
Cisco TrustSec

Cisco TrustSec-Enabled Infrastructure


Cisco TrustSec builds on your existing identity-aware infrastructure by enforcing identity-based policies at scale with Cisco Security Group Access (SGA) and Device Sensor. It also helps ensure data confidentiality by encrypting traffic between network devices with MACsec (IEEE 802.1AE).

Cisco TrustSec Platform Support Matrix

| System Component | Platform | Solution Minimum Version | Solution-Level Validated Version | Security Group Tag (SGT) Classification | SGT Exchange Protocol (SXP) Support and Version | Inline SGT Tagging | SGT Enforcement |
|---|---|---|---|---|---|---|---|
| Cisco Identity Services Engine | Cisco ISE 3315, 3355, 3395, 3415, and 3495 appliances, and VMware | Cisco ISE 1.0 | Cisco ISE 1.2 Patch 5 (requires Advanced license) | - | - | - | - |
| Cisco Catalyst® 2000 Series | Cisco Catalyst 2960-Plus Series Switches (LAN Base required) | IOS 15.2(1)E1 | - | Dynamic, IP to SGT, VLAN to SGT, subnet to SGT | S (v2) | No | No |
| | Cisco Catalyst 2960-C Series (LAN Base required) | IOS 15.0(1)SE2 | - | Dynamic, IP to SGT, VLAN to SGT, subnet to SGT | S (v2) | No | No |
| | Cisco Catalyst 2960-S and 2960-SF Series (LAN Base required) | IOS 15.0(1)SE2 | IOS 15.0(2)SE2 | Dynamic, IP to SGT, VLAN to SGT, subnet to SGT | S (v2) | No | No |
| | Cisco Catalyst 2960-X and 2960-XR Series (LAN Base required) | IOS 15.0(2)EX1 | IOS 15.0(2)EX4 | Dynamic, IP to SGT, VLAN to SGT, subnet to SGT | S (v3) | No | No |
| Cisco Catalyst 3000 Series | Cisco Catalyst 3560-E and 3750-E Series (IP Base required) | IOS 15.0(1)SE2 | IOS 15.0(2)SE5 | Dynamic, IP to SGT, VLAN to SGT | S, L (v2) | No | No |
| | Cisco Catalyst 3560-C Series (IP Base required) | IOS 15.0(1)SE2 | IOS 15.0(1)SE2 | Dynamic, IP to SGT, VLAN to SGT | S, L (v2) | No | No |
| | Cisco Catalyst 3560-X and 3750-X Series (IP Base required) | IOS 15.0(2)SE | IOS 15.2(1)E1 | Dynamic, IP to SGT, VLAN to SGT | S, L (v2) | SGT over Ethernet, SGT over MACsec (with fixed port and C3KX-SM-10G) | SG-ACL |
| | Cisco Catalyst 3650 and 3850 Series (IP Base required) | IOS XE 3.3.1SE | IOS XE 3.3.1SE | Dynamic, IP to SGT, VLAN to SGT, port to SGT, subnet to SGT | S, L (v4) | SGT over Ethernet (MACsec in a future release) | SG-ACL |
| Cisco Catalyst 4000 Series | Cisco Catalyst 4500 Supervisor Engine 6-E and 6L-E (IP Base required) | IOS 15.1(1)SG | IOS 15.1(1)SG | Dynamic, IP to SGT, VLAN to SGT | S, L (v2) | No | No |
| | Cisco Catalyst 4500 Supervisor Engine 7-E and 7L-E (IP Base required) | IOS XE 3.3.0SG | IOS XE 3.5.1E | Dynamic, IP to SGT, VLAN to SGT, subnet to SGT, Layer 3 interface (L3IF) to SGT | S, L (v4) | SGT over Ethernet, SGT over MACsec (see footnote * for the supported line cards) | SG-ACL |
| | Cisco Catalyst 4500 Supervisor Engine 8-E (IP Base required) | IOS XE 3.3.0XO | IOS XE 3.3.0XO | Dynamic, IP to SGT, VLAN to SGT, port to SGT, subnet to SGT | S, L (v4) | No | No |
| | Cisco Catalyst 4500-X Series (IP Base required) | IOS XE 3.3.0SG | IOS XE 3.5.1E | Dynamic, IP to SGT, VLAN to SGT, subnet to SGT | S, L (v4) | SGT over Ethernet, SGT over MACsec | SG-ACL |
| Cisco Catalyst 6500 Series | Cisco Catalyst 6500 Series Supervisor Engine 32 and 720 (IP Base required) | IOS 12.2(33)SXJ2 | IOS 12.2(33)SXJ2 | Dynamic, IP to SGT | S, L (v2) | No | No |
| | Cisco Catalyst 6500 Series Supervisor Engine 2T (IP Base required) | IOS 15.0(1)SY1 | IOS 15.1(2)SY1 | Dynamic, IP to SGT, VLAN to SGT, subnet to SGT, L3IF to SGT | S, L (v4) | SGT over Ethernet, SGT over MACsec (requires WS-X6900 line card for both features) | SG-ACL |
| | Cisco Catalyst 6800-X and 6800ia (IP Base required) | IOS 15.0(1)SY1 | IOS 15.1(2)SY1 | Dynamic, IP to SGT, VLAN to SGT, subnet to SGT, L3IF to SGT | S, L (v4) | SGT over Ethernet, SGT over MACsec (requires WS-X6900 for Catalyst 6807) | SG-ACL |
| Cisco Connected Grid Routers and Switches | Cisco 2010 Connected Grid Routers | IOS 15.3(2)T | IOS 15.4(1)T | Dynamic, IP to SGT, VLAN to SGT | S, L (v4) | SGT over Ethernet, SGT over GETVPN or IPsec VPN | SG Firewall |
| | Cisco 2500 Series Connected Grid Switches | IOS 15.0(1)SE2 | IOS 15.0(2)EK1 | Dynamic, IP to SGT, VLAN to SGT, subnet to SGT | S, L (v3) | No | No |
| Cisco Industrial Ethernet Switches | Cisco IE 2000 Series | IOS 15.0(2)EB | - | Dynamic, IP to SGT, VLAN to SGT, subnet to SGT | S (v2, available as of 15.2(1)EY) | No | No |
| | Cisco IE 3000 Series | IOS 15.2(1)EY | IOS 15.2(1)EY | Dynamic, IP to SGT, VLAN to SGT, subnet to SGT | S, L (v4) | No | No |
| Cisco Wireless Controllers | Cisco 5500 Series and 2500 Series; Cisco Wireless Services Module 2 (WiSM2); Cisco Wireless LAN Controller Module for Integrated Services Routers G2 (WLCM2). WLC 7500, 8500, and vWLC do not support Cisco TrustSec | AireOS 7.4 | AireOS 7.5.102 | Dynamic | S (v2) | No | No |
| | Cisco 5760 Wireless LAN Controller | IOS XE 3.2.1SE | IOS XE 3.3.1SE | Dynamic, IP to SGT, VLAN to SGT, port to SGT, subnet to SGT | S, L (v4) | SGT over Ethernet | SG-ACL (requires IOS XE 3.3.1SE) |
| Cisco Nexus® 7000 Series | All Cisco Nexus 7000 line cards and chassis | NX-OS 6.1(1) (SGT support in Base license in 6.1 and later) | NX-OS 6.2(6) | Static IP to SGT, L2IF to SGT, port profile to SGT, VLAN to SGT | S, L (v1) | SGT over Ethernet, SGT over MACsec (supported on all line cards except F1 and F2) | SG-ACL |
| Cisco Nexus 5000 Series | Cisco Nexus 5548P, 5548UP, and 5596UP (no support for 5010 or 5020) | NX-OS 5.1(3)N1 | NX-OS 6.0(2)N2(2) | L2IF to SGT | S (v1) | SGT over Ethernet (no MACsec option) | SG-ACL |
| Cisco Nexus 1000V | Cisco Nexus 1000V | NX-OS 4.2(1)SV2(1.1) with Advanced feature license | NX-OS 4.2(1)SV2(1.1) with Advanced feature license | IP to SGT, port profile to SGT | S (v1) | No | No |
| Cisco Integrated Services Router (ISR) G2 | Cisco 890, 1900, 2900, and 3900 Series | IOS 15.2(2)T | IOS 15.4(1)T1 | Dynamic, IP to SGT | S, L (v4) | SGT over Ethernet (not supported on the ISR G2 Cisco 800 Series), SGT over GETVPN or IPsec VPN | SG Firewall |
| | Cisco 4451-X ISR | IOS XE 3.11.0S | IOS XE 3.11.0S | Dynamic, IP to SGT | S, L (v4) | SGT over Ethernet, SGT over GETVPN or IPsec VPN | SG Firewall |
| | Cisco SM-X Layer 2/3 EtherSwitch Module | IOS 15.0(2)SE5 | IOS 15.0(2)SE5 | Dynamic, IP to SGT, VLAN to SGT | S, L (v2) | SGT over Ethernet, SGT over MACsec | SG-ACL |
| Cisco Cloud Services Router 1000V Series | Cisco Cloud Services Router 1000V | IOS XE 3.11.0S | - | Static IP to SGT | S, L (v4) | SGT over Ethernet, SGT over IPsec VPN | SG Firewall |
| Cisco ASR 1000 Series Aggregation Services Routers | Cisco ASR 1000 Series Route Processor 1 or 2 (RP1/RP2); ASR 1001, 1002, 1004, 1006, and 1013 Routers with Embedded Services Processor (10, 20, or 40 Gbps) and SPA Interface Processor (10/40) | IOS XE 3.5 | IOS XE 3.11.0S | Static IP to SGT | S, L (v4) | SGT over Ethernet, SGT over GETVPN or IPsec VPN | SG Firewall |
| Cisco ASA 5500 and 5500-X Series | Cisco ASA 5505, 5510, 5512-X, 5515-X, 5520, 5525-X, 5540, 5545-X, 5550, 5555-X, 5580, 5585-X, and ASA Services Module | ASA 9.0.1, ASAv 9.2.1, Adaptive Security Device Manager (ASDM) 7.0.1 | ASA 9.2.1, ASAv 9.2.1, ASDM 7.1.5.100, Cisco Security Manager** | Dynamic, IP to SGT (for remote access only) | S, L (v2) | No | SG Firewall |

Notes

  • * Product part numbers of the line cards that support SGT over Ethernet on the Cisco Catalyst 4500 Supervisor Engine 7-E and Supervisor Engine 7L-E: WS-X4712-SFP+E, WS-X4748-UPOE+E, WS-X4748-RJ45V+E, WS-X4748-RJ45-E, WS-X4640-CSP-E, WS-X4724-SFP-E, WS-X4748-SFP-E.
  • ** Cisco Security Manager 4.5 supports up to ASA 9.1.3 and does not support ASA 9.2.1.
  • Solution-level validated versions may not always represent the latest available platform version. Please visit www.cisco.com to find the latest version.
  • "Solution Minimum Version" indicates the earliest software or OS version for each platform that has all the features necessary for Cisco TrustSec solution support.
  • Dynamic classification includes SGT classification based on 802.1X authentication, MAC Authentication Bypass (MAB), or web authentication.
  • For SXP roles, "S" represents Speaker and "L" represents Listener.
  • IP to SGT, VLAN to SGT, subnet to SGT, port profile to SGT, L2IF to SGT, and L3IF to SGT all use the static classification method.
  • For Cisco TrustSec classification, propagation, and enforcement, an IP Base K9 license is required for Cisco Catalyst 3560, 3560-E, 3750, 3750-E, 3560-C, 3560-X, 3750-X, 4500 Sup6(L)-E, 4500 Sup7(L)-E, 6500 Sup720, and 6500 Sup2T.
  • The Cisco ISR Base/K9 license is required for Secure Access features. For Cisco TrustSec classification, propagation, and enforcement, an ISR SEC/K9 license is required.
  • A Cisco ASR1000 SEC-FW license is required on ASR 1000 Series routers for all Cisco TrustSec functions.

Cisco Secure Access Platform Support Matrix

| System Component | Platform | Solution Minimum Version | Solution-Level Validated Version | Secure Access Features | Device Sensor |
|---|---|---|---|---|---|
| Cisco Identity Services Engine | Cisco ISE 3315, 3355, 3395, 3415, and 3495 appliances, and VMware | ISE 1.0 | ISE 1.2 Patch 1 | - | - |
| Cisco Catalyst® 2000 Series | Cisco Catalyst 2960-Plus Series | IOS 15.2(1)E | - | Yes (LAN Base) | No |
| | Cisco Catalyst 2960C Series | IOS 15.0(1)SE2 | IOS 15.0(2)SE2 | Yes (LAN Base) | No |
| | Cisco Catalyst 2960S/SF Series | IOS 15.0(1)SE2 | IOS 15.0(2)SE2 | Yes (LAN Base) | No |
| | Cisco Catalyst 2960X/XR Series | IOS 15.0(2)EX1 | - | Yes (LAN Base) | No |
| Cisco Catalyst 3000 Series | Catalyst 3560, 3750 | IOS 12.2(55)SE3* | IOS 12.2(55)SE3* | Yes | Yes |
| | Cisco Catalyst 3560G/-E, 3750G/-E | IOS 15.0(1)SE2 | IOS 15.0(2)SE2 | Yes | Yes |
| | Cisco Catalyst 3560C Series | IOS 15.0(1)SE2 | IOS 15.0(2)SE2 | Yes | Yes |
| | Cisco Catalyst 3560-X, 3750-X | IOS 15.0(1)SE2 | IOS 15.0(2)SE4 | Yes | Yes |
| | Cisco Catalyst 3850 | IOS-XE 3.2.2SE | IOS-XE 3.2.2SE | Yes | No |
| Cisco Catalyst 4000 Series | Cisco Catalyst 4500 (Sup6-E and Sup6L-E) | IOS 15.1(1)SG | IOS 15.1(1)SG | Yes | Yes |
| | Cisco Catalyst 4500 (Sup7-E and Sup7L-E) | IOS-XE 3.3.0SG | IOS-XE 3.3.0SG | Yes | Yes |
| Cisco Catalyst 6500 Series | Cisco Catalyst 6500 (Sup-32 and Sup-720) | IOS 12.2(33)SXJ2 | IOS 12.2(33)SXJ3 | Yes | No |
| | Cisco Catalyst 6500 (Sup-2T) | IOS 15.0(1)SY1 | IOS 15.0(1)SY1 | Yes | No |
| Cisco Industrial Ethernet Switches | Cisco IE 2000 Series, IE 3000 Series | IOS 15.0(2)EB | IOS 15.0(2)EB | Yes | No |
| Cisco Connected Grid Routers | Cisco CGR 2010 Series | IOS 15.3(2)T | IOS 15.3(2)T | Yes | No |
| | Cisco CGS 2520 | IOS 15.0(2)ED | IOS 15.0(2)ED | Yes | No |
| Cisco Wireless Controllers | Cisco Flex 7500 Series, Cisco 5500 Series and 2500 Series, Cisco Wireless Services Module 2 (WiSM2), Cisco Wireless LAN Controller Module for Integrated Services Routers G2 (WLCM2) | AirOS 7.2 MR1 | AirOS 7.4, AirOS 7.3 | Y** | No |
| | Cisco WLC 5760 | IOS-XE 3.2.1SE | IOS-XE 3.2.1SE | - | No |
| Cisco Integrated Services Router (ISR) G2 | Cisco ISR 890, 1900, 2900, 3900 Series | IOS 15.2(2)T | IOS 15.3(2)T | Y*** | No |
| Cisco AnyConnect® Secure Mobility Client | Software only | AnyConnect 3.0 | AnyConnect 3.1 | - | No |
| Supported Client Supplicant | OS embedded supplicants | Windows 7, XP, Vista, and Mac OS 10.6.5 and 10.7.1 | - | - | - |
| Cisco Unified IP Phones | Cisco Unified IP Phones, including the following models: 791x, 794x, 796x, 690x, 691x, 692x, 694x, and 696x | Skinny Client Control Protocol (SCCP) Software, Version 9.2(1) SR1 | - | - | - |
  • System-level validated versions do not always represent the latest available platform version. Please visit www.cisco.com to find the latest version.
  • Solution Minimum Version indicates the version of code that has all the features necessary for the solution; it does not indicate the minimum version for any individual feature.
  • * Cisco Catalyst 3560 and 3750 do not support the new features introduced in the IOS 15.0 train.
  • ** The Secure Access feature set for WLC AirOS 7.x is different from the feature set for Catalyst switches.
  • *** The Secure Access feature set for ISR G2 routers is different from the feature set for Catalyst switches. Please refer to the table below for the known limitations of ISR G2 platforms.

Baseline Secure Access Functionalities

The following is a list of Cisco IOS Software-based switch Secure Access functionalities validated in the TrustSec program, by Cisco TrustSec release.
Cisco TrustSec 1.99
  • 802.1X Authentication
  • MAC Authentication Bypass
  • Open Access
  • Flexible Authentication
  • Single Host Mode
  • Multi Host Mode
  • Multi Domain Authentication Mode (MDA)
  • Multi Authentication Mode
  • VLAN Assignment
  • Downloadable ACL
  • Inactivity Timer (MAB / 802.1X)
  • Local Web Authentication (LWA)
  • Wake on LAN
  • CDP Second Port Disconnect
  • Integration with DAI, IPSG, Port Security
  • MDA with Dynamic Voice VLAN Assignment
  • Filter ID
  • RADIUS Supplied Timeout
  • Guest VLAN
  • Authentication Failed VLAN
  • RADIUS Accounting
  • Critical Port / Inaccessible Authentication Bypass (IAB) for Data Domain
  • Conditional Logging / Debugging on Per-Port Basis

Cisco TrustSec 2.0
  • Change of Authorization (Catalyst 2000, 3000, and 6000 Series; Wireless LAN Controller)
  • Central Web Authentication (CWA) with URL redirect, with ISE

Cisco TrustSec 2.1
  • Device Sensor (Catalyst 3000 and 4000 Series; Wireless LAN Controller)
  • 802.1AE MACsec + MKA (Cat3K-X, Cat4K-Sup7E)
  • MAC Move
  • MAC Replace
  • Downloadable ACL Enhancement
  • Critical Port / IAB for Voice Domain (Catalyst 2000, 3000, 4000, and 6000 Series)
  • Change of Authorization (Catalyst 4000 Series)
  • CoA with CWA (Wireless LAN Controller)

*** ISR G2 Secure Access features have the following restrictions:

| Secure Access Feature | Restriction |
|---|---|
| IEEE 802.1X with ACL Enhancements | Only available on non-800 ISR G2 |
| IEEE 802.1X / MAB with Downloadable ACL | Only available on non-800 ISR G2 |
| IEEE 802.1X / MAB with Filter-ID | Only available on non-800 ISR G2 |
| IEEE 802.1X / MAB Port ACL enhancement | Only available on non-800 ISR G2 |
| IEEE 802.1X / MAB with URL redirect | Only available on non-800 ISR G2 |
| IEEE 802.1X / MAB with Per-User ACL Support | Only available on non-800 ISR G2 |
| Web Authentication with URL Redirect | Not available on all ISR G2 platforms |
| Inactivity Aging | Not available on all ISR G2 platforms |
| IEEE 802.1X User Distribution | Not available on all ISR G2 platforms |
| IEEE 802.1X Supplicant Support for MD5 | Not available on all ISR G2 platforms |
| IEEE 802.1X Voice Aware Security Violations | Not available on all ISR G2 platforms |
| MAC Move Support | Not available on all ISR G2 platforms |
| IEEE 802.1X Readiness Check | Not available on all ISR G2 platforms |

Cisco IEEE802.1AE (MACsec) Platform Support Matrix

| System Component | Platform | Solution Minimum Version | Solution-Level Validated Version | MACsec for Endpoint | Switch-to-Switch Encryption |
|---|---|---|---|---|---|
| Cisco Identity Services Engine | Cisco ISE 3315, 3355, 3395, 3415, and 3495 appliances, and VMware | ISE 1.0 | ISE 1.2 Patch 1 (Base License required) | ISE (required) | ISE (optional) |
| Cisco AnyConnect® Supplicant | Network Access Module (NAM); hardware acceleration with Intel 82567LM or Intel 82579LM | AnyConnect 3.0 | AnyConnect 3.0 | AnyConnect (required) | N/A |
| Cisco Catalyst® 3000 Series | Catalyst 3560C Series: WS-C3560CG-8TC-S, WS-C3560CG-8PC-S, WS-C3560CDP-8PT-S | IOS 15.0(1)SE2 | IOS 15.0(2)SE | (MKA*) | Yes (SAP**) |
| | Catalyst 3560-X, 3750-X (requires C3KX-SM-10G for the uplink; C3KX-NM-XX does not support MACsec) | IOS 15.0(1)SE2 | IOS 15.0(2)SE4 | Yes (MKA) | Yes (SAP) |
| Cisco Catalyst 4000 Series | Catalyst 4500 (Sup7-E and Sup7L-E); requires one of the following line cards: WS-X4712-SFP+E, WS-X4748-UPOE+E, WS-X4748-RJ45V+E, WS-X4748-RJ45-E | IOS-XE 3.3.0SG | IOS-XE 3.3.0SG | Yes (MKA) | Yes (SAP) |
| Cisco Catalyst 6500 Series | Catalyst 6500 (Sup-2T); requires one of the following line cards: WS-X6908-10G-2T, WS-X6908-10G-2TXL, WS-X6904-40G-2T, WS-X6904-40G-2TXL | IOS 15.0(1)SY1 | IOS 15.1(1)SY1 | No | Yes (SAP) |
| Cisco Nexus® 7000 Series | Nexus 7x00 (Sup1, 2, and 2e); requires one of the following line cards: N7K-M108X2-12L, N7K-M132XP-12, N7K-M132XP-12L, N7K-M148GT-11, N7K-M148GT-11L, N7K-M148GS-11, N7K-M148GS-11L, N7K-M202CF-22L, N7K-M206FQ-23L, N7K-M224XP-23L, N7K-F248XT-25E (all ports), N7K-F248XP-25E (ports 41 to 48) | NX-OS 5.2.4, NX-OS 6.1.1 | NX-OS 6.2(2) | No | Yes (SAP) |
  • System-level validated versions do not always represent the latest available platform version. Please visit www.cisco.com to find the latest version.
  • Solution Minimum Version indicates the version of code that has all the features necessary for the solution; it does not indicate the minimum version for any individual feature.
  • * MKA = MACsec Key Agreement protocol, specified in IEEE 802.1X-2010.
  • ** SAP = Security Association Protocol, developed by Cisco.
  • A LAN Base K9 license is required for Cisco Catalyst 2960 switches for all Secure Access features. 2960 LAN Lite is supported but not recommended with ISE 1.2 because of its limited feature support: LAN Lite supports only 802.1X and VLAN assignment.