Matrices

Location in GUI: Work Centers » TrustSec » TrustSec Policy » Matrix

Diagram
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| matrices | List[matrices] | | No | |

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| description | String | | No | |
| matrix_policy_type | Choice | TRUSTSEC_POLICY, TRAFFIC_STEERING_POLICY | No | TRUSTSEC_POLICY |
| copy_policy_from | String | | No | |
| matrix_entries | List[matrix_entries] | | No | |

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| source_sgt | String | | Yes | |
| destination_sgt | String | | Yes | |
| rule_status | Choice | DISABLED, ENABLED, MONITOR | No | |
| sgacl_name | String | | Yes | |

All ISE versions support a built-in Production matrix. To define entries in it, use the top-level matrix_entries list directly under trust_sec; no matrix_mode or matrices block is required.

Cisco ISE 3.4 Patch 2 introduced support for multiple named matrices (MULTIPLE_MATRICES mode). On earlier ISE versions only the matrix_entries shorthand shown in Example 1 applies.

Example 1: Basic TrustSec matrix entry configuration allowing all traffic between TrustSec devices using the default Permit IP security group ACL:

```yaml
ise:
  trust_sec:
    matrix_entries:
      - source_sgt: TrustSec_Devices
        destination_sgt: TrustSec_Devices
        rule_status: ENABLED
        sgacl_name: Permit IP
```

Example 2: Comprehensive TrustSec deployment with push_mode set to AUTO, so that policy changes are distributed to network devices as soon as they are applied (review matrix entries before applying, since a wrong cell takes effect on the devices immediately). It defines custom security groups, an SGACL that permits only HTTP and HTTPS, and matrix entries in both directions between the printer and server groups:

```yaml
ise:
  trust_sec:
    push_mode: AUTO
    security_groups:
      - name: Printers
        description: Printer security group
        value: 101
      - name: Servers
        description: Server security group
        value: 102
    security_group_acls:
      - name: Permit_HTTP_HTTPS
        description: Allow HTTP and HTTPS traffic
        ip_version: IPV4
        acl_content: |
          permit tcp dst eq 80
          permit tcp dst eq 443
    matrix_entries:
      - source_sgt: Printers
        destination_sgt: Servers
        rule_status: ENABLED
        sgacl_name: Permit_HTTP_HTTPS
      - source_sgt: Servers
        destination_sgt: Printers
        rule_status: ENABLED
        sgacl_name: Permit_HTTP_HTTPS
```

ℹ️ Multiple Matrices mode (ISE 3.4 Patch 2+): the examples above use the matrix_entries shorthand, which always maps to the built-in Production matrix and works on all ISE versions. To manage named matrices alongside Production (e.g. PreProd, Staging), use the matrices list format shown below; this requires ISE 3.4 Patch 2 or later. Both formats are fully supported by the module, and matrix_mode does not need to be set when using the matrix_entries shorthand.

Example 3: Single matrix mode — all entries placed explicitly in the built-in Production matrix using the matrices list. matrix_mode is set here for clarity but defaults to SINGLE_MATRIX:

```yaml
ise:
  trust_sec:
    matrix_mode: SINGLE_MATRIX
    matrices:
      - name: Production
        matrix_entries:
          - source_sgt: Employees
            destination_sgt: BYOD
            rule_status: ENABLED
            sgacl_name: Permit IP
          - source_sgt: Guests
            destination_sgt: BYOD
            rule_status: ENABLED
            sgacl_name: Deny IP
```

Example 4: Multiple matrices mode — separate named matrices for different environments. The Production matrix is always built-in; additional matrices (e.g. PreProd) are created automatically:

```yaml
ise:
  trust_sec:
    matrix_mode: MULTIPLE_MATRICES
    security_groups:
      - name: Employees_Preprod
        value: 100
      - name: Servers_Preprod
        value: 200
      - name: Guests_Preprod
        value: 300
    matrices:
      - name: Production
        matrix_entries:
          - source_sgt: Employees_Preprod
            destination_sgt: Servers_Preprod
            rule_status: ENABLED
            sgacl_name: Permit IP
          - source_sgt: Guests_Preprod
            destination_sgt: Servers_Preprod
            rule_status: ENABLED
            sgacl_name: Deny IP
      - name: PreProd
        description: Pre-production policy matrix
        matrix_policy_type: TRUSTSEC_POLICY
        matrix_entries:
          - source_sgt: Employees_Preprod
            destination_sgt: Servers_Preprod
            rule_status: MONITOR
            sgacl_name: Permit IP
```

Example 5: Multiple matrices mode — create a new matrix by copying policy from an existing one, then override selected entries:

```yaml
ise:
  trust_sec:
    matrix_mode: MULTIPLE_MATRICES
    matrices:
      - name: Production
        matrix_entries:
          - source_sgt: Employees
            destination_sgt: PCI_Servers
            rule_status: ENABLED
            sgacl_name: Permit IP
      - name: PreProd
        description: Copied from Production for pre-prod testing
        copy_policy_from: Production
        matrix_entries:
          - source_sgt: Employees
            destination_sgt: PCI_Servers
            rule_status: MONITOR
            sgacl_name: Permit IP
```
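The attribute tables and Examples 1 to 5 together describe a structure that is easy to get subtly wrong before a push_mode AUTO apply: a matrix entry that names an SGT or SGACL defined nowhere, the same cell listed twice, a named matrix without MULTIPLE_MATRICES, or a MONITOR cell left in the enforced Production matrix. The following lint pass is an added example, not part of the module or of Cisco ISE; it applies the Choice and mandatory constraints from the tables above and the cross-reference checks a reviewer would run, over the dict that `yaml.safe_load` returns for the `trust_sec:` mapping. The sample input is constructed from Example 4 with three deliberate defects, and the assumption that "Permit IP" and "Deny IP" already exist on ISE as default SGACLs is taken from the examples, not verified here.

```python
"""Added lint pass for the trust_sec matrix structure documented above (example code,
not part of the module). Input is the mapping under `ise: trust_sec:`."""
from collections import Counter

RULE_STATUS = {"DISABLED", "ENABLED", "MONITOR"}
POLICY_TYPES = {"TRUSTSEC_POLICY", "TRAFFIC_STEERING_POLICY"}
MATRIX_MODES = {"SINGLE_MATRIX", "MULTIPLE_MATRICES"}
BUILTIN_MATRIX = "Production"  # always present on ISE per the page


def lint_trust_sec(trust_sec, preexisting_sgts=(), preexisting_sgacls=()):
    """Return (severity, location, message) findings. `preexisting_*` name objects
    that already exist on ISE and are therefore not defined in this file."""
    findings = []

    def err(where, msg):
        findings.append(("ERROR", where, msg))

    def warn(where, msg):
        findings.append(("WARN", where, msg))

    sgts = set(preexisting_sgts) | {g["name"] for g in trust_sec.get("security_groups", [])}
    sgacls = set(preexisting_sgacls) | {a["name"] for a in trust_sec.get("security_group_acls", [])}

    mode = trust_sec.get("matrix_mode", "SINGLE_MATRIX")  # page: defaults to SINGLE_MATRIX
    if mode not in MATRIX_MODES:
        err("matrix_mode", f"{mode!r} not in {sorted(MATRIX_MODES)}")

    declared = [m.get("name") for m in trust_sec.get("matrices", [])]
    for name, count in Counter(declared).items():
        if count > 1:
            err(name, f"matrix declared {count} times in the matrices list")

    # The matrix_entries shorthand IS the Production matrix: merge it with any explicit
    # Production block so that a cell defined in both places is reported as a duplicate.
    matrices = {}
    if "matrix_entries" in trust_sec:
        matrices[BUILTIN_MATRIX] = list(trust_sec["matrix_entries"])
    for m in trust_sec.get("matrices", []):
        name = m.get("name")
        if not name:
            err("matrices", "matrix without a name (name is mandatory)")
            continue
        ptype = m.get("matrix_policy_type", "TRUSTSEC_POLICY")
        if ptype not in POLICY_TYPES:
            err(name, f"matrix_policy_type {ptype!r} not in {sorted(POLICY_TYPES)}")
        src = m.get("copy_policy_from")
        if src is not None and src != BUILTIN_MATRIX and src not in declared:
            warn(name, f"copy_policy_from {src!r} is not defined in this file; it must already exist on ISE")
        if name != BUILTIN_MATRIX and mode != "MULTIPLE_MATRICES":
            err(name, "named matrices other than Production need matrix_mode: MULTIPLE_MATRICES (ISE 3.4 Patch 2+)")
        matrices.setdefault(name, []).extend(m.get("matrix_entries", []))

    for name, entries in matrices.items():
        cells = Counter()
        for i, e in enumerate(entries):
            where = f"{name}[{i}]"
            missing = [k for k in ("source_sgt", "destination_sgt", "sgacl_name") if not e.get(k)]
            if missing:
                err(where, "missing mandatory field(s): " + ", ".join(missing))
                continue
            status = e.get("rule_status")
            if status is not None and status not in RULE_STATUS:
                err(where, f"rule_status {status!r} not in {sorted(RULE_STATUS)}")
            for k in ("source_sgt", "destination_sgt"):
                if e[k] not in sgts:
                    err(where, f"{k} {e[k]!r} is neither defined here nor listed as pre-existing")
            if e["sgacl_name"] not in sgacls:
                err(where, f"sgacl_name {e['sgacl_name']!r} is neither defined here nor listed as pre-existing")
            if name == BUILTIN_MATRIX and status == "MONITOR":
                warn(where, "MONITOR in the Production matrix: this cell is monitored, not enforced")
            cells[(e["source_sgt"], e["destination_sgt"])] += 1
        for (s, d), n in cells.items():
            if n > 1:
                err(name, f"cell {s} -> {d} is defined {n} times in this file")
    return findings


def cell(src, dst, sgacl, status="ENABLED"):
    return {"source_sgt": src, "destination_sgt": dst, "rule_status": status, "sgacl_name": sgacl}


# Constructed sample: Example 4 from this page plus three deliberate defects.
SAMPLE = {
    "matrix_mode": "MULTIPLE_MATRICES",
    "security_groups": [{"name": n, "value": v} for n, v in
                        (("Employees_Preprod", 100), ("Servers_Preprod", 200), ("Guests_Preprod", 300))],
    "matrices": [
        {"name": "Production", "matrix_entries": [
            cell("Employees_Preprod", "Servers_Preprod", "Permit IP"),
            cell("Guests_Preprod", "Servers_Preprod", "Deny IP"),
            cell("Guests_Preprod", "Servers_Preprod", "Permit IP"),             # defect: same cell twice, other SGACL
            cell("Employees_Preprod", "Guests_Preprod", "Deny IP", "MONITOR"),  # defect: MONITOR in enforced matrix
        ]},
        {"name": "PreProd", "description": "Pre-production policy matrix",
         "matrix_policy_type": "TRUSTSEC_POLICY", "matrix_entries": [
            cell("Employees_Preprod", "Servers_Preprod", "Permit IP", "MONITOR"),
            cell("Employees_Preprod", "Contractors_Preprod", "Permit_Web"),     # defect: SGT and SGACL exist nowhere
        ]},
    ],
}


def lint_sample():
    # Assumption from the examples: "Permit IP" and "Deny IP" are ISE default SGACLs, not defined in the file.
    return lint_trust_sec(SAMPLE, preexisting_sgacls={"Permit IP", "Deny IP"})


if __name__ == "__main__":
    for sev, where, msg in lint_sample():
        print(f"{sev:5} {where}: {msg}")
```

Run it against the sample and it reports three errors (the duplicated Guests_Preprod -> Servers_Preprod cell, the undefined Contractors_Preprod SGT and the undefined Permit_Web SGACL) and one warning for the MONITOR cell in Production. Pass the SGTs and SGACLs that already exist on your ISE through the `preexisting_*` arguments; anything not in either set is treated as a typo, which is the failure you want to catch before the module pushes the matrix.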