Cisco TrustSec-Facilitated Infrastructure
Cisco TrustSec builds on your existing identity-aware infrastructure by enforcing identity-based policies in a scalable manner with Cisco Security Group Access (SGA) and Device Sensors. It also helps ensure data confidentiality with ubiquitous hop-by-hop MACsec encryption between network devices.
| Platform | Models | 802.1X / Identity Features | SGA: Classification | SGA: Transport (control plane) | SGA: Transport (data plane) | SGA: Enforcement | Device Sensors | MACsec: Switch to Switch | MACsec: Client to Switch |
|---|---|---|---|---|---|---|---|---|---|
| Cat 2K | 2960-S, 2960-SF, 2960-C* | | | SXPv2(S)* | - | - | - | - | - |
| Cat 3K | 3560, 3560E, 3750, 3750E | | | SXPv2(S) | - | - | | - | - |
| Cat 4K | Sup6E, Sup 6L-E | | | SXPv2(S) | - | - | | - | - |
| Cat 4K | Sup7E, Sup 7L-E | | | SXPv2(S) | - | - | | | |
| Cat 6K | Sup32 / Sup720 | | | SXPv4(S,L) | - | - | - | - | - |
| ASR 1K | Pr1 / Pr2, 1001, 1002, 1004, 1006, 1013, ESP10/20/40, SIP 10/40 | - | | SXPv2 | - | SG-FW | - | - | - |
| ISR G2 | 89X, 19xx, 29xx, 39xx | | | SXPv2 | SGToIPSEC | SG-FW | - | - | - |
| ASA | 5505, 5510, 5520, 5540, 5550, 5580, 5585-X, ASA-SM and ASA platforms (5512-X, 5515-X, 5525-X, 5545-X, 5555-X)* | - | - | SXPv2(L)* | - | SG-FW* | - | - | - |
| Wireless LAN Controller | 7500, 5500, 2500, WiSM2, WLCM2 | | | SXPv2(S) | - | - | | - | - |

Asterisks indicate that the functionality is new in TrustSec 3.0. A dash means the feature is not supported on that platform; a blank cell is a feature the original matrix marks as supported with a check-mark image that is not reproduced in this text copy. SXP entries note the role the platform can take: (S) speaker, (L) listener.
Definitions of the matrix columns
- Security Group Access classifies traffic by the user's role once the user has been granted access, so that users and devices reach only the network resources their privilege allows. SGA classification is applied at ingress using a special tag, the Security Group Tag (SGT). Based on the SGT value, a filtering process is enforced at the egress of the network; this filtering is called a Security Group based Access Control List (SGACL). SGACLs provide topology-independent access control and reduce network redesign work such as adding VLANs or scoping new address ranges. Access control by SGT also simplifies the traditional access control list: the endpoint is represented by its SGT rather than by an IP address, the operational task of managing the access control list becomes simpler, and any change of IP address in the network is handled without editing policy. Firewalls can take full advantage of SGA to further simplify their access rules and become another enforcement point.
- Device Sensor integration allows the selected network infrastructure to collect and analyze device-specific traffic and send it to the Identity Services Engine (ISE).
- MACsec (IEEE 802.1AE) first-hop security provides a consistent security policy across networks, using next-generation cryptography to protect data at Layer 2 on each link.
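The ingress classification and egress SGACL enforcement described above can be modelled in a few lines. The following Python is an added illustration, not Cisco code or configuration: the roles, SGT numbers, IP addresses, packets and the SGACL matrix are constructed for the example, and traffic from an address with no binding is given SGT 0 (the "unknown" tag) so that it falls through to the default policy. It shows why re-addressing an endpoint changes only its IP-to-SGT binding and never the access-control policy itself.

```python
"""Model of SGT classification at ingress and SGACL enforcement at egress.

Constructed illustration, not Cisco code; every role, SGT, address and
rule below is invented for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNKNOWN_SGT = 0  # traffic with no IP-to-SGT binding carries the "unknown" tag


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                   # "tcp", "udp" or "ip"
    dst_port: Optional[int] = None


# Role -> SGT, the mapping a policy server would hand out after authentication.
ROLE_TO_SGT = {"employee": 10, "contractor": 20, "hr-server": 100, "web-server": 200}

# SGACL matrix: (source SGT, destination SGT) -> ordered ACEs, first match wins.
# An ACE is (action, proto, dst_port); proto "ip" with port None matches anything.
ACE = Tuple[str, str, Optional[int]]
SGACL: Dict[Tuple[int, int], List[ACE]] = {
    (10, 100): [("permit", "tcp", 443), ("deny", "ip", None)],
    (20, 100): [("deny", "ip", None)],
    (10, 200): [("permit", "ip", None)],
    (20, 200): [("permit", "tcp", 80), ("permit", "tcp", 443), ("deny", "ip", None)],
}
DEFAULT_ACTION = "deny"  # matrix cells with no SGACL fall through to the default


class TrustSecDomain:
    """Holds the IP-to-SGT binding table (what SXP would propagate) and applies SGACLs."""

    def __init__(self) -> None:
        self.bindings: Dict[str, int] = {}

    def classify_at_ingress(self, ip: str, role: str) -> int:
        # Ingress device assigns the SGT from the authenticated role and records the binding.
        sgt = ROLE_TO_SGT[role]
        self.bindings[ip] = sgt
        return sgt

    def sgt_of(self, ip: str) -> int:
        return self.bindings.get(ip, UNKNOWN_SGT)

    def enforce_at_egress(self, pkt: Packet) -> str:
        # Egress device looks up (src SGT, dst SGT) and walks that cell's ACEs in order.
        key = (self.sgt_of(pkt.src_ip), self.sgt_of(pkt.dst_ip))
        for action, proto, port in SGACL.get(key, []):
            if proto != "ip" and proto != pkt.proto:
                continue
            if port is not None and port != pkt.dst_port:
                continue
            return action
        return DEFAULT_ACTION


def demo() -> Dict[str, str]:
    """Run a few constructed packets through the model and return the decisions."""
    d = TrustSecDomain()
    d.classify_at_ingress("10.1.1.5", "employee")
    d.classify_at_ingress("10.1.1.6", "contractor")
    d.classify_at_ingress("10.2.2.10", "hr-server")

    results = {
        "employee_https_to_hr": d.enforce_at_egress(Packet("10.1.1.5", "10.2.2.10", "tcp", 443)),
        "employee_ssh_to_hr": d.enforce_at_egress(Packet("10.1.1.5", "10.2.2.10", "tcp", 22)),
        "contractor_https_to_hr": d.enforce_at_egress(Packet("10.1.1.6", "10.2.2.10", "tcp", 443)),
        # No binding for 10.3.3.3: unknown SGT, no matrix cell, default deny.
        "unbound_host_to_hr": d.enforce_at_egress(Packet("10.3.3.3", "10.2.2.10", "tcp", 443)),
    }

    # The employee moves to another subnet: only the binding changes, the SGACL is untouched.
    d.classify_at_ingress("10.9.9.9", "employee")
    results["moved_employee_https_to_hr"] = d.enforce_at_egress(
        Packet("10.9.9.9", "10.2.2.10", "tcp", 443)
    )
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The policy table is keyed only by tags, so the number of rules grows with the number of roles rather than with the number of hosts, and a host that has not been classified is treated as unknown and hits the default action rather than silently inheriting a permit.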