Skip to content
Study CCNP

5.4.d TrustSec and MACsec

4 min read ENCOR 350-401 v1.2

Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.

On this page

TrustSec and MACsec are easy to confuse because both are security technologies and both may show up in campus designs. They solve different problems.

One-sentence difference

  • TrustSec is group-based segmentation using Security Group Tags and policies.
  • MACsec is Layer 2 link encryption and integrity protection.

If the question is about who can talk to whom based on identity, think TrustSec. If the question is about encrypting traffic across an Ethernet link, think MACsec.

TrustSec in plain English

TrustSec assigns a Security Group Tag, or SGT, to traffic based on identity or classification. Policy can then use the source and destination group, not only IP addresses, to decide access.

Example:

Contractor SGT
Payroll Servers SGT: deny
Employee SGT
Payroll Servers SGT: permit required app only
Printer SGT
Internet SGT: deny

This is powerful because users and devices can move while their group identity stays meaningful.

TrustSec terms

TermMeaning
SGTSecurity Group Tag assigned to user, device, or traffic.
SGACLSecurity Group ACL; policy between source and destination groups.
CTSCisco TrustSec feature family.
ISECommon policy/identity source for SGT assignment and policy.
Enforcement pointSwitch, router, firewall, or fabric node applying policy.

Example policy concept:

Source group: Contractors
Destination group: Finance-Servers
Policy: deny ip

Platform syntax varies, so focus on the design concept unless your lab supports CTS.

Keep the TrustSec phases separate:

PhaseQuestion
ClassificationHow does the user, device, or traffic get an SGT?
PropagationHow is the SGT carried or mapped across the network?
EnforcementWhich device applies the SGACL or policy decision?
User logs in on access port
ISE classifies -> assigns SGT (e.g. Employees)
SGT propagated (inline tag, SXP, or policy download)
Enforcement point compares src-SGT + dst-SGT -> SGACL permit/deny

The tag alone does not block traffic. Policy is enforced only where an enforcement point has the tag context and the SGACL or equivalent policy. In capable fabrics, the SGT may be carried inline. In other designs, tags may be mapped or learned at the enforcement point through a control mechanism such as SXP.

MACsec in plain English

MACsec secures Ethernet links. It provides confidentiality, integrity, and origin authenticity at Layer 2. It is useful for protecting traffic on links where you do not fully trust the transport path.

Examples:

  • Switch-to-switch links across shared building cabling.
  • WAN handoff where the provider gives Ethernet transport.
  • High-security campus or data center links.

MACsec does not decide whether a contractor can access payroll. It encrypts/protects frames on a link.

MACsec is hop-by-hop link protection. A frame is protected on the MACsec-enabled Ethernet link, then decrypted and processed at the next MACsec endpoint. If the path continues across more links, those links need their own protection. MACsec does not replace end-to-end controls such as TLS or IPsec, and it does not create application policy.

The control-plane term to recognize is MKA, or MACsec Key Agreement, which manages secure association and keying between MACsec peers.

Conceptual MACsec sample

Exact syntax varies by platform and release. A simplified pattern looks like this:

key chain MKA-KEYS macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 0 SharedMacsecKeyHere

mka policy MKA-POLICY
 key-server priority 0

interface GigabitEthernet1/0/48
 description MACsec-protected uplink
 mka policy MKA-POLICY
 mka pre-shared-key key-chain MKA-KEYS
 macsec network-link

Do not memorize platform-specific MACsec syntax for ENCOR unless your training path requires it. Know the problem it solves and how it differs from TrustSec.

Verification ideas

TrustSec:

show cts interface
show cts role-based permissions
show cts role-based sgt-map

MACsec:

show mka sessions
show macsec interface

Commands vary, but the goal is clear: TrustSec verification checks tags and group policy; MACsec verification checks secure link/session state.

Lab

Goal: Explain and model TrustSec versus MACsec.

Tasks:

  1. Draw two user groups: employees and contractors.
  2. Draw two destination groups: internet and finance servers.
  3. Write SGACL-style policy in plain English.
  4. Identify where enforcement would happen.
  5. Draw a switch-to-switch uplink that crosses an untrusted area.
  6. Label that link as a MACsec candidate.
  7. Explain why TrustSec alone does not encrypt the link and why MACsec alone does not create group-based access policy.

Success criteria:

  • You can explain SGT and SGACL without using IP subnets first.
  • You can explain MACsec as Layer 2 link protection.
  • You can choose the correct technology for a scenario.

Exam traps

  • TrustSec is segmentation, not encryption.
  • MACsec is encryption/integrity, not identity segmentation.
  • SGTs make policy more identity-aware than traditional IP-only ACLs.
  • MACsec protects a link; it does not inspect applications like an NGFW.