5.4.d TrustSec and MACsec
Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.
On this page
TrustSec and MACsec are easy to confuse because both are security technologies and both may show up in campus designs. They solve different problems.
One-sentence difference
- TrustSec is group-based segmentation using Security Group Tags and policies.
- MACsec is Layer 2 link encryption and integrity protection.
If the question is about who can talk to whom based on identity, think TrustSec. If the question is about encrypting traffic across an Ethernet link, think MACsec.
TrustSec in plain English
TrustSec assigns a Security Group Tag, or SGT, to traffic based on identity or classification. Policy can then use the source and destination group, not only IP addresses, to decide access.
Example:
Contractor SGT
Payroll Servers SGT: deny
Employee SGT
Payroll Servers SGT: permit required app only
Printer SGT
Internet SGT: denyThis is powerful because users and devices can move while their group identity stays meaningful.
TrustSec terms
| Term | Meaning |
|---|---|
| SGT | Security Group Tag assigned to user, device, or traffic. |
| SGACL | Security Group ACL; policy between source and destination groups. |
| CTS | Cisco TrustSec feature family. |
| ISE | Common policy/identity source for SGT assignment and policy. |
| Enforcement point | Switch, router, firewall, or fabric node applying policy. |
Example policy concept:
Source group: Contractors
Destination group: Finance-Servers
Policy: deny ipPlatform syntax varies, so focus on the design concept unless your lab supports CTS.
Keep the TrustSec phases separate:
| Phase | Question |
|---|---|
| Classification | How does the user, device, or traffic get an SGT? |
| Propagation | How is the SGT carried or mapped across the network? |
| Enforcement | Which device applies the SGACL or policy decision? |
User logs in on access port
ISE classifies -> assigns SGT (e.g. Employees)
SGT propagated (inline tag, SXP, or policy download)
Enforcement point compares src-SGT + dst-SGT -> SGACL permit/denyThe tag alone does not block traffic. Policy is enforced only where an enforcement point has the tag context and the SGACL or equivalent policy. In capable fabrics, the SGT may be carried inline. In other designs, tags may be mapped or learned at the enforcement point through a control mechanism such as SXP.
MACsec in plain English
MACsec secures Ethernet links. It provides confidentiality, integrity, and origin authenticity at Layer 2. It is useful for protecting traffic on links where you do not fully trust the transport path.
Examples:
- Switch-to-switch links across shared building cabling.
- WAN handoff where the provider gives Ethernet transport.
- High-security campus or data center links.
MACsec does not decide whether a contractor can access payroll. It encrypts/protects frames on a link.
MACsec is hop-by-hop link protection. A frame is protected on the MACsec-enabled Ethernet link, then decrypted and processed at the next MACsec endpoint. If the path continues across more links, those links need their own protection. MACsec does not replace end-to-end controls such as TLS or IPsec, and it does not create application policy.
The control-plane term to recognize is MKA, or MACsec Key Agreement, which manages secure association and keying between MACsec peers.
Conceptual MACsec sample
Exact syntax varies by platform and release. A simplified pattern looks like this:
key chain MKA-KEYS macsec
key 01
cryptographic-algorithm aes-128-cmac
key-string 0 SharedMacsecKeyHere
mka policy MKA-POLICY
key-server priority 0
interface GigabitEthernet1/0/48
description MACsec-protected uplink
mka policy MKA-POLICY
mka pre-shared-key key-chain MKA-KEYS
macsec network-linkDo not memorize platform-specific MACsec syntax for ENCOR unless your training path requires it. Know the problem it solves and how it differs from TrustSec.
Verification ideas
TrustSec:
show cts interface
show cts role-based permissions
show cts role-based sgt-mapMACsec:
show mka sessions
show macsec interfaceCommands vary, but the goal is clear: TrustSec verification checks tags and group policy; MACsec verification checks secure link/session state.
Lab
Goal: Explain and model TrustSec versus MACsec.
Tasks:
- Draw two user groups: employees and contractors.
- Draw two destination groups: internet and finance servers.
- Write SGACL-style policy in plain English.
- Identify where enforcement would happen.
- Draw a switch-to-switch uplink that crosses an untrusted area.
- Label that link as a MACsec candidate.
- Explain why TrustSec alone does not encrypt the link and why MACsec alone does not create group-based access policy.
Success criteria:
- You can explain SGT and SGACL without using IP subnets first.
- You can explain MACsec as Layer 2 link protection.
- You can choose the correct technology for a scenario.
Exam traps
- TrustSec is segmentation, not encryption.
- MACsec is encryption/integrity, not identity segmentation.
- SGTs make policy more identity-aware than traditional IP-only ACLs.
- MACsec protects a link; it does not inspect applications like an NGFW.