Your software release may not support all the features documented in
this module. For the latest caveats and feature information, see Bug Search
Tool and the release notes for your platform and software release. To find
information about the features documented in this module, and to see a list of
the releases in which each feature is supported, see the feature information
table at the end of this module.
Use Cisco Feature Navigator to find information about platform support
and Cisco software image support. To access Cisco Feature Navigator, go to
http://www.cisco.com/go/cfn. An account on Cisco.com is
guidelines and limitations apply to configuring Cisco TrustSec SGT and SGACL:
statically map an IP-subnet to an SGT. You can only map IP addresses to an SGT.
When you configure IP address-to-SGT mappings, the IP address prefix must be
If a port is
configured in Multi-Auth mode, all hosts connecting on that port must be
assigned the same SGT. When a host tries to authenticate, its assigned SGT must
be the same as the SGT assigned to a previously authenticated host. If a host
tries to authenticate and its SGT is different from the SGT of a previously
authenticated host, the VLAN port (VP) to which these hosts belong is
enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If
there are more than eight VLANs configured on a VLAN-trunk link and Cisco
TrustSec enforcement is enabled on those VLANs, the switch ports on those
VLAN-trunk links will be error-disabled.
The switch can
assign SGT and apply corresponding SGACL to end-hosts based on SXP listening
only if the end-hosts are Layer2 adjacent to the switch.
mapping can be configured only on Cisco TrustSec links (that is,
switch-to-switch links). Port-to-SGT mapping cannot be configured on
port-to-SGT mapping is configured on a port, an SGT is assigned to all ingress
traffic on that port. There is no SGACL enforcement for egress traffic on the
Cisco TrustSec uses AES-128 GCM and GMAC and is compliant with the
802.1AE standard. GCM is not supported on switches running the NPE or the LAN
Cisco TrustSec NDAC SAP is supported on trunk ports because it is
intended only for network device to network device links, that is,
switch-to-switch links. It is not supported on:
Host facing access
ports (these ports support MKA MACsec)
SPAN destination ports
The switch also does not support security group ACLs.
provides security improvements to Cisco network devices based on the capability
to strongly identify users, hosts, and network devices within a network.
TrustSec provides topology-independent and scalable access controls by uniquely
classifying data traffic for a particular role. TrustSec ensures data
confidentiality and integrity by establishing trust among authenticated peers
and encrypting links with those peers.
The key component of
Cisco TrustSec is the Cisco Identity Services Engine (ISE). Cisco ISE can
provision switches with TrustSec Identities and Security Group ACLs (SGACLs),
though these may be configured manually on the switch.
The table below lists
the TrustSec features to be eventually implemented on TrustSec-enabled Cisco
switches. Successive general availability releases of TrustSec will expand the
number of switches supported and the number of TrustSec features supported per
Cisco TrustSec Feature
802.1AE Tagging (MACsec)
IEEE 802.1AE-based wire-rate hop-to-hop Layer 2 encryption.
MACsec-capable devices, packets are encrypted on egress from the transmitting
device, decrypted on ingress to the receiving device, and in the clear within
feature is only available between TrustSec hardware-capable devices.
Endpoint Admission Control (EAC)
EAC is an
authentication process for an endpoint user or a device connecting to the
TrustSec domain. Usually EAC takes place at the access level switch. Successful
authentication and authorization in the EAC process results in Security Group
Tag assignment for the user or device. Currently EAC can be 802.1X, MAC
Authentication Bypass (MAB), and Web Authentication Proxy (WebAuth).
Network Device Admission Control (NDAC)
NDAC is an
authentication process where each network device in the TrustSec domain can
verify the credentials and trustworthiness of its peer device. NDAC utilizes an
authentication framework based on IEEE 802.1X port-based authentication and
uses EAP-FAST as its EAP method. Successful authentication and authorization in
NDAC process results in Security Association Protocol negotiation for IEEE
Security Group Access Control List (SGACL)
Group Access Control List (SGACL) associates a Security Group Tag with a
policy. The policy is enforced upon SGT-tagged traffic egressing the TrustSec
Security Association Protocol (SAP)
authentication, the Security Association Protocol (SAP) automatically
negotiates keys and the cipher suite for subsequent MACSec link encryption
between TrustSec peers. SAP is defined in IEEE 802.11i.
Security Group Tag (SGT)
An SGT is a
16-bit single label indicating the security classification of a source in the
TrustSec domain. It is appended to an Ethernet frame or an IP packet.
Group Tag Exchange Protocol (SXP). With SXP, devices that are not
TrustSec-hardware-capable can receive SGT attributes for authenticated users
and devices from the Cisco Identity Services Engine (ISE) or the Cisco Secure
Access Control System (ACS). The devices can then forward a sourceIP-to-SGT
binding to a TrustSec-hardware-capable device will tag the source traffic for
When both ends of a
link support 802.1AE MACsec, SAP negotiation occurs. An EAPOL-key exchange
occurs between the supplicant and the authenticator to negotiate a cipher
suite, exchange security parameters, and manage keys. Successful completion of
these tasks results in the establishment of a security association (SA).
Depending on your
software version and licensing and link hardware support, SAP negotiation can
use one of these modes of operation:
Galois Counter Mode
(GCM)—authentication and encryption
GCM authentication (GMAC)—
GCM authentication, no encryption
encapsulation (clear text)
authentication or encryption
Various TrustSec Featurette
configurations and examples
Support website provides extensive online resources, including documentation
and tools for troubleshooting and resolving technical issues with Cisco
products and technologies.
security and technical information about your products, you can subscribe to
various services, such as the Product Alert Tool (accessed from Field Notices),
the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS)
most tools on the Cisco Support website requires a Cisco.com user ID and