
Cisco Group Based Policy Platform and Capability Matrix Release 6.5

(inclusive of TrustSec Software-Defined Segmentation)

Cisco Group Based Policy (also known as TrustSec Software-Defined Segmentation) uniquely builds upon your
existing identity-aware infrastructure by enforcing segmentation and access control policies in a scalable manner
using the capabilities detailed below. This document summarizes the platforms and features that are validated in
Cisco Group Based Policy testing. It is current with the validation program for Release 6.5.

Table 1 provides cross-platform group-based policy exchange interoperability testing results. Application
Centric Infrastructure (ACI) and Group Based Policy integration enables customers to apply consistent
security policy across the enterprise, leveraging user roles and device type together with application context.
The validated Open Source OpenDaylight SDN use case included Nexus 7k SXPv3, ASA SXPv3, and
OpenDaylight SXPv4 (Nitrogen and earlier releases) working together in the Data Center.

Table 1. TrustSec Group-Based Policy (GBP) Interoperability

Columns: System Component; Platform; Solution-Level Validated Version; Group Information Exchange; Interoperability Platform & Propagation Method.

Cisco Nexus 9000 Series Switches
  Platform: Cisco 9000 Series: Spine & Leaf
  Validated version: NX-OS 13.2(4e)
  Group information exchange: EndPoint Group – Security Group Mappings via TrustSec-ACI policy plane; and data plane exchange (cell spans this row and the APIC-DC row)
  Interoperability platform & propagation method: Cisco ISE 2.4 Patch 6, ACI API (cell spans this row and the APIC-DC row)

Cisco Application Policy Infrastructure Controller – Data Center
  Platform: Cisco APIC-DC
  Validated version: APIC-DC 3.2(4e)
  Group information exchange: as for the Nexus 9000 row above
  Interoperability platform & propagation method: as for the Nexus 9000 row above

Open Daylight SDN controller
  Platform: ODL SDN
  Validated version: Lithium, Beryllium, Carbon
  Group information exchange: SGT via SXP v4
  Interoperability platform & propagation method: Cisco ISE 2.1 - SXP v4; Nexus 7000 7.3 - SXP v3; ASA 9.6.1 - SXP v3

Open Daylight SDN controller
  Platform: ODL SDN
  Validated version: Nitrogen
  Group information exchange: IPv4, IPv6 SXP Peering
  Interoperability platform & propagation method: Cisco ISE 2.4; ASR 1001-X IOS XE 16.5.1b; CSR 1000v IOS XE 16.6.3; Cat 6500 IOS 15.4(1)SY2; Cat 3850 IOS 3.6.8E

In Tables 2 and 3 (Cisco Platform Support Matrix), dynamic classification includes IEEE 802.1X, MAC
Authentication Bypass (MAB), Web Authentication (Web Auth), and Easy Connect. IP to SGT, VLAN to SGT,
subnet to SGT, port profile to SGT, L2IF to SGT, and L3IF to SGT use the static classification method.

Cisco DNA Premier is a simple and economical solution for deploying branch and campus switches and
wireless access points. It offers an uncompromised user experience in a highly secure and feature-rich
access infrastructure and simplifies the licensing requirements for Group Based Policy deployment. Cisco DNA
Advantage requires Network Advantage hardware licenses.

Solution-level validated versions listed in the tables below may not always represent the latest available
platform version and feature set. Releases may encounter issues in other subsystems and be deferred. For the
latest platform firmware version and feature set, refer to the product release notes.

© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 12

As an aid to deployment, products are grouped into Tier I, II, and III with regard to feedback on design and
deployment. Tier I products have full Group Based Policy functionality with few caveats, and they are
common components in successful deployments. Tier II products have full Group Based Policy
functionality, but there are some caveats involved in their deployment. Tier III products do not have full Group Based
Policy functionality and support Classification and SXP based Propagation only. These products tend to be
older, with a less rich feature set and more caveats to consider when deploying. Security products are not
listed in a tier. End of Sale products are listed in Table 3.

VXLAN is supported on several platforms but not all are listed in the matrix pending review of solution test
verification.

Table 2. Cisco Group Based Policy Platform Support Matrix

Columns: System Component; Platform; License; Solution-Level Validated Version; Minimum version for all features; Security Group Tag (SGT) Classification; SGT Exchange Protocol (SXP) Support and Version; Inline SGT Tagging; SGT Enforcement and Services. Each entry below names the platform (with its system component in parentheses where the matrix starts a new component group) followed by the remaining columns as labelled fields. Where the matrix shows a single version, it is given once as "Validated / minimum version". Numbers in parentheses after a classification or tagging entry are row-local footnotes, listed at the end of that entry; "Note n" refers to the Notes at the end of the document.

Catalyst 2960-Plus Series (Cisco Catalyst 2000 Series)
  License: LAN Base - K9
  Validated / minimum version: Cisco IOS 15.2(2)E3
  Classification: Dynamic, IP to SGT, VLAN to SGT, Subnet to SGT
  SXP: Speaker, V4
  Inline tagging: No
  Enforcement and services: No

Catalyst 2960-C Series
  License: LAN Base - K9
  Validated / minimum version: Cisco IOS 15.2(2)E3
  Classification: Dynamic, IP to SGT, VLAN to SGT, Subnet to SGT
  SXP: Speaker, V4
  Inline tagging: No
  Enforcement and services: No

Catalyst 2960-CX Series
  License: LAN Base - K9
  Validated / minimum version: Cisco IOS 15.2(3)E
  Classification: Dynamic, IP to SGT, VLAN to SGT, Subnet to SGT
  SXP: Speaker, V4
  Inline tagging: No
  Enforcement and services: No

Catalyst 2960-X Series
  License: LAN Base K9
  Validated version: Cisco IOS 15.2(2)E
  Minimum version: Cisco IOS 15.2(2)E3
  Classification: Dynamic, IP to SGT, VLAN to SGT, Subnet to SGT
  SXP: Speaker, V4
  Inline tagging: No
  Enforcement and services: No

Catalyst 2960-XR Series
  License: IP Lite K9
  Validated version: Cisco IOS 15.2(2)E
  Minimum version: Cisco IOS 15.2(2)E3
  Classification: Dynamic, IP to SGT, VLAN to SGT, Subnet to SGT
  SXP: Speaker, V4
  Inline tagging: No
  Enforcement and services: No

Catalyst 3650 and 3850 Series (Cisco Catalyst 3000 Series)
  License: IP Base K9 & above or Cisco ONE Foundation & above
  Validated version: Cisco IOS XE 3.7.4E, 3.6.8E, 3.6.6E
  Minimum version: Cisco IOS XE 3.6.4E (3650 requires 3.7.1)
  Classification: Dynamic, IP to SGT (v4, v6), VLAN to SGT, Port to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet; SGT over MACsec
  Enforcement and services: SGACL, Logging (3.6.6E), SGT Netflow v9

Catalyst 3650 and 3850 Series
  License: IP Base K9 & above or Cisco ONE Foundation & above
  Validated version: Cisco IOS XE Denali 16.6.4
  Minimum version: Cisco IOS XE Denali 16.3.1
  Classification: Dynamic, IP to SGT (v4, v6), VLAN to SGT, Port to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet; SGT over MACsec; SGT over VXLAN
  Enforcement and services: SGACL, Monitor mode, Logging

Catalyst 3850-XS Series
  License: IP Base K9 & above or Cisco ONE Foundation & above
  Validated / minimum version: Cisco IOS XE 3.7.4
  Classification: Dynamic, IP to SGT, VLAN to SGT, Port to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet (Note 5); SGT over MACsec
  Enforcement and services: SGACL


Catalyst 3560-CX (Cisco Catalyst 3000 Series)
  License: IP Base K9
  Validated version: Cisco IOS 15.2(3)E
  Minimum version: Cisco IOS 15.2(4)E
  Classification: (L2 adjacent hosts only) Dynamic, IP to SGT (v4, v6), VLAN to SGT, Subnet to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: No
  Enforcement and services: SGACL (Note 16)

Catalyst 3560-C/CG Series
  License: IP Base K9
  Validated version: Cisco IOS 15.0(1)SE2
  Minimum version: Cisco IOS 15.2(2)E
  Classification: (L2 adjacent hosts only) Dynamic, IP to SGT, VLAN to SGT, Subnet to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: No
  Enforcement and services: No
Catalyst 4500 E-Series Supervisor Engine 8-E and 8L-E (Cisco Catalyst 4500 Series)
  License: IP Base K9 & above or Cisco ONE Foundation & above
  Validated version: Cisco IOS XE 3.7.1E
  Minimum version: Cisco IOS XE 3.6.0E; 3.8.0E - Logging
  Classification: Dynamic, IP to SGT (v4, v6), VLAN to SGT, Port to SGT, Subnet to SGT (Src & Dst), L3IF to SGT (Note 12)
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet; SGT over MACsec (see Note 2 for supported line cards)
  Enforcement and services: SGACL, Logging, SGT Netflow v9

Catalyst 4500-X Series
  License: IP Base K9 & above or Cisco ONE Foundation & above
  Validated version: Cisco IOS XE 3.6.3E, 3.6.6
  Minimum version: Cisco IOS XE 3.5.1E; 3.8.0E - logging
  Classification: Dynamic, IP to SGT (v4, v6), VLAN to SGT, Port to SGT, Subnet to SGT (Src & Dst), L3IF to SGT (Note 12)
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet; SGT over MACsec
  Enforcement and services: SGACL, Logging

Catalyst 4500 E-Series Supervisor Engine 7-E and 7L-E (Cisco Catalyst 4500 Series)
  License: IP Base K9 & above or Cisco ONE Foundation & above
  Validated version: Cisco IOS XE 3.7.1E
  Minimum version: Cisco IOS XE 3.5.1E
  Classification: Dynamic, IP to SGT, VLAN to SGT, Subnet to SGT, L3IF to SGT, Port to SGT (Note 12)
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet; SGT over MACsec (see Note 2 for supported line cards)
  Enforcement and services: SGACL, Logging [3.8.0E], SGT Netflow v9

Catalyst 4500 E-Series Supervisor Engine 6-E and 6L-E
  License: IP Base K9
  Validated / minimum version: Cisco IOS 15.1(1)SG
  Classification: Dynamic, IP to SGT (Note 12)
  SXP: Speaker, Listener, V4
  Inline tagging: No
  Enforcement and services: No

Catalyst 6500 Series Supervisor Engine 2T & Supervisor 6T; Catalyst 6807-XL (Cisco Catalyst 6500 Series)
  License: 2T: IP Base K9; 6T: IP Services K9
  Validated version: Cisco IOS 15.4(1)SY2, 15.2(1)SY05, 15.2(1)SY0a; Sup 6T: Cisco IOS 15.4(1)SY1
  Minimum version: Cisco IOS 15.2(1)SY0a; Sup 6T: Cisco IOS 15.4(1)SY1
  Classification: Dynamic, IP to SGT (v4, v6), VLAN to SGT, Port to SGT, Subnet to SGT (v4, v6), L3IF-to-SGT (v4, v6)
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet; SGT over MACsec (IPv4, IPv6) supported on WS-X69xx modules, C6800-32P10G/G-XL, C6800-16P10G/G-XL, C6800-8P10G/G-XL; SGT over VXLAN
  Enforcement and services: SGACL (IPv4 & IPv6), Monitor mode, Logging, SGT Caching, SGT Netflow v9

Catalyst 6880-X, 6840-X (incl. 6816-X-LE), and 6800ia
  License: IP Base K9 & above or Cisco ONE Foundation & above
  Validated version: Cisco IOS 15.2(2)SY2, 15.2(1)SY0a, 15.2(3a)E
  Minimum version: Cisco IOS 15.2(1)SY0a
  Classification: Dynamic, IP to SGT (v4, v6), VLAN to SGT, Port to SGT, Subnet to SGT (v4, v6), L3IF-to-SGT (v4, v6)
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet; SGT over MACsec (IPv4, IPv6)
  Enforcement and services: SGACL (IPv4, IPv6), Monitor mode, Logging, SGT Caching, SGT Netflow v9

Catalyst 6500 Series Supervisor Engine 32 and 720
  License: IP Base K9
  Validated version: Cisco IOS 12.2(33)SXJ2
  Minimum version: Cisco IOS 15.1(2)SY1
  Classification: Dynamic, IP to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: No
  Enforcement and services: No


Cisco Catalyst 9200 Series
  License: Network Advantage
  Validated / minimum version: Cisco IOS XE 16.10.1
  Classification: Dynamic, IP to SGT, VLAN to SGT, Port to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet, SGT over VXLAN
  Enforcement and services: SGACL V4, V6 (Note 17), Monitor mode, Logging, SGT Netflow v9

Cisco Catalyst 9300 Series
  License: Network Advantage
  Validated version: Cisco IOS XE Everest 16.6.2 SMU (Note 10), 16.8.1
  Minimum version: Cisco IOS XE Everest 16.6.2 SMU
  Classification: Dynamic, IP to SGT, VLAN to SGT, Port to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet, SGT over VXLAN
  Enforcement and services: SGACL V4, V6 (Note 17), Monitor mode, Logging, SGT Netflow v9

Catalyst 9400 Series Supervisor Engine-1 & -1XL (Cisco Catalyst 9400 Series)
  License: Network Advantage
  Validated version: Cisco IOS XE 16.6.2, 16.8.1
  Minimum version: Cisco IOS XE Everest 16.6.2 SMU (Note 10), 16.8.1
  Classification: Dynamic, IP to SGT, VLAN to SGT, Port to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet, SGT over VXLAN
  Enforcement and services: SGACL V4, V6 (Note 17), Monitor mode, Logging, SGT Caching, SGT Netflow v9

Cisco Catalyst 9500 Series
  License: Network Advantage
  Validated version: Cisco IOS XE Everest 16.6.2 SMU (Note 10)
  Minimum version: Cisco IOS XE Everest 16.6.2 SMU
  Classification: Dynamic, IP to SGT, VLAN to SGT, Port to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet, SGT over VXLAN (Note 13)
  Enforcement and services: SGACL V4, V6 (Note 17), Monitor mode, SGT Caching, SGT Netflow v9

Catalyst 9500H Series
  License: Network Advantage
  Validated / minimum version: Cisco IOS XE 16.12.2
  Classification: Dynamic, IP to SGT, VLAN to SGT, Port to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet, SGT over VXLAN
  Enforcement and services: SGACL V4, V6 (Note 17), Monitor mode, Logging, SGT Netflow v9

Cisco Catalyst 9600 Series
  License: Network Advantage
  Validated version: Cisco IOS XE Everest 16.12.2
  Minimum version: Cisco IOS XE 16.12.2
  Classification: Dynamic, IP to SGT, VLAN to SGT, Port to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet, SGT over VXLAN
  Enforcement and services: SGACL V4, V6 (Note 17), Monitor mode, Logging, SGT Netflow v9

CGR 2010 Series (Cisco Connected Grid Router Series)
  License: -
  Validated version: Cisco IOS 15.5(2)T
  Minimum version: Cisco IOS 15.4(1)T
  Classification: Dynamic, IP to SGT, VLAN to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over GETVPN, SGT over IPsec VPN
  Enforcement and services: SG Firewall

CGS 2500 Series (Cisco Connected Grid Switch Series)
  License: -
  Validated version: Cisco IOS 15.2(3)EA
  Minimum version: Cisco IOS 15.0(2)EK1
  Classification: Dynamic, IP to SGT, VLAN to SGT, Port to SGT, Subnet to SGT
  SXP: Speaker, Listener, V3
  Inline tagging: No
  Enforcement and services: No

IE 2000 & 2000U Series, IE 3000 Series (Cisco Industrial Ethernet Switches)
  License: LAN Base
  Validated version: Cisco IOS 15.2(3)EA; IE2000U: IOS 15.2(3)E3
  Minimum version: Cisco IOS 15.2(1)EY; IE2000U: IOS 15.2(3)E3
  Classification: (L2 adjacent hosts only) Dynamic, IP to SGT, VLAN to SGT, Subnet to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: No
  Enforcement and services: No

IE 3400 Series
  License: Network Advantage
  Validated / minimum version: Cisco IOS-XE 16.11.1
  Classification: Dynamic, IP to SGT, VLAN to SGT, Port to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet
  Enforcement and services: SGACL V4, V6 (Note 17), Monitor mode, Logging, SGT Netflow v9

IE 4000 Series
  License: LAN Base; IP Services for SGToE & SGACL
  Validated version: Cisco IOS 15.2(4)EA, 15.2(5)E
  Minimum version: Cisco IOS 15.2(5)E
  Classification: (L2 adjacent hosts only) Dynamic, IP to SGT, VLAN to SGT, Subnet to SGT
  SXP: Speaker (Note 11), V4
  Inline tagging: SGT over Ethernet
  Enforcement and services: SGACL (Note 16)

IE 5000 Series
  License: LAN Base; IP Services for SGToE & SGACL
  Validated version: Cisco IOS 15.2(2)EB1, 15.2(5)E
  Minimum version: Cisco IOS 15.2(5)E1
  Classification: (L2 adjacent hosts only) Dynamic, IP to SGT, VLAN to SGT, Subnet to SGT
  SXP: Speaker (Note 11), V4
  Inline tagging: SGT over Ethernet on 1G & 10G interfaces only
  Enforcement and services: SGACL (Note 16)

1700, 2700, 3700 AP Series (Wave 1) (Cisco Access Points)
  License: -
  Validated / minimum version: Cisco AireOS 8.9
  Classification: Dynamic
  SXP: Speaker, Listener, V4 (Note 6)
  Inline tagging: SGT over Ethernet
  Enforcement and services: SGACL (Note 6)

1815, 1830, 1850, 2800, 3800 AP Series (Wave 2)
  License: -
  Validated / minimum version: Cisco AireOS 8.9
  Classification: Dynamic
  SXP: Speaker, Listener, V4 (Note 6)
  Inline tagging: SGT over Ethernet
  Enforcement and services: SGACL (Note 6)


8540 Series Wireless Controller (Cisco Wireless Controller Series)
  License: -
  Validated / minimum version: Cisco AireOS 8.9
  Classification: Dynamic
  SXP: Speaker, v2
  Inline tagging: SGT over Ethernet
  Enforcement and services: Supports AP SGACL in Centralized and Flex Connect mode

5520 Series Wireless Controller
  License: -
  Validated / minimum version: Cisco AireOS 8.9
  Classification: Dynamic
  SXP: Speaker, v2
  Inline tagging: SGT over Ethernet
  Enforcement and services: Supports AP SGACL in Centralized and Flex Connect mode

3504 Wireless Controller (Centralized mode)
  License: -
  Validated / minimum version: Cisco AireOS 8.9
  Classification: Dynamic
  SXP: Speaker, v2
  Inline tagging: SGT over Ethernet
  Enforcement and services: Supports AP SGACL in Centralized and Flex Connect mode

vWLC
  License: -
  Validated / minimum version: Cisco AireOS 8.5
  Classification: Dynamic
  SXP: Speaker, v2
  Inline tagging / enforcement and services: Supports APs in Flex mode only

5500 Series (5508, 5520); 2500 Series (2504)
  License: -
  Validated version: Cisco AireOS 8.3.102.0, 7.6.130.0
  Minimum version: Cisco AireOS 7.6.130.0
  Classification: Dynamic
  SXP: Speaker, V2
  Inline tagging: No
  Enforcement and services: No

8500 Series (8540, 8510), pre 8.4
  License: -
  Validated version: Cisco AireOS 8.3.102.0
  Minimum version: Cisco AireOS 8.1
  Classification: Dynamic
  SXP: Speaker, V2
  Inline tagging: No
  Enforcement and services: No

Nexus 7000 with M3-Series modules (Cisco Nexus 7000 Series)
  License: Base License, NX-OS 6.1 and later
  Validated version: Cisco NX-OS 8.1(2), 8.0(1), 7.3.2, 7.3(0)D1(1) [logging, monitor mode], 7.2(0)D1(1)
  Minimum version: Cisco NX-OS 8.1(1), 8.0(1)
  Classification: IP to SGT (1), Port Profile to SGT, VLAN to SGT (2), Port to SGT (2), Subnet to SGT (5) (Note 14)
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet (5); SGT over MACsec; SGT over VXLAN
  Enforcement and services: SGACL, Monitor mode & logging
  Row note 5 (inline tagging): F3 interoperability requires the M3 'no propagate-sgt l2 control' command.

Nexus 7000 with M2-Series modules
  License: Base License, NX-OS 6.1 and later
  Validated version: Cisco NX-OS 8.1(1), 8.0(1), 7.3(0)D1(1) [Monitor mode & limited logging], 7.2(0)D1(1)
  Minimum version: Cisco NX-OS 8.0(1)
  Classification: IP to SGT (1), Port Profile to SGT, VLAN to SGT (2), Port to SGT (2), Subnet to SGT (5) (Note 14)
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet (5); SGT over MACsec
  Enforcement and services: SGACL, Monitor mode & limited logging
  Row notes: 1: FabricPath support requires 6.2(10) or later. 2: VPC/VPC+ support requires 7.2(0)D1(1) or later. 5 (classification): Subnet to SGT requires 7.3(0)D1(1) or later. 5 (inline tagging): M2 cannot link to F3 module.


Nexus 7700 F-Series modules (Note 4) (Cisco Nexus 7000 Series)
  Platform note: F3 modules do not support SGT tagging with other Cisco products unless these products support the SGT tagging exemption feature for Layer 2 protocols. M3 series support this by enabling the 'no propagate-sgt l2-control' command.
  License: Base License, NX-OS 6.1 and later
  Validated version: Cisco NX-OS 8.1(1), 8.0(1), 7.3(0)D1(1), 7.2(0)D1(1)
  Minimum version: Cisco NX-OS 8.0(1)
  Classification: IP to SGT (1), Port Profile to SGT, VLAN to SGT (2), Port to SGT (2), Subnet to SGT (5) (Note 14)
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet (3, 5); SGT over MACsec (4)
  Enforcement and services: SGACL
  Row notes: 1: FabricPath support requires 6.2(10) or later. 2: VPC/VPC+ support requires 7.2(0)D1(1) or later. 3: F3 interfaces (L2 or L3) require 802.1Q or FabricPath. 4: F2e (Copper) all ports; F2e (SFP) & F3 (10G) - last 8 ports; all others - no support. 5 (inline tagging): Not supported between F3 and either M2 or F2e. 5 (classification): Subnet to SGT requires 7.3(0)D1(1) or later.

Nexus 6000/5600 Series (Cisco Nexus 5000, 6000 Series)
  License: -
  Validated version: Cisco NX-OS 7.1(0)N1(1a)
  Minimum version: Cisco NX-OS 7.0(1)N1(1)
  Classification: (L2 adjacent hosts only) Port to SGT
  SXP: Speaker, V1
  Inline tagging: SGT over Ethernet
  Enforcement and services: SGACL (Note 16)

Nexus 5548P, 5548UP, and 5596UP
  License: -
  Validated version: Cisco NX-OS 7.0(5)N1(1)
  Minimum version: Cisco NX-OS 6.0(2)N2(6)
  Classification: (L2 adjacent hosts only) Port to SGT
  SXP: Speaker, V1 (1)
  Inline tagging: SGT over Ethernet
  Enforcement and services: SGACL (Note 16)
  Row note: 1: FabricPath

Nexus 1000V for VMware vSphere (Cisco Nexus 1000 Series)
  License: Advanced license for SGToE/SGACL support
  Validated and minimum versions (as listed): Cisco NX-OS 5.2(1)SV3(1.1); 5.2(1)SV3(3.1) [Logging]; 5.2(1)SV3(1.3)
  Classification: Dynamic (802.1x) (Note 15), IP to SGT, Port Profile to SGT
  SXP: Speaker, Listener, v4; v1 prior to 5.2(1)SV3(3.1)
  Inline tagging: SGT over Ethernet (Note 9)
  Enforcement and services: SGACL, Logging

Nexus 1000VE Virtual Edge
  License: Advanced license for SGACL support
  Validated / minimum version: Cisco NX-OS 5.2(1)SV5(1.1)
  Classification: Port Profile to SGT, IP to SGT
  SXP: Speaker, Listener, v4
  Inline tagging: No
  Enforcement and services: SGACL

4000 Series ISR 4431, 4451-X, 4321, 4331, 4351 (Cisco Integrated Services Router (ISR))
  License: IP Base/K9 for classify/propagate, SGACL; Security/K9 for SG FW enforcement
  Validated version: Cisco IOS XE Denali 16.3.2, Everest 16.4.1
  Minimum version: Cisco IOS XE Denali 16.3.2
  Classification: IP to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet, SGT over GETVPN, DMVPN, or IPsec VPN
  Enforcement and services: SGACL, Monitor mode & Logging, SG Firewall, SGT based PBR, SGT Caching, SGT based QoS

ISRv
  License: IP Base/K9 for classify/propagate, SGACL
  Validated / minimum version: Cisco IOS XE Denali 16.3.2
  Classification: IP to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet, SGT over IPsec VPN, DMVPN
  Enforcement and services: SGACL, Monitor mode & Logging

890, 1900, 2900, 3900 Series
  License: IP Base/K9 for classify/propagate; Security/K9 for SG FW enforcement
  Validated version: 890: Cisco IOS 15.4(1)T1, IOS 15.4(3)M; 1900/2900/3900: Cisco IOS 15.5(1)20T, IOS 15.4(3)M
  Minimum version: 890: Cisco IOS 15.4(3)M; 1900/2900/3900: Cisco IOS 15.6(1)T
  Classification: IP to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet (no support on ISR G2 Cisco 800 Series), SGT over GETVPN, DMVPN, or IPsec VPN
  Enforcement and services: SG Firewall (890: No services), SGT based PBR, SGT Caching, SGT based QoS


4000 Series (ISR 4451-X validated) (Cisco Integrated Services Router (ISR))
  License: IP Base/K9 for classify/propagate; Security/K9 for SG FW enforcement
  Validated version: Cisco IOS XE 3.15.01S
  Minimum version: Cisco IOS XE 3.17.0S
  Classification: IP to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet, SGT over GETVPN, DMVPN, or IPsec VPN
  Enforcement and services: SG Firewall, SGT based PBR, SGT Caching, SGT based QoS, SGT Netflow v9

SM-X Layer 2/3 EtherSwitch Module
  License: IP Services/K9
  Validated version: Cisco IOS 15.5.2T
  Minimum version: Cisco IOS 15.2(2)E
  Classification: Dynamic, IP to SGT, VLAN to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet; SGT over MACsec
  Enforcement and services: SGACL

CSR 1000V (Cisco Cloud Services Router)
  License: IP Base/K9 for classify/propagate, SGACL
  Validated version: Cisco IOS XE 16.6.3, Denali 16.3.2, Everest 16.4.1
  Minimum version: Cisco IOS XE Denali 16.3.2
  Classification: IP to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet, SGT over IPsec VPN, DMVPN
  Enforcement and services: SGACL, Monitor mode & Logging

Cloud Services Router 1000V Series (CSR)
  License: IP Base/K9 for classify/propagate; Security/K9 for enforcement
  Validated version: Cisco IOS XE 3.15.01S
  Minimum version: Cisco IOS XE 3.11.0S
  Classification: IP to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet, SGT over IPsec VPN, DMVPN
  Enforcement and services: SG Firewall, SGT based PBR, SGT Caching, SGT Netflow v9

ASR 1004, 1006, 1013, 1001-X, 1002-X, 1002-HX, 1006-X, and 1009-X (Cisco Aggregation Services Router (ASR))
  License: IP Base/K9 for classify/propagate, SGACL; Security/K9 for SGFW enforcement
  Validated version: Cisco IOS XE 16.5.1b, Denali 16.3.2, Everest 16.4.1
  Minimum version: Cisco IOS XE Denali 16.3.2
  Classification: IP to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet, SGT over GETVPN, DMVPN, or IPsec VPN
  Enforcement and services: SGACL, Monitor mode & Logging, SG Firewall, SGT based PBR, SGT Caching, SGT based QoS

ASR 1000 Series Router Processor 1 or 2 (RP1, RP2); ASR 1001, 1002, 1004, 1006 and 1013 with ESP (10, 20, 40, 100, 200) and SIP (10/40)
  License: IP Base/K9 for classify/propagate; Security/K9 for enforcement
  Validated version: Cisco IOS XE 3.15.0S
  Minimum version: Cisco IOS 3.17.0S
  Classification: IP to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet, SGT over GETVPN, IPsec VPN, or DMVPN
  Enforcement and services: SG Firewall, SGT based PBR (1000 or RP2), SGT based QoS, SGT Caching, SGT Netflow v9

ASR 1001-X and 1002-X
  License: IP Base/K9 for classify/propagate; Security/K9 for enforcement
  Validated version: Cisco IOS XE 3.13.0S
  Minimum version: Cisco IOS XE 3.17.0S
  Classification: IP to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet, SGT over GETVPN, IPsec VPN, DMVPN
  Enforcement and services: SG Firewall, SGT based PBR, SGT based QoS, SGT Caching, SGT Netflow v9

ISE 3515, 3595, 3415, and 3495 Appliance & VMware (Cisco Identity Services Engine)
  License: Base; Plus for pxGrid
  Validated version: Cisco ISE 2.4, 2.3P1, 2.2, 2.1, 2.0, 1.4
  Minimum version: Cisco ISE 2.2
  Classification: Dynamic, IP to SGT, Subnet to SGT
  SXP: Speaker, Listener, V4; pxGrid
  Inline tagging: –
  Enforcement and services: –


ASA 5580 (Cisco Adaptive Security Appliance)
  License: -
  Validated / minimum version: Cisco ASA 9.0.1, ASDM 7.1.6
  Classification: (none listed)
  SXP: Speaker, Listener, v2
  Inline tagging: (none listed)
  Enforcement and services: SG Firewall

ASA 5506-X, 5506H-X, 5506W-X, 5508-X, 5516-X
  License: -
  Validated / minimum version: Cisco ASA 9.6.1, ASDM 7.6.1
  Classification: Remote Access VPN (IPsec, SSL-VPN)
  SXP: Speaker, Listener, V3
  Inline tagging: SGT over Ethernet
  Enforcement and services: SG Firewall (IPv4, IPv6), SGT based PBR

ASA 5525-X, 5545-X, 5555-X with FirePower Services
  License: -
  Validated / minimum version: Cisco ASA 9.6.1, ASDM 7.6.1
  Classification: Remote Access VPN (IPsec, SSL-VPN)
  SXP: Speaker, Listener, V3
  Inline tagging: SGT over Ethernet
  Enforcement and services: SG Firewall (IPv4, IPv6), SGT based PBR

ASAv
  License: -
  Validated version: Cisco ASA 9.3.1, ASDM 7.1.6
  Minimum version: Cisco ASA 9.6.1, ASDM 7.6.1
  Classification: Remote Access VPN (IPsec, SSL-VPN)
  SXP: Speaker, Listener, V3
  Inline tagging: SGT over 
  Enforcement and services: SG Firewall, SGT based PBR

Cisco Firepower 2100 (Cisco Firepower NGFW)
  License: Firepower Threat Defense Base
  Validated / minimum version: Cisco Firepower System 6.2.1
  Classification: -
  SXP: pxGrid
  Inline tagging: SGT over Ethernet (src SGTs only)
  Enforcement and services: SG Firewall, SGT based PBR

FP 4100, FP 9300
  License: -
  Validated / minimum version: Cisco FXOS 2.0.1.37, Cisco ASA 9.6.1
  Classification: Remote Access VPN (IPsec, SSL-VPN)
  SXP: Speaker, Listener, V3
  Inline tagging: SGT over Ethernet
  Enforcement and services: SG Firewall, SGT based PBR

Firepower 4100 & 9300 (Cisco Firepower Threat Defense)
  License: Firepower Threat Defense Base
  Validated / minimum version: Cisco Firepower System 6.1.0
  Classification: -
  SXP: pxGrid
  Inline tagging: SGT over Ethernet (src SGTs only)
  Enforcement and services: SG Firewall, SGT based PBR

FTDv
  License: Threat & Apps (TA)
  Validated / minimum version: Cisco Firepower System 6.2.0.2
  Classification: -
  SXP: pxGrid
  Inline tagging: SGT over Ethernet (src SGTs only)
  Enforcement and services: SG Firewall, SGT based PBR

ISA 3000 Series (Cisco Industrial Security Appliance)
  License: -
  Validated / minimum version: Cisco ASA 9.6.1
  Classification: Remote Access VPN (IPsec, SSL-VPN)
  SXP: Speaker, Listener, V3
  Inline tagging: SGT over Ethernet
  Enforcement and services: SG Firewall (IPv4, IPv6), SGT based PBR

Table 3. End of Sale Group Based Policy Platform Support Matrix
(https://www.cisco.com/c/en/us/products/eos-eol-listing.html)

Columns, as in Table 2: EOS System Component; Platform; License; Solution-Level Validated Version; Minimum version for all features; Security Group Tag (SGT) Classification; SGT Exchange Protocol (SXP) Support and Version; Inline SGT Tagging; SGT Enforcement and Services. Entries use the same labelled-field layout as Table 2.

Catalyst 2960-S and 2960-SF Series (Cisco Catalyst 2000 Series)
  License: LAN Base K9
  Validated version: Cisco IOS 15.0(2)SE (Note 1), 15.2(2)E
  Minimum version: Cisco IOS 15.2(2)E3
  Classification: Dynamic, IP to SGT, VLAN to SGT, Subnet to SGT
  SXP: Speaker, V4 (Note 1)
  Inline tagging: No
  Enforcement and services: No

Catalyst 3560-E and 3750-E Series (Cisco Catalyst 3000 Series)
  License: IP Base K9
  Validated / minimum version: Cisco IOS 15.0(2)SE5
  Classification: (L2 adjacent hosts only) Dynamic, IP to SGT, VLAN to SGT
  SXP: Speaker, Listener, V2
  Inline tagging: No
  Enforcement and services: No

Catalyst 3560-X and 3750-X Series
  License: IP Base K9
  Validated version: Cisco IOS 15.2(2)E3
  Minimum version: Cisco IOS 15.2(2)E1
  Classification: (L2 adjacent hosts only) Dynamic, IP to SGT (prefix must be 32), VLAN to SGT, Port to SGT (only on switch to switch links)
  SXP: Speaker, V4
  Inline tagging: SGT over Ethernet; SGT over MACsec (with C3KX-SM-10G uplink); SGT over VXLAN
  Enforcement and services: SGACL (Note 16) (maximum of 8 VLANs on a VLAN-trunk link)

Cisco Catalyst 4948 Series (Cisco Catalyst 4500 Series)
  License: IP Base K9
  Validated / minimum version: Cisco IOS 15.1(1)SG
  Classification: Dynamic, IP to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: No
  Enforcement and services: No

Cisco Nexus 7000 F2-Series*** modules (Cisco Nexus 7000 Series)
  License: Base License, NX-OS 6.1 and later
  Validated version: Cisco NX-OS 7.3(0)D1(1), 7.2(0)D1(1)
  Minimum version: Cisco NX-OS 7.3(0)D1(1)
  Classification: IP to SGT (1), Port Profile to SGT, VLAN to SGT (2), Port to SGT (2), Subnet to SGT (5)
  SXP: Speaker, Listener, V3
  Inline tagging: SGT over Ethernet; SGT over MACsec (4)
  Enforcement and services: SGACL
  Row notes: 1: FabricPath support requires 6.2(10) or later. 2: VPC/VPC+ support requires 7.2(0)D1(1) or later. 4: M & F2e (Copper) all ports; F2e (SFP) - last 8 ports; all others - no support. 5: Subnet to SGT requires 7.3(0)D1(1) or later.

5760 Wireless Controller (Cisco Wireless Controller Series)
  License: IP Base K9
  Validated version: Cisco IOS XE 3.7.1E
  Minimum version: Cisco IOS XE 3.3.1SE
  Classification: Dynamic, IP to SGT, VLAN to SGT, Port to SGT, Subnet to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet
  Enforcement and services: SGACL

Wireless Services Module 2 (WiSM2)
  License: -
  Validated version: Cisco AireOS 8.3.102.0, 7.6.130.0
  Minimum version: Cisco AireOS 7.6.130.0
  Classification: Dynamic
  SXP: Speaker, V2
  Inline tagging: No
  Enforcement and services: No

Flex 7500 Series Wireless Controller
  License: -
  Validated version: Cisco AireOS 8.3.102.0, 7.6.130.0
  Minimum version: Cisco AireOS 8.3
  Classification: Dynamic
  SXP: Speaker, V2
  Inline tagging: No
  Enforcement and services: No


ASR 1001, 1002 (Cisco Aggregation Services Router (ASR))
  License: IP Base/K9 for classify/propagate; Security/K9 for enforcement
  Validated version: Cisco IOS XE 3.15.0S
  Minimum version: Cisco IOS 3.17.0S
  Classification: IP to SGT, Subnet to SGT, L3IF to SGT
  SXP: Speaker, Listener, V4
  Inline tagging: SGT over Ethernet, SGT over GETVPN, IPsec VPN, or DMVPN
  Enforcement and services: SG Firewall, SGT based PBR (1000 or RP2), SGT based QoS, SGT Caching, SGT Netflow v9

ISE 3315, 3355, 3395 Appliance (Cisco Identity Services Engine)
  Validated version: Cisco ISE 1.0, 1.1, 1.2
  Inline tagging: –
  Enforcement and services: –

ASA 5510, 5520, 5540, 5550 (Cisco Adaptive Security Appliance)
  License: -
  Validated / minimum version: Cisco ASA 9.0.1, ASDM 7.1.6
  Classification: (none listed)
  SXP: Speaker, Listener, v2
  Inline tagging: (none listed)
  Enforcement and services: SG Firewall

ASA 5505 (Note 3), 5512, 5515, 5525, 5545, 5555, 5585
  License: -
  Validated version: ASA 9.3.1, ASDM 7.3.1, CSM 4.8
  Minimum version: Cisco ASA 9.3.1, ASDM 7.3.1, CSM 4.8
  Classification: Remote Access VPN (IPsec, SSL-VPN)
  SXP: Speaker, Listener, V2
  Inline tagging: SGT over Ethernet (IPv4, IPv6)
  Enforcement and services: SG Firewall (IPv4, IPv6), SGT based PBR

ASA 5512-X, 5515-X, 5585-X with FirePower Services
  License: -
  Validated / minimum version: Cisco ASA 9.6.1, ASDM 7.6.1
  Classification: Remote Access VPN (IPsec, SSL-VPN)
  SXP: Speaker, Listener, V3
  Inline tagging: SGT over Ethernet
  Enforcement and services: SG Firewall (IPv4, IPv6), SGT based PBR

FirePOWER 7000 and 8000 Series (Cisco FirePOWER)
  License: Threat & Apps (TA)
  Validated version: Cisco FireSIGHT 5.4.0.6, 5.4.1.5, 6.0.1.1, 6.2
  Minimum version: Cisco FireSIGHT 5.4.0.6, 5.4.1.5, 6.0.1.1
  Classification: -
  SXP: -
  Inline tagging: SGT over Ethernet
  Enforcement and services: -

Notes
1: Catalyst 2960 S/SF product management recommends 15.0(2)SE, which supports SXP v2.
2: Product part numbers of supported line cards for SGT over Ethernet and SGT over MACsec on the Cisco
Catalyst 4500 Supervisor Engine 7-E, 7L-E, 8-E, and 8L-E include the following: WS-X4712-SFP+E, WS-X4712-
SFP-E, WS-X4748-UPOE+E, WS-X4748-RJ45V+E, WS-X4748-RJ45-E, WS-X4724-SFP-E, WS-X4748-SFP-E,
and WS-X4748-12X48U+E.
3: Cisco ASA 5505 does not support releases after 9.2.
4: Cisco Nexus 7000 F1-Series modules do not support Cisco TrustSec.
5: Use of inline tagging with LACP requires a future IOS XE Denali or IOS 3.7 release (CSCva22545).
6: For SXP support, the AP must run in FlexConnect mode.
7: With IPv6 support, DGT can be IPv4.
8: Prior versions of this document listed the Cisco Catalyst 3750-X validated version, IOS 12.2(3)E1, and WLC AireOS
8.1. These releases have been deferred.
9: When inline tagging (SGToE) is enabled with the VIC 12xx and VIC 13xx, packet processing is handled at the
processor level, which results in lower network I/O performance. An alternative solution is to use Intel
adaptors.
10: IOS XE Everest 16.6.2 SMU is required for ISE BYOD, Guest, and Posture features. See the ISE Compatibility
Matrix: https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html
11: The IE 4000 and IE 5000 platforms perform similarly to the Catalyst 3560-X and 3750-X platforms in their
reliance on the IP address, MAC address, and physical port/VLAN of the device, learned via dot1x, MAB, or IP
Device Tracking (IPDT). These devices cannot use information learned via SXP for either enforcement or tag
propagation, as the device is not directly attached. SXP v4 is supported in Speaker mode only.
12: On Catalyst 4500 Series Release 3.9 and later, with the introduction of VRF, an SVI is needed for the L3 lookup that
derives the SGT for switched traffic, and an SVI is also needed on the VLAN for the derivation of the source group for L2
traffic.
13: C9500 as a border node does not currently support transferring the tag from the VXLAN header to the CMD
field for inline tagging. C9500 outside the fabric supports inline tagging.
14: The N7K must have an SVI on the VLAN if the mappings reside in the VRF. If the N7K is L2 only, create an SVI
without an IP address to be able to utilize the mappings from the VRF. An SVI is not required if the mappings are entered into the VLAN.
15: Dynamic classification with IEEE 802.1x on Nexus 1000V requires 5.2(1)SV3(4.1). This is validated with
VMware Horizon 7 VDI.
16: Port based platforms cannot enforce policy for remote IP addresses, i.e. they can only classify or
enforce for IP addresses present in the IPDT table (hosts that are L2 adjacent).
17: IPv6 SGACL support was added in IOS-XE 16.10.1, and validation in the solution validation 6.5 release was carried out
with IOS-XE 16.12.1.

Printed in USA C96-731479-00 v6.4c 1/19
