provides security improvements to Cisco network devices based on the capability
to strongly identify users, hosts, and network devices within a network.
TrustSec provides topology-independent and scalable access controls by uniquely
classifying data traffic for a particular role. TrustSec ensures data
confidentiality and integrity by establishing trust among authenticated peers
and encrypting links with those peers.
The key component of
Cisco TrustSec is the Cisco Identity Services Engine (ISE). Cisco ISE can
provision switches with TrustSec Identities and Security Group ACLs (SGACLs),
though these may be configured manually on the switch.
To configure Cisco
TrustSec on the switch, see the Cisco TrustSec Switch Configuration Guide at
the following URL:
The table below lists the Cisco TrustSec features implemented on Cisco
TrustSec-enabled Catalyst 2960-X and 2960-XR Series Switches:

Cisco TrustSec Feature: Endpoint Admission Control (EAC)
    EAC is an authentication process for an endpoint user or a device
    connecting to the TrustSec domain. Usually EAC takes place at the
    access-level switch. Successful authentication and authorization in the
    EAC process results in Security Group Tag (SGT) assignment for the user
    or device. Currently EAC can be 802.1X, MAC Authentication Bypass (MAB),
    and Web Authentication Proxy.

Cisco TrustSec Feature: SGT Exchange Protocol (SXP)
    Security Group Tag Exchange Protocol (SXP). With SXP, devices that are not
    TrustSec-hardware-capable can receive SGT attributes for authenticated
    users and devices from the Cisco Identity Services Engine (ISE) or the
    Cisco Secure Access Control System (ACS). The devices can then forward a
    source-IP-to-SGT binding to a TrustSec-hardware-capable device, which tags
    the source traffic for SGACL enforcement.
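The SXP hand-off described above, modelled as added Python (this is not code from the Cisco guide): an access switch without TrustSec hardware exports the IP-to-SGT bindings it learned, a hardware-capable device imports them, tags traffic by source IP using longest-prefix match, and consults an SGACL matrix. The bindings, SGT numbers and matrix are constructed sample data; treating unmatched addresses as SGT 0 (Unknown) and the default action are assumptions of this model.

```python
import ipaddress

# Constructed sample data: IP-to-SGT bindings an ISE-provisioned access switch
# (no TrustSec hardware) holds for its authenticated endpoints.
LEARNED_BINDINGS = {
    "10.1.1.10/32": 10,   # SGT 10: employee workstation
    "10.1.2.0/24": 20,    # SGT 20: contractor subnet (subnet binding)
    "10.9.0.5/32": 30,    # SGT 30: application server
}

UNKNOWN_SGT = 0  # assumption: addresses with no binding are treated as Unknown

# Constructed SGACL matrix keyed by (source SGT, destination SGT).
SGACL_MATRIX = {(10, 30): "permit", (20, 30): "deny"}
DEFAULT_ACTION = "deny"  # assumption: model fails closed for unlisted pairs


def sxp_export(bindings):
    """SXP speaker side: emit (network, sgt) pairs for the listener."""
    return [(ipaddress.ip_network(prefix), sgt) for prefix, sgt in bindings.items()]


class EnforcementPoint:
    """TrustSec-hardware-capable device: SXP listener plus SGACL enforcer."""

    def __init__(self):
        self.bindings = []  # list of (network, sgt)

    def sxp_import(self, exported):
        # Most-specific prefix first so lookup behaves as longest-prefix match.
        self.bindings = sorted(exported, key=lambda b: b[0].prefixlen, reverse=True)

    def sgt_for(self, ip):
        addr = ipaddress.ip_address(ip)
        for network, sgt in self.bindings:
            if addr in network:
                return sgt
        return UNKNOWN_SGT

    def classify(self, src_ip, dst_ip):
        """Tag the flow by source/destination SGT and return the SGACL verdict."""
        src_sgt, dst_sgt = self.sgt_for(src_ip), self.sgt_for(dst_ip)
        return src_sgt, dst_sgt, SGACL_MATRIX.get((src_sgt, dst_sgt), DEFAULT_ACTION)


def build_enforcer():
    """Wire the speaker's export into a fresh listener and return it."""
    ep = EnforcementPoint()
    ep.sxp_import(sxp_export(LEARNED_BINDINGS))
    return ep


if __name__ == "__main__":
    ep = build_enforcer()
    for flow in [("10.1.1.10", "10.9.0.5"), ("10.1.2.77", "10.9.0.5"), ("192.0.2.1", "10.9.0.5")]:
        print(flow, ep.classify(*flow))
```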