Zero trust gets thrown around constantly, but Cisco TrustSec is one of the few frameworks that translates the concept into actual switch configurations. ISE combined with TrustSec uses Scalable Group Tags (SGTs) — 16-bit labels assigned during authentication — to enforce identity-based access policies across your entire infrastructure, replacing thousands of IP-based ACLs with a centralized policy matrix.
Here's how the full architecture works, end to end — with real configs, scalability limits, and the deployment pain points the docs don't mention.
How TrustSec SGT Segmentation Actually Works
Step 1: Authentication (802.1X / MAB)
Everything starts with identity. When an endpoint connects to a Catalyst switch port, it authenticates via:
- 802.1X — supplicant-based (Windows, macOS, Linux machines with a certificate or EAP credentials)
- MAB (MAC Authentication Bypass) — for devices that can't run a supplicant (IP phones, printers, IoT sensors)
The switch sends the authentication request to ISE via RADIUS. ISE evaluates its policy sets — ordered rules matching conditions like AD group membership, device type, location, and posture status.
```
! Catalyst switch port config for 802.1X + MAB
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication host-mode multi-auth
 dot1x pae authenticator
 mab
 ip device tracking
```
Step 2: SGT Assignment
When ISE authorizes the endpoint, it returns an SGT to the switch in the RADIUS authorization (Access-Accept). The switch then carries that SGT in a Cisco Meta Data (CMD) header on every frame sourced by the endpoint.
Common SGT assignments:
| SGT Value | Name | Description |
|---|---|---|
| 2 | TrustSec_Devices | Network infrastructure |
| 5 | Employees | Corporate domain-joined machines |
| 8 | Guests | Guest Wi-Fi users |
| 10 | Contractors | Third-party contractors |
| 15 | IoT_Devices | Cameras, sensors, HVAC |
| 20 | Finance_Servers | Financial application servers |
| 25 | PCI_Zone | Payment card data environment |
In ISE, the authorization profile looks like:
Authorization Profile: Corp_Employee_Access
- Access Type: ACCESS_ACCEPT
- VLAN: data (dynamic)
- SGT: Employees (5)
- dACL: PERMIT_ALL_TRAFFIC
Step 3: SGT Propagation
This is where TrustSec gets interesting — and where most deployments hit their first real decision point. Two propagation methods:
Inline Tagging (Preferred)
The SGT is carried inside the Ethernet frame header as traffic traverses the network. Every switch in the path reads and forwards the tag. Requires:
- Hardware support (Catalyst 9000 series, Nexus 7000/9000)
- TrustSec-capable linecards
- CTS credentials configured on trunk links
```
! Enable inline tagging on a trunk (tag 2 = TrustSec_Devices; the neighbor's tag is trusted)
interface TenGigabitEthernet1/1/1
 switchport mode trunk
 cts role-based enforcement
 cts manual
  policy static sgt 2 trusted
  propagate sgt
```
SXP (SGT Exchange Protocol)
SXP is a control-plane protocol that exchanges IP-to-SGT mappings between devices. It's the fallback when switches don't support inline tagging.
```
! Switch as SXP listener, peered with ISE (the speaker)
cts sxp enable
cts sxp default source-ip 10.1.1.1
cts sxp default password 7 <encrypted>
cts sxp connection peer 10.1.1.100 password default mode local listener hold-time 120 120
```
SXP scalability is the real-world pain point. A standalone ISE 3595 supports only 20,000 SXP bindings with 30 listener peers. Even the high-end 3895 tops out at 50,000 bindings with 50 peers. For large campus deployments with 100,000+ endpoints, you need inline tagging or a distributed PAN/PSN architecture.
Step 4: SGACL Enforcement
The policy matrix in ISE defines what traffic is permitted between any source SGT and destination SGT pair. SGACLs are ACLs applied based on tags rather than IP addresses.
| Source SGT → Dest SGT | Finance_Servers (20) | PCI_Zone (25) | Internet |
|---|---|---|---|
| Employees (5) | Permit | Deny | Permit |
| Contractors (10) | Deny | Deny | Permit (restricted) |
| Guests (8) | Deny | Deny | Permit (web only) |
| IoT_Devices (15) | Deny | Deny | Deny |
```
! SGACL denying Contractors from Finance servers (and logging the hits)
ip access-list role-based Contractors_to_Finance
 deny ip log

! Verify enforcement
show cts role-based permissions
show cts role-based counters
```
Enforcement happens at the egress switch closest to the destination. The switch downloads the SGACL policy from ISE and applies it to traffic matching the source-destination SGT pair.
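To make the matrix concrete, here is an added example (not code from the article or from Cisco ISE) that models the policy matrix above in Python: it looks up a source/destination SGT pair, lists the pairs the matrix never decides on (which fall to the default policy), and renders the equivalent IOS-XE SGACL and `cts role-based permissions` statements. The SGT values and matrix cells come from the article's tables; two assumptions are labelled in the code: the "Internet" column is modelled as destination SGT 0 (Unknown), and undecided pairs default to permit, as they do until a default SGACL is configured.

```python
"""Model of the article's SGT policy matrix: look up a source/destination SGT
pair, list pairs the matrix never decides on, and render the equivalent
IOS-XE SGACL and 'cts role-based permissions' statements.

Added example, not code from the article or from Cisco ISE. SGT values and
matrix cells are taken from the article's tables. Assumptions: the "Internet"
column is modelled as destination SGT 0 (Unknown), and undecided pairs fall
to a default of permit (the behaviour until a default SGACL is configured)."""

from itertools import product

# SGT name -> value, from the assignment table (Unknown/0 is the assumption above)
SGTS = {
    "Unknown": 0, "TrustSec_Devices": 2, "Employees": 5, "Guests": 8,
    "Contractors": 10, "IoT_Devices": 15, "Finance_Servers": 20, "PCI_Zone": 25,
}
NAME_OF = {value: name for name, value in SGTS.items()}

# (source SGT, destination SGT) -> action, cell by cell from the policy matrix.
# The "restricted" and "web only" permits are reduced to plain permit here; in
# ISE they would be separate SGACLs with port-level entries.
MATRIX = {
    (5, 20): "permit",  (5, 25): "deny",  (5, 0): "permit",   # Employees
    (10, 20): "deny",   (10, 25): "deny", (10, 0): "permit",  # Contractors
    (8, 20): "deny",    (8, 25): "deny",  (8, 0): "permit",   # Guests
    (15, 20): "deny",   (15, 25): "deny", (15, 0): "deny",    # IoT_Devices
}

DEFAULT_ACTION = "permit"   # assumption: no default SGACL configured


def evaluate(src_sgt, dst_sgt, matrix=MATRIX, default=DEFAULT_ACTION):
    """Return (action, explicit). explicit=False means the pair hit the default policy."""
    if (src_sgt, dst_sgt) in matrix:
        return matrix[(src_sgt, dst_sgt)], True
    return default, False


def find_gaps(sgt_values, matrix=MATRIX):
    """Ordered (src, dst) pairs among the given SGTs that have no explicit cell.
    With a permit default, every gap is an implicit allow that never shows up
    in the matrix view, which is why this list is worth reviewing."""
    return sorted((s, d) for s, d in product(sgt_values, repeat=2)
                  if s != d and (s, d) not in matrix)


def sgacl_name(src_sgt, dst_sgt):
    """Naming scheme modelled on the article's Contractors_to_Finance example."""
    return f"{NAME_OF[src_sgt]}_to_{NAME_OF[dst_sgt]}"


def render_config(matrix=MATRIX):
    """IOS-XE lines for every explicit cell: one role-based ACL per cell (deny
    cells log, as in the article) followed by the SGT-pair bindings."""
    lines = []
    for (src, dst), action in sorted(matrix.items()):
        lines.append(f"ip access-list role-based {sgacl_name(src, dst)}")
        lines.append(f" {action} ip log" if action == "deny" else f" {action} ip")
    for src, dst in sorted(matrix):
        lines.append(f"cts role-based permissions from {src} to {dst} {sgacl_name(src, dst)}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_config()))
    reviewed = [SGTS[n] for n in ("Employees", "Guests", "Contractors",
                                  "IoT_Devices", "Finance_Servers", "PCI_Zone")]
    for s, d in find_gaps(reviewed):
        print(f"no explicit cell, default applies: {NAME_OF[s]} -> {NAME_OF[d]}")
```

Running it prints the generated SGACL configuration and then 22 source/destination pairs the matrix leaves undecided, among them IoT_Devices to Employees and Finance_Servers to PCI_Zone. Those implicit permits are what a review of the matrix should catch before the policy is pushed.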
Real-World Deployment Pain Points
SXP vs. Inline Tagging: The Hardware Gap
Not every switch supports inline tagging. Catalyst 9200/9300/9400/9500 and Nexus 9000 do. Older Catalyst 3850, 4500, and most third-party switches don't. This creates hybrid deployments running inline tagging on core/distribution and SXP at the access layer.
The hybrid approach works, but every SXP peering is another control-plane dependency. ISE's SXP speaker can become a bottleneck in campus networks with 20+ buildings.
ISE 3.x Licensing
| License Tier | Key Features | Required For |
|---|---|---|
| Essentials | 802.1X, MAB, Guest, basic RADIUS | Basic NAC |
| Advantage | Profiling, BYOD, TrustSec/SGT, pxGrid | TrustSec segmentation |
| Premier | Passive ID, 3rd-party MDM, AI Analytics | Advanced visibility |
TrustSec requires Advantage. The licensing is per-endpoint (concurrent active sessions), not per-user. A typical 10,000-endpoint campus deployment needs 10,000 Advantage licenses.
Posture Assessment Realities
ISE posture checks via the AnyConnect compliance module are supposed to verify endpoint health before granting full SGT access. In practice:
- The AnyConnect agent adds deployment complexity on every managed endpoint
- BYOD devices can't run the full posture module
- Posture remediation workflows break if the RADIUS session times out
- Mac/Linux posture support lags behind Windows
Most mature deployments use posture as a day-two enhancement, not a day-one requirement.
ISE vs ClearPass vs Forescout
| Capability | Cisco ISE | Aruba ClearPass | Forescout |
|---|---|---|---|
| Best for | Cisco-heavy enterprise | Aruba/HPE wireless | Agentless IoT/OT |
| Segmentation | TrustSec SGT (deep) | Role-based (basic) | Limited |
| Switching integration | Native (Catalyst, Nexus) | Native (Aruba CX) | Agentless discovery |
| Cloud-native | No (on-prem VMs/appliances) | No | No |
| IoT profiling | AI Endpoint Analytics | ClearPass Device Insight | eyeSight |
| TACACS+ | Yes | No | No |
If you're running Catalyst switches, ISE is the only NAC that gives you full TrustSec SGT enforcement. For multi-vendor environments, some organizations deploy Forescout for visibility alongside ISE for enforcement — using pxGrid to share context.
Verification Commands to Know
```
show authentication sessions interface Gi1/0/10
show cts role-based sgt-map all
show cts role-based permissions
show cts interface summary
show cts sxp connections
show cts sxp sgt-map
```
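The two outputs above that matter most in a TrustSec incident are the IP-to-SGT map and the SXP connection state. Here is an added Python example (not code from the article or from Cisco) that parses constructed samples of `show cts role-based sgt-map all` and `show cts sxp connections` and audits them: bindings whose tag contradicts the SGT expected for their subnet, and SXP peers whose connection is not up. The sample outputs and the subnet-to-SGT mapping are constructed for this example, and their layout is an assumption about what the platform prints; adjust the regexes to the output of your own switches.

```python
"""Parse 'show cts role-based sgt-map all' and 'show cts sxp connections' and
audit them: IP-SGT bindings that contradict the tag expected for their subnet,
and SXP peers whose connection is not up.

Added example, not code from the article or from Cisco. The sample outputs
below are constructed for this example and their layout is an assumption
about what the platform prints."""

import ipaddress
import re

# Constructed sample of 'show cts role-based sgt-map all' (format assumed)
SGT_MAP_SAMPLE = """\
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
10.1.1.1                2       INTERNAL
10.1.100.20             5       LOCAL
10.1.100.21             5       LOCAL
10.1.150.7              8       SXP
10.20.0.10              20      SXP
10.20.0.11              8       SXP

IP-SGT Active Bindings Summary
============================================
Total number of active   bindings = 6
"""

# Constructed sample of 'show cts sxp connections' (format assumed)
SXP_SAMPLE = """\
 SXP              : Enabled
 Default Source IP: 10.1.1.1
----------------------------------------------
Peer IP          : 10.1.1.100
Conn status      : On
Local mode       : SXP Listener
----------------------------------------------
Peer IP          : 10.1.1.101
Conn status      : Off
Local mode       : SXP Listener

Total num of SXP Connections = 2
"""

# Expected SGT per subnet, using the article's SGT values (constructed mapping)
EXPECTED_SGT_BY_SUBNET = {
    "10.1.100.0/24": 5,   # Employees
    "10.1.150.0/24": 8,   # Guests
    "10.20.0.0/24": 20,   # Finance_Servers
}

_BINDING_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s*$", re.M)
_FIELD_RE = re.compile(r"^(Peer IP|Conn status|Local mode)\s*:\s*(.+?)\s*$", re.M)


def parse_sgt_map(text):
    """{ip: (sgt, source)} from the sgt-map output; header and summary lines do not match."""
    return {ip: (int(sgt), src) for ip, sgt, src in _BINDING_RE.findall(text)}


def audit_bindings(bindings, expected=EXPECTED_SGT_BY_SUBNET):
    """(ip, actual_sgt, expected_sgt) for every binding whose tag disagrees with
    its subnet. A Guests tag on a host in the Finance range quietly gives that
    host a different row of the policy matrix, so it is worth surfacing."""
    nets = {ipaddress.ip_network(n): sgt for n, sgt in expected.items()}
    findings = []
    for ip, (sgt, _source) in bindings.items():
        addr = ipaddress.ip_address(ip)
        for net, want in nets.items():
            if addr in net and sgt != want:
                findings.append((ip, sgt, want))
    return findings


def parse_sxp_connections(text):
    """[{'peer', 'status', 'mode'}] from the sxp connections output, one per peer block."""
    conns = []
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        fields = dict(_FIELD_RE.findall(block))
        if "Peer IP" in fields:
            conns.append({"peer": fields["Peer IP"],
                          "status": fields.get("Conn status", ""),
                          "mode": fields.get("Local mode", "")})
    return conns


def sxp_peers_not_on(conns):
    """Peers in any state other than On. On a listener-only access switch each
    one means IP-SGT bindings from that peer are no longer being learned."""
    return [c["peer"] for c in conns if c["status"] != "On"]


if __name__ == "__main__":
    bindings = parse_sgt_map(SGT_MAP_SAMPLE)
    for ip, actual, want in audit_bindings(bindings):
        print(f"{ip}: tagged SGT {actual}, subnet expects SGT {want}")
    for peer in sxp_peers_not_on(parse_sxp_connections(SXP_SAMPLE)):
        print(f"SXP peer {peer} is not On")
```

On the constructed samples this reports 10.20.0.11 carrying the Guests tag inside the Finance server range and the second SXP peer in the Off state. Feeding the real command output into the same functions from a collection script is a cheap way to turn the verification commands above into a recurring check rather than a manual one.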
Study topology for lab practice:
```
[Windows PC] --- 802.1X --- [Cat 9300 Access] --- trunk (inline SGT) --- [Cat 9500 Core]
                                  |                                            |
                          RADIUS ←→ [ISE 3.x PSN]                          [FTD/FMC]
                                  |   (SXP listener)
[IP Phone]   --- MAB ---   [Cat 9300 Access]
```
Bottom Line
TrustSec SGT-based segmentation is the practical zero trust implementation that enterprises are actually deploying. Whether you're implementing segmentation in production or studying for certification, mastering ISE and SGT-based policies is one of the highest-value investments you can make.
The combination of increasing vulnerability disclosures in network infrastructure and enterprise zero trust mandates means ISE/TrustSec expertise will stay in demand.
Originally published on FirstPassLab. For more deep dives on network security and automation, visit firstpasslab.com.
AI Disclosure: This article was adapted from the original with AI assistance. The technical content has been reviewed by CCIE-certified engineers.