
Abstract

This session provides an overview of the Cisco TrustSec solution for Enterprise network segmentation and Role-Based Access Control. SGA allows for simplified network segmentation based on user identity/role and allows for secure access and consistent security policies across wired and wireless networks.

We will cover the SGA solution on the Catalyst, Nexus switching and routing (ASR1K/CSR/ISR) platforms, including converged wired/wireless, with a focus on the deployment use cases in campus, data center and branch networks. The session covers an architectural overview of SGA and the benefits of TrustSec role-based policies, and the elements of Cisco TrustSec: user identification with 802.1X, device identification, role classification using Security Group Tagging (SGT) and enforcement using Security Group Access Control Lists (SGACL).

This session is for Network Architects, Pre-Sales Engineers and Technical Decision Makers. Previous knowledge or experience is recommended in campus design, Internet edge design, routing protocol design, and Layer 2 and Layer 3 switching.

Things have changed and are changing

- Dialup Internet is history today. We moved on to faster means to connect to the Internet.
- Where it took days to weeks to provision physical servers, it takes minutes to provision VMs.
- How do you get to create logical segments on the fly?

Enterprise Network Segmentation with Cisco TrustSec
Hariprasad Holla, Technical Marketing Engineer, Cisco
BRKCRS-2981
hari_holla

Agenda

- Network Segmentation: the past, present and future of network segmentation
- TrustSec Deep-dive
- Deploying TrustSec
- Use cases & Deployment scenarios
- Key takeaways

For your reference:
- WHAT is Cisco TrustSec
- HOW to deploy TrustSec
- WHY segment the TrustSec way?
- WHEN to deploy TrustSec: Now!

Cisco ISE & TrustSec Sessions: Building Blocks

- BRKSEC-3699 Designing ISE for Scale & High Availability (Mon 1:00pm)
- CCSSEC-2002 Cisco IT Identity Services Engine (ISE) Deployment and Best Practices (Thurs 12:30pm)
- BRKSEC-3697 Advanced ISE Services, Tips and Tricks (Tues 1:00pm, Wed 1:00pm)
- BRKSEC-2045 Mobile Devices and BYOD Security Deployment and Best Practices (Tues 3:30pm, Wed 3:30pm)
- BRKSEC-2695 Building an Enterprise Access Control Architecture using ISE and TrustSec (Mon 10:00am + Thur 8:00am)
- BRKCRS-2891 Enterprise Network Segmentation with Cisco TrustSec (Mon 8:00am)
- BRKSEC-2203 Deploying TrustSec Security Group Tagging (Wed 3:30pm)
- BRKSEC-3690 Advanced Security Group Tags: The Detailed Walk Through (Thur 10:00am)
- BRKSEC-2026 Network as a Sensor and Enforcer (Mon 1:00pm)

Network Segmentation

Segmentation at Cisco Live

- It all starts with registration: get the appropriate passes.
- Enforcers refer to the policy.
- Enforcers grant access to the places you are authorized for.

http://www.ciscolive.com/us/registration-packages/

Factors governing segmentation

- Line of business / BU segmentation (e.g. a POS network kept apart from the other network)
- Payment Card Industry
- Hospital network: medical devices, doctors, staff

As networks evolve, granular segmentation is desired: Internet, Bring-Your-Own-Device, Mergers and Acquisitions, Multi-Tenancy.

Network Segmentation is a must to contain threats!

- Good network and role segmentation will do wonders for containing an incident.
- Effective network segmentation reduces the extent to which an adversary can move across the network.
- Network segmentation is one of the most effective controls an agency can implement to mitigate the second stage of a network intrusion, propagation or lateral movement.
- Segregate networks, limit allowed protocol usage and limit users' excessive privileges.

Traditional Segmentation

Fundamentally VLAN based:
- Every segment is a separate VLAN / Subnet / VRF.
- Segment to segment communication is governed by IP routes and IP based policies.
- Classify assets into VLANs, transport the context in L2 (VLAN tag) / L3 (IP address / VRF), enforce based on IP-ACLs.

The three functions in the traditional model:
- Classify: static / dynamic VLAN assignments
- Propagation: carry the segment context over the network through VLAN tags / IP address / VRF
- Enforcement: IP based policies (ACLs, firewall rules)

Example campus LAN: VLAN 10 / subnet 10.10.X.X in VRF-10 and VLAN 20 / subnet 10.20.X.X in VRF-20, with an IP-based ACL between the segments:

access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

Traditional Segmentation

Simple segmentation with 2 VLANs (Voice, Data) at the access layer grows into more policies as more segments are added (Suppliers, Guest, Quarantine). For every new segment the aggregation layer needs a VLAN, addressing, a DHCP scope, routing, a static ACL and redundancy, and the ACL rules grow with more segments. These steps are replicated across floors, buildings and sites.

TrustSec Overview

Security Group based Policy (example): HR Group : SGT-05, ENG Group : SGT-06. Group membership comes from AD through ISE.

IP-SGT bindings built during classification:
  IP Address   SG Name       SGT #
  10.0.0.1     HR            5
  10.0.0.2     ENG           6
  10.0.1.1     HR Servers    11
  10.0.1.2     ENG Servers   12

Policy matrix (SRC \ DST): rows Group-HR (5), Group-ENG (6); columns HR-Servers (11), ENG-Servers (12).

Walk-through of the diagram:
- Classify: Employee1 (HR Group, 10.0.0.1) and Employee2 (ENG Group, 10.0.0.2) authenticate and receive SGT 5 and SGT 6. The DC switch classifies the servers as SGT 11 (HR Servers) and SGT 12 (ENG Servers).
- Transport: a switch/WLC with inline SGT support carries the tag in the frame (S: 10.0.0.1, SGT=5, D: 10.0.1.1). A switch/WLC without SGT support sends the binding over SXP instead (IP:10.0.0.2 = SGT:6) to the firewall, and the frame travels untagged (S: 10.0.0.2, D: 10.0.1.1).
- Enforce: the firewall or DC switch looks up the (source SGT, destination SGT) cell of the matrix for the flow.

User to Data Center Access Control with TrustSec

Regardless of topology or location, the policy (Security Group Tag) stays with users, devices and servers. In the diagram, the Access Layer in the Main Building (Data VLAN, Voice) and in Building 3 (WLAN Data VLAN, Voice) carries Employee, Supplier, Guest and Quarantine tags through the Campus Core to the Data Center Firewall and the Data Center.

Campus Segmentation with TrustSec

Enforcement is based on the Security Group Tag and can control communication within the same VLAN. In the diagram, Employee, Guest and Quarantine endpoints share Data VLAN (100) in the Main Building and Data VLAN (200) in Building 3, yet the Employee, Supplier, Guest and Quarantine tags still keep them apart on the way through the Access Layer and Campus Core to the Data Center Firewall.

TrustSec Deep-dive (WHAT is TrustSec)

TrustSec and ISE

Cisco Identity Services Engine (ISE) is the policy server for TrustSec:
- NDAC: the Cisco TrustSec Network Device Admission Control (NDAC) feature creates an independent layer of trust between Cisco TrustSec devices to prohibit rogue devices from being allowed on the network.
- SGACL (Security Group ACL): define the policy matrix (sources x destinations) on ISE; it will be pushed down to the enforcement points in the network via a secure channel, together with the SGACL / name table.
- SGT and SGT names: centrally define business-relevant Security Group names (e.g. Employee, PCI Clients, PCI Servers, Prod. Servers). SGT numbers are autogenerated corresponding to the SGT names.
- Dynamic SGT assignment: ISE authenticates wired/wireless/VPN clients (802.1X) and assigns Security Group Tags (SGT).
- Static SGT assignments.

TrustSec Functions

- Classification (assigning SGTs, e.g. Employee, Voice, Partner): static assignments, dynamic assignments
- Propagation: inline SGT, SXP, WAN options
- Enforcement: Security Group ACL, SG Firewall, SG Zone Based FW

Classification

Assigning Security Group Tags:
- Dynamic assignments (802.1X, MAB): for mobile devices.
- Static assignments: for servers and topologies.

Static mapping types:
- VLAN to SGT (VLAN-10 = LAN-A_SGT)
- Subnet to SGT (10.1.1.0/24 = SiteA_SGT)
- Port to SGT, L2/L3 (0/1 = DEV_SGT, 0/2 = PROD_SGT)
- Virtual Port Profile to SGT
- IP to SGT (1.1.1.1 = PROD, 1.1.1.2 = PCI)

Classification: L3 Interface to SGT Mappings

Route prefix monitoring on a specific Layer 3 port maps the learned prefixes to an SGT. It can apply to Layer 3 interfaces regardless of the underlying physical interface: routed port, SVI (VLAN interface), tunnel interface.

cts role-based sgt-map interface GigabitEthernet 3/0/1 sgt 8
cts role-based sgt-map interface GigabitEthernet 3/0/2 sgt 9

In the diagram, g3/0/1 faces the Joint Ventures / Business Partners and receives route updates for 17.1.1.0/24; g3/0/2 faces DC Access (Hypervisor SW) and receives route updates for 43.1.1.0/24 and 49.1.1.0/24.

VSS-1#show cts role-based sgt-map all
Active IP-SGT Bindings Information
IP Address      SGT   Source
========================================
11.1.1.2        2     INTERNAL
12.1.1.2        2     INTERNAL
13.1.1.2        2     INTERNAL
17.1.1.0/24     8     L3IF
43.1.1.0/24     9     L3IF
49.1.1.0/24     9     L3IF

SGT Classification Binding Source Priority (IOS)

The current priority enforcement order, from lowest (1) to highest (7), is as follows:
1. VLAN: bindings learned from snooped ARP packets on a VLAN that has a VLAN-SGT mapping configured.
2. CLI: address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.
3. Layer 3 Interface (L3IF): bindings added due to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports.
4. SXP: bindings learned from SXP peers.
5. IP_ARP: bindings learned when tagged ARP packets are received on a CTS capable link.
6. LOCAL: bindings of authenticated hosts which are learned via EPM and device tracking. This type of binding also includes individual hosts that are learned via ARP snooping on L2 [I]PM configured ports.
7. INTERNAL: bindings between locally configured IP addresses and the device's own SGT.
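The priority list above decides which SGT a switch uses when several sources claim a binding for the same IP. The following added example (not code from the Cisco Live deck) models that resolution and reports the losing bindings that disagree on the SGT, which is the case worth alerting on; the sample bindings are constructed.

```python
# Added example: resolve IP-SGT bindings by the IOS binding-source priority above.
# When several sources claim a binding for the same IP, the highest-priority source wins.
from dataclasses import dataclass

# Priority order from the slide, lowest (1) to highest (7).
BINDING_PRIORITY = {
    "VLAN": 1,       # snooped ARP on a VLAN that has a VLAN-SGT mapping
    "CLI": 2,        # cts role-based sgt-map <ip> sgt <n>
    "L3IF": 3,       # FIB entries reached via an L3IF-SGT mapped interface
    "SXP": 4,        # learned from an SXP peer
    "IP_ARP": 5,     # tagged ARP received on a CTS-capable link
    "LOCAL": 6,      # authenticated hosts (EPM / device tracking)
    "INTERNAL": 7,   # the device's own addresses
}


@dataclass(frozen=True)
class Binding:
    ip: str
    sgt: int
    source: str


def resolve_bindings(bindings):
    """Return {ip: Binding}, keeping per IP the binding from the highest-priority source.
    An unknown source raises, so a typo never silently loses its priority."""
    active = {}
    for b in bindings:
        if b.source not in BINDING_PRIORITY:
            raise ValueError(f"unknown binding source {b.source!r}")
        current = active.get(b.ip)
        if current is None or BINDING_PRIORITY[b.source] > BINDING_PRIORITY[current.source]:
            active[b.ip] = b
    return active


def shadowed_bindings(bindings):
    """Bindings that lost to a higher-priority source for the same IP *and* carry a
    different SGT: two sources disagree about the group of that host."""
    active = resolve_bindings(bindings)
    return [b for b in bindings
            if active[b.ip] is not b and active[b.ip].sgt != b.sgt]


# Constructed sample: a server with a static CLI mapping (SGT 5) that an SXP-learned
# binding (SGT 4) overrides, plus the device's own address seen via VLAN snooping.
SAMPLE = [
    Binding("10.1.40.10", 5, "CLI"),
    Binding("10.1.40.10", 4, "SXP"),
    Binding("10.1.44.1", 2, "INTERNAL"),
    Binding("10.1.44.1", 9, "VLAN"),
    Binding("10.0.200.203", 4, "SXP"),
]

if __name__ == "__main__":
    for ip, b in sorted(resolve_bindings(SAMPLE).items()):
        print(f"{ip:16} sgt={b.sgt:<3} source={b.source}")
    for b in shadowed_bindings(SAMPLE):
        print(f"shadowed: {b.ip} sgt={b.sgt} from {b.source}")
```

Note that an SXP-learned binding outranks a local CLI mapping, so an SXP peer can change the SGT a switch applies to a statically mapped server; the shadowed list makes that visible.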

Classification: Access Layer Classification Summary

The slide is a matrix of platforms (C2960-S, C3750X, C3850/WLC 5760**, C4500, C6x00, ISR/ASR1000, WLC) against classification methods: dynamic (802.1X, MAB, Web Auth) and static (VLAN/SGT*, Subnet/SGT, Layer 3 Interface Mapping). (Matrix cells not reproduced.)

** limits on number of SGTs (255)    * limits on the number of VLANs

Classification: Nexus 1000V: SGT Assignment in Port Profile

- A Port Profile is a container of network properties, applied to different interfaces.
- The server admin may assign Port Profiles to new VMs.
- VMs inherit the network properties of the port profile, including the SGT.
- The SGT stays with the VM even if it is moved.


Propagation: Inline tagging (SGT in data plane)

- Capable switches process the SGT at line rate.
- The SGT is embedded within Cisco Meta Data (CMD) in the Layer 2 frame; the CMD EtherType is 0x8909.
- No impact to QoS, IP MTU or fragmentation.
- Optional MACsec protection: 802.1AE header, EtherType 0x88E5, AES-GCM 128-bit encryption.

Frame layout:
  Ethernet frame:  Destination MAC | Source MAC | 802.1Q | CMD ETHTYPE (0x8909) | CMD | ETHTYPE | PAYLOAD | CRC
  MACsec frame:    Destination MAC | Source MAC | 802.1AE Header | 802.1Q | CMD ETHTYPE | CMD | ETHTYPE | PAYLOAD | CRC
  CMD fields:      Version | Length | SGT Option Type | SGT Value | Other CMD Option

- L2 frame impact: ~40 bytes. Recommended L2 MTU ~1600 bytes.
- N.B. Assume incapable devices will drop frames with an unknown EtherType.
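To make the frame layout above concrete, here is an added example (not code from the deck) that builds and parses a frame carrying an inline SGT. The byte layout after the 0x8909 EtherType is an assumption based on the field list on the slide: version (1 byte), length (1 byte), SGT option type (2 bytes), SGT value (2 bytes), then the encapsulated EtherType; a MACsec frame (0x88E5) is reported as opaque because the SGT sits inside the protected region. The sample frame is constructed.

```python
# Added example: build/parse an Ethernet frame with the SGT carried inline in CMD.
# Assumed CMD layout (not stated byte-for-byte on the slide): version(1) length(1)
# option type(2) SGT(2) inner EtherType(2), all big-endian.
import struct

ETHERTYPE_CMD = 0x8909
ETHERTYPE_DOT1Q = 0x8100
ETHERTYPE_MACSEC = 0x88E5
CMD_VERSION = 1
CMD_LENGTH = 1          # assumed value of the length field for a single SGT option
CMD_SGT_OPTION = 0x0001  # assumed encoding of "SGT Option Type"


def parse_frame(frame: bytes):
    """Return dst, src, vlan (or None), sgt (or None), inner ethertype and payload.
    A MACsec-protected frame is flagged and left unparsed: without the session key the
    CMD and payload are not readable, which is exactly the point of 802.1AE."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan": None, "sgt": None, "macsec": False}
    offset = 12
    ethertype, = struct.unpack_from("!H", frame, offset)
    offset += 2
    if ethertype == ETHERTYPE_DOT1Q:
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        info["vlan"] = tci & 0x0FFF
        offset += 4
    if ethertype == ETHERTYPE_MACSEC:
        info.update({"macsec": True, "ethertype": ethertype, "payload": frame[offset:]})
        return info
    if ethertype == ETHERTYPE_CMD:
        if len(frame) < offset + 8:
            raise ValueError("truncated CMD header")
        version, length, opt_type, sgt, inner = struct.unpack_from("!BBHHH", frame, offset)
        if version != CMD_VERSION:
            raise ValueError(f"unsupported CMD version {version}")
        info.update({"cmd_length": length, "cmd_option": opt_type, "sgt": sgt})
        ethertype = inner
        offset += 8
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def build_cmd_frame(dst, src, sgt, inner_ethertype, payload, vlan=None):
    """Inverse of parse_frame: produce a frame with the SGT inline (lab/test tooling)."""
    frame = dst + src
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_DOT1Q, vlan & 0x0FFF)
    frame += struct.pack("!HBBHHH", ETHERTYPE_CMD, CMD_VERSION, CMD_LENGTH,
                         CMD_SGT_OPTION, sgt, inner_ethertype)
    return frame + payload


# Constructed sample: an IPv4 packet from the HR employee (SGT 5) on VLAN 100.
SAMPLE_FRAME = build_cmd_frame(bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344bb"),
                               sgt=5, inner_ethertype=0x0800,
                               payload=b"\x45\x00" + b"\x00" * 18, vlan=100)

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```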

Propagation: SGT link Authentication and Authorization

Mode                         | MACsec PMK | MACsec PTK | Encryption cipher selection (no-encap, null, GCM, GMAC) | Trust/propagation policy for tags
cts dot1x                    | Dynamic    | Dynamic    | Negotiated                                               | Dynamic from ISE / configured
cts manual with encryption   | Static     | Dynamic    | Static                                                   | Static
cts manual, no encryption    | N/A        | N/A        | N/A                                                      | Static

- cts manual is the strongly recommended configuration for SGT propagation.
- cts dot1x takes the link down when AAA is down: tight coupling of link state and AAA state. CTS Critical Authentication was recently introduced on 3K/4K/6K only.
- Some platforms (ISRG2, ASR1K, N5K, ASA, N1KV, etc.) only support cts manual / no encryption.

Propagation: SGT eXchange Protocol (SXP)

- IETF draft: http://tinyurl.com/sxp-draft
- SXP is very simple to enable: SGT propagation without hardware dependencies, from the access edge to the enforcement device.
- Control plane protocol that conveys the IP-SGT map of authenticated hosts to the enforcement point.
- SXP uses TCP as the transport layer (port 64999).
- Two roles: Speaker (initiator) and Listener (receiver).
- Uses MD5 for authentication and integrity check.
- Supports single-hop SXP and multi-hop SXP (aggregation): in the diagram, access switches act as speakers toward a switch or router that listens and aggregates the bindings.

Propagation: SXP Versions

- Version 1: the initial SXP version; supports IPv4 binding propagation.
- Version 2: adds support for IPv6 binding propagation and version negotiation (older switch and router IOS prior to March 2013, WLC).
- Version 3: adds support for Subnet/SGT binding propagation and expansion (6K only). When speaking to a lower-version listener it will expand the subnet.
- Version 4: loop detection and prevention, capability exchange, built-in keep-alive mechanism (newer switch and router IOS after March 2013).

Propagation: SXP Connection Types

- Single-hop SXP: an SXP-enabled switch/WLC in the non-TrustSec domain (Speaker) peers directly with SGT-capable hardware (Listener).
- Multi-hop SXP: SXP-enabled switches/WLCs (Speakers) peer with an intermediate SXP-enabled switch that is Listener toward them and Speaker toward the SGT-capable hardware (Listener).

Propagation: Inline SGT and SXP in action

- Inline tagging: if the device supports SGT in its ASIC, the SGT travels in the CMD field of the L2 Ethernet frame (optionally encrypted) hop by hop from Campus Access through Distribution, Core, Enterprise Backbone, DC Core and EOR to DC Access.
- SXP: if there are devices that are not SGT-capable (for example the WLC or the hypervisor switch in the diagram), the IP-SGT binding (10.1.100.98 = SGT 50) is sent over SXP to the enforcement point, here a firewall, which keeps it in its SXP IP-SGT binding table:

  IP Address     SGT   SRC
  10.1.100.98    50    Local

Propagation: SGT Transport over L3 networks

Multiple options for SGT transport over non-CTS Layer 3 networks:
- DMVPN for Internet-based VPNs
- GETVPN for securing private MPLS clouds
- Over The Top (OTP) for private enterprise networks (1HCY15)

In the diagram, ISE (guest server, posture, profiler) serves an enterprise LAN (Catalyst switches, WLC, Nexus 5000/2000, BYOD users) and a data center (Catalyst 6500, Nexus 7000) with SGACL enforcement; remote sites reach them over the Internet (DMVPN), an enterprise MPLS cloud (GETVPN) or a CTS link / OTP, while SXP carries bindings where inline tagging is unavailable. Groups shown: Finance, HR, Admin.


Enforcement: Policy Enforcement - Security Group ACL (SGACL)

Walk-through: a user authenticates on a Cat3750X (or WLC5508) and is classified as Marketing (5). Destination classification in the data center: Web_Dir is SGT 20, CRM is SGT 30. The packet (SRC: 10.1.10.220, DST: 10.1.100.52) is tagged SGT 5 and crosses the Cat6500s and the enterprise backbone to the Nexus 7000 / Nexus 5500 / Nexus 2248 at the data center edge. There a FIB lookup yields the destination MAC/port and its SGT (20), and the egress switch applies the matrix cell for (5 -> 20).

SRC \ DST        | Web_Dir (20) | CRM (30)
Marketing (5)    | SGACL-A      | SGACL-B
BYOD (7)         | Deny         | Deny

Enforcement: SGACL Enforcement Policy

The policy is expressed per source/destination pair, for example: Source = Employee_SGT, Destination = CreditCard_Server, Policy = Deny IP.

Enforcement: Centralized SGACL Management in ISE

Security Group Access Control List (SGACL)

- An SGACL is an access control list to filter traffic based on security group.
- The source Security Group (SGT) and destination Security Group (DGT) in the ACL syntax are substituted with the classification result.
- No IP address in the syntax.
- IP version agnostic.

Example:
Permit_Mail_Traffic
  permit tcp dst eq 110
  permit tcp dst eq 143
  permit tcp dst eq 25
  permit tcp dst eq 465
  permit tcp dst eq 585
  permit tcp dst eq 993
  permit tcp dst eq 995
  deny all log
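The following added example (not code from the deck) shows how an egress enforcement point applies the group-based matrix and the SGACL syntax above to a flow: the (source SGT, destination SGT) cell selects one or more SGACLs, ACEs are matched first-match, and a flow that matches nothing falls to the cell's final catch rule. The matrix is the Marketing/BYOD example from this page; the contents of SGACL-A, SGACL-B and the catch rules are constructed, and pairs absent from the matrix use the configurable default permission.

```python
# Added example: evaluate a flow against an SGACL policy matrix in the syntax used above
# ("permit tcp dst eq 443", "deny ip", "deny all log", "deny udp dst range 1 100 log-input").
import re

ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>ip|all|tcp|udp|icmp)"
    r"(?:\s+dst\s+(?:eq\s+(?P<eq>\d+)|range\s+(?P<lo>\d+)\s+(?P<hi>\d+)))?"
    r"(?P<log>\s+log(?:-input)?)?\s*$")


def parse_ace(text):
    """Parse one ACE line into action, protocol, optional destination port range, log flag."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable ACE: {text!r}")
    ports = None
    if m["eq"]:
        ports = (int(m["eq"]), int(m["eq"]))
    elif m["lo"]:
        ports = (int(m["lo"]), int(m["hi"]))
    return {"action": m["action"], "proto": m["proto"], "ports": ports, "log": bool(m["log"])}


def ace_matches(ace, proto, dport):
    if ace["proto"] not in ("ip", "all") and ace["proto"] != proto:
        return False
    if ace["ports"] is None:
        return True
    return dport is not None and ace["ports"][0] <= dport <= ace["ports"][1]


class SgaclPolicy:
    def __init__(self, sgacls, matrix, default="permit"):
        # sgacls: {name: [ACE text, ...]}
        # matrix: {(src_sgt, dst_sgt): ([sgacl names in order], final catch rule)}
        self.sgacls = {n: [parse_ace(a) for a in aces] for n, aces in sgacls.items()}
        self.matrix = matrix
        self.default = default  # permission for pairs not present in the matrix

    def evaluate(self, src_sgt, dst_sgt, proto, dport=None):
        """Return (decision, reason); reason names the SGACL/ACE or catch rule that decided."""
        cell = self.matrix.get((src_sgt, dst_sgt))
        if cell is None:
            return self.default, "matrix default"
        names, catch = cell
        for name in names:
            for ace in self.sgacls[name]:
                if ace_matches(ace, proto, dport):
                    return ace["action"], f"{name}: {ace['action']} {ace['proto']}"
        return catch, f"final catch rule ({catch})"


# Constructed SGACL bodies; Permit_Mail_Traffic is the example from the slide above.
SGACLS = {
    "SGACL-A": ["permit tcp dst eq 443", "permit tcp dst eq 80", "deny ip"],
    "SGACL-B": ["permit tcp dst eq 1433", "deny all log"],
    "Permit_Mail_Traffic": [f"permit tcp dst eq {p}" for p in (110, 143, 25, 465, 585, 993, 995)]
                           + ["deny all log"],
}
# Matrix from the Marketing/BYOD slide: (source SGT, destination SGT) -> SGACLs, catch rule.
MATRIX = {
    (5, 20): (["SGACL-A"], "deny"),   # Marketing -> Web_Dir
    (5, 30): (["SGACL-B"], "deny"),   # Marketing -> CRM
    (7, 20): ([], "deny"),            # BYOD -> Web_Dir: Deny
    (7, 30): ([], "deny"),            # BYOD -> CRM: Deny
}
POLICY = SgaclPolicy(SGACLS, MATRIX, default="permit")

if __name__ == "__main__":
    for flow in [(5, 20, "tcp", 443), (5, 20, "tcp", 22), (7, 20, "tcp", 443), (0, 20, "tcp", 80)]:
        print(flow, "->", POLICY.evaluate(*flow))
```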

Enforcement: Applying SGACL policies in ISE (tree view)

Enforcement: Policy Enforcement on Firewalls: ASA SG-FW

- SGT defined in ISE or locally defined on the ASA.
- Trigger IPS/CX based on SGT.
- Use the destination SGT received from the switches connected to the destination.
- Use Network Objects (host, range, network (subnet), or FQDN).
- More on ASA TrustSec: BRKSEC-3690 Advanced Security Group Tags: The Detailed Walk Through (Thur 10:00am).

TrustSec Platform Support

Tagging (SGT classification): Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C/-X; Catalyst 3750-E/-X; Catalyst 3850, 3650; WLC 5760; Catalyst 4500E (Sup6E/7E); Catalyst 4500E (Sup8E); Catalyst 6500E (Sup720/2T), 6880X; Wireless LAN Controller 2500/5500/WiSM2; Nexus 7000; Nexus 6000; Nexus 5600; Nexus 5500.

Propagation (per platform, as legible on the slide):
- Catalyst 2960-S/-C/-Plus/-X/-XR: SXP
- Catalyst 3560-E/-C, 3750-E: SXP
- Catalyst 3560-X, 3750-X: SXP, SGT
- Catalyst 3650, 3850: SXP, SGT
- Catalyst 4500E (Sup 7E), 4500X: SXP, SGT
- Catalyst 4500E (Sup6E): SXP
- Catalyst 6500E (Sup720): SXP, SGT
- Catalyst 6500E (Sup 2T) / 6880X: SXP, SGT
- WLC 2500, 5500, WiSM2: SXP
- WLC 5760: SXP, SGT
- ISR G2 Router, CGR2000: SXP, SGT, GETVPN, DMVPN (all ISRG2 inline SGT except C800: today)
- IE2000/3000, CGS2000: SXP, SGT
- ASR1000 (with ISR 4400, CSR1000V): SGT, GETVPN, DMVPN
- Nexus 1000v (Port Profile): SXP, SGT
- Nexus 5500/22xx FEX: SXP, SGT
- Nexus 5600/6000: SXP, SGT
- Nexus 7000/22xx FEX: SXP, SGT
- ASA5500X, ASAv (VPN RAS): SXP

Enforcement:
- SGACL: Catalyst 3560-X; Catalyst 3750-X; Catalyst 3850, 3650; WLC 5760; Catalyst 4500E (Sup7E); Catalyst 4500E (Sup8E); Catalyst 6500E (Sup2T) / 6880X; Nexus 7000; Nexus 6000; Nexus 5600; Nexus 5500; Nexus 1000v
- SGFW: ISR G2 Router, CGR2000; ASR 1000 Router, ISR 4400, CSR1000V; ASA 5500/5500X Firewall; ASAv Firewall

Deploying TrustSec (HOW to deploy TrustSec)

Defining TrustSec Policy

1. Define source and destination groups: discover assets, user groups and applications (Email, Web, Internet, Terminal, App1, App2, Chat, Cloud Apps, Mgmt, DB, File, Name, Dir., SSO).
2. Define the relationship between the groups: the SGT policy matrix. Write it down on a spreadsheet!

Classify your network

- User/Device SGT assignments (wired, wireless, remote access VPN): 802.1X, MAB, Web Auth and profiling on ISE; IP-SGT for RA-VPN.
- Data Center server assignments: NX-OS VLAN-SGT; UCS Director / hypervisors (port profile); Port-SGT; IOS/routing with prefix learning (L3IF-SGT), Subnet-SGT and VLAN-SGT.
- Business partners & 3rd party connections.

Enabling TrustSec in the Enterprise Network

The deployment walk-through covers Branch Office-1, Branch Office-2, WAN, Datacenter, Campus Core, Internet Edge, Internet and Campus Access.

Preparing Cisco ISE

Enabling SGT/SGACL

Following is a high-level overview of SGT/SGACL configuration on Cat6K Sup2T when used with ISE 1.x:

1. Configure ISE 1.x to the point where you can perform 802.1X authentication (bootstrap, certificate, AD integration, basic authentication & authorization rules).
2. Configure the Device SGT (Policy > Policy Elements > Results > Trustsec > Security Group). All SGTs should have access to Device_SGT by policy (ARP needs to work).

SGT Configuration for ISE

3. Under Policy > Trustsec > Network Device Authorization, assign the Device SGT created in step (2) to the default condition.
4. Optionally, under Admin > System > Settings > Protocols > EAP-FAST > EAP-FAST Settings, change the A-ID description to something meaningful, so that you can recognize on the switch CLI which ISE you received the PAC file from.

Configuring Cat6K Sup2T as Seed Device

5. Under Admin > Network Resources > Network Devices, create an AAA client entry for the Cat6500 Sup2T. After the first device (called the seed device) authenticates with the authentication server to begin the Cisco TrustSec domain, each new device added to the domain is authenticated by its peer devices already within the domain.

Configuring an SGT Device

6. Configure the RADIUS secret. Also, under Advanced TrustSec Settings, check "Use Device ID for Trustsec", then type the device password. This ID and password need to be exactly the same as you define on the network device CLI.

Extra Steps to set up a Private Server List

7. Update the seed device (closest device to ISE) with a list of multiple servers it can fall back to in case the first PDP becomes unavailable. You can set such a list under Admin > Network Resources > Trustsec AAA Servers. This data is available via CTS Environment Data (show cts environment-data).

Preparing ISE for SGACL Enforcement

8. In order to provision SGACL policy automatically to the Sup2T, ISE needs to be configured for SGT/SGACL and the associated policies. Under Policy > Trustsec > Egress Policy, create the mapping for the policy and select the permission.
9. In the same screen, add the Security Group ACL mapping. Create a new Security Group ACL if needed.

Known limitation: Cat6K Sup2T supports multiple SGACLs in the policy. Nexus 7K only supports a single SGACL; therefore the best practice is to select one SGACL and add the explicit deny or permit in the SGACL itself, not in the Final Catch Rule.

Egress Policy: Source Tree View

Three views: Source Tree, Destination Tree, Matrix. In the source view a filter is applied by default: only SGT/DGT pairs with an SGACL are shown in the source/destination tree views.

Egress Policy: Matrix View

TrustSec on IOS Switches

Monitor Mode

Egress enforcement with Security Group ACLs happens at the data center (N7K) in front of the PCI Server, Production Server and Development Server, while users and endpoints on the campus network connect through Catalyst switches/WLC (3K/4K/6K) in monitor mode:

authentication port-control auto
authentication open
dot1x pae authenticator

After AUTH=OK the user is assigned SGT = PCI User (10).

SRC \ DST        | PCI Server (111) | Dev Server (222)
Dev User (8)     | Deny all         | Permit all
PCI User (10)    | Permit all       | Permit all
Unknown (0)      | Deny all         | Deny all

1. Users connect to the network; monitor mode allows traffic regardless of authentication.
2. Authentication can be performed passively, resulting in SGT assignments.
3. Traffic traverses the network to the Data Center enforcement points.
4. Enforcement may be enabled gradually per destination Security Group.

Configuring an IOS Switch for SGT

The following CLI is required to turn on NDAC (to authenticate the device to ISE and receive policies, including SGACLs, from ISE).

Enabling AAA:
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#aaa new-model

Defining the RADIUS server with the PAC keyword:
Switch(config)#radius-server host <ISE_PDP_IP> pac key <RADIUS_SHARED_SECRET>

Define the authorization list name for SGA policy download:
Switch(config)#cts authorization list <AUTHZ_List_Name>

Use the default AAA group for 802.1X and the defined authz list for authorization:
Switch(config)#aaa authentication dot1x default group radius
Switch(config)#aaa authorization network <AUTHZ_List_Name> group radius

Configuring an IOS switch for SGT (cont.)

Configure the RADIUS server to use VSAs in the authentication request:
Switch(config)#radius-server vsa send authentication

Enable 802.1X at system level:
Switch(config)#dot1x system-auth-control

Define the device credential (EAP-FAST I-ID), which must match the one in the ISE AAA client configuration:
Switch#cts credential id <DEVICE_ID> password <DEVICE_PASSWORD>

Note: remember that the device credential under IOS is configured in Enable mode, not in config mode. This is a different CLI command level from NX-OS, where you need to configure the device credential in config mode.

Verification - PAC

Use show cts pacs to verify whether the PAC is provisioned or not. Key points: the A-ID matches the one found in the environment data together with the IP address; your I-ID is the one you set up as Device ID; and A-ID-Info matches what you configured on ISE (EAP-FAST configuration).

TS2-6K-DIST#show cts pacs
AID: 04FB30FE056125FE90A340C732ED9530
PAC-Info:
  PAC-type = Cisco Trustsec
  AID: 04FB30FE056125FE90A340C732ED9530
  I-ID: TS2-6K-DIST
  A-ID-Info: ISE PAP
  Credential Lifetime: 00:54:33 UTC Dec 21 2011
PAC-Opaque:
000200B0000300010004001004FB30FE056125FE90A340C732ED95300006009400030100980BC43B8BDAB7ECC3B12C04D2D3CA6E
000000134E7A69FD00093A80AD1F972E0C67757D29DBF9E8452EDC3E0A46858429C8E4714315533061DAD4FB2F31346FE4408579
D4F55B3813ADA9876F04ACC1656DE2F476ED3CBC96A0DB937403AC3B0CAB64EEC15A1BD6E351A005A8DE6E6F894DEE619F4EFFF0
31BC7E7BD9C8B230885093FF789BAECB152E3617986D3E0B
Refresh timer is set for 12w0d

IOS SXP Configuration

3750:
cts sxp enable
cts sxp connection peer 10.1.44.1 source 10.1.11.44 password default mode local
! SXP peering to Cat6K

6K:
cts sxp enable
cts sxp default password cisco123
!
cts sxp connection peer 10.1.11.44 source 10.1.44.1 password default mode local listener hold-time 0 0
! ^^ peering to Cat3K
cts sxp connection peer 10.1.44.44 source 10.1.44.1 password default mode local listener hold-time 0 0
! ^^ SXP peering to WLC

C3750#show cts role-based sgt-map all details
Active IP-SGT Bindings Information
IP Address       Security Group    Source
======================================================================
10.10.11.1       2:device_sgt      INTERNAL
10.10.11.100     3:Full_Access     LOCAL

C6K2T-CORE-1#show cts sxp connections brief
SXP                         : Enabled
Highest Version Supported   : 4
Default Password            : Set
Default Source IP           : Not Set
Connection retry open period: 120 secs
Reconcile period            : 120 secs
Retry open timer is not running
----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status   Duration
----------------------------------------------------------------------------
10.1.11.44       10.1.44.1        On            11:28:14:59 (dd:hr:mm:sec)
10.1.44.44       10.1.44.1        On            22:56:04:33 (dd:hr:mm:sec)
Total num of SXP Connections = 2

C6K2T-CORE-1#show cts role-based sgt-map all details
Active IP-SGT Bindings Information
IP Address       Security Group    Source
======================================================================
10.1.40.10       5:PCI_Servers     CLI
10.1.44.1        2:Device_sgt      INTERNAL
--- snip ---
10.0.200.203     4:GUEST           SXP
10.10.11.100     3:Full_Access     SXP

Activating SGACL Enforcement on IOS switch

After setting up SGT/SGACL on ISE, you can now enable SGACL enforcement on the IOS switch.

Defining IP to SGT mapping for servers:
Switch(config)#cts role-based sgt-map 10.1.40.10 sgt 5
Switch(config)#cts role-based sgt-map 10.1.40.20 sgt 6
Switch(config)#cts role-based sgt-map 10.1.40.30 sgt 7

Enabling SGACL enforcement globally and for a VLAN:
Switch(config)#cts role-based enforcement
Switch(config)#cts role-based enforcement vlan-list 40

Downloading Policy on IOS switch

After enabling SGACL enforcement, policies need to be downloaded to IOS, the egress enforcement point.

Refresh the environment data using cts refresh environment-data:
Switch#cts refresh environment-data
Environment data download in progress

Refresh the policy using cts refresh policy:
Switch#cts refresh policy
Policy refresh in progress

Downloading Policy on IOS Switch

Verify Environment Data:
TS2-6K-DIST#show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 2-00
Server List Info:
Installed list: CTSServerList1-0004, 3 server(s):
 *Server: 10.1.100.3, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
  Status = ALIVE
  auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
 *Server: 10.1.100.4, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
  Status = ALIVE
  auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
 *Server: 10.1.100.6, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
  Status = ALIVE
  auto-test = F 
ALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
  0001-22 :
    7-98 : 80 -> FIN_SRV
    6-98 : 80 -> HR_DB
    5-98 : 80 -> HR_ADMIN_SRV
    4-98 : 80 -> FIN_ADMIN
    3-98 : 80 -> HR_CONTRACTOR
    2-98 : 80 -> Device_SGT
    unicast-unknown-98 : 80 -> Unknown
    Any : 80 -> ANY
Transport type = CTS_TRANSPORT_IP_UDP
Environment Data Lifetime = 86400 secs
Last update time = 22:50:57 UTC Mon Sep 26 2011
Env-data expires in   0:23:59:49 (dd:hr:mm:sec)
Env-data refreshes in 0:23:59:49 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running


Downloading Policy on IOS Switch

Verify SGACL Content:
TS2-6K-DIST#show cts rbacl
CTS RBACL Policy
================
  name = Deny IP-00
  IP protocol version = IPV4, IPV6
  refcnt = 6
  flag = 0xC1000000
  stale = FALSE
  RBACL ACEs:
    deny ip

  name = ALLOW_HTTP-10
  IP protocol version = IPV4
  refcnt = 2
  flag = 0x41000000
  stale = FALSE
  RBACL ACEs:
    permit tcp dst eq 80
    deny ip

  name = Permit IP-00
  IP protocol version = IPV4, IPV6
  refcnt = 6
  flag = 0xC1000000
  stale = FALSE
  RBACL ACEs:
    permit ip

  name = ALLOW_HTTP_SQL-10
  IP protocol version = IPV4
  refcnt = 2
  flag = 0x41000000
  stale = FALSE
  RBACL ACEs:
    permit tcp dst eq 443
    permit tcp dst eq 80
    permit tcp dst eq 1433
    deny ip

Notes:
- show cts rbacl is only available when cts role-based enforcement is enabled.
- Different from the NX-OS syntax, which is show cts role-based access-list.
- <ACL_NAME>-XX: XX stands for the generation ID, and this should match the one on ISE. The Gen-ID is only incremented when the ACL content is updated; it does not change upon a name change.

Downloading SGACL Policy on IOS Switch

Verify SGACL Content:
TS2-6K-DIST#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 3 to group 5:
        Deny IP-00
IPv4 Role-based permissions from group 4 to group 5:
        ALLOW_HTTP_HTTPS-20
IPv4 Role-based permissions from group 3 to group 6:
        ALLOW_HTTP_SQL-10
        Permit IP-00
IPv4 Role-based permissions from group 4 to group 6:
        Deny IP-00
IPv4 Role-based permissions from group 3 to group 7:
        Deny IP-00
IPv4 Role-based permissions from group 4 to group 7:
        Permit IP-00

The SGACL mapping policy should match the one on ISE.
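Checking that the switch's downloaded policy matches ISE can be automated from the output above: the name suffix is the generation ID, so a cell whose SGACL carries an older Gen-ID than ISE has pushed is stale. The following added example (not code from the deck) parses show cts role-based permissions output and compares it with an expected, ISE-side view; the sample output and the expected map are constructed.

```python
# Added example: detect stale or unexpected SGACLs on a switch by comparing
# `show cts role-based permissions` against what ISE is expected to have pushed.
import re

HEADER_RE = re.compile(
    r"^IPv4 Role-based permissions (?:default|from group (\d+)(?::\S+)? to group (\d+)(?::\S+)?):\s*$")
NAME_RE = re.compile(r"^(?P<name>.+?)-(?P<gen>\d{2})$")


def split_sgacl_name(token):
    """'ALLOW_HTTP_SQL-10' -> ('ALLOW_HTTP_SQL', 10); the two-digit suffix is the Gen-ID."""
    m = NAME_RE.match(token.strip())
    if not m:
        raise ValueError(f"no generation id in {token!r}")
    return m["name"], int(m["gen"])


def parse_permissions(output):
    """Return {'default' | (src_sgt, dst_sgt): [(sgacl name, gen id), ...]}."""
    cells, key = {}, None
    for line in output.splitlines():
        h = HEADER_RE.match(line.strip())
        if h:
            key = "default" if h.group(1) is None else (int(h.group(1)), int(h.group(2)))
            cells[key] = []
        elif key is not None and line.strip():
            cells[key].append(split_sgacl_name(line))
    return cells


def policy_drift(switch_cells, expected_cells):
    """Return (cell, kind, detail) findings; kind is 'stale' (same SGACL, different
    Gen-ID), 'unexpected' (on the switch but not in ISE) or 'missing' (the reverse)."""
    findings = []
    for cell in sorted(set(switch_cells) | set(expected_cells), key=str):
        have = dict(switch_cells.get(cell, []))
        want = dict(expected_cells.get(cell, []))
        for name in sorted(have.keys() - want.keys()):
            findings.append((cell, "unexpected", f"{name}-{have[name]:02d}"))
        for name in sorted(want.keys() - have.keys()):
            findings.append((cell, "missing", f"{name}-{want[name]:02d}"))
        for name in sorted(have.keys() & want.keys()):
            if have[name] != want[name]:
                findings.append((cell, "stale",
                                 f"{name} gen {have[name]} on switch, {want[name]} on ISE"))
    return findings


# Constructed sample in the format shown above (both the numeric and the name-tagged form).
SAMPLE_OUTPUT = """\
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 3 to group 5:
        Deny IP-00
IPv4 Role-based permissions from group 4 to group 5:
        ALLOW_HTTP_HTTPS-20
IPv4 Role-based permissions from group 3 to group 6:
        ALLOW_HTTP_SQL-10
        Permit IP-00
IPv4 Role-based permissions from group 8:EMPLOYEE_FULL to group 8:EMPLOYEE_FULL:
        Malware_Prevention-11
"""
# Constructed ISE-side expectation: ALLOW_HTTP_SQL was edited (gen 11) and the 8->8 cell
# should no longer carry Malware_Prevention.
EXPECTED = {
    "default": [("Permit IP", 0)],
    (3, 5): [("Deny IP", 0)],
    (4, 5): [("ALLOW_HTTP_HTTPS", 20)],
    (3, 6): [("ALLOW_HTTP_SQL", 11), ("Permit IP", 0)],
    (8, 8): [],
}

if __name__ == "__main__":
    for cell, kind, detail in policy_drift(parse_permissions(SAMPLE_OUTPUT), EXPECTED):
        print(f"{str(cell):10} {kind:10} {detail}")
```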

Verifying SGACL Drops

Use show cts role-based counters to show traffic dropped by SGACL:

TS2-6K-DIST#show cts role-based counters
Role-based IPv4 counters
From    To      SW-Denied   HW-Denied   SW-Permitted   HW_Permitted
*       *       0           0           48002          369314
3       5       53499       53471       0              0
4       5       0           0           0              3777
3       6       0           0           0              53350
4       6       3773        3773        0              0
3       7       0           0           0              0
4       7       0           0           0              0

From * to * means the Default Rule.

The show command displays the content statistics of RBACL enforcement. Separate counters are displayed for HW and SW switched packets. The user can specify the source SGT using the from clause and the destination SGT using the to clause. Mostly SGACL is done in HW; only if the packet needs to be punted to SW (e.g. TCAM is full, or the packet is marked to be logged) does the SW counter increment.

SGACL Policy Push

Policy matrix on ISE:

Source \ Destination       | Server_A (111 / 006F) | Server_B (222 / 00DE)
User_Group_A (10 / 000A)   | Permit_All            | SGACL_C (updated to SGACL_A)
User_Group_B (11 / 000B)   | Deny_All              | SGACL_B

SGACL for 10 -> 222 as downloaded before the policy update:

cts role-based permissions from 10 to 222
  permit tcp dst eq 443
  deny ip

Default refresh period = 86,400 seconds or 1 day. The switch is configured as a CoA client of ISE so that a pushed update does not have to wait for the refresh:

aaa server radius dynamic-author
 client <ISE_IP> server-key *****

SGACL for 10 -> 222 after the policy update is pushed:

cts role-based permissions from 10 to 222
  permit tcp dst eq 443
  permit tcp dst eq 80
  deny ip

The Push button initiates an environment CoA notification.

Policy Update: SGACL Policy CoA (Change of Authorization) pushes the policy change from ISE to the appropriate devices. Currently supported on Cat6500/Sup2T, Cat4500 and Cat3K-X.

[Figure: ISE sends the CoA across the WAN to the switches in the campus network]
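The enforcement decision behind the matrix and the pushed SGACL change, as an added example that is not Cisco's code: a small first-match SGACL evaluator in Python, with the 10 -> 222 cell before and after the push and the default Permit IP rule. The ACE grammar is limited to the forms the slides show.

```python
"""Model of SGACL egress enforcement: policy matrix + SGACL ACEs.

Added example, not from the deck. It reproduces the decision a switch makes
for the 10 -> 222 cell of the SGACL Policy Push slides, before and after the
pushed update. Only the ACE forms shown on the slides are supported
(permit/deny, 'ip' or a transport protocol, optional 'dst eq <port>').
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_sgt: int
    dst_sgt: int
    proto: str                      # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    dst_port: Optional[int]         # None = any destination port

    def matches(self, flow: Flow) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        return self.dst_port is None or self.dst_port == flow.dst_port


def parse_sgacl(text: str) -> list[Ace]:
    """Parse lines like 'permit tcp dst eq 443' / 'deny ip' into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, proto = parts[0], parts[1]
        port = None
        if len(parts) == 5 and parts[2:4] == ["dst", "eq"]:
            port = int(parts[4])
        elif len(parts) != 2:
            raise ValueError(f"unsupported ACE: {line!r}")
        aces.append(Ace(action, proto, port))
    return aces


# Constructed policy: the cell User_Group_A (10) -> Server_B (222) before and
# after the push on the slide. The default (* -> *) rule is Permit IP-00.
SGACL_BEFORE = parse_sgacl("""
permit tcp dst eq 443
deny ip
""")
SGACL_AFTER = parse_sgacl("""
permit tcp dst eq 443
permit tcp dst eq 80
deny ip
""")
DEFAULT_RULE = parse_sgacl("permit ip")


def decide(flow: Flow, matrix: dict[tuple[int, int], list[Ace]],
           default: list[Ace] = DEFAULT_RULE) -> str:
    """First-match evaluation of the SGACL bound to (src SGT, dst SGT).

    Falls back to the default rule when the matrix has no cell for the pair.
    If no ACE matches at all the flow is treated as denied; the deck's best
    practice is to end every SGACL with an explicit permit/deny ip so that
    this case never arises.
    """
    aces = matrix.get((flow.src_sgt, flow.dst_sgt), default)
    for ace in aces:
        if ace.matches(flow):
            return ace.action
    return "deny"


if __name__ == "__main__":
    matrix = {(10, 222): SGACL_BEFORE}
    http = Flow(10, 222, "tcp", 80)
    print("10 -> 222 HTTP before push:", decide(http, matrix))   # deny
    matrix[(10, 222)] = SGACL_AFTER
    print("10 -> 222 HTTP after push: ", decide(http, matrix))   # permit
```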

SGACL Monitoring: Best-effort syslog

C6K2T-CORE-1#show cts role-based permissions
IPv4 Role-based permissions from group 8:EMPLOYEE_FULL to group 8:EMPLOYEE_FULL:
        Malware_Prevention-11
C6K2T-CORE-1#sho ip access-list
Role-based IP access list Deny IP-00 (downloaded)
    10 deny ip
Role-based IP access list Malware_Prevention-11 (downloaded)
    10 deny icmp log-input (51 matches)
    20 deny udp dst range 1 100 log-input
    30 deny tcp dst range 1 100 log-input
    40 deny udp dst eq domain log-input

*May 24 04:50:06.090: %SEC-6-IPACCESSLOGDP: list Malware_Prevention-11 denied icmp 10.10.18.101 (GigabitEthernet1/1 ) -> 10.10.11.100 (8/0), 119 packets

TrustSec on Cisco Wireless

[Figure: enterprise network diagram with Branch Office-1, Branch Office-2, WAN, Datacenter, Campus Core, Internet Edge, Internet and Campus Access]

TrustSec on Wireless

Platform | SGT Classification & Mapping | SXP Support (role / version) | Inline SGT Tagging | SGT Enforcement | Minimum Version (License)
Cisco 5500 Series and 2500 Series; Cisco Wireless Services Module 2 (WiSM2); and Cisco Wireless LAN Controller Module for Integrated Services Routers G2 (WLCM2) | 802.1X, MAB, WEB AUTH | Speaker * (version 2) | No | No | Cisco AirOS 7.4.121
Cisco Wireless LAN Controller 8510, 8540, and 5520 | 802.1X, MAB, WEB AUTH | Speaker * (version 2) | No | No | Cisco AirOS 8.1
Cisco Wireless LAN Controller 7500 and vWLC | No | No | No | No | No
Cisco 5760 Wireless LAN Controller | 802.1X, MAB, WEB AUTH, IP-to-SGT, VLAN-to-SGT, Port-to-SGT, Subnet-to-SGT | Speaker, Listener (version 4) | SGT over Ethernet | SGACL | 03.06.00E (IP Base K9)

* FlexConnect Central Switching Mode and Centralized mode support SXP (AirOS 8.0). Local Switch Mode does not support SXP.

TrustSec on Wireless (IOS)

[Figure: IOS wireless controller (5760) classifies the sources, Cisco ISE assigns the SGT, and the SGT is carried inline to a switch or firewall in front of the destinations]

Enforce on the WLC, or pass on the SGT via inline tagging for external enforcement. Config is the same as on IOS switches.

CTS-5760#show auth sessions interface Ca0 details
            Interface: Capwap0
               IIF-ID: 0xE8FD8000000008
          MAC Address: 0050.5601.0001
         IPv6 Address: Unknown
         IPv4 Address: 10.0.201.7
            User-Name: employee1@cts.lab
               Status: Authorized
               Domain: DATA
       Oper host mode: multi-auth
     Oper control dir: both
      Session timeout: N/A
    Common Session ID: 0a0a65015157f38b0000000c
      Acct Session ID: Unknown
               Handle: 0x31000002
       Current Policy: (No Policy)

Server Policies (priority 100):
            SGT Value: 5

Method status list:
       Method           State
       dot1x            Authc Success

TrustSec on Wireless (AirOS)

[Figure: AirOS wireless controller (5508) classifies the sources, Cisco ISE assigns the SGT, and the IP-SGT binding is sent over SXP to a switch or firewall in front of the destinations]

No SG based enforcement locally on the controller. IP-SGT bindings are sent over SXP to enforcers / aggregators.
* Not supported on 7500 & vWLC


TrustSec in Data Center

[Figure: enterprise network diagram (Branch Offices, WAN, Datacenter, Campus Core, Internet Edge, Internet, Campus Access) highlighting the data center]

TrustSec in Data Center

Platform | SGT Classification & Mapping | SXP Support (role / version) | Inline SGT Tagging | SGT Enforcement | Minimum Version (License)
Cisco Nexus 7000 line cards and chassis (all line cards except F1 series module) | IP-to-SGT, VLAN-to-SGT, Port-to-SGT, PortProfile-to-SGT (known limitation: vPC/FabricPath are not supported with some TrustSec features) | Speaker, Listener (version 1) | SGT over Ethernet, SGT over MACsec (MACsec supported on all line cards except F1, F2, and F3 40/100G line cards) | SGACL | Cisco NX-OS 6.2(8)
Cisco Nexus 5600/6000 Series | Port-to-SGT | Speaker (version 1) | SGT over Ethernet | SGACL | Cisco NX-OS 7.0(1)N1(1)
Cisco Nexus 5548P, 5548UP, and 5596UP (note: no support for 5010 or 5020) | IP-to-SGT, Port-to-SGT | Speaker (version 1) | SGT over Ethernet | SGACL | Cisco NX-OS 6.0(2)N2(5)
Cisco Nexus 1000V for VMware vSphere (N1Kv for Hyper-V and KVM are not supported) | Port-Profile to SGT | Speaker (version 1) | SGT over Ethernet | SGACL | Cisco NX-OS 5.2(1)SV3(1.1)

DC Traffic Segmentation with SGT

- Servers are assigned SGTs via static port profile / port / IP-SGT map
- Servers attempt to communicate east-west
- Traffic hits the egress enforcement point
- Only the permitted traffic path (source SGT to destination SGT) is allowed
- Traffic enforcement can be distributed across 5K, 6K and 7K

[Figure: Core Network above a Data Center of Nexus 7000s, Nexus 55XXs and Nexus 6XXXs hosting VMs/bare metal; ISE supplies the policy. Servers: PCI DB (111), LOB1 DB (222), LOB2 DB (333), Security Server (444); SGACL PCILOB1-ACL is applied between PCI DB and LOB1 DB]

Policy matrix:

SRC \ DST             | PCI DB (111)  | LOB1 DB (222) | LOB2 DB (333) | Security Server (444)
PCI DB (111)          | Permit All    | PCI-LOB1-ACL  | PCI-LOB2-ACL  | Deny All
LOB1 DB (222)         | PCI-LOB1-ACL  | Permit All    | Deny All      | Deny All
LOB2 DB (333)         | PCI-LOB2-ACL  | Deny All      | Permit All    | Deny All
Security Server (444) | Deny All      | Deny All      | Deny All      | Deny All

Configure Nexus 7K: (Bootstrap)

Step 1: Configure communications between Nexus and ISE

N7K-DST1(config)# feature cts
N7K-DST1(config)# feature dot1x
N7K-DST1(config)# cts device-id N7K-DST1 password trustsec
N7K-DST1(config)# radius-server host 10.39.1.120 key trustsec pac
N7K-DST1(config)# aaa group server radius ISE
N7K-DST1(config-radius)# server 10.39.1.120
N7K-DST1(config)# aaa authentication dot1x default group ISE
N7K-DST1(config)# aaa authorization cts default group ISE
N7K-DST1(config)# aaa accounting dot1x default group ISE

Step 2: Verify the PAC is downloaded

N7K-DST1# show cts pacs
PAC Info :
==============================
  PAC Type            : TrustSec
  AID                 : a6f054a3856a15221714bba63e968867
  I-ID                : N7K-DST1
  AID Info            : ise
  Credential Lifetime : Sun Aug 3 16:56:29 2014
  PAC Opaque          :

Step 3: Enable Role-based counters and enforcement

N7K-DST1(config)# cts role-based counters enable
N7K-DST1(config)# cts role-based enforcement

Configure Nexus 5K/6K: (Bootstrap)

Step 1: Configure communications between Nexus and ISE

N55KA(config)# feature cts
N55KA(config)# feature dot1x
N55KA(config)# cts device-id N55KA password trustsec
N55KA(config)# radius-server host 10.39.1.120 key trustsec pac
N55KA(config)# aaa group server radius ISE
N55KA(config-radius)# server 10.39.1.120
N55KA(config-radius)# use-vrf management
N55KA(config)# aaa authentication dot1x default group ISE
N55KA(config)# aaa authorization cts default group ISE
N55KA(config)# aaa accounting dot1x default group ISE

Step 2: Verify the PAC is downloaded

N55KA# show cts pacs
PAC Info :
==============================
  PAC Type            : TrustSec
  AID                 : a6f054a3856a15221714bba63e968867
  I-ID                : N55KA
  AID Info            : ise
  Credential Lifetime : Fri Jul 11 04:25:45 2014
  PAC Opaque          :

Step 3: Enable Role-based counters and enforcement

N55KA(config)# cts role-based counters enable
N55KA(config)# vlan 118
N55KA(config-vlan)# cts role-based enforcement

Nexus for Native Tagging Up/Down Stream:

- We MUST enable the physical ports to trust the neighboring device to send native tagged packets. When enabling TrustSec on a switch, the default behavior is to drop packets sent to it with a native tag.
- This is similar to QoS, where we trust DSCP on trunk links.
- BEST PRACTICE: On all platforms it is best practice to manually shut/no shut the port after applying the cts manual commands. This guarantees that the control plane has fully programmed the port-level PHY/ASIC.

N7K-DST1(config)# int e1/30
N7K-DST1(config-if)# cts manual
N7K-DST1(config-if-cts-manual)# policy static sgt 0x0002 trusted
N7K-DST1(config-if)# shutdown
N7K-DST1(config-if)# no shutdown

Configure ISE SGACL Policy Matrix

Best Practice: NX-OS can only handle 1 SGACL, so put the implicit deny/permit inside the SGACL.

Configure Nexus to Statically Assign Tags:

Static IP-SGT (there is an option to manage this in ISE via IP/SGT or DNS/SGT mappings):
N7K-DST1(config)# cts role-based sgt-map 10.39.1.223 17

Static SGT on the physical port facing the server:
N7K-DST1(config)# int e1/30
N7K-DST1(config-if)# cts manual
N7K-DST1(config-if-cts-manual)# policy static sgt 0x3
N7K-DST1(config-if-cts-manual)# no propagate-sgt

NOTE: If you forget the no propagate-sgt command, your server will not be able to access the network!!

Port-Profile (NOTE: Port-Profile on N7K will only work on NON-FEX ports. 5K/6K don't have support yet. N1KV is supported):
N7K-DST1(config)# port-profile type ethernet PCI-DB
  cts manual
    policy static sgt 0x17
    no propagate-sgt
  switchport
  switchport access vlan 100

VLAN to SGT:
N7K-DST1(config)# vlan 100
N7K-DST1(config-vlan)# cts role-based sgt 17

Verify Configuration

Verify environmental data:

N7K-DST1# show cts role-based access-list
rbacl:Deny IP
        deny ip
rbacl:Permit IP
        permit ip
rbacl:PCI_Web_Server
rbacl:shaun_deny

Verify SGACLs downloaded and look at counters:

N7K-DST1# show cts role-based counters
RBACL policy counters enabled
Counters last cleared: 04/16/2014 at 06:28:11 PM
sgt:unknown dgt:19      [41677]
rbacl:Deny IP
        deny ip [41677]
sgt:unknown dgt:24      [13269]
rbacl:Deny IP
        deny ip [13269]
sgt:4 dgt:3     [0]
rbacl:Deny IP
        deny ip [0]
sgt:6 dgt:12    [0]
rbacl:Deny IP
        deny ip [0]
sgt:7 dgt:3     [53769]
rbacl:Deny IP
        deny ip [53769]

East West Traffic Control

[Figure: PCI_DB (10.30.1.10) and LOB1_DB (10.40.1.10) attached to a Nexus 5K/6K (N55KA) below a Nexus 7K (N7K-DST1)]

Nexus 5K/6K:

N55KA(config)# cts role-based counters enable
N55KA(config)# vlan 118
N55KA(config-vlan)# cts role-based enforcement
N55KA(config-vlan)# int e102/1/1
N55KA(config-if)# switchport
N55KA(config-if)# switchport access vlan 118
N55KA(config-if)# cts manual
N55KA(config-if-cts-manual)# policy static sgt 0x111
N55KA(config-if-cts-manual)# no propagate-sgt
N55KA(config-if-cts-manual)# int e102/1/2
N55KA(config-if)# switchport
N55KA(config-if)# switchport access vlan 118
N55KA(config-if)# cts manual
N55KA(config-if-cts-manual)# policy static sgt 0x222
N55KA(config-if-cts-manual)# no propagate-sgt

Nexus 7K:

N7K-DST1(config)# feature cts
N7K-DST1(config)# cts role-based counters enable
N7K-DST1(config)# cts role-based sgt-map 10.30.1.10 111
N7K-DST1(config)# cts role-based sgt-map 10.40.1.10 222
N7K-DST1(config)# cts role-based enforcement

SGT Caching

[Figure: traffic from SRC 10.65.1.9 (SGT 8) to DST 10.1.100.52 passes through a service chain of possible 3rd-party devices for Server Load Balancing (SLB), Intrusion Prevention Services (IPS), etc. SGT-tagged and untagged traffic segments are shown between the SGACL-enabled C6500/N7K, the SG Firewall-enabled ASA, physical servers and the DC access layer; the IP-SGT binding 10.65.1.9 = 8 (Employee_Full) is sent to the ASA over SXP]

SGT Caching on C6500/N7K:
- Caches IP-SGT mappings from the data plane
- Sends IP-SGT mappings to the ASA in SXP

Security Group Firewalling: firewall rule automation using ASA SG-Firewall functions.

N7K SGT Caching Config

N7K-DST1(config)# cts role-based sgt-caching ?
  <CR>
  with-enforcement  SGT caching with RBACL enforcement
N7K-DST1(config)# cts role-based sgt-caching with-enforcement
SGT caching with enforcement will implicitly display syslogs for all the ACEs in RBACLs.
Continue(yes/no) [no] yes
N7K-DST1# show cts role-based sgt-caching
Caching Modes                    Status
-------------------------------- -------
SGT caching                      Disabled
SGT caching with enforcement     Enabled
N7K-DST2# sho cts role-based sgt-map cached
IP ADDRESS      SGT                        VRF/VLAN   SGT CONFIGURATION
10.1.50.1       1000(Production_Servers)   vrf:1      Cached
10.1.51.2       2(Device_SGT)              vrf:1      Cached
10.1.56.2       2(Device_SGT)              vrf:1      Cached
10.1.100.1      1000(Production_Servers)   vrf:1      Cached
10.1.100.82     1000(Production_Servers)   vrf:1      Cached
N7K SGT Caching Notes

SGT Caching can be enabled with and without enforcement:
- Without enforcement it is just converting from data plane to control plane at a mid point in the network. Typically deployed at an aggregation layer where there is no enforcement.
- With enforcement is for when the N7K is the enforcement point and needs to convert from data plane to control plane.

- Service chains to 3rd party devices that do not support SGT
- Convert from native tagging to SXP for pre-9.3(1) ASA
- Typically when the N7K is acting as an aggregated routing/service layer in the DC

The N7K will ask ISE for the relevant policies of all its SGTs when it receives an IP/SGT update. Every time it receives an update. Yes, that is a lot of information filling the ISE logs.

SGT Caching Configuration Catalyst 6500 (Global CLI Commands)

Enabling CTS SGT Caching globally in independent mode:
  cts role-based sgt-caching
Enabling CTS SGT Caching on VLANs in independent mode:
  cts role-based sgt-caching vlan-list <[all | vlan_id]>
Enabling CTS SGT Caching globally in dependent mode:
  cts role-based sgt-caching with-enforcement
Enabling RBACL enforcement globally:
  cts role-based enforcement
Enabling RBACL enforcement on VLANs:
  cts role-based enforcement vlan-list <[all | vlan_id]>

SGT Caching Show Commands Catalyst 6500

To display the SGT-IPv4 bindings:
  show cts role-based sgt-map all ipv4
  show cts role-based sgt-map vrf <vrf_name> all ipv4
To display the SGT-IPv6 bindings:
  show cts role-based sgt-map all ipv6
  show cts role-based sgt-map vrf <vrf_name> all ipv6
To display RBACL entries programmed in the ACL TCAM:
  show platform hardware acl entry rbacl all
To display the ACL result of RBACL entries programmed in the ACL TCAM:
  show platform hardware acl tcam result <acl_entry_result>

SGT Caching Debug Commands Catalyst 6500

  [no] debug fm rbacl caching events

Detailed debugs:
  [no] debug rbm bindings
  [no] debug rbm api
  [no] debug fm rbacl caching packets
  [no] debug fm rbacl all

Note: no logging console is recommended before enabling these detailed debugging commands, as they could potentially flood the console.

TrustSec on Edge

[Figure: enterprise network diagram (Branch Offices, WAN, Datacenter, Campus Core, Internet Edge, Internet, Campus Access) highlighting the WAN and Internet edge]

TrustSec on Edge (1)

Platform | SGT Classification & Mapping | SXP Support (role / version) | Inline SGT Tagging | SGT Enforcement | Minimum Version (License)
Cisco 890 | IP-to-SGT, Subnet-to-SGT, L3IF-to-SGT | Speaker, Listener (version 4) | SGT over GETVPN, IPsec VPN, DMVPN | SGFW | Cisco IOS 15.4(3)M (ISR SEC/K9)
Cisco 1900, 2900, 3900 Series | IP-to-SGT, Subnet-to-SGT, L3IF-to-SGT | Speaker, Listener (version 4) | SGT over Ethernet, SGT over GETVPN, IPsec VPN, DMVPN | SGFW | Cisco IOS 15.4(3)M (ISR SEC/K9)
Cisco ISR 4451-X | IP-to-SGT, Subnet-to-SGT, L3IF-to-SGT | Speaker, Listener (version 4) | SGT over Ethernet, SGT over GETVPN, IPsec VPN, DMVPN | SGFW | Cisco IOS-XE 3.13(0)S (ISR SEC/K9)
Cisco ISRG2 Series SM-X Layer 2/3 EtherSwitch Module | 802.1X, MAB, WEB AUTH, IP-to-SGT, VLAN-to-SGT | Speaker, Listener (version 4) | SGT over Ethernet, SGT over MACsec | SGACL | Cisco IOS 15.2(2)E (ISR SEC/K9)
Cloud Services Router 1000V Series | IP-to-SGT, Subnet-to-SGT, L3IF-to-SGT | Speaker, Listener (version 4) | SGT over IPsec VPN, DMVPN | SGFW | Cisco IOS XE 3.11.0S (ISR SEC/K9)

TrustSec on Edge (2)

Platform | SGT Classification & Mapping | SXP Support (role/version) | Inline SGT Tagging | SGT Enforcement | Minimum Version (License)
Cisco ASR 1000 Series Router Processor 1 or 2 (RP1/RP2); ASR 1001, 1002, 1004, 1006, and 1013 Routers with Embedded Services Processor (10, 20, or 40 Gbps) and SPA Interface Processor (10/40) | IP-to-SGT, Subnet-to-SGT, L3IF-to-SGT | Speaker, Listener (version 4) | SGT over Ethernet, SGT over GETVPN, IPsec VPN, DMVPN | SGFW | IOS XE 3.13.0S (ASR1000 SECFW)
Cisco ASR1001-X and 1002-X | IP-to-SGT, Subnet-to-SGT, L3IF-to-SGT | Speaker, Listener (version 4) | SGT over Ethernet, SGT over GETVPN, IPsec VPN, DMVPN | SGFW | IOS XE 3.13.0S (ASR1000 SECFW)
Cisco ASA 5505, 5510, 5520, 5540, 5550, 5580 | - | Speaker, Listener (version 2) | - | SGFW | ASA 9.0.1, ASDM 7.1.6
Cisco ASAv | Remote Access VPN (IPSec, SSL-VPN); Clientless is not supported for classification | Speaker, Listener (version 2) | SGT over Ethernet | SGFW | ASA 9.3.1, ASDM 7.0.1
Cisco ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X | Remote Access VPN (IPSec, SSL-VPN); Clientless is not supported for classification | Speaker, Listener (version 2) | SGT over Ethernet | SGFW | ASA 9.3.1, ASDM 7.1.6

Branch Segmentation / Inline Tagging Across WAN

[Figure: Branch A and Branch B (Cat3750-X behind an ISRG2, e.g. 2951/3945) connect over IPsec, DM-VPN or GET-VPN to an ASR1000 router at HQ, which carries the inline SGT on into the Data Center]

- Inline tagging across the WAN: SGT over GET-VPN, DM-VPN or IPsec VPN
- Inline tagging on built-in ISRG2 & ASR 1000 Ethernet interfaces (all except the 800 series ISR)
- Can also use the SGT-aware Zone-based Firewall in the branch & DC WAN edge for reasons like PCI compliance
- SGT is used only as a source criterion in the ISR G2 Zone-Based Firewall

Branch Segmentation / SXP over WAN

Bidirectional SXP with loop detection is available now: ISRG2 15.4(1)S; ASR1000/ISR4k/CSR IOS XE 3.11.

[Figure: branch routers Speaker-1 through Speaker-300 (Cat6K switches behind them) exchange IP/SGT bindings over SXPv4 across the WAN with two ASR1K listeners (Listener-1, Listener-2), which relay them on to an N7K. Every device ends up with the same binding table:]

IP Address   SGT
10.1.10.1    Contractor - 10
10.1.10.4    Employee - 30
10.1.254.1   Contractor - 10
10.1.254.4   Employee - 30

- Allows the ASR1000 to be an IP/SGT relay from remote to remote
- SXP is a full replication model: each remote router will learn all IP/SGT bindings

Bidirectional SXP WAN scaling

From the previous slide: SXP is a full replication model, so each remote router will learn all IP/SGT bindings with this approach.
http://www.cisco.com/c/en/us/td/docs/iosxml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book/cts-bi-sxp.html

IPsec and Inline Tagging

! CTS infrastructure CLI to configure static IP to SGT bindings
cts role-based sgt-map 9.9.9.1 sgt 5000
cts role-based sgt-map 11.11.11.1 sgt 65533
!
crypto ikev2 proposal p1
 encryption 3des
 integrity md5
 group 2
!
crypto ikev2 policy policy1
 proposal p1
!
crypto ikev2 keyring key
 peer v4
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco
!
crypto ikev2 profile prof3
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring key
!
! SGT capability negotiation for the IPsec inline tagging functionality
crypto ikev2 cts sgt
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac
! ...........

IKEv2 is used to negotiate and inform IPsec about the SGT capability. Once the peers acknowledge the SGT tagging capability, an SGT tag number (16-bit) is added as the SGT Cisco Meta Data (CMD) payload into IPsec and sent to the receiving peer.

GETVPN and Inline Tagging

The GETVPN Key Server can enable SGT tagging on a per-SA basis (tag cts sgt enables SGT tagging on the Key Server for that SA):

crypto gdoi group GDOI
 identity number 12345
 server local
  sa ipsec 2
   no tag
   match address ipv4 ACL_GETVPN_NO_SGT
  sa ipsec 1
   tag cts sgt
   match address ipv4 ACL_GETVPN_SGT

If the Key Server is configured for tagging, Group Members must register using GETVPN software version 1.0.5 or higher to be accepted.

Router# show crypto gdoi feature cts-sgt
Group Name: GETVPN
    Key Server ID       Version   Feature Supported
        10.0.5.2        1.0.5           Yes
        10.0.6.2        1.0.5           Yes
    Group Member ID     Version   Feature Supported
        10.0.1.2        1.0.2           No
        10.0.2.5        1.0.3           No
        10.0.3.1        1.0.5           Yes
        10.0.3.2        1.0.5           Yes

SGT DMVPN Inline Tagging Config

ipsec-1900b#
! CTS infra CLI used to configure the IP->SGT mapping
cts role-based sgt-map 9.9.9.1 sgt 5000
cts role-based sgt-map 11.11.11.1 sgt 65533
!
crypto ikev2 proposal p1
 encryption 3des
 integrity md5
 group 2
!
crypto ikev2 policy policy1
 proposal p1
!
crypto ikev2 keyring key
 peer v4
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco
!
crypto ikev2 profile prof3
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring key
!
! Enables TrustSec on DMVPN. This command is valid for GRE and tunnel interface mode only
cts sgt inline
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac
! (continued on the next slide)

SGT DMVPN Show Commands

ipsec-1900b# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.1.99        10.1.1.99          UP 00:00:01    SC

ipsec-1900b# show ip nhrp nhs detail
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
10.1.1.99  RE NBMA Address: 1.1.1.99 priority = 0 cluster = 0  req-sent 44  req-failed 0  repl-recv 43 (00:01:37 ago)
TrustSec Enabled

The C (CTS Capable) attribute and the "TrustSec Enabled" line show the peer capability and the TrustSec negotiation.

SGT-Aware Zone-Based Firewall

class-map type inspect match-any partner-services
 match protocol http
 match protocol icmp
 match protocol ssh
class-map type inspect match-any partner-sgts
 match security-group source tag 2001
 match security-group source tag 2002
 match security-group source tag 2003
class-map type inspect match-all partner-class
 match class-map partner-services
 match class-map partner-sgts
class-map type inspect match-any guest-services
 match protocol http
class-map type inspect match-any guest-sgts
 match security-group source tag 5555
class-map type inspect match-all guest-class
 match class-map guest-services
 match class-map guest-sgts
class-map type inspect match-any emp-services
 match protocol http
 match protocol ftp
 match protocol icmp
 match protocol ssh
class-map type inspect match-any emp-sgts
 match security-group source tag 1001
 match security-group source tag 1002
 match security-group source tag 1003
class-map type inspect match-all emp-class
 match class-map emp-services
 match class-map emp-sgts
!
policy-map type inspect branch-policy
 class type inspect emp-class
  inspect
 class type inspect partner-class
  inspect
 class type inspect guest-class
  inspect
 class class-default
  drop
!
zone security lan
zone security ho
zone-pair security lan-ho source lan destination ho
 service-policy type inspect branch-policy
!
interface GigabitEthernet0/1
 description ***branch lan network***
 ip address 10.20.0.1 255.255.255.0
 zone-member security lan
!
interface GigabitEthernet0/2
 description ***connection to head-office***
 ip address 172.20.0.1 255.255.255.0
 zone-member security ho

SGT is a source criterion only in the ISR FW; it can be source or destination in the ASR 1000.

TrustSec and NetFlow

[Figure: enterprise network diagram (Branch Offices, WAN, Datacenter, Campus Core, Internet Edge, Internet, Campus Access)]

How do I know if I am tagging? SGT and Flexible NetFlow (FNF) on Cat6K/Sup2T

flow record cts-v4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter bytes
 collect counter packets

flow exporter EXP1
 destination 10.2.44.15
 source GigabitEthernet3/1

flow monitor cts-mon
 record cts-v4
 exporter EXP1

interface vlan 10
 ip flow monitor cts-mon input
 ip flow monitor cts-mon output
interface vlan 20
 ip flow monitor cts-mon input
 ip flow monitor cts-mon output
interface vlan 30
 ip flow monitor cts-mon input
 ip flow monitor cts-mon output
interface vlan 40
 ip flow monitor cts-mon input
 ip flow monitor cts-mon output

cts role-based ip flow mon cts-mon dropped

* Optional: this creates flows only for Role-based ACL drops.

Monitoring SGT/FNF Flow Cache Example

SJC01#show flow mon cts-mon cache
  Cache type:                            Normal
  Cache size:                              4096
  Current entries:                         1438
  High Watermark:                          1632
  Flows added:                            33831
  Flows aged:                             32393
    - Active timeout      (  1800 secs)       0
    - Inactive timeout    (    15 secs)   32393
    - Event aged                              0
    - Watermark aged                          0
    - Emergency aged                          0

IPV4 SOURCE ADDRESS:            192.168.30.209
IPV4 DESTINATION ADDRESS:       192.168.200.156
TRNS SOURCE PORT:               60952
TRNS DESTINATION PORT:          80
FLOW DIRECTION:                 Output
FLOW CTS SOURCE GROUP TAG:      30
FLOW CTS DESTINATION GROUP TAG: 200
IP PROTOCOL:                    6
counter bytes:                  56
counter packets:                1

IPV4 SOURCE ADDRESS:            192.168.20.140
IPV4 DESTINATION ADDRESS:       192.168.200.104
TRNS SOURCE PORT:               8233
TRNS DESTINATION PORT:          80
FLOW DIRECTION:                 Output
FLOW CTS SOURCE GROUP TAG:      20
FLOW CTS DESTINATION GROUP TAG: 200
IP PROTOCOL:                    6
counter bytes:                  56
counter packets:                1
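Added example, not from the deck: parsing the flow cache records above in Python to answer "am I tagging?" by finding flows whose source SGT is 0, and summing bytes per SGT pair. The third record (192.168.50.7, SGT 0) is constructed to trigger the check.

```python
"""Parse `show flow monitor <name> cache` records and find untagged flows.

Added example, not from the deck. The field names match the cts-v4 flow
record the session configures. The sample cache text is constructed from
the two records shown on the slide plus an extra, untagged record (source
SGT 0) to demonstrate the check.
"""
from dataclasses import dataclass

SAMPLE_CACHE = """\
IPV4 SOURCE ADDRESS:            192.168.30.209
IPV4 DESTINATION ADDRESS:       192.168.200.156
TRNS SOURCE PORT:               60952
TRNS DESTINATION PORT:          80
FLOW DIRECTION:                 Output
FLOW CTS SOURCE GROUP TAG:      30
FLOW CTS DESTINATION GROUP TAG: 200
IP PROTOCOL:                    6
counter bytes:                  56
counter packets:                1

IPV4 SOURCE ADDRESS:            192.168.20.140
IPV4 DESTINATION ADDRESS:       192.168.200.104
TRNS SOURCE PORT:               8233
TRNS DESTINATION PORT:          80
FLOW DIRECTION:                 Output
FLOW CTS SOURCE GROUP TAG:      20
FLOW CTS DESTINATION GROUP TAG: 200
IP PROTOCOL:                    6
counter bytes:                  56
counter packets:                1

IPV4 SOURCE ADDRESS:            192.168.50.7
IPV4 DESTINATION ADDRESS:       192.168.200.104
TRNS SOURCE PORT:               40112
TRNS DESTINATION PORT:          443
FLOW DIRECTION:                 Output
FLOW CTS SOURCE GROUP TAG:      0
FLOW CTS DESTINATION GROUP TAG: 200
IP PROTOCOL:                    6
counter bytes:                  1200
counter packets:                9
"""


@dataclass
class CtsFlow:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str
    src_sgt: int
    dst_sgt: int
    proto: int
    bytes: int
    packets: int


# Flow-cache field label -> (CtsFlow attribute, converter)
FIELD_MAP = {
    "IPV4 SOURCE ADDRESS": ("src", str),
    "IPV4 DESTINATION ADDRESS": ("dst", str),
    "TRNS SOURCE PORT": ("sport", int),
    "TRNS DESTINATION PORT": ("dport", int),
    "FLOW DIRECTION": ("direction", str),
    "FLOW CTS SOURCE GROUP TAG": ("src_sgt", int),
    "FLOW CTS DESTINATION GROUP TAG": ("dst_sgt", int),
    "IP PROTOCOL": ("proto", int),
    "counter bytes": ("bytes", int),
    "counter packets": ("packets", int),
}


def parse_flow_cache(text: str) -> list[CtsFlow]:
    """Records are separated by blank lines; each line is 'LABEL: value'.
    Lines whose label is not a cts-v4 field (cache summary) are ignored."""
    flows, fields = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last record
        if not line.strip():
            if fields:
                flows.append(CtsFlow(**fields))
                fields = {}
            continue
        key, _, value = line.partition(":")
        if key.strip() in FIELD_MAP:
            name, conv = FIELD_MAP[key.strip()]
            fields[name] = conv(value.strip())
    return flows


def untagged_sources(flows):
    """Flows whose source SGT is 0 (unknown): classification is missing
    somewhere upstream, e.g. a port without a static or dynamic SGT."""
    return [(f.src, f.dst, f.dport) for f in flows if f.src_sgt == 0]


def bytes_per_sgt_pair(flows):
    """Aggregate bytes by (src SGT, dst SGT): the view an SGACL matrix needs."""
    totals = {}
    for f in flows:
        pair = (f.src_sgt, f.dst_sgt)
        totals[pair] = totals.get(pair, 0) + f.bytes
    return totals


if __name__ == "__main__":
    flows = parse_flow_cache(SAMPLE_CACHE)
    print("untagged:", untagged_sources(flows))
    print("bytes per SGT pair:", bytes_per_sgt_pair(flows))
```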

Monitoring SGT Traffic with NetFlow

Plixer collector displays SGT information: http://www.plixer.com/blog/netflow/cisco-trustsec-netflow-support/

Live Action NetFlow with SGT support.

Lancope Custom Events: generate a security event when a flow condition based on the SGT value is seen.

Lancope Flow Query: use the SGT value to find (and classify) network traffic. Flow query configured example: find all traffic tagged with SGT 8.

Lancope Conversational Flow Record: Who, When, What, Where, How, plus the Security Group. Zooming in on the details of the conversational flow record shows the Security Group for each side of the conversation.

Use Cases & Deployment Scenarios (WHY TrustSec)

TrustSec Common Deployment Scenarios

User to Data Center Access Control:
- Context-based access
- Compliance requirements: PCI, HIPAA, export controlled information
- Merger & acquisition integration, divestments

Data Center Segmentation:
- Zoning & micro-segmentation
- Production vs development server segmentation
- Compliance requirements, PCI, HIPAA
- Firewall rule automation

Campus and Branch Segmentation:
- Line of business segregation
- PCI, HIPAA and other compliance regulations
- Malware propagation control/quarantine

TrustSec Common Deployment Scenarios

[Figure: the enterprise diagram annotated with the four scenarios: User to Data Center Segmentation (Campus Access to Datacenter), Server to Server Segmentation (inside the Datacenter), User to User Segmentation (Campus Access), and Branch to DC Segmentation (Branch Offices across the WAN)]

Global company segmentation scenario (without TrustSec)

Global company with 400+ sites:
- Each site hosts 1-5 segments (mostly unique)
- Every segment is defined with static VLANs today
- Company wants to deploy NAC

[Figure: one site with VLANs Business 1, Business 2 and Guest; another site with Business 79, Business 80 and Guest. A B1 user can authenticate to the network, but can't be authorized due to the unavailability of the VLAN locally]

Global company segmentation scenario (with TrustSec)

[Figure: every site carries only a Site VLAN and a Guest VLAN. The B1 user authenticates successfully, gets a local IP address & BU-SGT assigned, and has consistent access from the remote site]

- No matter what IP the user gets, access control is governed by the SGTs.
- Consistent access is granted from home and remote sites.

University IPv6 Scenario

- University has IPv6 endpoints
- Wanted to enable identity-based access
- Wanted Low-Impact Mode: limited access before (or on failed) authentication, full access post successful authentication
- Certain access switches did not support per-user IPv6 ACLs

Source-Group Tag eXchange Protocol (SXP)

IETF Draft: SGT Exchange Protocol (SXP), http://tinyurl.com/sxp-draft

- Control plane protocol that conveys the IP-SGT map of authenticated hosts to the enforcement point
- SXP uses TCP as the transport layer (port no. 64999)
- Supports single-hop SXP & multi-hop SXP (aggregation)
- Two roles: Speaker (initiator) and Listener (receiver)
- SXPv4 supports bidirectional mode

IPv6 support for SGT/SGACL: from 15.2(2)E / 03.06.00E, IPv6-to-SGT bindings can be transported over IPv4 SXP sessions.

[Figure: IPv4 and IPv6 access switches running 15.2(2)E / 3.6.0E act as SXP speakers towards a switch doing SXP aggregation, with a router as the listener]

IPv6 and TrustSec: Before Authentication (e.g. Low-Impact mode)

[Figure: Student1 (2001:DB8:100:0:7CB0:3B1D:2F77:16A6 and 2001:DB8:100:0:9112:EB74:784F:E88B) on an Access Switch running 15.2(2)E (SXP Speaker, 172.20.252.102), which peers with a C6500 (SXP Listener, 172.20.252.100) in the Campus LAN. Cisco ISE, the Infra Server (DHCP, DNS, AD; 2001:DB8:254::10) and the Lab Server (2001:DB8:254::12) sit behind the C6500. Student1 is assigned SGT=3 once authenticated]

CTS-C6500#show cts role-based sgt-map all ipv6
Active IP-SGT Bindings Information
IP Address                                 SGT   Source
================================================================
2001:DB8:100::1                            2     INTERNAL
2001:DB8:252::100                          2     INTERNAL
2001:DB8:254::10                           9     CLI
2001:DB8:254::12                           7     CLI

IPv6 and TrustSec: After Authentication (e.g. Low-Impact mode)

Same topology; Student1 has now authenticated and the access switch advertises its IPv6-to-SGT bindings to the C6500 over SXP.

CTS-C6500#show cts role-based sgt-map all ipv6
Active IP-SGT Bindings Information
IP Address                                 SGT   Source
================================================================
2001:DB8:100::1                            2     INTERNAL
2001:DB8:100:0:7CB0:3B1D:2F77:16A6         3     SXP
2001:DB8:100:0:9112:EB74:784F:E88B         3     SXP
2001:DB8:252::100                          2     INTERNAL
2001:DB8:254::10                           9     CLI
2001:DB8:254::12                           7     CLI
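Added example, not from the deck: a Python diff of the two show cts role-based sgt-map all ipv6 outputs that conf﻿irms the SXP-learned student bindings and shows which SGT a host resolves to before and after authentication. The student prefix 2001:DB8:100::/64 and SGT 3 are assumed from the figure.

```python
"""Diff `show cts role-based sgt-map all ipv6` before and after an endpoint
authenticates, to confirm the speaker's IPv6-to-SGT bindings reached the
listener (C6500). Added example, not from the deck; the two outputs are
constructed from the before/after tables on the slides.
"""
import ipaddress
import re

BEFORE = """\
Active IP-SGT Bindings Information
IP Address                                 SGT   Source
================================================================
2001:DB8:100::1                            2     INTERNAL
2001:DB8:252::100                          2     INTERNAL
2001:DB8:254::10                           9     CLI
2001:DB8:254::12                           7     CLI
"""
AFTER = """\
Active IP-SGT Bindings Information
IP Address                                 SGT   Source
================================================================
2001:DB8:100::1                            2     INTERNAL
2001:DB8:100:0:7CB0:3B1D:2F77:16A6         3     SXP
2001:DB8:100:0:9112:EB74:784F:E88B         3     SXP
2001:DB8:252::100                          2     INTERNAL
2001:DB8:254::10                           9     CLI
2001:DB8:254::12                           7     CLI
"""

# One binding row: address, SGT number, source (INTERNAL, CLI, SXP, ...)
ROW = re.compile(r"^\s*([0-9A-Fa-f:.]+)\s+(\d+)\s+([A-Z_]+)\s*$")


def parse_sgt_map(text):
    """Return {ip_address: (sgt, source)}. Addresses are normalised so that
    differently cased or zero-compressed forms compare equal."""
    bindings = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip = ipaddress.ip_address(m.group(1))
            bindings[ip] = (int(m.group(2)), m.group(3))
    return bindings


def new_bindings(before, after, source=None):
    """Bindings present only in `after`, optionally filtered by source
    (e.g. 'SXP' to see exactly what the access switch advertised)."""
    added = {ip: v for ip, v in after.items() if ip not in before}
    if source:
        added = {ip: v for ip, v in added.items() if v[1] == source}
    return added


def sgt_for(bindings, ip):
    """SGT a host is enforced with: its binding, or 0 (unknown) if none.
    Before authentication the student has no binding, so traffic falls into
    the 'unknown' row of the SGACL matrix (the Low-Impact limited access)."""
    return bindings.get(ipaddress.ip_address(ip), (0, None))[0]


def student_prefix_check(added, prefix="2001:DB8:100::/64", sgt=3):
    """Assumed expectation: every SXP-learned address inside the student
    prefix carries the student SGT. Returns the addresses that violate it."""
    net = ipaddress.ip_network(prefix)
    return [str(ip) for ip, (s, src) in added.items()
            if src == "SXP" and ip in net and s != sgt]


if __name__ == "__main__":
    before, after = parse_sgt_map(BEFORE), parse_sgt_map(AFTER)
    student = "2001:DB8:100:0:7CB0:3B1D:2F77:16A6"
    print("before auth:", sgt_for(before, student), "after auth:", sgt_for(after, student))
    print("learned via SXP:", sorted(str(ip) for ip in new_bindings(before, after, "SXP")))
```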

US Consumer Electronics Manufacturer: Large Campus Wireless Deployment

- Large electronics device manufacturing company deploying secure Wi-Fi
- ACL needs to scale beyond 64 lines of ACL (>1,500)
- TrustSec solution within the C6k chassis: WiSM2 aggregates AP traffic; policy enforcement on the Sup2T based on SGT
- Destination SGT values defined by IP & subnet
- Reduced IOS static ACL management policy using the egress matrix; e.g. about 500 lines of ACL allowing HTTPS is now supported by a single line of SGACL: permit tcp dst eq 443

[Figure: Cat6500 VSS system with Sup2T and WiSM2 modules; access points reach the WiSM2s over CAPWAP tunnels; ISE and the WiSM2s feed IP-SGT bindings to the Sup2T via SXP. Endpoint classification: Non-Compliant Mobile Device SGT 2 (Limited Access), Compliant Corporate Asset SGT 3 (Full Access), further endpoints SGT 4 and SGT 5. Destination subnets across the Data Center, Branch Office, Campus C/D, Corporate Network and Internet: Campus D 10.4.150.0/24 = SGT 7; 10.5.1.0/24 = SGT 22; Campus C 10.39.22.0/24 = SGT 6; 10.0.0.0/8 = SGT 100; 16.34.22.0/24 = SGT 10]

Policy Enforcement TCAM Scaling

[Figure: Enterprise Backbone connecting two SGACL enforcement switches, one in front of Web_Server (SGT=7) and one in front of Time_Stamp_Server (SGT=10)]

- Network devices download policies only when they have a device connected, and only for the connected systems
- Egress filtering and dynamic download scales the TCAM of the switches

Key Takeaways (WHEN to do TrustSec? NOW!)

access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

Cisco TrustSec: policy-defined segmentation based on business policy

Traditional Security Policy becomes a Segmentation Policy applied consistently on the Switch, Router, DC FW and DC Switch.

Security Control Automation
Improved Efficiency
Simplified Access Management
Flexible and Scalable Policy Enforcement

Gartner on TrustSec

"... logical source and destination security groups are more flexible, are easier to maintain and reduce runtime overhead in the network's switching fabric. There is much to like about Cisco's ambitious and innovative initiative."
"Cisco has made great strides in integrating support for the TrustSec framework across its product lines."

Flexibility to segregate resources without physical segmentation or managing VLANs
Reduction in ACL maintenance, complexity and overhead

http://blogs.cisco.com/security/gartners-perspective-on-ciscotrustsec

TrustSec for PCI Compliance

Validated by a PCI Audit Partner:
http://www.cisco.com/c/dam/en/us/solutions/collateral/borderless-networks/trustsec/trustsec_pci_validation.pdf

PCI Compliance: Scope Reduction in the Branch and the Data Center

[Diagram: Data Centre with a PCI Server and other Servers on the Data Center Network, connected over the WAN to the Branch, where a Register and a Workstation share the same network. Legend: segmentation enforcement; PCI scope. Segmentation enforcement keeps only the Register and the PCI Server inside PCI scope.]

TrustSec is:

Flexible: TrustSec enables you to segment networks without disturbing the network topology.

Efficient: Policy management gets simpler when policy is written and implemented in business-relevant language.

Ubiquitous: TrustSec offers consistent access control across wired, wireless and VPN networks.

Ready: More customers are adopting TrustSec; TrustSec is the next MPLS. It's ready.

Make a choice!

[Two car images (caranddriver.com, bcarwallpapers.com), captioned Traditional Segmentation Methods and Segmenting using TrustSec.]

About 100 years after a crank was required to start a car, modern batteries can now start many cars using just a button.

Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Table Topics
Meet the Engineer 1:1 meetings
Related sessions

Thank you

Security Cisco Education Offerings

Course: Implementing Cisco IOS Network Security (IINS)
Description: Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features
Cisco Certification: CCNA Security

Course: Implementing Cisco Edge Network Security Solutions (SENSS)
Description: Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls

Course: Implementing Cisco Threat Control Solutions (SITCS)
Description: Deploy Cisco's Next Generation Firewall (NGFW) as well as Web Security, Email Security and Cloud Web Security

Course: Implementing Cisco Secure Access Solutions (SISAS)
Description: Deploy Cisco's Identity Services Engine and 802.1X secure network access

Course: Implementing Cisco Secure Mobility Solutions (SIMOS)
Description: Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions

Course: Securing Cisco Networks with Threat Detection and Analysis (SCYBER)
Description: Designed for professional security analysts, the course covers essential areas of competency including event monitoring, security event/alarm/traffic analysis, and incident response
Cisco Certification: Cisco Cybersecurity Specialist

Course: Network Security Product and Solutions Training
Description: For official product training on Cisco's latest security products, including Adaptive Security Appliances, NGIPS, Advanced Malware Protection, Identity Services Engine, Email and Web Security Appliances see www.cisco.com/go/securitytraining

For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact ask-edu-pm-dcv@cisco.com

R&S Related Cisco Education Offerings

Course: CCIE R&S Advanced Workshops (CIERS-1 & CIERS-2) plus Self Assessments, Workbooks & Labs
Description: Expert level trainings including instructor led workshops, self assessments, practice labs and CCIE Lab Builder to prepare candidates for the CCIE R&S practical exam.
Cisco Certification: CCIE Routing & Switching

Course: Implementing Cisco IP Routing v2.0; Implementing Cisco IP Switched Networks v2.0; Troubleshooting and Maintaining Cisco IP Networks v2.0
Description: Professional level instructor led trainings to prepare candidates for the CCNP R&S exams (ROUTE, SWITCH and TSHOOT). Also available in self study eLearning formats with Cisco Learning Labs.
Cisco Certification: CCNP Routing & Switching

Course: Interconnecting Cisco Networking Devices: Part 2 (or combined)
Description: Configure, implement and troubleshoot local and wide-area IPv4 and IPv6 networks. Also available in self study eLearning format with Cisco Learning Lab.
Cisco Certification: CCNA Routing & Switching

Course: Interconnecting Cisco Networking Devices: Part 1
Description: Installation, configuration, and basic support of a branch network. Also available in self study eLearning format with Cisco Learning Lab.
Cisco Certification: CCENT Routing & Switching

Wireless Cisco Education Offerings

Course: Conducting Cisco Unified Wireless Site Survey; Implementing Cisco Unified Wireless Voice Networks; Implementing Cisco Unified Wireless Mobility Services; Implementing Cisco Unified Wireless Security Services
Description: Professional level instructor led trainings to prepare candidates to conduct site surveys, implement, configure and support APs and controllers in converged Enterprise networks. Focused on 802.11 and related technologies to deploy voice networks, mobility services, and wireless security.
Cisco Certification: CCNP Wireless

Course: Implementing Cisco Unified Wireless Network Essential
Description: Prepares candidates to design, install, configure, monitor and conduct basic troubleshooting tasks of a Cisco WLAN in Enterprise installations.
Cisco Certification: CCNA Wireless

Data Center / Virtualization Cisco Education Offerings

Course: Cisco Data Center CCIE Unified Fabric Workshop (DCXUF); Cisco Data Center CCIE Unified Computing Workshop (DCXUC)
Description: Prepare for your CCIE Data Center practical exam with hands on lab exercises running on a dedicated comprehensive topology
Cisco Certification: CCIE Data Center

Course: Implementing Cisco Data Center Unified Fabric (DCUFI); Implementing Cisco Data Center Unified Computing (DCUCI)
Description: Obtain the skills to deploy complex virtualized Data Center Fabric and Computing environments with Nexus and Cisco UCS.
Cisco Certification: CCNP Data Center

Course: Introducing Cisco Data Center Networking (DCICN); Introducing Cisco Data Center Technologies (DCICT)
Description: Learn basic data center technologies and how to build a data center infrastructure.
Cisco Certification: CCNA Data Center

Course: Product Training Portfolio: DCAC9k, DCINX9k, DCMDS, DCUCS, DCNX1K, DCNX5K, DCNX7K
Description: Get a deep understanding of the Cisco data center product line including the Cisco Nexus 9K in ACI and NexusOS modes