Cisco TrustSec Software-Defined Segmentation Platform and Capability Matrix

Transcription

1 Sales Tool TrustSec Software-Defined Segmentation Platform and Capability Matrix TrustSec uniquely builds upon your existing identity-aware infrastructure by enforcing segmentation and access control policies in a scalable manner using the capabilities detailed below. This table summarizes the platforms and that are validated in the TrustSec testing. It is in current with the TrustSec 6.0 validation program. System Tag () Exchange Inline Identity Engine 2000 ISE 3515, 3595, 3415, and 3495 Appliance & VMware 2960-Plus Switches Base ISE 2.1, 2.0, ISE 1.4 ISE 2.0 -, VLAN to, Subnet to 2960-C -, VLAN to, Subnet to 2960-CX (3)E, VLAN to, Subnet to 2960-S and 2960-SF, VLAN to, Subnet to 2960-X and 2960-XR, VLAN to, Subnet to E and 3750-E 15.0(2)SE5 15.0(2)SE5 Dynamic, to, VLAN to 3560-C/CG 15.0(1)SE2, VLAN to, Subnet to 3560-CX 15.2(3)E 15.2(3)E Dynamic, to (v4, v6), VLAN to, Subnet to 3560-X and 3750-X 1 (prefix must be 32), VLAN to, Port to (only on switch to switch links) ; MACsec (with C3KX-SM- 10G uplink) (maximum of 8 VLANs on a VLAN-trunk link) 2016 and/or its affiliates. All rights reserved. This document is Public Information. Page 1 of 6

2 System Tag () Exchange Inline and 3850 ONE & above XE XE 3.6.0SE (v4,v6), VLAN to, Port to, Subnet to, L3IF to ; MACsec (3650 requires 3.7.1) 3650 and 3850 ONE XE XE (v4,v6), VLAN to, Port to, Subnet to, L3IF to ; MACsec (3650 requires 3.7.1) 3850-XS ONE XE XE 3.7.4, VLAN to, Port to, Subnet to, L3IF to ;**** MACsec E- Engine 6-E and 6L-E ; (1)SG 15.1(1)SG 4500 E- Engine 7-E and 7L-E ONE XE 3.5.1E XE 3.5.1E, VLAN to, Subnet to, L3IF to, Port to ; (See footnote for ed line cards) 4500 E- Engine 8-E and 8L-E ONE XE 3.6.3E XE 3.6.0E (v4, v6), VLAN to, Port to, Subnet to (Src & Dst), L3IF to ; (See footnote for ed line cards) 4500-X ONE XE XE 3.5.1E (v4,v6), VLAN to, Port to, Subnet to (Src & Dst), L3IF to ; Engine 32 and (33)SXJ2 15.1(2)SY Engine 2T 6807-XL 15.2(1)SY0a 15.2(1)SY0a (v4, v6), VLAN to, Port to, Subnet to (v4,v6), L3IF-to- (v4,v6) (v4, v6) & MACsec ed on: WS-X69xx modules, C P10G/G- XL, C P10G/G- XL, C6800-8P10G/G-XL (v4, v6) Caching 6880-X, 6840-X, and 6800ia ONE 15.2(1)SY0a, 15.2(3a)E 15.2(1)SY0a (v4, v6), VLAN to, Port to, Subnet to (v4,v6), L3IF-to- (v4,v6) (v4, v6) ; MACsec (v4, v6) Caching 2016 and/or its affiliates. All rights reserved. This document is Public Information. Page 2 of 6

3 System Tag () Exchange Inline Connected Grid s and Switches Industrial Switches 2010 Connected Grid s 2500 Connected Grid Switches IE 2000 & 2000U IE 3000 IE (2)T (3)EA ; for oe & 15.2(3)EA IE2000U: IOS 15.2(3)E3 15.2(4)EA, 15.2(5)E 15.4(1)T 15.0(2)EK1 15.2(1)EY IE2000U: IOS 15.2(3)E3 15.2(5)EA Dynamic, to, VLAN to, VLAN to, Port to, Subnet to, VLAN to, Subnet to, VLAN to, Subnet to GETVPN or sec VPN IE 5000 ; for oe & B1, 15.2(5)E 15.2(5)EA, VLAN to, Subnet to on1g interfaces only Wireless Controllers 5500 (5508,5520) 2500 (2504) - AireOS AireOS 30.0 Dynamic Wireless Module 2 (WiSM2) - AireOS AireOS 30.0 Dynamic 5760 Wireless Controller 8500 Wireless Controller (8540,8510) XE 3.7.1E - AireOS XE 3.3.1SE AireOS, VLAN to, Port to, Subnet to Dynamic over Nexus 7000 Nexus 7000 M- and F-*** modules Nexus 7700 F-*** modules Base License NX-OS 6.1 and later NX-OS 7.3(0)D1(1), 7.2(0)D1(1) NX-OS 7.3(0)D1(1) to 1, Port Profile to, VLAN to 2, Port to 2 Subnet to 5 1 :FabricPath requires 6.2(10) or later 2 VPC/VPC+ requires 7.2(0)D1(1) or later 3 ; MACsec 4 3 : F3 interfaces (L2 or L3) require 802.1Q or FabricPath 4 : M & F2e (Copper-) all ports; F2e (SFP) & F3 (10G)- last 8 ports; All others- no 5 Subnet to requires 2016 and/or its affiliates. All rights reserved. This document is Public Information. Page 3 of 6

4 System Tag () Exchange Inline Nexus 5000, 6000 Nexus 6000/ NX-OS 7.1(0)N1(1a) NX-OS 7.0(1)N1(1) Port to V1 Nexus 5548P, 5548UP, and 5596UP (te: for 5010 or 5020) - NX-OS 7.0(5)N1(1) NX-OS 6.0(2)N2(6) Port to V1 1 1 : FabricPath Nexus 1000 Nexus 1000V for VMware vsphere Advanced license for / NX-OS 5.2(1)S(1.3) NX-OS to, 5.2(1)S (1.1) Port Profile to v1 890, Integrated 1900, 2900, 3900 (ISR) / 890: 15.4(1)T1 IOS 15.4(3)M 1900/2900/390 0: 15.5(1)20T IOS 15.4(3)M 890: IOS 15.4(3)M 1900/2900/39 00: 15.6(1)T to, Subnet to, L3IF to (no on ISR G2-800 ), sec VPN (890: services) based Caching based 4000 (ISR 4451-X validated) 4000 ISR 4431, and 4451-X / / propa-gate; XE S XE XE S XE to, Subnet to, L3IF to to, Subnet to, L3IF to, over sec VPN,, over sec VPN based Caching based based Caching based SM-X Layer 2/3 EtherSwitch Module / T, VLAN to ; Cloud Cloud 1000V (CSR) / XE S XE S to, Subnet to, L3IF to, sec VPN, DMVPN based Caching 2016 and/or its affiliates. All rights reserved. This document is Public Information. Page 4 of 6

5 System Tag () Exchange Inline Aggregation (ASR) 1000 Processor 1 or 2 (RP1, RP2); ASR 1001, 1002,1004, 1006 and 1013 with ESP (10,20, 40, 100, 200) and S (10/40) / XE S S to, Subnet to, L3IF to, sec VPN, or DMVPN based (1000 RP2) based Caching Adaptive Security Appliance (ASA) Firepower (FP) ASR 1001-X and 1002-X ASR 1004, 1006, 1013, X, and 1009-X ASA 5510, 5520, 5540, 5550, 5580 ASA 5505**, 5512, 5515, 5525, 5545, 5555, 5585 ASA 5506-X, 5506H-X, 5506W-X, 5508-X, 5516-X ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X with FirePower / for classify/ / enforce-ment XE S XE - ASA 9.0.1, ASDM ASA 9.3.1, ASDM 7.3.1, CSM ASA - ASA ASAv - ASA ADSM FP 4100 FP 9300 Firepower Threat Defense Base FXOS 2.0(1) ASA XE S XE ASA 9.0.1, ASDM ASA 9.3.1, ASDM 7.3.1, CSM 4.8 ASA ASA ASA ASDM FXOS 2.0(1) ASA to, Subnet to, L3IF to to, Subnet to, L3IF to VPN (Sec, VPN (Sec, VPN (Sec, VPN (Sec, VPN (Sec, v2 (v4, v6), sec VPN, DMVPN, over sec VPN based based Caching based Caching based (v4, v6) based (v4, v6) based (v4, v6) based based FirePOWER 7000 and FireSIGHT , , FireSIGHT , , and/or its affiliates. All rights reserved. This document is Public Information. Page 5 of 6

6 tes Dynamic classification includes IEEE 802.1X, MAC Authentication Bypass (MAB), and Web Authentication (Web Auth). to, VLAN to, subnet to, port profile to, L2IF to, and L3IF to use the static classification method. Solution-level validated versions may not always represent the latest available platform version and feature set. For latest platform firmware version and feature set, refer to product release notes. * Product part numbers of ed line cards for and MACsec on the 4500 Engine 7-E, 7L-E, 8-E, and 8L-E include the following: WS-X4712-SFP+E, WS-X4712-SFP-E, WS-X4748-UPOE+E, WS-X4748-RJ45V+E, WS-X4748-RJ45- E, WS-X4724-SFP-E, WS-X4748-SFP-E, and WS-X X48U+E. ** ASA 5505 does not releases after 9.2. *** Nexus 7000 F1- modules do not TrustSec. ****Use of inline tagging with LACP requires future IOS XE Denali or IOS 3.7 release (CSCva22545) - With v6, DGT can be v4. - vwlc does not TrustSec. - Prior versions of this document listed 3750-X validated version, IOS 12.2(3)E1. It has a TrustSec defect and was deferred. Printed in USA v6.0a C / and/or its affiliates. All rights reserved. This document is Public Information. Page 6 of 6