Cisco Group Based Policy Platform and Capability Matrix Release 6.5 (inclusive of TrustSec Software-Defined Segmentation)

Cisco Group Based Policy (also known as TrustSec Software-Defined Segmentation) builds upon your existing identity-aware infrastructure by enforcing segmentation and access control policies in a scalable manner using the capabilities detailed below. This document summarizes the platforms and features that are validated in Cisco Group Based Policy testing. It is current with the validation program for Release 6.5.

Table 1 provides cross-platform group-based policy exchange interoperability testing results. Application Centric Infrastructure (ACI) and Group Based Policy integration enables customers to apply consistent security policy across the enterprise, leveraging user roles and device type together with application context. The validated open-source OpenDaylight SDN use case included Nexus 7k SXPv3, ASA SXPv3, and OpenDaylight SXPv4 (Nitrogen and earlier releases) working together in the Data Center.

Table 1. TrustSec Group-Based Policy (GBP) Interoperability

Columns: System Component | Platform | Solution-Level Validated Version | Group Information Exchange | Interoperability Platform & Propagation method

Cisco Nexus 9000 Cisco 9000 NX-OS 13.2 (4e) Series: Series Switches EndPoint Group – Spine & Leaf Security Group Mappings Cisco ISE 2.4 Patch 6 ACI API Cisco Application Policy Cisco APIC-DC APIC-DC 3.2 (4e) via TrustSec-ACI policy Infrastructure Controller – Policy plane; and data plane exchange Data Center

Open Daylight SDN ODL SDN Lithium, Beryllium, SGT via SXP v4 Cisco ISE 2.1- SXP v4 controller Carbon Nexus 7000 7.3- SXP v3 ASA 9.6.1- SXP v3

Open Daylight SDN ODL SDN Nitrogen IPv4, IPv6 SXP Peering Cisco ISE 2.4 controller ASR 1001-X IOS XE 16.5.1b CSR 1000v IOS XE 16.6.3 Cat 6500 IOS 15.4(1)SY2 Cat 3850 IOS 3.6.8E

In Tables 2 and 3 (Cisco Platform Support Matrix), dynamic classification includes IEEE 802.1X, MAC Authentication Bypass (MAB), Web Authentication (Web Auth), and Easy Connect. IP to SGT, VLAN to SGT, subnet to SGT, port profile to SGT, L2IF to SGT, and L3IF to SGT use the static classification method.

Cisco DNA Premier is a simple and economical solution for deploying branch and campus switches and wireless access points. It offers an uncompromised user experience in a highly secure and feature-rich access infrastructure and simplifies the licensing requirements for Group Based Policy deployment. Cisco DNA Advantage requires Network Advantage hardware licenses.

Solution-level validated versions listed in the tables below may not always represent the latest available platform version and feature set. Releases may encounter issues in other subsystems and be deferred. For the latest platform firmware version and feature set, refer to the product release notes.

© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 12

As an aid to deployment, products are grouped into Tier I, II, and III with regard to feedback on design and deployment. Tier I products have full Group Based Policy functionality with few caveats, and they are common components in successful deployments. Tier II products have full Group Based Policy functionality, but there are some caveats involved in their deployment. Tier III products do not have full Group Based Policy functionality and support Classification and SXP-based Propagation only. These products tend to be older, with a less rich feature set and more caveats to consider when deploying. Security products are not listed in a tier. End of Sale products are listed in Table 3.

VXLAN is supported on several platforms but not all are listed in the matrix pending review of solution test verification.

Table 2. Cisco Group Based Policy Platform Support Matrix

Columns: System Component | Platform | License | Solution-Level Validated Version | Minimum version for all features | Security Group Tag (SGT) Classification | SGT Exchange Protocol (SXP) Support and Version | Inline SGT Tagging | SGT Enforcement Services

Cisco Catalyst LAN Base - Cisco IOS Dynamic, IP to Speaker No No ® Catalyst 2960-Plus K9 15.2(2)E3 SGT, VLAN to V4 2000 Series SGT, Subnet to Series SGT

Catalyst 2960- LAN Base - Cisco IOS Dynamic, IP to Speaker No No C Series K9 15.2(2)E3 SGT, VLAN to V4 SGT, Subnet to SGT

Catalyst 2960- LAN Base - Cisco IOS Dynamic, IP to Speaker No No CX Series  K9 15.2(3)E SGT, VLAN to V4 SGT, Subnet to SGT

Catalyst 2960- LAN Base Cisco IOS Cisco IOS Dynamic, IP to Speaker No No X Series  K9 15.2(2)E 15.2(2)E3 SGT, VLAN to V4 SGT, Subnet to SGT

Catalyst 2960- IP Lite K9 Cisco IOS Cisco IOS Dynamic, IP to Speaker No No XR Series  15.2(2)E 15.2(2)E3 SGT, VLAN to V4 SGT, Subnet to SGT

Cisco Catalyst 3650 IP Base K9 Cisco IOS XE Cisco IOS XE Dynamic, IP to Speaker, SGT over SGACL, Catalyst and 3850 & above or 3.7.4E 3.6.4E SGT (v4,v6), Listener Ethernet; Logging 3000 Series Cisco ONE 3.6.8E VLAN to SGT, V4 SGT over (3.6.6E) Series Port to SGT,  Foundation 3.6.6E MACsec & above Subnet to SGT, (3650 requires L3IF to SGT SGT Netflow 3.7.1) v9

Catalyst 3650 IP Base K9 Cisco IOS XE Cisco IOS XE Dynamic, IP to Speaker, SGT over SGACL, and 3850 & above or Denali 16.6.4 Denali 16.3.1 SGT (v4,v6), Listener Ethernet; SGT Monitor mode, Series Cisco ONE VLAN to SGT, V4 over MACsec; Logging  Foundation & Port to SGT, SGT over above Subnet to SGT, VXLAN L3IF to SGT

Catalyst 3850- IP Base K9 Cisco IOS XE Cisco IOS XE Dynamic, IP to Speaker, SGT over SGACL XS Series & above or 3.7.4 3.7.4 SGT, VLAN to Listener Ethernet Note5;  Cisco ONE SGT, Port to V4 SGT over Foundation SGT, Subnet to MACsec & above SGT, L3IF to SGT


Cisco Catalyst IP Base K9 Cisco IOS Cisco IOS (L2 adjacent Speaker, No SGACL Note16 Catalyst 3560-CX 15.2(3)E 15.2(4)E hosts only) Listener 3000 Series Dynamic, IP to V4 Series SGT (v4, v6), VLAN to SGT, Subnet to SGT

Catalyst IP Base K9 Cisco IOS Cisco IOS (L2 adjacent Speaker, No No 3560-C/CG 15.0(1)SE2 15.2(2)E hosts only) Listener Series Dynamic, IP to V4 SGT, VLAN to SGT, Subnet to SGT

Cisco Catalyst 4500 IP Base K9 Cisco IOS XE Cisco IOS XE Dynamic, IP to Speaker, SGT over SGACL, Catalyst E-Series & above or 3.7.1E 3.6.0E SGT (v4, v6), Listener Ethernet; SGT Logging Supervisor VLAN to SGT, over MACsec 4500 Cisco ONE V4 Engine 8-E Port to SGT, (See note 2 for Series Foundation 3.8.0E- and 8L-E Subnet to SGT supported line SGT Netflow & above Logging (Src & Dst), L3IF cards) v9 to SGT Note12

Catalyst 4500- IP Base K9 Cisco IOS XE Cisco IOS XE Dynamic, IP to Speaker, SGT over SGACL, X Series & above or 3.6.3E 3.5.1E SGT (v4,v6), Listener Ethernet; SGT Logging over MACsec  Cisco ONE 3.6.6 3.8.0E- VLAN to SGT, V4 Port to SGT, Foundation logging & above Subnet to SGT (Src & Dst), L3IF to SGT Note12

Cisco Catalyst 4500 IP Base K9 Cisco IOS XE Cisco IOS XE Dynamic, IP to Speaker, SGT over SGACL, Catalyst E-Series & above or 3.7.1E 3.5.1E SGT, VLAN to Listener Ethernet; SGT Logging over MACsec 4500 Supervisor Cisco ONE SGT, Subnet to V4 [3.8.0E] Series Engine 7-E Foundation SGT, L3IF to (See note 2 and 7L-E SGT, Port to for supported & above SGT Netflow SGT Note12 line cards)  v9

Catalyst IP Base K9 Cisco IOS Cisco IOS Dynamic, IP to Speaker, No No Note12 4500 E-Series 15.1(1)SG 15.1(1)SG SGT Listener Supervisor V4 Engine 6-E and 6L-E; 

Cisco 2T: IP Base Cisco IOS Cisco IOS Dynamic, IP to Speaker, SGT over SGACL (IPv4, Catalyst Series K9 15.4(1)SY2 15.2(1)SY0a SGT (v4, v6), Listener Ethernet & IPv6), 6500 Supervisor Sup 6T VLAN to SGT, V4 SGT over Monitor mode, Series Engine 2T & 15.2(1)SY05 Port to SGT, MACsec 15.2(1)SY0a Cisco IOS (IPv4, IPv6) Logging Supervisor 6T 15.4(1)SY1 Subnet to SGT supported on: 6T: IP Sup 6T (v4,v6), WS-X69xx Services K9 Cisco IOS L3IF-to- SGT modules, SGT Caching 15.4(1)SY1 (v4,v6) C6800- SGT Netflow 32P10G/G- Catalyst v9 XL, C6800- 6807-XL 16P10G/G- XL, C6800- 8P10G/G-XL; SGT over VXLAN

Catalyst IP Base K9 Cisco IOS Cisco IOS Dynamic, IP to Speaker, SGT over SGACL (IPv4, 6880-X, & above or 15.2(2)SY2, 15.2(1)SY0a SGT (v4, v6), Listener Ethernet; IPv6), 6840-X (incl Cisco ONE 15.2(1)SY0a, VLAN to SGT, V4 SGT over Monitor mode, 6816-X-LE), 15.2(3a)E Port to SGT, MACsec Foundation (IPv4, IPv6) Logging and 6800ia & above Subnet to SGT (v4,v6), L3IF-to- SGT (v4,v6) SGT Caching SGT Netflow v9

Catalyst 6500 IP Base K9 Cisco IOS Cisco IOS Dynamic, IP to Speaker, No No Series 12.2(33)SXJ2 15.1(2)SY1 SGT Listener Supervisor V4 Engine 32 and 720 


Cisco Cisco Catalyst Network Cisco IOS XE Cisco IOS XE Dynamic, Speaker, SGT over SGACL V4, V6 Catalyst 9200 Series Advantage 16.10.1 16.10.1 IP to SGT, Listener Ethernet (Note 17), 9200 VLAN to SGT, V4 SGT over Monitor mode, Series Port to SGT, VXLAN Logging Subnet to SGT, _ L3IF to SGT SGT Netflow v9

Cisco Catalyst 9300 Network Cisco IOS XE Cisco IOS XE Dynamic, Speaker, SGT over SGACL V4, V6 Catalyst Series Advantage Everest 16.6.2 Everest 16.6.2 IP to SGT, Listener Ethernet (Note 17), 9300 SMU SMU VLAN to SGT, V4 SGT over Monitor mode, Series (Note 10) Port to SGT, VXLAN Logging 16.8.1 Subnet to SGT, L3IF to SGT SGT Netflow v9

Cisco Catalyst 9400 Network Cisco IOS XE Cisco IOS XE Dynamic, IP to Speaker, SGT over SGACL V4, V6 Catalyst Series Advantage 16.6.2, Everest 16.6.2 SGT, Listener Ethernet (Note 17), 9400 Supervisor 16.8.1 SMU VLAN to SGT, V4 SGT over Monitor mode, Series Engine-1 & (Note 10) Port to SGT, VXLAN Logging -1XL 16.8.1 Subnet to SGT, L3IF to SGT SGT Caching SGT Netflow v9

Cisco Catalyst 9500 Network Cisco IOS XE Cisco IOS XE Dynamic, IP to Speaker, SGT over SGACL V4, V6 Catalyst Series Advantage Everest 16.6.2 Everest 16.6.2 SGT, Listener Ethernet (Note 17), SMU 9500 SMU VLAN to SGT, V4 SGT over Monitor mode Series (Note 10) Port to SGT, VXLAN Note13 Subnet to SGT, L3IF to SGT SGT Caching SGT Netflow v9

Catalyst 9500H Series Network Advantage Cisco IOS XE 16.12.2 Cisco IOS XE 16.12.2 Dynamic, IP to SGT, VLAN to SGT, Port to SGT, Subnet to SGT, L3IF to SGT Speaker, Listener V4 SGT over Ethernet; SGT over VXLAN SGACL V4, V6 (Note 17), Monitor mode, Logging SGT Netflow v9

Cisco Cisco Network Cisco IOS XE Cisco IOS XE Dynamic, Speaker, SGT over SGACL V4, V6 Catalyst Catalyst 9600 Advantage Everest 16.12.2 16.12.2 IP to SGT, Listener Ethernet (Note 17), 9600 Series 16.12.2 VLAN to SGT, V4 SGT over Monitor mode, Series Port to SGT, VXLAN Logging Subnet to SGT, L3IF to SGT SGT Netflow v9

Cisco CGR 2010 - Cisco IOS Cisco IOS Dynamic, Speaker, SGT over SG Firewall Connected Series 15.5(2)T 15.4(1)T IP to SGT, Listener GETVPN, Grid VLAN to SGT V4 SGT over Router IPsec VPN Series

Cisco CGS 2500 - Cisco IOS Cisco IOS Dynamic, IP to Speaker, No No Connected Series 15.2(3)EA 15.0(2)EK1 SGT, VLAN to Listener Grid Switch  SGT, Port to V3 Series SGT, Subnet to SGT

Cisco IE 2000 & LAN Base Cisco IOS Cisco IOS (L2 adjacent Speaker, No No Industrial 2000U Series 15.2(3)EA 15.2(1)EY hosts only) Listener Ethernet IE 3000 Dynamic, IP to V4 Switches SGT, VLAN to Series IE2000U: IOS IE2000U: IOS SGT, Subnet to  15.2(3)E3 15.2(3)E3 SGT

IE 3400 Network Cisco IOS-XE Cisco IOS-XE Dynamic, Speaker, SGT over SGACL V4, V6 Series Advantage 16.11.1 16.11.1 IP to SGT, Listener Ethernet (Note 17), VLAN to SGT, V4 Monitor mode, Port to SGT, Logging Subnet to SGT, L3IF to SGT SGT Netflow v9

IE 4000 LAN Base; Cisco IOS Cisco IOS (L2 adjacent Speaker Note11 SGT over SGACL Note16 Series IP Services 15.2(4)EA, 15.2(5)E hosts only) V4 Ethernet  for SGToE & 15.2(5)E Dynamic, IP to SGACL SGT, VLAN to SGT, Subnet to SGT

IE 5000 LAN Base; Cisco IOS Cisco IOS (L2 adjacent Speaker Note11 SGT over SGACL Note16 Series IP Services 15.2(2)EB1, 15.2(5)E1 hosts only) V4 Ethernet  for SGToE & 15.2(5)E Dynamic, IP to on1G & 10G SGACL SGT, VLAN to interfaces only SGT, Subnet to SGT

Cisco 1700, 2700, - Cisco AireOS Cisco AireOS Dynamic Speaker, SGT over SGACL Access 3700, AP 8.9 8.9 Listener Ethernet Note6 Points Series (Wave V4 Note6 1)

1815, 1830, - Cisco AireOS Cisco AireOS Dynamic Speaker, SGT over SGACL 1850, 2800, 8.9 8.9 Listener Ethernet Note6 3800 AP V4 Note6 Series (Wave 2)


Cisco 8540 Series - Cisco AireOS Cisco AireOS Dynamic Speaker v2 SGT over Supports AP Wireless Wireless 8.9 8.9 Ethernet SGACL in Controller Controller Centralized Series and Flex Connect mode)

5520 Series - Cisco AireOS Cisco AireOS Dynamic Speaker v2 SGT over Supports AP Wireless 8.9 8.9 Ethernet SGACL in Controller Centralized and Flex Connect mode)

3504 Wireless - Cisco AireOS Cisco AireOS Dynamic Speaker v2 SGT over Supports AP Controller 8.9 8.9 Ethernet SGACL in (Centralized Centralized mode) and Flex Connect mode)

vWLC - Cisco AireOS Cisco AireOS Dynamic Speaker v2 Supports APs 8.5 8.5 in Flex mode only

5500 Series - Cisco AireOS Cisco AireOS Dynamic Speaker V2 No No (5508,5520) 8.3.102.0, 7.6.130.0 7.6.130.0 2500 Series (2504) 

8500 Series - Cisco AireOS Cisco AireOS Dynamic Speaker V2 No No (8540,8510) 8.3.102.0 8.1  (pre 8.4)

Cisco Nexus 7000 Base Cisco NX-OS Cisco NX-OS IP to SGT1, Speaker, SGT over SGACL, Nexus® with M3- License 8.1(2), 8.1(1), 8.0(1) Port Profile to Listener Ethernet5; NX-OS 6.1 Monitor mode 7000 Series 8.0(1) SGT, VLAN to V4 SGT over & logging and later 2 Series modules 7.3.2 SGT , MACsec; 2 Port to SGT 7.3(0)D1(1) Subnet to SGT over [logging, SGT5 Note14 VXLAN monitor mode], 5: F3 interoperability 7.2(0)D1(1) requires M3 ‘no propagate- sgt l2 control’ command

Nexus 7000 Base Cisco NX-OS Cisco NX-OS IP to SGT1, Speaker, SGT over SGACL with M2- License 8.1(1), 8.0(1) 8.0(1) Port Profile to Listener Ethernet5; NX-OS 6.1 Monitor mode Series 7.3(0)D1(1) SGT, VLAN to V4 SGT over & limited and later 2 modules [Monitor mode SGT , MACsec logging 2  & limited Port to SGT Subnet to logging], 5 SGT5 Note14 : M2 cannot link to F3 7.2(0)D1(1) 1:FabricPath module. support requires 6.2(10) or later

2 VPC/VPC+ support requires 7.2(0)D1(1) or later

5 Subnet to SGT requires 7.3(0)D1(1) or later


Cisco Nexus 7700 Base Cisco NX-OS Cisco NX-OS IP to SGT1, Speaker, SGT over SGACL Nexus® F-SeriesNote4 License 8.1(1), 8.0(1) 8.0(1) Port Profile to Listener Ethernet35; NX-OS 6.1 7.3(0)D1(1), 7000 modules SGT, VLAN to V4 SGT over Series and later 2 F3 modules 7.2(0)D1(1) SGT , MACsec4 Port to SGT2 do not support 3 Subnet to : F3 interfaces SGT tagging 5 Note14 (L2 or L3) with other SGT require 802.1Q Cisco 1 or FabricPath products :FabricPath unless these support 4: F2e products requires (Copper) all support the 6.2(10) or later ports; F2e (SFP) & F3 SGT tagging 2 exemption VPC/VPC+ (10G)- last 8 feature for support ports; All Layer 2 requires others- no protocols. M3 7.2(0)D1(1) or support later series support 5: Not this by supported 5 Subnet to enabling ‘no between F3 SGT requires propagate-sgt and either M2 7.3(0)D1(1) or l2-control’ or F2e command. later

Cisco Nexus - Cisco NX-OS Cisco NX-OS (L2 adjacent Speaker SGT over SGACL Note16 Nexus 6000/5600 7.1(0)N1(1a) 7.0(1)N1(1) hosts only) V1 Ethernet 5000, Series Port to SGT 6000 Series

- Nexus Cisco NX-OS Cisco NX-OS (L2 adjacent Speaker SGT over SGACL Note16 5548P, 7.0(5)N1(1) 6.0(2)N2(6) hosts only) V1 1 Ethernet 5548UP, and Port to SGT 5596UP 1: FabricPath

Cisco Nexus 1000V Advanced Cisco NX-OS Cisco NX-OS Dynamic (802.1x) Speaker, SGT over SGACL, Nexus for VMware license for 5.2(1)SV3 (1.1) Note15, Ethernet Note9 Logging SGToE/ 5.2(1)SV3(3.1) Listener v4 1000 vSphere [Logging] IP to SGT, Series SGACL v1 (prior to support 5.2(1)SV3(1.3) Port Profile to 5.2(1)SV3(3.1) SGT

Nexus Advanced Cisco NX-OS Cisco NX-OS Port Profile to Speaker, No SGACL license for 1000VE 5.2(1)SV5(1.1) 5.2(1)SV5(1.1) SGT, Listener v4 Virtual Edge SGACL support IP to SGT

Cisco 4000 Series IP Base/K9 Cisco IOS XE Cisco IOS XE IP to SGT, Speaker, SGT over SGACL, Integrated ISR 4431, for classify/ Denali 16.3.2, Denali 16.3.2 Subnet to SGT, Listener Ethernet, SGT Monitor mode Services 4451-X, propagate, Everest 16.4.1 L3IF to SGT V4 over & Logging Router 4321, 4331, SGACL; GETVPN, SG Firewall (ISR) DMVPN, or 4351 Security/K9 IPsec VPN for SG FW SGT based enforcement PBR SGT Caching SGT based QoS

ISRv IP Base/K9 Cisco IOS XE Cisco IOS XE IP to SGT, Speaker, SGT over SGACL, Ethernet,  for classify/ Denali 16.3.2 Denali 16.3.2 Subnet to SGT, Listener Monitor mode propagate, L3IF to SGT V4 SGT over & Logging SGACL IPsec VPN, DMVPN

890, 1900, IP Base/K9 890: Cisco IOS 890: Cisco IP to SGT, Speaker, SGT over SG Firewall Ethernet (no 2900, 3900 for classify/ 15.4(1)T1 IOS 15.4(3)M Subnet to SGT, Listener Series propagate; L3IF to SGT support on ISR IOS 15.4(3)M V4 G2-Cisco 800 (890:No services)  Security/K9 1900/2900/390 1900/2900/39 Series), SGT based for SG FW 0:Cisco IOS 00: Cisco IOS SGT over PBR enforcement 15.5(1)20T 15.6(1)T GETVPN, SGT Caching IOS 15.4(3)M DMVPN, or SGT based IPsec VPN QoS


Cisco 4000 Series IP Base/K9 Cisco IOS XE Cisco IOS XE IP to SGT, Speaker, SGT over SG Firewall Integrated (ISR 4451-X for classify/ 3.15.01S 3.17.0S Subnet to SGT, Listener Ethernet, SGT Services validated) propagate; L3IF to SGT V4 over SGT based Router Security/K9 GETVPN, PBR (ISR)  DMVPN, or for SG FW SGT Caching enforcement IPsec VPN SGT based QoS SGT Netflow v9

SM-X Layer IP Cisco IOS Cisco IOS Dynamic, IP to Speaker, SGT over SGACL 2/3 Services/K9 15.5.2T 15.2(2)E SGT, VLAN to Listener Ethernet; SGT EtherSwitch SGT V4 over MACsec Module 

Cisco CSR 1000V IP Base/K9 Cisco IOS XE Cisco IOS XE IP to SGT, Speaker, SGT over SGACL, Cloud  for classify/ 16.6.3 Denali 16.3.2 Subnet to SGT, Listener Ethernet, Monitor mode Services propagate, L3IF to SGT V4 SGT over & Logging Router SGACL; Denali 16.3.2, Everest 16.4.1 IPsec VPN, DMVPN

Cloud IP Base/K9 Cisco IOS XE Cisco IOS XE IP to SGT, Speaker, SGT over SG Firewall Services for classify/ 3.15.01S 3.11.0S Subnet to SGT, Listener Ethernet, Router propagate; L3IF to SGT V4 SGT over SGT based 1000V Security/K9 IPsec VPN, PBR Series for enforce- DMVPN SGT Caching (CSR) ment  SGT Netflow v9

Cisco ASR 1004, IP Base/K9 Cisco IOS XE Cisco IOS XE IP to SGT, Speaker, SGT over SGACL, Aggreg- 1006, 1013, for classify/ 16.5.1b Denali 16.3.2 Subnet to SGT, Listener Ethernet, SGT Monitor mode ation 1001-X, 1002- propagate, L3IF to SGT V4 over & Logging Services X,1002-HX, SGACL; Denali 16.3.2, GETVPN, Everest 16.4.1 SG Firewall Router 1006-X, and Security/K9 DMVPN, or (ASR) 1009-X for SGFW IPsec VPN enforce- SGT based ment PBR SGT Caching SGT based QoS

ASR 1000 IP Base/K9 Cisco IOS XE Cisco IOS IP to SGT, Speaker, SGT over SG Firewall Series Router for classify/ 3.15.0S 3.17.0S Subnet to SGT, Listener Ethernet, Processor 1 or propagate; L3IF to SGT V4 SGT over SGT based 2 (RP1, RP2); Security/K9 GETVPN, PBR (1000 ASR 1001, for enforce- IPsec VPN, or RP2) 1002,1004, ment DMVPN 1006 and SGT based 1013 with ESP QoS (10,20, 40, SGT Caching 100, 200) and SGT Netflow SIP (10/40)  v9

ASR 1001- Cisco IOS XE Cisco IOS XE IP to SGT, Speaker, SGT over SG Firewall X and 3.13.0S 3.17.0S Subnet to SGT, Listener Ethernet, IP Base/K9 1002-X L3IF to SGT V4 SGT over SGT based for classify/  GETVPN, PBR propagate; IPsec VPN, SGT based Security/K9 DMVPN QoS for enforce- ment SGT Caching SGT Netflow v9

Cisco ISE 3515, Base Cisco ISE 2.4, Cisco ISE 2.2 Dynamic, IP to Speaker, – – Identity 3595, 3415, 2.3P1, 2.2, 2.1, SGT, Subnet to Listener Services and 3495 2.0, 1.4 SGT V4 Engine Plus for Appliance & pxGrid pxGrid VMware


Cisco ASA 5580 - Cisco ASA Cisco ASA Speaker, SG Firewall Adaptive 9.0.1, ASDM 9.0.1, ASDM Listener Security 7.1.6 7.1.6 v2 Appliance

ASA 5506-X, - Cisco ASA Cisco ASA Remote Access Speaker, SGT over SG Firewall 5506H-X, 9.6.1, ASDM 9.6.1, ASDM VPN (IPsec, Listener Ethernet (IPv4, IPv6) SSL-VPN) 5506W-X, 7.6.1 7.6.1 V3 5508-X, 5516- SGT based X PBR

ASA 5525-X, - Cisco ASA Cisco ASA Remote Access Speaker, SGT over SG Firewall 5545-X, 9.6.1, ASDM 9.6.1, ASDM VPN (IPsec, Listener Ethernet (IPv4, IPv6) SSL-VPN) 5555-X with 7.6.1 7.6.1 V3 FirePower SGT based Services PBR

ASAv - Cisco ASA Cisco ASA Remote Access Speaker, SGT over SG Firewall VPN (IPsec, Listener 9.3.1 ADSM 9.6.1 ASDM Ethernet SSL-VPN) V3 7.1.6 7.6.1 SGT based PBR

Cisco Cisco Firepower Cisco Cisco - pxGrid SGT over SG Firewall Firepower Firepower Threat Firepower Firepower Ethernet (src SGTs NGFW 2100 Defense System 6.2.1 System 6.2.1 only) Base SGT based PBR

FP 4100 - Cisco FXOS Cisco FXOS Remote Access Speaker, SGT over SG Firewall 2.0.1.37 2.0.1.37 VPN (IPsec, Listener Ethernet SSL-VPN) FP 9300 Cisco ASA Cisco ASA V3 SGT based 9.6.1 9.6.1 PBR

Cisco Firepower Cisco Firepower Cisco - pxGrid SGT over SG Firewall Firepower Threat System 6.1.0 Firepower Ethernet (src SGTs Threat Defense Defense System 6.1.0 only) Firepower Base 4100 & 9300 SGT based PBR

FTDv Threat & Cisco Firepower Cisco - pxGrid SGT over SG Firewall Apps (TA) System 6.2.0.2 Firepower Ethernet (src SGTs System only) 6.2.0.2 SGT based PBR

Cisco ISA 3000 - Cisco ASA Cisco ASA Remote Access Speaker, SGT over SG Firewall Industrial Series 9.6.1 9.6.1 VPN (IPsec, Listener Ethernet (IPv4, IPv6) Security SSL-VPN) V3 Appliance SGT based PBR

Table 3. End of Sale Group Based Policy Platform Support Matrix (https://www.cisco.com/c/en/us/products/eos-eol-listing.html)

Columns: EOS System Component | Platform | License | Solution-Level Validated Version | Minimum version for all features | Security Group Tag (SGT) Classification | SGT Exchange Protocol (SXP) Support and Version | Inline SGT Tagging | SGT Enforcement Services

Cisco Catalyst 2960- LAN Base Cisco IOS Cisco IOS Dynamic, IP to Speaker No No ® Note1 Catalyst S and 2960-SF K9 15.0(2)SE 15.2(2)E3 SGT, VLAN to V4 Note1 2000 Series 15.2(2)E SGT, Subnet to SGT Series

Cisco Catalyst 3560- IP Base K9 Cisco IOS Cisco IOS (L2 adjacent Speaker, No No Catalyst E and 3750-E 15.0(2)SE5 15.0(2)SE5 hosts only) Listener 3000 Series Dynamic, V2 Series IP to SGT, VLAN to SGT

Catalyst 3560- IP Base K9 Cisco IOS Cisco IOS (L2 adjacent Speaker SGT over SGACL Note16 X and 3750-X 15.2(2)E3 15.2(2)E1 hosts only) V4 Ethernet; SGT (maximum of Series Dynamic, IP to over MACsec 8 VLANs on a SGT (prefix must (with C3KX-SM- VLAN-trunk be 32), VLAN to 10G uplink); link) SGT, Port to SGT over SGT (only on VXLAN switch to switch links)

Cisco Cisco Catalyst IP Base K9 Cisco IOS Cisco IOS Dynamic, IP to Speaker, No No Catalyst 4948 Series 15.1(1)SG 15.1(1)SG SGT Listener 4500 V4 Series

Cisco Cisco Nexus Base Cisco NX-OS Cisco NX-OS IP to SGT1, Speaker, SGT over SGACL Nexus® 7000 F2- License 7.3(0)D1(1), 7.3(0)D1(1) Port Profile to Listener Ethernet; 7000 NX-OS 6.1 Series*** SGT, VLAN to V3 SGT over Series and later 2 modules SGT , MACsec4 7.2(0)D1(1) Port to SGT2 4 Subnet to : M & F2e SGT5 (Copper-) all ports; F2e 1:FabricPath (SFP) - last 8 support ports; All requires 6.2(10) others- no or later support

2 VPC/VPC+ support requires 7.2(0)D1(1) or later

5 Subnet to SGT requires 7.3(0)D1(1) or later

Cisco 5760 IP Base K9 Cisco IOS XE Cisco IOS XE Dynamic, IP to Speaker, SGT over SGACL Wireless Wireless 3.7.1E 3.3.1SE SGT, VLAN to Listener Ethernet Controller Controller SGT, Port to V4 Series SGT, Subnet to SGT

Wireless - Cisco AireOS Cisco AireOS Dynamic Speaker V2 No No Services 8.3.102.0, 7.6.130.0 Module 2 7.6.130.0 (WiSM2)

Flex 7500 - Cisco AireOS Cisco AireOS Dynamic Speaker V2 No No Series 8.3.102.0, 8.3 Wireless 7.6.130.0 Controller


Cisco ASR 1001, IP Base/K9 Cisco IOS XE Cisco IOS IP to SGT, Speaker, SGT over SG Firewall Aggreg- 1002 for classify/ 3.15.0S 3.17.0S Subnet to SGT, Listener Ethernet, ation propagate; L3IF to SGT V4 SGT over SGT based Services Security/K9 GETVPN, PBR (1000 Router for enforce- IPsec VPN, or RP2) (ASR) ment DMVPN SGT based QoS SGT Caching SGT Netflow v9

Cisco ISE 3315, Cisco ISE 1.0, – – Identity 3355, 3395, 1.1, 1.2 Services Appliance Engine

Cisco ASA 5510, - Cisco ASA Cisco ASA Speaker, SG Firewall Adaptive 5520, 5540, 9.0.1, ASDM 9.0.1, ASDM Listener Security 5550 7.1.6 7.1.6 v2 Appliance

ASA - ASA 9.3.1, Cisco ASA Remote Access Speaker, SGT over SG Firewall 5505Note3, ASDM 7.3.1, 9.3.1, ASDM VPN (IPsec, Listener Ethernet (IPv4, IPv6) 5512, 5515, CSM 4.8 7.3.1, CSM SSL-VPN) V2 (IPv4, IPv6) 5525, 5545, 4.8 SGT based 5555, 5585 PBR

ASA 5512- - Cisco ASA Cisco ASA Remote Access Speaker, SGT over SG Firewall X, 5515-X, 9.6.1, ASDM 9.6.1, ASDM VPN (IPsec, Listener Ethernet (IPv4, IPv6) SSL-VPN) 5585-X with 7.6.1 7.6.1 V3 FirePower SGT based Services PBR

Cisco Fire FirePOWER Threat & Cisco Cisco - - SGT over - POWER 7000 and Apps (TA) FireSIGHT FireSIGHT Ethernet 8000 Series 5.4.0.6, 5.4.1.5, 5.4.0.6, 6.0.1.1, 6.2 5.4.1.5, 6.0.1.1

Notes

1: Catalyst 2960 S/SF Product Management recommends 15.0(2)SE, which supports SXP v2.

2: Product part numbers of supported line cards for SGT over Ethernet and SGT over MACsec on the Cisco Catalyst 4500 Supervisor Engine 7-E, 7L-E, 8-E, and 8L-E include the following: WS-X4712-SFP+E, WS-X4712-SFP-E, WS-X4748-UPOE+E, WS-X4748-RJ45V+E, WS-X4748-RJ45-E, WS-X4724-SFP-E, WS-X4748-SFP-E, and WS-X4748-12X48U+E.

3: Cisco ASA 5505 does not support releases after 9.2.

4: Cisco Nexus 7000 F1-Series modules do not support Cisco TrustSec.

5: Use of inline tagging with LACP requires a future IOS XE Denali or IOS 3.7 release (CSCva22545).

6: For SXP support, the AP must run in FlexConnect mode.

7: With IPv6 support, DGT can be IPv4.

8: Prior versions of this document listed the Cisco Catalyst 3750-X validated version, IOS 12.2(3)E1, and WLC AireOS 8.1. These releases have been deferred.

9: When inline tagging (SGToE) is enabled with the VIC 12xx and VIC 13xx, packet processing is handled at the processor level, which results in lower network I/O performance. An alternative is to use Intel adaptors.

10: IOS XE Everest 16.6.2 SMU is required for ISE BYOD, Guest, and Posture features. See the ISE Compatibility Matrix: https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html

11: The IE 4000 and IE 5000 platforms perform similarly to the Catalyst 3560-X and 3750-X platforms in their reliance on the IP address, MAC address, and physical port/VLAN of the device, learned via dot1x, MAB, or IP Device Tracking (IPDT). These devices cannot use information learned via SXP for either enforcement or tag propagation, as the device is not directly attached. SXP v4 is supported in Speaker mode only.

12: On Catalyst 4500 Series Release 3.9 and later, with the introduction of VRF, an SVI is needed for the L3 lookup that derives the SGT for switched traffic, and an SVI is also needed on the VLAN for the derivation of the source group for L2 traffic.

13: C9500 as a border node does not currently support transferring the tag from the VXLAN header to the CMD field for inline tagging. C9500 outside the fabric supports inline tagging.

14: The N7K must have an SVI on the VLAN if the mappings reside in the VRF. If the N7K is L2 only, create an SVI without an IP address to be able to utilize the mappings from the VRF. An SVI is not required if the mappings are entered into the VLAN.

15: Dynamic classification with IEEE 802.1x on Nexus 1000V requires 5.2(1)SV3(4.1). This is validated with VMware Horizon 7 VDI.

16: Port-based platforms cannot enforce policy for remote IP addresses, i.e. they can only classify or enforce for IP addresses present in the IPDT table (hosts that are L2 adjacent).

17: IPv6 SGACL support was added in IOS-XE 16.10.1; validation in the solution validation 6.5 release was carried out with IOS-XE 16.12.1.


Printed in USA C96-731479-00 v6.4c 1/19
