TrustSec and MACsec: A Comprehensive Guide for CCNP ENCOR

TrustSec and MACsec: A Comprehensive Guide for CCNP ENCOR

Why TrustSec and MACsec Are Important

In modern enterprise networks, traditional perimeter-based security models are no longer sufficient. With the proliferation of mobile devices, cloud services, and remote work, organizations need a more sophisticated approach to security. TrustSec and MACsec address this need by implementing a zero-trust model and providing Layer 2 encryption and authentication.

These technologies are critical for:

• Protecting sensitive data in transit across network links
• Enforcing network segmentation based on identity and security posture
• Preventing unauthorized access at Layer 2
• Complying with regulatory requirements such as PCI-DSS, HIPAA, and SOX
• Reducing attack surface by limiting lateral movement

What is TrustSec?

Cisco TrustSec (also known as Security Group Access Control) is a comprehensive security framework that implements identity-based network access control and micro-segmentation. It uses the concept of Security Group Tags (SGTs) to classify users, devices, and applications, and then applies policies based on these classifications.

Key Components of TrustSec:

• Security Group Tags (SGTs): 16-bit numeric values that identify the security group to which a device or user belongs. Tags range from 0-65535.
• Identity Service Engine (ISE): Cisco's policy platform that authenticates users, assigns SGTs, and enforces policies
• Security Group ACLs (SGACLs): Access control lists that define what traffic is allowed between security groups
• Trustworthy devices: Network infrastructure devices (switches, routers) that enforce TrustSec policies
• Cisco Trustworthy Network Framework: A holistic security approach encompassing visibility, segmentation, and enforcement

What is MACsec?

Media Access Control Security (MACsec) is an IEEE 802.1AE standard that provides Layer 2 (data link layer) encryption, authentication, and integrity checking for Ethernet frames. It operates transparently at the MAC layer, securing all traffic between two directly connected ports without requiring changes to upper-layer protocols.

Key Features of MACsec:

• Encryption: Uses AES (Advanced Encryption Standard) with 128-bit or 256-bit keys
• Authentication: Ensures the source of frames using ICV (Integrity Check Value)
• Confidentiality: Prevents eavesdropping on sensitive data
• Anti-replay protection: Uses packet numbers to prevent replay attacks
• Key Agreement: Supports both static keys and dynamic key distribution via MKA (MACsec Key Agreement)

How TrustSec Works

TrustSec operates in several stages:

1. Authentication and Authorization

When a user or device connects to the network:

• The access point or switch authenticates the user (via 802.1X, MAC authentication, web portal, etc.)
• The user's credentials are sent to Cisco ISE
• ISE evaluates the user's security posture and identity
• ISE assigns an appropriate Security Group Tag (SGT) based on authorization policies

2. SGT Assignment

Once authenticated, the user's device receives an SGT through one of these mechanisms:

• In-band tagging: The SGT is embedded in the RADIUS Access-Accept message
• Out-of-band tagging: The SGT is propagated through the network infrastructure independent of the authentication message

3. Propagation

The SGT is propagated through the network infrastructure (VLANs, switches, routers). Cisco devices use a special 802.1Q tag extension to carry the SGT along with the frame.

4. Policy Enforcement

Network devices check the source SGT and destination SGT against the Security Group ACL (SGACL) policies. The SGACL defines what traffic is permitted between different security groups. For example:

Permit Traffic: SGT Finance → SGT Database (Source to Destination)

Deny Traffic: SGT Guest → SGT FinanceServer

How MACsec Works

MACsec secures point-to-point Ethernet links through the following process:

1. Authentication Phase (via MKA - MACsec Key Agreement)

• Two directly connected ports negotiate a shared secret using MACsec Key Agreement (MKA)
• MKA is based on 802.1X EAP (Extensible Authentication Protocol)
• Both parties verify each other's identity using pre-shared keys (PSK) or certificate-based authentication
• A Session Key (SAK) is dynamically generated for the session

2. Encryption and Integrity Checking

Once the session key is established:

• All frames between the two ports are encrypted using AES
• An Integrity Check Value (ICV) is added to each frame
• The ICV ensures frames have not been tampered with in transit
• An encrypted SCI (Secure Channel Identifier) is added to the frame header

3. Transmission

The secured Ethernet frame includes:

• Original MAC header (source/destination MAC addresses)
• MACsec header with SCI and packet number
• Encrypted payload
• ICV (8 or 16 bytes depending on configuration)

4. Reception and Decryption

The receiving port:

Integration of TrustSec and MACsec

While TrustSec and MACsec serve different purposes, they work together in modern security architectures:

• TrustSec provides identity-based segmentation and policy enforcement
• MACsec protects the actual data transmission between network points
• Together, they implement a zero-trust model: "Verify every device, encrypt every session"

Practical Implementation Considerations

TrustSec Implementation:

• Requires Cisco ISE for policy management and SGT assignment
• Needs compatible Cisco network devices (switches, routers, wireless controllers)
• Supports both wired and wireless networks
• Can be implemented incrementally, starting with critical network segments
• Requires proper RADIUS integration for authentication

MACsec Implementation:

• Requires both endpoints to support MACsec (both must be capable ports)
• Can use static keys or dynamic key agreement (MKA)
• Introduces minimal latency and overhead (typically 1-3%)
• Works transparently with IP, MPLS, and other upper-layer protocols
• Commonly deployed on inter-switch links, uplinks, and critical infrastructure

Exam Tips: Answering Questions on TrustSec and MACsec

Question Type 1: Identifying the Purpose

What to look for: Questions asking what TrustSec or MACsec solves

Key Points to Remember:

• TrustSec = Identity-based access control and micro-segmentation
• MACsec = Layer 2 encryption and authentication
• TrustSec works at Layer 3-7 (identity and policy)
• MACsec works at Layer 2 (data link)

Example Answer Strategy: If asked "Which technology provides Layer 2 encryption between switches?", the answer is MACsec. If asked "Which technology assigns security group tags based on user identity?", the answer is TrustSec.

Question Type 2: Understanding Security Group Tags (SGT)

What to look for: Questions about SGT assignment, propagation, or purpose

Key Points to Remember:

• SGTs are 16-bit numeric values (0-65535)
• SGTs are assigned by Cisco ISE during authentication
• SGTs are propagated via 802.1Q tag extensions or out-of-band mechanisms
• SGTs can be assigned based on user role, device type, location, or security posture
• Default SGT values: SGT 0 (Unknown), SGT 255 (Trusted)

Example Question: "A user connects to a wireless network and authenticates to ISE. What happens next?"
Answer Framework: ISE evaluates the user's identity and device posture → Assigns an appropriate SGT → The SGT is propagated to the access point → Policies are enforced based on SGT-to-SGT rules.

Question Type 3: MACsec Key Agreement (MKA)

What to look for: Questions about MKA, session keys, or dynamic key distribution

Key Points to Remember:

• MKA dynamically negotiates session keys between two ports
• MKA is based on 802.1X EAP
• MKA uses a Connectivity Association Key (CAK) as the master shared secret
• The CAK is used to derive a Session Key (SAK)
• MKA regularly rotates the SAK for added security
• If MKA fails, MACsec cannot protect the link

Example Question: "Two switches connected via a fiber link need to encrypt all traffic between them. What should be configured?"
Answer Framework: Enable MACsec on both ports, configure a pre-shared key or certificate for authentication, enable MKA for dynamic key exchange, verify that both switches support MACsec.

Question Type 4: Security Group ACLs (SGACL)

What to look for: Questions about SGACL policies, permit/deny rules, or policy enforcement

Key Points to Remember:

• SGACLs define what traffic is allowed between SGTs
• SGACLs are source-SGT and destination-SGT specific
• Default behavior is deny (implicit deny all)
• SGACLs are configured and managed by ISE
• Policies are enforced on TrustSec-capable network devices
• SGACLs can be based on ports, protocols, and addresses

Example Question: "Finance users (SGT 30) should not access the Guest network (SGT 40). What is configured?"
Answer Framework: Create a SGACL that denies traffic from SGT 30 to SGT 40, apply this policy to network devices, verify enforcement in device logs.

Question Type 5: MACsec vs. TrustSec Comparison

What to look for: Questions comparing the two technologies or asking which to use in a scenario

Comparison Table to Remember:

Question Type 6: Deployment Scenarios

What to look for: Scenario-based questions asking where and how to implement these technologies

Common Scenarios:

Scenario 1: Inter-Switch Link Protection

Question: "You need to encrypt traffic between core switches. What should be implemented?"
Answer: MACsec on the link between switches, configured with MKA for dynamic key agreement.

Scenario 2: Preventing Lateral Movement by Users

Question: "Users should only access resources matching their role. What should be implemented?"
Answer: TrustSec with role-based SGT assignment and SGACL policies enforced on network devices.

Scenario 3: Compliance Requirements

Question: "Your organization needs to comply with regulations requiring data encryption in transit. What is the best approach?"
Answer: Implement both TrustSec (for access control) and MACsec (for encryption) on critical infrastructure links.

Question Type 7: Troubleshooting and Verification

What to look for: Questions asking how to verify or troubleshoot TrustSec/MACsec

Key Commands and Verification Points:

TrustSec Verification:

• Check ISE for SGT assignments
• Verify RADIUS integration
• Confirm network device compatibility with TrustSec
• Check SGACL policies are applied
• Monitor device logs for policy enforcement events

MACsec Verification:

• Verify MACsec is enabled on both ports
• Confirm MKA status (Active/Inactive)
• Check for MKA key agreement failures
• Verify encryption algorithm and key agreement mode
• Monitor for replay protection violations

General Exam Strategy for TrustSec and MACsec Questions

1. Read Carefully: Determine whether the question is asking about:

• Identity-based access (→ TrustSec)
• Layer 2 encryption (→ MACsec)
• Policy enforcement (→ TrustSec)
• Link protection (→ MACsec)

2. Identify Keywords:

• "SGT", "Security Group", "Identity", "ISE", "Policy" → TrustSec
• "Layer 2", "Encryption", "802.1AE", "MAC", "Link Protection", "MKA" → MACsec

3. Eliminate Wrong Answers:

• If an answer mentions only encryption without identity context, it's likely MACsec
• If an answer mentions ISE, SGTs, or policies without encryption, it's likely TrustSec
• If an answer mentions both, consider the primary problem being solved

4. Use Process of Elimination: Cross-reference the question context with the technology's primary purpose:

• Problem = User Access Control → TrustSec
• Problem = Data Encryption on Links → MACsec
• Problem = Both → Likely requires both technologies

Common Misconceptions to Avoid

• ❌ Misconception: "TrustSec provides encryption."
  ✓ Correct: TrustSec provides identity-based policy enforcement. MACsec provides encryption.


• ❌ Misconception: "MACsec assigns security group tags."
  ✓ Correct: ISE assigns SGTs. MACsec encrypts frames.


• ❌ Misconception: "MACsec works across multiple hops."
  ✓ Correct: MACsec is point-to-point. TrustSec policies can span multiple hops.


• ❌ Misconception: "TrustSec replaces traditional firewalls."
  ✓ Correct: TrustSec is a segmentation tool that complements firewalls.

Summary Table for Quick Reference

Final Exam Preparation Tips

• Practice scenario questions: Understand when to apply each technology
• Study ISE policies: Know how TrustSec policies are created and enforced
• Understand MKA: Know the key negotiation process for MACsec
• Review device compatibility: Know which Cisco devices support TrustSec and MACsec
• Study integration: Understand how TrustSec and MACsec work together in zero-trust architectures
• Practice troubleshooting: Know common issues and how to verify functionality

With a solid understanding of TrustSec's identity-based segmentation and MACsec's Layer 2 encryption, you'll be well-prepared to answer CCNP ENCOR exam questions on these critical security technologies.