5.5 Describe components of network security design
📘CCNP Encore (350-401-ENCORE-v1.1)
Overview
In modern network security design, it is not enough to only control who can connect. We must also control:
- What a user or device is allowed to access
- How traffic is protected while moving through the network
Cisco addresses these needs using two key technologies:
- Cisco TrustSec – focuses on identity-based access control
- MACsec (Media Access Control Security) – focuses on encrypting traffic on wired links
Both technologies work together to improve network security, visibility, and control.
Part 1: Cisco TrustSec
What is Cisco TrustSec?
Cisco TrustSec is a security architecture that provides identity-based access control across the network.
Instead of making security decisions based on:
- IP addresses
- VLANs
- Subnets
TrustSec makes decisions based on:
- Who the user is
- What device is being used
- What role that user or device has
This allows security policies to follow the user or device anywhere in the network.
Why TrustSec is Needed
Traditional network security uses:
- VLANs
- ACLs
- IP-based rules
These methods have problems:
- Hard to manage
- Do not scale well
- Policies break when users move
- Same rules must be repeated on many devices
TrustSec solves this by using identity instead of IP addressing.
Core Components of TrustSec
TrustSec has three main components that you must know for the exam:
- Security Group Tags (SGTs)
- Security Group Access Control Lists (SGACLs)
- Policy Distribution and Enforcement
1. Security Group Tags (SGTs)
What is an SGT?
A Security Group Tag (SGT) is a number that represents the role or identity of a user or device.
- SGTs are assigned after authentication
- They travel with the traffic across the network
- They are independent of IP addresses
Example SGT roles in an IT environment:
- Employee
- Guest
- Contractor
- Server
- Network device
The exam expects you to understand that SGTs represent identity.
How SGTs are Assigned
SGTs are usually assigned by:
- Cisco ISE (Identity Services Engine)
Process:
- A user or device authenticates (for example using 802.1X)
- Cisco ISE verifies identity
- ISE assigns an SGT
- The network enforces policy based on that SGT
How SGTs Are Carried in the Network
SGTs can be carried:
- Inline (embedded in the packet)
- Out-of-band (mapped using IP-to-SGT tables)
Cisco devices understand these tags and enforce policies based on them.
2. Security Group Access Control Lists (SGACLs)
What is an SGACL?
An SGACL defines which security groups can talk to which other security groups.
Instead of:
- Source IP
- Destination IP
SGACLs use:
- Source SGT
- Destination SGT
This makes policies much simpler and scalable.
How SGACLs Work
An SGACL says:
- “Traffic from SGT A is allowed or denied to SGT B”
Example in an IT environment:
- Employee group → Server group → Allowed
- Guest group → Server group → Denied
You do NOT need to write syntax for the exam, but you must understand the concept.
Advantages of SGACLs
- Policies are easier to read
- No dependency on IP addressing
- One policy works everywhere
- Reduced configuration errors
3. TrustSec Policy Enforcement
TrustSec policies can be enforced at different points:
- Switches
- Routers
- Firewalls
- Wireless controllers
Enforcement happens after identity is known, not before.
This is known as:
- Identity-based access control
TrustSec Architecture Summary
For exam purposes, remember this flow:
- User/device connects to the network
- Authentication occurs (usually via 802.1X)
- Cisco ISE assigns an SGT
- Traffic carries the SGT
- Network devices enforce SGACLs
- Access is allowed or denied
Key TrustSec Benefits (Exam-Friendly)
- Identity-based security
- Centralized policy control
- Simplified network design
- Scales better than VLAN-based security
- Policies remain consistent across the network
Part 2: MACsec (Media Access Control Security)
What is MACsec?
MACsec is a Layer 2 security technology that provides:
- Encryption
- Integrity
- Authentication
for wired Ethernet traffic.
MACsec protects data between directly connected devices, such as:
- Switch-to-switch
- Switch-to-host
Why MACsec is Needed
Without MACsec:
- Wired traffic is usually unencrypted
- Anyone with access to the physical link can capture data
MACsec ensures that:
- Traffic cannot be read
- Traffic cannot be modified
- Traffic comes from a trusted device
MACsec Key Characteristics
| Feature | Description |
|---|---|
| OSI Layer | Layer 2 |
| Encryption | AES-128 or AES-256 |
| Scope | Point-to-point Ethernet links |
| Protection | Confidentiality, integrity, authentication |
How MACsec Works (Simplified)
- Devices authenticate each other
- A secure session key is created
- All Ethernet frames are encrypted
- Only authorized devices can decrypt the traffic
MACsec protects every frame, including:
- Data traffic
- Control traffic
MACsec and 802.1X Relationship
MACsec often works with 802.1X:
- 802.1X authenticates the device
- MACsec encrypts the traffic after authentication
Important exam note:
802.1X provides authentication, MACsec provides encryption
MACsec Use in Enterprise Networks
In an IT environment, MACsec is used to protect:
- Switch uplinks
- Access layer connections
- Sensitive network segments
MACsec is especially important when:
- Physical security is not guaranteed
- Data confidentiality is required at Layer 2
MACsec Limitations (Exam Awareness)
- Only protects hop-by-hop traffic
- Both devices must support MACsec
- Not end-to-end encryption across multiple hops
TrustSec vs MACsec (Very Important for Exam)
| Feature | TrustSec | MACsec |
|---|---|---|
| Purpose | Access control | Traffic encryption |
| Focus | Identity-based security | Link-level security |
| OSI Layer | Layer 2–4 (policy-based) | Layer 2 |
| Uses | Who can access what | Protecting data on the wire |
| Encryption | No | Yes |
How TrustSec and MACsec Work Together
In a secure network design:
- TrustSec controls who is allowed to communicate
- MACsec protects the data while it is being transmitted
Together they provide:
- Strong access control
- Strong data protection
- End-to-end security architecture
Exam Key Points to Remember
For CCNP ENCOR, you must remember:
- TrustSec uses Security Group Tags (SGTs)
- Policies are enforced using SGACLs
- TrustSec is identity-based, not IP-based
- MACsec provides Layer 2 encryption
- MACsec protects wired Ethernet traffic
- TrustSec controls access, MACsec protects data
Final Summary
- Cisco TrustSec simplifies security by using identity instead of IP addresses
- SGTs identify users and devices
- SGACLs define access rules between groups
- MACsec encrypts Ethernet traffic at Layer 2
- Both technologies are key components of modern Cisco network security design
