Cisco TrustSec - Simplified Network Access Control Policies


Today let's talk about Cisco’s latest approach to simplifying network access control policies using TrustSec. It plays a significant role in implementing a secure-access campus network with SD-Access. You all know why secure access is a need in today’s campus network.

Users roam within their workspace, and so do their network access policies. Traditional ACL-based network access control, tied to network topology such as IP addresses, subnets, and VLANs, is a time-consuming task for organizations. On top of this, policies end up inconsistent, and unused policies are not removed once defined, leading to policy violations and sometimes to unauthorized access to network resources.

How does TrustSec Help?

Cisco TrustSec was developed to simplify the provisioning and management of secure access to network services in a campus environment. TrustSec policies are group-based, which keeps security policies consistent throughout the network and simplifies the complex task of maintaining them. With TrustSec, wired and wireless policies are the same, because they are defined using groups rather than depending on network topology.

How does TrustSec work?

TrustSec works on three basic principles:

  1. Classification and assignment of a Tag
  2. Transport Tag throughout the network
  3. Policy Enforcement


A Scalable Group Tag (SGT) is assigned to an endpoint based on rich attributes such as user, device type, device posture status, and location. The SGT is a 16-bit tag assigned by Cisco ISE to the endpoint using dynamic or static methods.

Dynamic classification is used at the access layer with dynamic authentication methods such as 802.1X, MAB, or WebAuth. Static classification is used on data center switches where servers are connected.


Once the SGT is assigned to the endpoint, the SGT information must be transported throughout the network by capable devices. This transport is achieved using inline tagging and the Secure Exchange Protocol. Inline tagging is performed by the switches, which add the SGT (the 16-bit tag) to the Ethernet frame.

When a device does not support inline tagging, the Secure Exchange Protocol (SXP) is used to transport the SGT. Inline tagging is supported on switches, while SXP is used in the routing and firewall domains.

Figure 1: TrustSec SGT Transport

Policy Enforcement

Enforcement is achieved using Secure Group ACLs (SGACLs). With SGACLs, policies are defined based on source and destination SGT. Policy enforcement is represented as a permission matrix, with source security group members on one axis and destination security group members on the other.

Each cell in the body of the matrix contains an SGACL that specifies the permission between that source and destination. SGACLs carry no source or destination information; they contain only what is permitted or denied. For example, deny TCP dest eq 21 states that destination port 21 is denied. Wherever that SGACL is placed in the matrix, the cell's source and destination groups supply the reference.

Figure 2: Permission Matrix and SGACL Snapshot

The traditional way of defining access control policies on the device:

Figure 3: Traditional Network ACL Entries Snapshot

Beyond the representation, if we do the calculation, the complexity and the number of entries are greatly reduced in the TrustSec domain. The number of access control entries (ACEs) in an ACL can be determined by a formula: the number of sources multiplied by the number of destinations multiplied by the number of permissions in the ACL.

(sources) * (destinations) * permissions = ACEs

4 VLANs (sources) * 30 (Destinations) * 4 Permissions = 480 ACL Entries

In SGACLs, the magnitude is greatly reduced. Instead of specifying sources and destinations, we are now dealing with groups:

4 SGT (Sources) * 3 SGT (Destinations) * 4 Permissions = 48 ACL Entries
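To make the permission-matrix idea concrete, here is a small model (an added example, not Cisco code or anything from this post) of how SGACLs are looked up by source and destination SGT. The SGT numbers, group names and SGACL contents are constructed for illustration, and the fall-through verdict when no cell matches is assumed to be permit; the ace_count function is the post's formula applied to its own two calculations.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# An SGACL entry carries only protocol/port and the verdict. Source and
# destination come from the matrix cell the SGACL is placed in.
@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (any protocol)
    dst_port: Optional[int] = None   # None matches any destination port

# Hypothetical 16-bit SGT values; in practice ISE assigns them.
EMPLOYEE, CONTRACTOR, WEB_SERVERS, FTP_SERVERS = 10, 20, 100, 101

# Constructed SGACLs. NO_FTP is the post's "deny TCP dest eq 21" idea;
# the same SGACL object is reused in more than one matrix cell.
WEB_ONLY = [Ace("permit", "tcp", 443), Ace("permit", "tcp", 80), Ace("deny", "ip")]
NO_FTP = [Ace("deny", "tcp", 21), Ace("permit", "ip")]

# Permission matrix: (source SGT, destination SGT) -> SGACL.
MATRIX: Dict[Tuple[int, int], List[Ace]] = {
    (EMPLOYEE, FTP_SERVERS): NO_FTP,
    (CONTRACTOR, WEB_SERVERS): WEB_ONLY,
    (CONTRACTOR, FTP_SERVERS): NO_FTP,
}

def enforce(src_sgt: int, dst_sgt: int, proto: str, dst_port: int,
            default: str = "permit") -> str:
    """Return the verdict for a flow; the first matching ACE wins, as in an ACL."""
    for ace in MATRIX.get((src_sgt, dst_sgt), []):
        proto_ok = ace.proto == "ip" or ace.proto == proto
        port_ok = ace.dst_port is None or ace.dst_port == dst_port
        if proto_ok and port_ok:
            return ace.action
    # No cell for this SGT pair, or no ACE matched: assumed default policy.
    return default

def ace_count(sources: int, destinations: int, permissions: int) -> int:
    """The post's formula: (sources) * (destinations) * permissions = ACEs."""
    return sources * destinations * permissions
```

Note that adding a new server group only adds matrix cells; the SGACLs themselves never change because they carry no addresses.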

Using a solution like TrustSec will definitely make an IT admin's life simpler, with a reduced number of entries and centralized definition and maintenance of policies, which is what today's agile networks require. It is a promise to the network team to give them back the time that is mostly consumed by manual, repetitive tasks; with more time in hand, the team can spend it on digital transformation initiatives.