Sign in Subscribe

CCNP 350-401 ENCOR: TrustSec and MACsec Explained for Secure Enterprise Segmentation and Link Protection

CCNP 350-401 ENCOR: TrustSec and MACsec Explained for Secure Enterprise Segmentation and Link Protection

Introduction

For CCNP ENCOR, the cleanest separation of these topics is simple—well, simple once you stop trying to make one technology do the other’s job. TrustSec is mainly about classification, propagation, and group-based policy enforcement; MACsec, by contrast, is about securing an Ethernet link. Complementary? Absolutely. Interchangeable? Not really—they solve very different problems. A better way to think about it is: what role does this endpoint belong to, and what should that role actually be allowed to access? That is TrustSec. But how do you keep frames on a directly connected Ethernet segment from being sniffed, altered, or replayed... that is MACsec.

And that distinction matters—more than it first appears to. In campus designs, the conversation often blends identity-aware segmentation for users, printers, phones, and servers with encryption on sensitive switch uplinks. So yeah, it’s pretty common to see them deployed together. Naturally. TrustSec is a Cisco architecture; MACsec is an IEEE standard, 802.1AE. TrustSec by itself doesn’t make a network fully Zero Trust, and MACsec by itself doesn’t protect traffic end to end once it leaves the local Ethernet link. Still, paired together? They become powerful building blocks in modern enterprise security design.

TrustSec Fundamentals

Cisco TrustSec is an architecture for classifying sessions, propagating security context, and enforcing policy using Security Group Tags (SGTs). An SGT is a 16-bit identifier that stands for a role—Employee, Contractor, Guest, Voice, IoT, Finance-Server, and so on. The policy itself is usually enforced through Security Group ACLs (SGACLs), those role-to-role rules that say what one source group may do to one destination group.

The operational idea is elegant, really: policy follows identity or role more cleanly than it follows IP addressing. VLANs still matter. VRFs still matter. IP ACLs still matter. But none of them quite gives you the same abstraction, do they? TrustSec does not replace switching or routing; it layers a policy model on top of them (quietly, but decisively).

In most enterprise deployments, Cisco ISE serves as the policy authority for authentication, authorization, profiling, posture evaluation, and SGT assignment. Enforcement, though, happens on a TrustSec-capable network device—an access switch, distribution switch, wireless controller, or another supported node. That split is important. ISE decides and distributes policy; the network device enforces it.

SGT assignment can happen in several ways:

  • Dynamic via 802.1X or MAB authorization from ISE
  • Static on an interface, device, or mapping entry
  • Derived from profiling/posture in ISE-based workflows

Dynamic assignment is generally preferred—because it scales better and follows mobility. Static assignment still has its place, of course: infrastructure devices, fixed-function endpoints, limited deployments. Different tools, different jobs.

802.1X, MAB, and ISE Authorization

A common TrustSec access workflow begins with 802.1X. The endpoint authenticates with EAP, the switch acts as authenticator, and ISE returns an authorization result that may include VLAN, dACL, and SGT information. If the endpoint cannot do 802.1X, the switch may fall back to MAB. Remember this carefully—because the exam will care: MAB is not strong authentication. It’s basically an authorization method that keys off the MAC address, so it doesn’t give you the same level of assurance as 802.1X.

In practice, ISE policy sets can look at identity groups, directory attributes, device profiling, posture, location, or even endpoint type before deciding on the authorization result. A printer might receive a static printer role through MAB and profiling, while an employee laptop gets an SGT through 802.1X. Then the switch applies that result locally. Clean enough. Until it isn’t.

High-level access modes matter too. Closed mode, low-impact mode, and critical authorization behavior all influence what happens during authentication failures or AAA outages. If ISE becomes unreachable, the network may fall back to a critical VLAN, restricted access, or another fail-open/fail-closed design depending on policy. So, for TrustSec, classification and authorization behavior during outages must be planned—not guessed at.

TrustSec Control Plane, Data Plane, and Enforcement Logic

TrustSec works best when thought of in four steps: authentication, classification, propagation, and enforcement.

  1. Authentication/identification: The endpoint is authenticated with 802.1X or identified through MAB.
  2. Classification: ISE or local policy assigns a source SGT.
  3. Propagation: The source SGT, and the destination SGT context, must be available to enforcement-capable devices.
  4. Enforcement: The device evaluates source SGT + destination SGT and applies the SGACL result.

Now—here’s the part people forget. The destination SGT matters just as much as the source SGT. Enforcement requires both sides of the conversation. A device may learn destination group context through inline tagging on supported Cisco links, through SXP IP-to-SGT bindings, through static mappings, or through local classification. If destination classification is missing, the SGACL decision may not behave as expected. Surprise? Usually not a pleasant one.

SGACLs are ACL-like role-based filters, not stateful firewall sessions. They generally match protocol and port criteria and then permit or deny accordingly, with behavior varying by platform support. So don’t treat SGACLs like full next-generation firewall objects. Different beast.

Inline Tagging vs SXP

This is one of the most testable ENCOR areas. Naturally.

Aspect Inline Tagging SXP
What is carried SGT context on supported Cisco TrustSec-capable links IP-to-SGT bindings exchanged out of band
How it works Uses Cisco TrustSec-capable frame handling; not generic 802.1Q-style tagging TCP-based control-plane peering between SXP-capable devices
Interoperability Not universally preserved across arbitrary non-Cisco devices Useful across non-inline segments, but only SXP peers participate
Best fit Supported modern Cisco campus paths Migration or mixed environments lacking inline support
Tradeoff Cleaner and usually preferred where supported More operational state, more IP dependency, more synchronization overhead

Be precise here: SXP does not carry the tag in the data plane. It exchanges bindings between SXP-capable peers over TCP. Non-TrustSec transit devices do not “run SXP”; they simply sit between the peers. Useful? Very. But in environments with lots of DHCP churn, mobile users, or just plain scale, stale or missing bindings can become a pretty annoying operational headache.

And don’t mix up TrustSec inline tagging with MACsec. Easy to do in conversation; dangerous to do on the exam. TrustSec uses group context for policy. MACsec provides link protection. Some Cisco platforms relate them at the frame-handling level, yes—but the security purpose differs: TrustSec = policy context, MACsec = link confidentiality/integrity.

TrustSec Configuration and Policy Example

Exact syntax varies by platform and IOS XE release, but a representative access-layer example looks like this:

aaa new-model
radius server ISE1
address ipv4 10.10.10.10 auth-port 1812 acct-port 1813 /* example only; syntax can vary by platform and release */
key cisco123
aaa group server radius ISE-GRP
server name ISE1
aaa authentication dot1x default group ISE-GRP
aaa authorization network default group ISE-GRP
dot1x system-auth-control

interface GigabitEthernet1/0/12
switchport mode access
authentication port-control auto
mab
dot1x pae authenticator
access-session host-mode multi-domain

In ISE, an authorization profile might return an SGT such as Employee for a successfully authenticated user, while a profiled printer using MAB might receive Printer. VLAN assignment and SGT assignment can coexist; TrustSec does not eliminate VLANs. It overlays policy. That’s the point.

A simple policy matrix might look like this:

Source SGT Destination SGT Action
Employee App-Servers Permit required protocols
Employee Finance-Servers Deny by default; permit only through explicit exception policy
Guest Internal-Servers Deny
IoT IoT-Controller Permit required protocols

The design lesson? Keep the number of groups manageable. Too many SGTs create policy sprawl just like too many ACLs do. Build a taxonomy around business roles and trust zones, then document exceptions carefully. Otherwise... chaos dressed up as structure.

TrustSec Verification and Troubleshooting

The best troubleshooting sequence is this:

  1. Verify the access session and authentication method.
  2. Verify the authorization result and assigned SGT.
  3. Verify source and destination group propagation.
  4. Verify SGACL download and enforcement on the correct device.
  5. Verify the actual traffic path and any asymmetry.

Useful commands include:

  • show authentication sessions interface Gi1/0/12 details
  • show cts interface
  • show cts role-based permissions
  • show cts sxp connections
  • show cts sxp bindings
  • show cts role-based sgt-map all (platform dependent)

Common scenario: the endpoint authenticates, but the wrong access is applied. Start with show authentication sessions and the ISE authorization record. If the SGT is wrong, the problem is usually classification, profiling, rule order, or unintended MAB fallback. If the SGT is correct at the edge but policy is wrong downstream, look at propagation and destination mapping. If both SGTs are known but traffic still misbehaves, inspect the effective SGACL on the enforcement device. Simple sequence. Very often the issue hides in the first step you skipped.

For SXP-based designs, verify that the speaker/listener relationship is established and that the expected IP-SGT bindings exist. Missing—or aged-out—bindings often explain why a downstream device treats traffic as unknown.

What MACsec Is and How It Works

MACsec is IEEE 802.1AE, a standard for protecting Ethernet frames on a directly connected Ethernet link. It can provide integrity and data origin authenticity, and when confidentiality is enabled, it also encrypts payload content. It includes replay protection as well. MACsec is Ethernet-only; it is not a substitute for IPsec across routed WAN or Internet paths.

In practical terms, MACsec secures the point-to-point link between two devices that both support it. If MACsec is enabled on just one hop in the path, then only that single hop gets protection. That is why the exam likes the phrase hop-by-hop. And that matters more than people sometimes realize. That’s really the whole point of using it.

Key terms worth knowing:

  • CA — Connectivity Association
  • SC — Secure Channel
  • SA — Secure Association
  • SAK — Secure Association Key
  • AN — Association Number
  • PN — Packet Number used for replay protection
  • SCI — Secure Channel Identifier

MKA is the key management component associated with IEEE 802.1X that establishes and maintains MACsec security associations. Be exact here: MACsec is the data-plane protection mechanism; MKA manages keying and secure association parameters. Depending on platform and design, deployments may use 802.1X/EAP-derived keying or pre-shared CAK-based models.

MACsec does not hide every bit of Ethernet framing. Some header information needed for forwarding remains visible, while protected portions gain integrity checking and—when enabled—confidentiality. That is still enough to make passive interception of useful payload data on the protected link much harder. Much, much harder.

MACsec vs IPsec vs TLS

Aspect MACsec IPsec TLS
Layer focus Layer 2 Ethernet Layer 3 IP Upper-layer/application security
Scope Single Ethernet link End-to-end or tunnel between IP peers Application session
Typical use Campus uplinks, trunks, switch interconnects Site-to-site VPN, remote access, WAN protection Secure web sessions, application programming interfaces, and client/server applications

Exam shortcut: protect a campus uplink = MACsec, protect routed WAN traffic = IPsec, protect an application session = TLS. Easy to remember, and very hard to confuse if you keep the layer in mind.

MACsec Deployment, Verification, and Failure Modes

MACsec is commonly used on switch-to-switch uplinks, trunks, and other sensitive Ethernet interconnects where supported. Platform support is highly specific. Do not assume all Catalyst models, uplink modules, port-channels, breakout ports, optics, or speeds support it equally. Validate the model. Validate the ASIC. Validate the interface type, the optics, the software release, and the license. Yes, all of them.

Representative verification commands include:

  • show macsec interface
  • show mka session

What to check:

  • Interface up/down state
  • Whether MACsec is enabled and whether confidentiality is actually on
  • MKA peer status and key server election
  • CAK or policy mismatch
  • Replay or PN-related counters
  • Secure channel / secure association state

Common scenario: MACsec is configured, but the link is not secured. First confirm hardware support. Then inspect MKA status. If the peers do not agree on CAK, cipher suite, policy mode, or keying method, the secure association will not form. And remember—failure behavior depends on the design. Some deployments effectively fail open; others require secure connectivity and fail closed.

TrustSec and MACsec Together in Campus Design

The clean design pattern is straightforward:

  • TrustSec controls who can talk to what.
  • MACsec protects the Ethernet link carrying that traffic.

Example: a healthcare user connects with 802.1X, ISE assigns the Employee SGT, and SGACLs permit clinical apps while denying finance systems. At the same time, access-to-distribution uplinks use MACsec so traffic on those closet links is protected from interception or tampering. Two different threats. Two different controls. Lateral access control on one hand, link-level exposure on the other.

This fits alongside SDA, VRFs, firewalls, and traditional ACLs. TrustSec is not a replacement for every segmentation tool, and MACsec is not a replacement for IPsec or TLS. Enterprise security, after all, is layered.

Design Caveats, Operations, and Exam Traps

Important caveats for both production and ENCOR:

  • TrustSec is Cisco-specific; MACsec is an IEEE standard.
  • Inline tagging is not generic VLAN tagging and is not universally interoperable across arbitrary devices.
  • SXP carries bindings, not inline tags.
  • MAB is weaker assurance than 802.1X.
  • SGACLs are role-based ACL-style controls, not full stateful firewall policy.
  • MACsec protects a link, not the whole path unless every hop is protected.
  • Support varies heavily by platform, interface, optics, and release.

Operationally, TrustSec can consume policy and hardware resources, and SXP adds control-plane state. MACsec usually depends on hardware offload for practical throughput. So yes—stage the rollout. Validate it. Plan rollback. Before deployment, verify support, test interoperability, define fallback behavior, and document what should happen during ISE or MKA failures. A little planning now saves a lot of pain later.

Exam-Focused Rapid Review

Memorize these one-line recalls:

  • SGT = security label for a role
  • SGACL = policy between source and destination groups
  • ISE = common policy authority in dynamic TrustSec deployments
  • Inline tagging = native SGT propagation on supported Cisco TrustSec links
  • SXP = TCP-based IP-to-SGT binding exchange
  • MACsec = Layer 2 Ethernet link protection
  • MKA = key management for MACsec

Likely exam traps:

  • Need encryption on a campus uplink? Choose MACsec, not TrustSec.
  • Need identity-based segmentation that survives subnet changes? Choose TrustSec, not just VLANs.
  • User authenticated but wrong access? Check authorization result and SGT first.
  • Correct SGT at edge but no policy downstream? Check propagation and destination mapping.
  • MACsec not secure? Check support and MKA session before anything else.

Conclusion

For ENCOR, keep the distinction sharp. TrustSec is Cisco’s group-based policy architecture built around classification, SGT propagation, and SGACL enforcement. MACsec is IEEE 802.1AE Ethernet link protection with MKA-based key management. One governs access by role; the other protects the local wire. If you understand authentication versus authorization, inline tagging versus SXP, SGACL enforcement versus firewall behavior, and MACsec versus IPsec, you will be in very good shape for both the exam and the real network.