-XE 3.2.1SE | - | No |
| Cisco Integrated Services Router (ISR) G2 | Cisco ISR 890, 1900, 2900, 3900 Series | IOS 15.2(2)T | IOS 15.3(2)T | Y*** | No |
| Cisco AnyConnect® Secure Mobility Client | Software only | AnyConnect 3.0 | AnyConnect 3.1 | - | No |
| Supported Client Supplicant | OS embedded supplicants: Windows 7, XP, Vista, and Mac OS 10.6.5 and 10.7.1 | | | - | - |
| Cisco Unified IP Phones | Cisco Unified IP Phones, including the following models: 791x, 794x, 796x, 690x, 691x, 692x, 694x, and 696x | Skinny Client Control Protocol (SCCP) Software, Version 9.2(1) SR1 | | - | - |

System-level validated versions do not always represent the latest available platform version. Please visit www.cisco.com to find the latest version.
Solution Minimum Version indicates the version of code that has all the features necessary for the solution; it does not indicate the minimum version for any individual feature.

* Cisco Catalyst 3560 and 3750 do not support the new features introduced in the IOS 15.0 train.
** The Secure Access feature set for WLC AirOS 7.x is different from the feature set for Catalyst switches.

*** The Secure Access feature set for ISR G2 routers is different from the feature set for Catalyst switches. Refer to the table below for the known limitations of ISR G2 platforms.

Baseline Secure Access Functionalities

Following is a list of Cisco IOS Software-based switch Secure Access functionalities validated in the TrustSec program.

Cisco TrustSec 1.99
  • 802.1X Authentication
  • MAC Authentication Bypass
  • Open Access
  • Flexible Authentication
  • Single Host Mode
  • Multi Host Mode
  • Multi Domain Authentication Mode (MDA)
  • Multi Authentication Mode
  • VLAN Assignment
  • Downloadable ACL
  • Inactivity Timer (MAB / 802.1X)
  • Local Web Authentication (LWA)
  • Wake on LAN
  • CDP second port disconnect
  • Integration with DAI, IPSG, Port Security
  • MDA with Dynamic Voice VLAN Assignment
  • Filter ID
  • RADIUS Supplied Timeout
  • Guest VLAN
  • Authentication Failed VLAN
  • RADIUS Accounting
  • Critical Port / Inaccessible Authentication Bypass (IAB) for Data Domain
  • Conditional Logging / Debugging on Per-Port Basis
Cisco TrustSec 2.0
  • Change of Authorization (Catalyst 2000, 3000, and 6000 Series; Wireless LAN Controller)
  • Central Web Authentication - CWA (URL-Redirect) with ISE
Cisco TrustSec 2.1
  • Device Sensor (Catalyst 3000 and 4000 Series; Wireless LAN Controller)
  • 802.1AE MACsec + MKA (Cat3K-X, Cat4K-Sup7E)
  • MAC Move
  • MAC Replace
  • Downloadable ACL Enhancement
  • Critical Port / IAB for Voice Domain (Catalyst 2000, 3000, 4000, and 6000 Series)
  • Change of Authorization (Catalyst 4000 Series)
  • CoA with CWA (Wireless LAN Controller)

*** ISR G2 Secure Access features have the following restrictions:

| Secure Access Feature | Restriction |
|---|---|
| IEEE 802.1X with ACL Enhancements | Only available on non-800 ISR G2 |
| IEEE 802.1X / MAB with Downloadable ACL | Only available on non-800 ISR G2 |
| IEEE 802.1X / MAB with Filter-ID | Only available on non-800 ISR G2 |
| IEEE 802.1X / MAB Port ACL enhancement | Only available on non-800 ISR G2 |
| IEEE 802.1X / MAB with URL redirect | Only available on non-800 ISR G2 |
| IEEE 802.1X / MAB with Per-User ACL Support | Only available on non-800 ISR G2 |
| Web Authentication with URL Redirect | Not available on all ISR G2 platforms |
| Inactivity Aging | Not available on all ISR G2 platforms |
| IEEE 802.1X User Distribution | Not available on all ISR G2 platforms |
| IEEE 802.1X Supplicant Support for MD5 | Not available on all ISR G2 platforms |
| IEEE 802.1X Voice Aware Security Violations | Not available on all ISR G2 platforms |
| MAC Move Support | Not available on all ISR G2 platforms |
| IEEE 802.1X Readiness Check | Not available on all ISR G2 platforms |

Cisco IEEE802.1AE (MACsec) Platform Support Matrix

| System Component | Platform | Solution Minimum Version | Solution-Level Validated Version | MACsec for Endpoint | Switch-to-Switch Encryption |
|---|---|---|---|---|---|
| Cisco Identity Services Engine | Cisco ISE 3315, 3355, 3395, 3415, 3495, Appliances and VMware | ISE 1.0 | ISE 1.2 Patch 1 (Base License required) | ISE (required) | ISE (optional) |
| Cisco AnyConnect® Supplicant | Network Access Module (NAM) - Hardware acceleration with Intel 82567LM, Intel 82579LM | AnyConnect 3.0 | AnyConnect 3.0 | AnyConnect (required) | N/A |
| Cisco Catalyst® 3000 Series | Catalyst 3560C Series: WS-C3560CG-8TC-S, WS-C3560CG-8PC-S, WS-C3560CDP-8PT-S | IOS 15.0(1)SE2 | IOS 15.0(2)SE | (MKA*) | Yes (SAP**) |
| | Catalyst 3560-X, 3750-X; requires C3KX-SM-10G for uplink (C3KX-NM-XX does not support MACsec) | IOS 15.0(1)SE2 | IOS 15.0(2)SE4 | Yes (MKA) | Yes (SAP) |
| Cisco Catalyst 4000 Series | Catalyst 4500 (Sup7-E and Sup7L-E); requires the following line cards: S-X4712-SFP+E, WS-X4748-UPOE+E, WS-X4748-RJ45V+E, WS-X4748-RJ45-E | IOS-XE 3.3.0SG | IOS-XE 3.3.0SG | Yes (MKA) | Yes (SAP) |
| Cisco Catalyst 6500 Series | Catalyst 6500 (Sup-2T); requires the following line cards: WS-X6908-10G-2T, WS-X6908-10G-2TXL, WS-X6904-40G-2T, WS-X6904-40G-2TXL | IOS 15.0(1)SY1 | IOS 15.1(1)SY1 | No | Yes (SAP) |
| Cisco Nexus® 7000 Series | Nexus 7x00 (Sup1, 2, and 2e); requires the following line cards: N7K-M108X2-12L, N7K-M132XP-12, N7K-M132XP-12L, N7K-M148GT-11, N7K-M148GT-11L, N7K-M148GS-11, N7K-M148GS-11L, N7K-M202CF-22L, N7K-M206FQ-23L, N7K-M224XP-23L, N7K-F248XT-25E (all ports), N7K-F248XP-25E (ports 41-48) | NX-OS 5.2.4 / NX-OS 6.1.1 | NX-OS 6.2(2) | No | Yes (SAP) |

System-level validated versions do not always represent the latest available platform version. Please visit www.cisco.com to find the latest version.
Solution Minimum Version indicates the version of code that has all the features necessary for the solution; it does not indicate the minimum version for any individual feature.

* MKA = MACsec Key Agreement Protocol specified in IEEE802.1X-2010.

** SAP = Security Association Protocol developed by Cisco.

A LAN Base K9 license is required for Cisco Catalyst 2960 switches for all Secure Access features. 2960 LAN Lite is supported but not recommended with ISE 1.2 because of its limited feature support: LAN Lite supports only 802.1X and VLAN assignment.