A-2
Cisco TrustSec Configuration Guide
OL-22192-02
Appendix A Notes for Catalyst 3000 and 2000 Series Switches and WLC 5700 Series Wireless LAN Controllers
Configuration Guidelines and Restrictions
Catalyst 3850 and Catalyst 3650 Switches, and WLC 5700 Wireless LAN Controllers
Cisco TrustSec can be configured only on physical interfaces, not on logical interfaces.
Cisco TrustSec for IPv6 is not supported.
Dynamic binding of IP-SGT is not supported for hosts on Layer 3 physical routed interfaces because the IP Device Tracking feature for Layer 3 physical interfaces is not currently supported.
Cisco TrustSec cannot be configured on a pure bridging domain with the IP Source Guard (IPSG) feature enabled; you must either enable IP routing or disable the IPSG feature in the bridging domain.
Cisco TrustSec supports only up to 255 security group tags.
Catalyst 3750-X and Catalyst 3560-X switches
The following guidelines and limitations apply to configuring Cisco TrustSec SGT and SGACL:
You cannot statically map an IP-subnet to an SGT. You can only map IP addresses to an SGT. When
you configure IP address-to-SGT mappings, the IP address prefix must be 32.
If a port is configured in Multi-Auth mode, all hosts connecting on that port must be assigned the
same SGT. When a host tries to authenticate, its assigned SGT must be the same as the SGT assigned
to a previously authenticated host. If a host tries to authenticate and its SGT is different from the
SGT of a previously authenticated host, the VLAN port (VP) to which these hosts belong is
error-disabled.
Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If there
are more than eight VLANs configured on a VLAN-trunk link and Cisco TrustSec enforcement is
enabled on those VLANs, the switch ports on those VLAN-trunk links will be error-disabled.
The switch can assign an SGT and apply the corresponding SGACL to end hosts based on SXP listening only if the end hosts are Layer 2 adjacent to the switch.
Port-to-SGT mapping can be configured only on Cisco TrustSec links (that is, switch-to-switch
links). Port-to-SGT mapping cannot be configured on host-to-switch links.
When port-to-SGT mapping is configured on a port, an SGT is assigned to all ingress traffic on that
port. There is no SGACL enforcement for egress traffic on the port.
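As an added example that is not part of the Cisco guide, the following pre-deployment check reads a running-config excerpt and flags the restrictions listed in both platform sections above (physical interfaces only, /32 IP-to-SGT mappings, the 255-tag limit, and at most eight enforced VLANs per trunk). The sample configuration is constructed, and the IOS command forms it parses are assumed for illustration rather than quoted from this page.

```python
import re

# Constructed running-config excerpt (not from the manual); the IOS command
# forms used here are assumed for illustration, not quoted from this page.
SAMPLE_CONFIG = """\
cts role-based enforcement vlan-list 10-20
cts role-based sgt-map 10.1.1.5 sgt 20
cts role-based sgt-map 10.1.2.0/24 sgt 30
cts role-based sgt-map 10.1.3.7 sgt 300
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 10-20
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 10-15,30
interface Vlan10
 cts manual
"""
MAX_SGT = 255            # guide: only up to 255 security group tags
MAX_ENFORCED_VLANS = 8   # guide: enforcement on at most eight VLANs per trunk link

def parse_vlan_list(spec):
    """Expand a VLAN list such as '10-15,30' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def lint_trustsec(config):
    """Return (line_no, message) findings for the restrictions listed in the guide."""
    findings, enforced, trunks, iface = [], set(), {}, None
    for no, line in enumerate(config.splitlines(), 1):
        s = line.strip()
        if m := re.match(r"cts role-based enforcement vlan-list (\S+)$", s):
            enforced |= parse_vlan_list(m.group(1))       # VLANs with SGACL enforcement on
        elif m := re.match(r"cts role-based sgt-map (\S+) sgt (\d+)$", s):
            addr, sgt = m.group(1), int(m.group(2))
            if "/" in addr and not addr.endswith("/32"):  # subnet-to-SGT mapping not allowed
                findings.append((no, f"{addr}: IP-to-SGT mapping prefix must be 32"))
            if sgt > MAX_SGT:
                findings.append((no, f"SGT {sgt} exceeds the {MAX_SGT} tag limit"))
        elif s.startswith("interface "):
            iface = s.split()[1]                          # track the current interface block
        elif m := re.match(r"switchport trunk allowed vlan (\S+)$", s):
            trunks[iface] = (no, parse_vlan_list(m.group(1)))
        elif s.startswith("cts ") and iface and iface.lower().startswith("vlan"):
            findings.append((no, f"{iface}: TrustSec is supported only on physical interfaces"))
    for name, (no, vlans) in trunks.items():              # trunk with >8 enforced VLANs gets error-disabled
        hit = len(vlans & enforced)
        if hit > MAX_ENFORCED_VLANS:
            findings.append((no, f"{name}: enforcement on {hit} trunk VLANs (max {MAX_ENFORCED_VLANS}); port would be error-disabled"))
    return findings
```

Run `lint_trustsec(SAMPLE_CONFIG)` to see the four violations in the sample; the same function can be pointed at a real `show running-config` capture.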