Short note on Cisco Trustsec

Cisco TrustSec provides security improvements to Cisco network devices based on the capability to strongly identify users, hosts, and network devices within a network. TrustSec provides topology-independent and scalable access controls by uniquely classifying data traffic for a particular role. 

The Cisco TrustSec solution establishes clouds of trusted network devices to build secure networks. Each device in the Cisco TrustSec cloud is authenticated by its neighbors (peers). Communication between the devices in the TrustSec cloud is secured with a combination of encryption, message integrity checks, and data-path replay protection mechanisms. 

The key component of Cisco TrustSec is the Cisco Identity Services Engine (ISE). Cisco ISE can provision switches with TrustSec Identities and Security Group ACLs (SGACLs), though these may be configured manually on the switch.

Familiar with Trustsec terms

802.1AE Tagging (MACsec) - Protocol for IEEE 802.1AE-based wire-rate hop-to-hop Layer 2 encryption.Between MACsec-capable devices, packets are encrypted on egress from the transmitting device,decrypted on ingress to the receiving device, and in the clear within the devices.This feature is only available between TrustSec hardware-capable devices.

Endpoint Admission Control (EAC) - EAC is an authentication processfor an endpoint user or a device connecting to the TrustSec domain.Usually EAC takes place at the access level switch.Successful authentication and authorization in the EAC process results in Security Group Tag assignment for the user or device. Currently EAC can be 802.1X, MAC Authentication Bypass(MAB), and Web Authentication Proxy (WebAuth).

Network Device Admission Control (NDAC) - NDAC is an authentication process where each network device in the TrustSec domain can verify the credentials and trustworthiness of its peer device.NDAC utilizes an authentication framework based on IEEE 802.1X port-based authentication and uses EAP-FAST as its EAP method. Successful authentication and authorization in NDAC process results in Security Association Protocol negotiation for IEEE 802.1AE encryption 

Security Group Access Control List (SGACL) - A Security Group Access Control List (SGACL) associates a Security Group Tag with a policy. The policy is enforced uponSGT-tagged traffic egressing the TrustSec domain.

Security Association Protocol (SAP) - After NDAC authentication, the Security Association Protocol (SAP) automatically negotiates keys and the cipher suite for subsequent MACSec link encryption between TrustSec peers. SAP is defined in IEEE 802.11i.

Security Group Tag (SGT) - An SGT is a 16-bit single label indicating the security classification of a source in the TrustSec domain. It is appended to an Ethernet frame or an IP packet.

SGT Exchange Protocol (SXP) - Security Group Tag Exchange Protocol (SXP). With SXP, devicesthat are not TrustSec-hardware-capable can receive SGT attributes for authenticated users and devices from the Cisco Identity Services Engine (ISE) or the Cisco Secure Access Control System (ACS). The devices can then forward a sourceIP-to-SGT binding to a TrustSec-hardware-capable device will tag the source traffic for SGACL enforcement.

Points to Remember


  • Trustsec is a context based firewall or access control solution.Classification of system or users based on the context [users,user groups ,role of the user etc]
  • Key function of Trustsec is Classify , Propagate , Enforce 
  • Classification can be done Dynamically or statically .Need to keep in mind that NOT all platform support all types of static classification. It is  very important to verify support on hardware and software.
  • SGT information is carried in 802.1AE
  • A Cisco TrustSec-capable device that is directly connected to the authentication server, or indirectly connected but is the first device to begin the TrustSec domain, is called the seed device. Other Cisco TrustSec network devices are non-seed devices.
  • To prevent confidentiality and integrity there will be Hop by Hop encryption by 802.1AE
  • Packets are encrypted in Ingress and decrypted in Egress
  • Security Group Access Control List (SGACL) - This SGACL is not using IP addresses

Main 3 components of Cisco Trustsec are 


  • Authentication - Identify and access privileges
  • Secure Communication - Data is transferred by secure link level encryption with 802.1AE 
  • SGACL - SGACL enforces security policies before allowing endpoint access to resources

All the devices in Trustsec domain need to get authenticated itself in the Trustsec network.This will help to keep away unauthenticated devices getting network access.This is done by using
Security Group tag (SGT) 

- SGT uses a 16 bit tag for each individual role and device connected to a Trustsec domain. This Tag represent the privilege level across the entire domain
- SGT is added to packet header at the ingress point of the trustsec domain and SGT tag carry information that is used to endpoint access privilege 
- SGT will be adding to the packet at the time of authorization process when endpoint using 802.1x method to get authenticated to the network 
- SGT will be passed to a switch dynamically and later will be authenticated based on MAB /Web Auth/802.1x
- SGT will dynamically automate the process of network wired policy deployment and enforcement

1 comment:

  1. Excellent post. I used to be checking constantly this weblog and I'm
    inspired! Extremely useful info specifically the closing phase :) I care for such info a lot.
    I used to be looking for this particular info for a long time.

    Thanks and good luck.

    ReplyDelete