The table below lists the Cisco TrustSec features to be eventually implemented on TrustSec-enabled Cisco switches. Successive
general availability releases of Cisco TrustSec will expand the number of switches supported and the number of Cisco TrustSec
features supported per switch.
| Cisco TrustSec Feature
| 802.1AE Tagging (MACsec)
IEEE 802.1AE-based wire-rate hop-to-hop Layer 2 encryption.
MACsec-capable devices, packets are encrypted on egress from the transmitting
device, decrypted on ingress to the receiving device, and in the clear within
feature is only available between TrustSec hardware-capable devices.
| Endpoint Admission Control (EAC)
EAC is an
authentication process for an endpoint user or a device connecting to the
TrustSec domain. Usually EAC takes place at the access level switch. Successful
authentication and authorization in the EAC process results in Security Group
Tag assignment for the user or device. Currently EAC can be 802.1X, MAC
Authentication Bypass (MAB), and Web Authentication Proxy (WebAuth).
| Network Device Admission Control (NDAC)
NDAC is an
authentication process where each network device in the TrustSec domain can
verify the credentials and trustworthiness of its peer device. NDAC utilizes an
authentication framework based on IEEE 802.1X port-based authentication and
uses EAP-FAST as its EAP method. Successful authentication and authorization in
NDAC process results in Security Association Protocol negotiation for IEEE
| Security Group Access Control List (SGACL)
A Security Group Access Control List (SGACL) associates a Security Group Tag with a policy. The policy is enforced upon SGT-tagged
traffic egressing the Cisco TrustSec domain.
In Cisco IOS XE Fuji 16.8.1, IPv6 support was enabled for SGACL enforcement and logging of VRF name was enabled in SGACL logs.
TrustSec SGACL High Availability
TrustSec Security Group access control lists (SGACLs) support the high
availability functionality on switches that support the Cisco StackWise
technology. Cisco StackWise technology provides stateful redundancy and allows
the switch stack to enforce and process access control entries.
There is no
Cisco TrustSec-specific configuration to enable this functionality.
| Security Association Protocol (SAP)
After NDAC authentication, the Security Association Protocol (SAP) automatically negotiates keys and the cipher suite for
subsequent MACSec link encryption between Cisco TrustSec peers. SAP is defined in IEEE 802.11i.
| Security Group Tag (SGT)
An SGT is a 16-bit single label indicating the security classification of a source in the Cisco TrustSec domain. It is appended
to an Ethernet frame or an IP packet.
In Cisco IOS XE Fuji 16.8.1, Layer 2 Inline Tagging is supported for IPv6 multicast traffic with unicast source IPv6 addresses.
Security Group Tag Exchange Protocol (SXP). With SXP, devices that are not Cisco TrustSec-hardware-capable can receive SGT
attributes for authenticated users and devices from the Cisco Identity Services Engine (ISE) or the Cisco Secure Access Control
System (ACS). The devices can then forward a source IP-to-SGT binding to a Cisco TrustSec-hardware-capable device will tag
the source traffic for SGACL enforcement.
When both ends of a link support 802.1AE MACsec, SAP negotiation occurs. An EAPOL-key exchange occurs between the supplicant
and the authenticator to negotiate a cipher suite, exchange security parameters, and manage keys. Successful completion of
these tasks results in the establishment of a security association (SA).
Depending on your
software version and licensing and link hardware support, SAP negotiation can
use one of these modes of operation:
Mode (GCM)—authentication and encryption
(GMAC)— GCM authentication, no encryption
Encapsulation—no encapsulation (clear text)
Null—encapsulation, no authentication or encryption