
Cisco TrustSec

Cisco TrustSec 2.1 Product Bulletin

PB712066

Introduction

The Cisco TrustSec® solution, a core component of the Cisco SecureX Architecture, is an intelligent access control solution that mitigates security risk by providing comprehensive visibility into who and what is connecting to the network, and when, across the entire network infrastructure, and by providing fine-grained control over where those users and devices can go and what they can reach.
Cisco TrustSec builds on your existing identity-aware access layer infrastructure (switches, routers, wireless controllers, and so on) and is a fully validated solution in which all components are thoroughly vetted and rigorously tested as an integrated system.
The Cisco TrustSec system not only combines standards-based identity and enforcement models, such as IEEE 802.1X and VLAN control, but also adds more advanced identity and enforcement capabilities, such as flexible authentication, downloadable access control lists (dACLs), Security Group Access (SGA), device profiling, posture assessment, guest access management, and more.

New in Cisco TrustSec 2.1

The Cisco TrustSec 2.1 solution adds identity, SGA, and MACsec features on additional platforms, which makes it easier to deploy Cisco TrustSec at remote sites, in data centers, and in the access layer. New features and platforms since the release of Cisco TrustSec 2.0 include the following:

• ISE 1.1.1 now supports device registration and device onboarding to make bring-your-own-device (BYOD) environments easier to manage.

• Branch-to-campus solution scenario:

– Cisco® ISR Integrated Services Router Generation 2 (ISR G2) now supports basic identity features such as 802.1X, multi-authentication host mode, flexible authentication (FlexAuth), monitor mode, low-impact mode, and closed mode. ISR G2 also supports the Security Group Tag (SGT) Exchange Protocol (SXP) to pass IP-to-SGT binding tables to a peer node, and Zone-Based Security Group Firewall (using SXP) to enforce SGT-based policies on ISR G2 systems. Cisco ASR 1000 Series Aggregation Services Routers likewise support SXP to receive IP-to-SGT binding tables from other nodes such as ISR G2, and support Zone-Based Security Group Firewall (SGFW) to permit or deny traffic based on tags.

• Campus to data center solution scenario:

– Cisco Catalyst® 2960 and Catalyst 2960S Series Switches support advanced identity features at the access layer.

– Cisco Catalyst 3000 and 4000 Series platforms now have device sensor capability to collect endpoint information for Cisco Identity Services Engine (ISE) classification. Cisco Catalyst 3560-X and 3750-X Series and Catalyst 4000 Series with Supervisor Engine 7-E are also MACsec-capable in this release.

– Cisco Wireless LAN Controller (WLC) also supports device sensor in the TrustSec 2.1 release and adds SXP support to transport IP-to-SGT binding tables to a peer Cisco IOS® SXP node.

• Data center solution scenario:

– Cisco Nexus® 5000 Series Switches now support SXP (speaker role), SGT, and Security Group Access Control List (SGACL) enforcement in TrustSec 2.1. This enables SGACL-based traffic policy enforcement on the Nexus 5000 Series, allowing endpoint-to-server enforcement as well as server-to-server segmentation, similar to the Cisco Nexus® 7000 and Cisco Catalyst® 6500 Series Switches.

Cisco TrustSec 2.1 Product Components and Features

Table 1 summarizes the platforms that support Cisco TrustSec 2.1 and the features available in each product.

Table 1. Cisco TrustSec 2.1 Platforms and Features

Each entry below lists the Component, Platforms, Key Features, and Release Number columns of the table.

Component: Cisco Identity Services Engine (ISE)
Platforms: Cisco ISE 3315, 3355, or 3395 Appliances and VMware
Key Features:
• Integrated authentication, authorization, and accounting (AAA) policy server
• Profiling
• Posture
• Guest services
• BYOD
• Device registration
• Device onboarding
Release Number: Cisco ISE Software Version 1.1.1

Component: Cisco Integrated Services Router (ISR) G2
Platforms: Cisco ISR 890, 1900, 2900, and 3900 Series
Key Features: Basic identity services, including:
• 802.1X authentication
• MAC authentication bypass (MAB)
• Multi-authentication
• Multi-domain authentication and flexible authentication
• Change of authorization (CoA)
• SXP
• SG-FW
Release Number: Cisco IOS® Software Release 15.2(2)T

Component: Cisco ASR 1000 Series Aggregation Services Routers
Platforms: Cisco ASR 1000 Series Route Processor 1 or 2 (RP1/RP2); Cisco ASR 1001 Router; Cisco ASR 1002 Fixed Router; Cisco ASR 1004, 1006, and 1013 Routers with Embedded Services Processor (ESP) at 10, 20, or 40 Gbps and SPA Interface Processor (SIP) 10/40
Key Features:
• SXP
• SG-FW
Release Number: Cisco IOS Software Release 15.2(1)S or Cisco IOS XE Release 3.5

Component: Cisco Catalyst 2000 Series
Platforms: Cisco Catalyst 2960 and 2960S Series
Key Features:
• Critical voice VLAN
• MAC move/replace
• dACL enhancement
Release Number: Cisco IOS Software Release 15.0(1)SE2

Component: Cisco Catalyst 3000 Series
Platforms: Cisco Catalyst 3560, 3560-E, 3560-X, 3750, 3750-E, and 3750-X
Key Features:
• Critical voice VLAN
• MAC move/replace
• dACL enhancement
• Device sensor
• SXP
Note: MACsec is supported only on the 3560-X and 3750-X Series.
Release Number: Cisco IOS Software Release 15.0(1)SE2 (for non-E series)

Component: Cisco Catalyst 4000 Series
Platforms: Cisco Catalyst 4500 Supervisor Engine 7-E and Supervisor Engine 7L-E
Key Features:
• Critical voice VLAN
• MAC move/replace
• dACL enhancement
• SXP
• CoA
• Device sensor
• MACsec
Release Number: Cisco IOS XE Software Release 3.3.0SG or 15.1(1)SG

Component: Cisco Catalyst 4000 Series
Platforms: Cisco Catalyst 4500 Supervisor Engine 6-E and Supervisor Engine 6L-E
Key Features:
• Critical voice VLAN
• MAC move/replace
• dACL enhancement
• SXP
• Device sensor
• CoA
Release Number: Cisco IOS XE Software Release 3.2.2SG or 15.0(2)SG2

Component: Cisco Catalyst 6000 Series
Platforms: Cisco Catalyst 6000 Series with Supervisor Engine 2T
Key Features:
• SXP
• SGT
• SGACL enforcement
• SG name download
• Subnet-to-SGT mapping
• VLAN-to-SGT mapping
• MACsec
• Identity to Port Mapping (IPM)
Release Number: Cisco IOS Software Release 15.0(1)SY1

Component: Cisco Catalyst 6000 Series
Platforms: Cisco Catalyst 6000 Series with Supervisor Engine 32 and Supervisor Engine 720
Key Features:
• Critical voice VLAN
• MAC move/replace
• dACL enhancement
• SXP
Release Number: Cisco IOS Software Release 12.2(33)SXJ2

Component: Cisco Nexus 7000 Series
Platforms: All Cisco Nexus 7000 Series line cards and chassis (F-Series line cards do not support MACsec)
Key Features:
• Bug fix verification
• Requalification of SXP
• SGT
• SGACL enforcement
• MACsec
Release Number: Cisco NX-OS Release 5.2.4 and Release 6.1.1

Component: Cisco Nexus 5000 Series
Platforms: Cisco Nexus 5000 Series, including 5548P, 5548UP, and 5596UP Switches; no support for Cisco Nexus 5010 or 5020 Switches
Key Features:
• SXP
• SGT
• SGACL enforcement
Release Number: Cisco NX-OS Release 5.1(3)N1

Component: Cisco Wireless Controllers
Platforms: Cisco Flex 7500 Series, Cisco 5500 Series and 2500 Series, Cisco Wireless Services Module 2 (WiSM2), and Cisco Wireless LAN Controller Module for Integrated Services Routers G2 (WLCM2)
Key Features:
• 802.1X
• CoA with central web authentication (CWA)
• Device sensor
• SXP
Release Number: Cisco Wireless Network Software Release 7.2 MR1

Component: Cisco AnyConnect Secure Mobility Client
Platforms: Software only
Key Features: MACsec
Release Number: Cisco AnyConnect Software Version 3.x MR5

Component: Cisco Secure Access Control System (ACS)
Platforms: Software only
Key Features: Requalification
Release Number: Cisco Secure Access Control System 5.3

Component: Cisco Prime LAN Management Solution (LMS)
Platforms: Software only
Key Features:
• Identity mode
• MACsec
• Readiness assessment
Release Number: Cisco Prime LAN Management Solution 4.1 or 4.2

Component: Cisco Prime Network Control System
Platforms: Software only
Key Features: Wireless configuration
Release Number: Cisco Prime Network Control System 1.1

Component: Supported client supplicants
Platforms: Software only
Key Features: Windows and Mac OS client supplicants
Release Number: Native supplicants for Windows 7, XP, and Vista, and for Mac OS 10.6.5 and 10.7.1

Component: IP phones
Platforms: Cisco Unified IP Phones, including the following models: 791x, 794x, 796x, 690x, 691x, 692x, 694x, and 696x
Key Features: Requalification
Release Number: Skinny Client Control Protocol (SCCP) Software, Version 9.2(1)SR1

Systems Testing of Cisco TrustSec 2.1

Cisco TrustSec 2.1 systems testing validates specific use cases, features, and platforms for a given system release. Features not included in TrustSec 2.1 may still be supported on individual platforms, but they have not been validated at the system level.