SlideShare a Scribd company logo

Deploying Secure Converged Wired, Wireless Campus

Rassul Ismailov, profile picture
Rassul Ismailov

This document provides an overview of Cisco TrustSec and its role-based access control capabilities for securing converged wired and wireless campus networks. It discusses how TrustSec provides user and device identification, security group tagging for segmentation, and security group access control lists for unified policy enforcement across the network. The document outlines the TrustSec components, including 802.1X authentication, device identification, role-based access controls using security group tags and access lists, and encryption of traffic using MACsec. It also provides examples of how TrustSec can be deployed in campus network architectures.

1 of 83
Downloaded 29 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
Deploying Secure Converged Wired, Wireless Campus
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Deploying Secure Converged Wired, Wireless Campus Rolando Salinas BRKCRS-2199
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Abstract • This session provides an overview of the Cisco TrustSec Security Group Access (SGA) solution for Role-Based Access Control with focus on Campus Network. SGA allows for simplified network segmentation based on User Identity/Role and allows for secure access and consistent security policies across Wired/Wireless networks. SGA helps define BYOD policies through security policies based on User/Role/Device/Location. • The session covers SGA on the Catalyst Switching platforms, including converged wired/wireless. The session covers an architectural overview of SGA and benefits of a converged wired/wireless network, elements of Cisco TrustSec such as user identification with 802.1x, device identification, role classification using Security Group Tagging (SGT) and enforcement using Security Group Access Control List (SGACL). We also discuss various SGA deployment use cases in a campus network. This session is for Network Architects, Pre-Sales Engineers and Technical Decision Makers. 3
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public got TrustSec? Why should you care about TrustSec • BYOD, IPv6 and Internet of Things require different approach to manageability • Unified Security Policy across Wired and Wireless 4
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Agenda • TrustSec Overview • Campus Deployment Use Cases • Migration Path • Wireless Integration • How to Deploy 5
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Session Objectives TrustSec is ready to be deployed in campus networks today. At the end of the session, the participants should be able to: Understand Components of TrustSec Solution Differentiate Campus Deployment Models Learn about Best Practices, Migration Paths and Caveats Not Covered  Basic IEEE 802.1X concepts  Branch Scenario  ASA Firewall 6
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public TrustSec: An Overview
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Campus Network Network Security Challenges Security Challenges • User Identification • Device Identification • Segmentation • Unified Policy • Central Policy Management • Network Infrastructure Protection • Scalable for future growth IT 3.1.1.1 Finance 2.1.1.1 Doctor 1.1.1.1 Access Distribution Core Data Center Identity Service Engine Directory Service WLC Patient DB 10.1.1.1 8
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Segmentation The Challenge of Traditional Security Enforcement Access Distribution Core Data Center Identity Service Engine Directory Service WLC permit tcp 3.1.1.1 100.1.1.1 eq https permit tcp 3.1.1.1 100.1.1.1 eq 8081 deny ip 3.1.1.1 200.1.1.2 permit tcp 2.1.1.1 150.1.1.1 eq https permit tcp 2.1.1.1 150.1.1.1 eq 8081 permit tcp 2.1.1.1 150.1.1.1 eq 445 deny ip 2.1.1.1 150.1.1.1 permit tcp 2.1.1.1 200.1.1.2 eq https deny ip 2.1.1.1 200.1.1.2 permit tcp 3.1.1.1 100.1.1.1 eq https permit tcp 3.1.1.1 100.1.1.1 eq 8081 deny ip 3.1.1.1 200.1.1.2 permit tcp 2.1.1.1 150.1.1.1 eq https permit tcp 2.1.1.1 150.1.1.1 eq 8081 permit tcp 2.1.1.1 150.1.1.1 eq 445 deny ip 2.1.1.1 150.1.1.1 permit tcp 2.1.1.1 200.1.1.2 eq https deny ip 2.1.1.1 200.1.1.2 permit tcp 1.1.1.1 100.1.1.1 eq https permit tcp 1.1.1.1 100.1.1.1 eq 8081 permit tcp 1.1.1.1 100.1.1.1 eq 445 deny ip 1.1.1.1 100.1.1.2 permit tcp 1.1.1.1 100.1.1.2 eq https deny ip 1.1.1.1 100.1.1.2 permit tcp 1.1.1.1 150.1.1.2 eq https deny ip 1.1.1.1 150.1.1.2 permit tcp 1.1.1.1 200.1.1.1 eq https deny ip 1.1.1.1 200.1.1.1 permit tcp 1.1.1.1 100.1.1.1 eq https permit tcp 1.1.1.1 100.1.1.1 eq 8081 permit tcp 1.1.1.1 100.1.1.1 eq 445 deny ip 1.1.1.1 100.1.1.2 permit tcp 1.1.1.1 100.1.1.2 eq https deny ip 1.1.1.1 100.1.1.2 permit tcp 1.1.1.1 150.1.1.2 eq https deny ip 1.1.1.1 150.1.1.2 permit tcp 1.1.1.1 200.1.1.1 eq https deny ip 1.1.1.1 200.1.1.1 permit tcp any 200.1.1.1 eq https permit tcp any 200.1.1.1 eq 8081 deny ip all permit tcp any 150.1.1.1 eq https permit tcp any 150.1.1.1 eq 8081 permit tcp any 150.1.1.1 eq 445 deny ip all permit tcp any 100.1.1.1 eq https deny ip all Access Control with IP Access Control Lists • Topology-based • Manual configurations • Error prone • Unscalable • Difficult to maintain VLAN 10IT 3.1.1.1 VLAN 20Finance 2.1.1.1 VLAN 30Doctor 1.1.1.1 9
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Comprehensive End-to-End Security Cisco TrustSec Segmentation (Compliance) Topology Independent Segmentation with Secure Group Access (SGA) Context-Aware Control Role-Based Access Control with Security Group Tagging (SGT) Identify, Profile Devices with Device Sensor 802.1X Authentication What Where HowWho IDENTITY When Protect Network Infrastructure MACsec Encryption Network Device Admission Control (NDAC) 10
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Authentication Features Context-Aware Control User Authentication: 802.1X Cisco Catalyst Switch Network Device IP Phones Authorized Users GuestsTablets 802.1X MAB WebAuth Monitor Mode • Unobstructed access • No impact on productivity • Gain visibility 11
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Identify Devices and set Device-based policies with Device Sensor Context-Aware Control Device Sensor CDP LLDP DHCP MAC 1 Device-Aware Identity- Aware Corp PC Doctor Personal Laptop Doctor IP Phone N/A Identity Service Engine Device Sensor 12
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Segmentation Security Group Access Access Distribution Data Center Directory Service Identity Service Engine WLC IT 3.1.1.1 Finance 2.1.1.1 Doctor 1.1.1.1 Email Server Financial Servers Patient Records Doctors IMAP No Access File Share IT Allow All SQL SQL Finance IMAP Web No Access Access Control with Secure Group Access • Context-based Classification • Role-based Policies • Topology-independent • Network wide enforcement • Scalable • Easy to administer • One Policy What Where HowWho IDENTITY When 13
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain SGT SGT SGT SGT SGT VLAN 110 VLAN 120 VLAN 130 Protect Network Infrastructure Network Device Admission Control (NDAC) Identity Service Engine Switch1 Switch2 Switch3 Switch4 Switch3 Switch4 Switch1 Switch2 Switch5 Platform Release Cat3Kx 15.0(2)SE Cat4K 3.3.0SG Cat6K 15.0(1)SY 14
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain SGT SGT SGT SGT SGT VLAN 110 VLAN 120 VLAN 130 Protect Network Infrastructure MAC Security (MACSec) Identity Service Engine SGT SGT Everything is sent in clear therefore you can see everything on wire Platform Release Cat3Kx 15.0(2)SE Cat4K 3.3.0SG Cat6K 15.0(1)SY 15
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain SGT SGT SGT SGT SGT VLAN 110 VLAN 120 VLAN 130 Identity Service Engine MACSec Enabled &^*RTW#(*J^*&*sd#J$%UJ&(&^*RTW#(*J^*&*sd#J$ Platform Release Cat3Kx 15.0(2)SE Cat4K 3.3.0SG Cat6K 15.0(1)SY Protect Network Infrastructure MAC Security (MACSec) 16
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public How Cisco TrustSec Works
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain SGT SGT SGT SGT SGT cts role-based permissions from 10 to 111 permit tcp dst eq 443 permit tcp dst eq 80 deny ip SGACL Enforcement cts role-based sgt-map VLAN-list 10 sgt 10 cts role-based sgt-map 192.168.10.0/24 sgt 10 Map VLANs or IP Subnets to SGT Values Segmentation Security Group Tagging (SGT) and SGACL Identity Service Engine SG Tag Imposed to Incoming Traffic Can Forward Existing SGT Traffic or Map SGTs Manually Device- Aware 1 1 Identity- Aware Security Group Doctor DoctorCorp PC Doctor Personal PC Doctor IP Phone NA Voice 18
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Role Identification (SGT Assignment) Campus/Mobile endpoints • via Manual IP-to-SGT binding on TrustSec device • via IP-to-Port Mapping Data Center / Servers • via 802.1X Authentication • via MAC Authentication Bypass • via Web Authentication Bypass • Or Static IP-to-SGT binding on SW Full integration with Cisco Identity Solution Just like VLAN Assignment or dACL, we assign SGT in authorization process 19
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain How SGT Assignment Works Identity Service Engine SRC DST Server A (20) User A (6) SGACL-A802.1X 192.168.1.1 10.1.1.102 = SGT 6 Dynamic SGT Assignment 10.1.1.102 cts role-based permissions from 6 to 20 permit tcp dst eq 443 deny ip SGACL Download cts role-based sgt-map 192.168.1.1 sgt 20 IP-to-SGT Assignment RADIUS ACCESS-ACCEPT SGT=6 20
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain How SGACL Enforcement Works Identity Service Engine SRC DST Server A (20) User A (6) SGACL-A 192.168.1.1 10.1.1.102 cts role-based permissions from 6 to 20 permit tcp dst eq 443 deny ip SGACL Download cts role-based sgt-map 192.168.1.1 sgt 20 IP-to-SGT Assignment 10.1.1.102 = SGT 6 Dynamic SGT Assignment HTTPS SGT=6 FTP SGT=6 21
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public RADIUS Access-Request Frame Format User Authentication Request 22
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public RADIUS Access-Accept Frame Format User Authentication With Downloadable ACL 23
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public RADIUS Access-Accept Frame Format User Authentication With SGT Assignment 24
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public RADIUS Access-Request Frame Format Device Authentication Request Switch sends request to authenticate itself 25
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public RADIUS Access-Request Frame Format Device Authentication & SGACL requests Subsequent requests include SGTs found in the switch 26
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public RADIUS Access-Accept Frame Format Device Authentication Switch authenticated 27
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public SGACLs matching destination downloaded SGACLs downloaded RADIUS Access-Accept Frame Format Device Authentication, SGACL & SGACL Matrix Download 28
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public SGA Deployment Use Cases
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public DataCenterCoreDistAccess SGA Deployment Use Cases Campus Reference Design Nexus 7010 N5K ISE 1.1SQL ServerWEB ServerFile Server Directory Service Cat3750-X Cat4500 Cat6500 Cat6500 Cat6500 Cat6500 User A User B  Access, Distribution & Core  Data Center  802.1X based SGT Assignment  Statically configured SGT Assignment  Migration Scenarios Deployment Modes 31
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Campus LAN Deployment Nexus 7010 N5K ISE 1.1SQL ServerWEB Server 2.1.1.1 File Server 1.1.1.1 Directory Service Cat3750/X Campus Access Data Center Cat3750/X Campus users accessing resources in Data Center Use Case Cat6500 Cat6500 Cat6500 Cat6500 User A User B Requirement  User A should be able to access File Server & Web Server  User B should be denied access to File Server 32
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Campus LAN Deployment How is it done today without SGA Nexus 7010 N5K ISE 1.1SQL Server Directory Service Cat3750/X Campus Access Data Center Assigned/Downloaded VLAN, ACL via 802.1X, MAB Cat3750/XCampus users accessing resources in Data Center  User VLAN statically defined or assigned during 802.1X or MAB Authentication  ACL statically defined or downloaded during Authentication Use Case Cat6500 Cat6500 Cat6500 Cat6500 User A User B VLAN 10 VLAN 20 File Server 1.1.1.1 WEB Server 2.1.1.1 Access Layer Enforced Downloaded or Statically Defined ACL ! Permit tcp any 1.1.1.1 eq 20 Permit tcp any 2.1.1.1 eq http Permit tcp any 2.1.1.1 eq https Deny ip any any Statically Defined VLAN or Assignment from RADIUS ! Vlan 10, 20 33
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Campus LAN Deployment How is it done with SGA Nexus 7010 N5K ISE 1.1SQL ServerWEB ServerFile Server Directory Service Cat3750/X Campus Access Data Center SGT Assignment via 802.1X, MAB, Web Auth SGACL Enforcement Cat3750/X SRC DST File Server (111) Web Server (222) User A (10) Permit all SGACL-B User B (20) Deny all SGACL-C 111 222 2010 Campus users accessing resources in Data Center  User traffic SGTagged at access via 802.1X, MAB, or Web Authentication  Server SGT assigned via static mapping  SGTag propagated thru access, distribution to data center  SGACL enforcement at data center egress switch Use Case Cat6500 Cat6500 Cat6500 Cat6500 User A User B Data Center Enforcement Platform Release Cat3Kx 15.0(2)SE Cat4K Indus* Cat6K 15.0(1)SY Access Layer Tagging
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Access Layer Enforcement Nexus 7010 N5K ISE 1.1SQL ServerWEB ServerFile Server Directory Service Cat3750-X Campus Access Data Center SGT Assignment via 802.1X, MAB, Web Auth SGACL Enforcement SRC DST User A (10) User B (20) Guest (30) User A (10) Permit all Deny all Deny all User B (20) Deny all Permit all Deny all Guest (30) Deny all Deny all Permit all 111 222 3020 Segmentation between users/resources in campus  User traffic SGTagged at access via 802.1X, MAB, or Web Authentication  Resource SGTagged via 802.1X, MAB, or static mapping  SGACL enforcement at egress access switch Use Case Cat6500 Cat6500 Cat6500 Cat6500 User B Guest 10 User A Cat3750-X Platform Release Cat3Kx 15.0(2)SE Cat4K Indus* Cat6K 15.0(1)SY Access Layer Tagging Access Layer Enforcement
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Campus Migration Path
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Challenges Migrating to a TrustSec Network • End device authentication ‒ Different authentication mechanisms for device types ‒ Multiple devices per per port • Network device authentication ‒ Prevent malicious or accidental changes in the network • Partial support of TrustSec features in network devices ‒ Many features require new or specific hardware 37
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Nexus® 7000 SGA with Monitor Mode Zero Enforcement ISE 1. User connects to network 2. Monitor mode allows traffic from endpoint before authentication 3. Authentication is performed and results are logged by ISE 4. Traffic traverses to Data Center and hits SGACL at egress enforcement point 5. All traffics are permitted with SGACL. No impact to the user traffic Egress Enforcement  Security Group ACL Campus Network Catalyst® Switches (3K/4K) Monitor Mode SRC DST HR Server (111) ACME Server (222) ACME-User(8) Permit all Permit all HR-User (10) Permit all Permit all Unknown (0) Permit all Permit all authentication port-control auto authentication open dot1x pae authenticator HR Server ACME Server ACME ServerAUTH=OK SGT=8 Users, Endpoints SGT SGT Catalyst® 6K Catalyst® 6K 38
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Nexus® 7000 SGA with Monitor Mode SGACL Enforcement ISE 1. User connects to network 2. Monitor mode allows traffic from endpoint before authentication 3. Authentication is performed and results are logged by ISE 4. Traffic traverses to Data Center and hits SGACL at egress enforcement point 5. Only permitted traffic path (source SGT to destination SGT) is allowed Egress Enforcement  Security Group ACL Campus Network Catalyst® Switches (3K/4K) Monitor Mode SRC DST HR Server (111) ACME Server (222) ACME-User(8) Deny all Permit all HR-User (10) Permit all Permit all Unknown (0) Deny all Deny all authentication port-control auto authentication open dot1x pae authenticator HR Server ACME Server ACME ServerAUTH=OK SGT=8 Users, Endpoints SGT SGT Catalyst® 6K Catalyst® 6K 39
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public TrustSec Domain VLAN-to-SGT Mapping Nexus 7010 N5K ISE 1.1SQL ServerPublic PortalFile Server Directory Service Cat3750-X Campus Access Data Center SGACL Enforcement SRC(SGT) / DST(DGT) File Server (111) Public Portal (222) Partners (20) Guest (30) Emp (10) Permit all Permit Web SGACL-A Deny all Prtnr (20) Permit Web Permit Web Deny all Deny all Guest (30) Deny all Permit Web Deny all SGACL-B Migration path – VLAN-to-SGT mapping  Source SGT assigned via VLAN-to-SGT mapping  Server SGT assigned via static mapping  SGACL enforcement at access switch & data center egress switch  IP Device Tracking must be enabled Use Case Cat6500 Cat6500 Cat6500 Cat6500 SGT Assignment via VLAN-to-SGT mapping 111 222 302010 Cat3750-X Guest Employees Partners Data Center Enforcement VLAN 10 VLAN 20 VLAN 30 Access Layer Enforcement Access Layer Tagging Platform Release Cat3Kx 15.0(2)SE Cat4K Indus* Cat6K 15.0(1)SY 40
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public TrustSec Domain VLAN-to-SGT Mapping Company Mergers Nexus 7010 N5K ISE 1.1SQL ServerPublic PortalFile Server Directory Service Campus Access Data Center SGACL Enforcement Cat6500 Cat6500 Cat6500 Cat6500 111 222 SGT Assignment via VLAN-to-SGT mapping 2010 Cat3750-X GuestEmployees Data Center Enforcement Access Layer Tagging Company A 30 211 Nexus 7010 Public PortalFile Server Cat3750-X Campus Access Data Center Cat6500 Cat6500 Cat6500 Cat6500 Cat3750-X GuestEmployees VLAN 40VLAN 30 Company B VLAN 10 VLAN 20 SRC(SGT) / DST(DGT) File Server (111) Public Portal (222) Guest (20) Emp (10) Permit all Permit Web Deny all Guest (20) Deny all Permit Web SGACL-B SRC(SGT) / DST(DGT) File Server (111) Public Portal (222) Guest (30) File Server (211) Emp(10) Permit all Permit Web Deny all SGACL_E Guest(20) Deny all Permit Web SGACL-B Permit Web Emp_B(30) Deny all Deny all Deny all Permit all Platform Release Cat3Kx 15.0(2)SE Cat4K Indus* Cat6K 15.0(1)SY 41
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public TrustSec Domain Subnet-to-SGT Mapping Nexus 7010 N5K ISE 1.1SQL ServerPublic PortalFile Server Directory Service Cat3750 Campus Access Data Center SGACL Enforcement Cat6500 Cat6500 Cat6500 Cat6500 Cat4500 GuestEmployees Partners 1.1.1.0 2.1.1.0 3.1.1.0 Migration path – Subnet-to-SGT mapping  Source SGT assigned via Subnet-to-SGT mapping  Subnet bindings are static, no learning of active hosts  Prefixes can be exported directly with SXPv3  Server SGT assigned via static mapping  SGACL enforcement at Dist switch & data center egress switch Use Case SRC(SGT) / DST(DGT) File Server (111) Public Portal (222) Partners (20) Guest (30) Emp (10) Permit all Permit Web SGACL-A Deny all Prtnr (20) Permit Web Permit Web Deny all Deny all Guest (30) Deny all Permit Web Deny all SGACL-B 111 222 SGT Assignment via Subnet-to-SGT mapping 1.1.1.0 10= 2.1.1.0 20= 3.1.1.0 30= Platform Release Cat4K Indus* Cat6K 15.0(1)SY 42
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Platform Release Cat3Kx 15.0(2)SE Cat4K Indus* Cat6K 15.0(1)SY TrustSec Domain IP-to-SGT Mapping Nexus 7010 N5K ISE 1.1SQL ServerPublic PortalFile Server Directory Service Cat3750-X Campus Access Data Center SGACL Enforcement Cat6500 Cat6500 Cat6500 Cat6500 Employees Partners VLAN 20 IP-to-SGT mapping  Source SGT assigned via IP-to-SGT mapping  IP Device Tracking must be enabled  Typically used for statically assigned IP devices  Server SGT assigned via static mapping  SGACL enforcement at access switch & data center egress switch Use Case SRC(SGT) / DST(DGT) File Server (111) Public Portal (222) Partners (20) Guest (30) IPSVC (31) Printer (32) Emp (10) Permit all Permit Web SGACL-A Deny all Permit all Permit all Prtnr (20) Permit Web Permit Web Deny all Deny all Deny all Permit all Guest (30) Deny all Permit Web Deny all SGACL-B Deny all Permit all Cat3750-X VLAN 10 10.1.1.1 10.1.1.2 111 222 SGT Assignment via IP-to-SGT mapping 10.1.1.1 10 = 10.1.1.2 20 = 31 32 31 32 43
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public TrustSec Domain Port-to-SGT Mapping Nexus 7010 N5K ISE 1.1SQL ServerPublic PortalFile Servers Directory Service Cat3750-X Data Center SGACL Enforcement Cat6500 Cat6500 Cat6500 Cat6500 Port-to-SGT mapping  Source SGT assigned via Port-to-SGT mapping  Typically used when connected to untrusted switches  Server SGT assigned via static mapping  SGACL enforcement at data center switch Use Case SRC(SGT) / DST(DGT) File Server (111) File Server (112) File Server (113) Public Portal (222) Prtnr1 (10) Permit all Deny all Deny all Permit Web Prtnr2 (20) Deny all Permit all Deny all Permit Web Prtnr3 (30) Deny all Deny all Permit all Permit Web Partner 2Partner 1 Partner 3 G1/2 111 222 SGT Assignment via Port-to-SGT mapping Int G1/1 = Int G1/2 = 10 20 Int G1/3 30= 112 113Platform Release Cat3Kx 15.0(2)SE Cat4K Indus* Cat6K 15.0(1)SY 44
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public What If Scenarios
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public What if my Access Switch isn’t capable of SGTagging Catalyst® 2960S802.1X Users, Endpoints IT Portal (SGT 4) 10.1.100.10 Cat6500 Sup2T Distribution/Core ISE 1.1N7K If the switch supports SXP, switch can send IP-to-SGT binding table to SGT capable device (e.g. Catalyst 6500 with Sup2T) Active Directory IP Address SGT Source 10.1.10.102 5 LOCAL 10.1.10.110 14 LOCAL 10.1.99.100 12 LOCAL SXP Speaker Locally Learned Listener 46
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public VLAN100 Doctor (SGT 7) IT Admin (SGT 5) MAB LWA Agent-less Device Campus Network SGT=7 SGT Enforcement SGTagging based on SXP Catalyst® 2960S802.1X Users, Endpoints IT Portal (SGT 4) 10.1.100.10 Cat6500 Sup2T Distribution/Core ISE 1.1 When SGT capable device receives packet, it looks up SGT value in table, insert SGT tag to frame when it exits egress port Active Directory IP Address SGT Source 10.1.10.102 5 SXP 10.1.10.110 14 SXP 10.1.99.100 12 SXP Untagged Frame Tagged Frame SRC=10.1.10.102 IP-to-SGT Binding Table SGT=5 N7K SXP © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public 47
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public VLAN100 Doctor (SGT 7) IT Admin (SGT 5) MAB LWA Agent-less Device Campus Network Untagged Frame Tagged Frame SGT=7 What if my Dist/Core Switch isn’t capable of SGTagging Catalyst® 2960S802.1X Users, Endpoints IT Portal (SGT 4) 10.1.100.10 Cat6500 Sup720 Distribution/Core ISE 1.1 N7K If the switch supports SXP, switch can send IP-to-SGT binding table to SGT capable device (e.g. Nexus 7K) Active Directory IP Address SGT Source 10.1.10.102 5 LOCAL 10.1.10.110 14 LOCAL 10.1.99.100 12 LOCAL SXP Locally Learned Speaker Listener © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public 48
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public What if I received multiple SGT Assignment SGT Assignment Priorities INTERNAL—Bindings between locally configured IP addresses and the device own SGT LOCAL—Bindings of authenticated hosts which are learned via IPM and device tracking. This type of binding also include individual hosts that are learned via ARP snooping on L2 [I]PM configured ports. IP_ARP—Bindings learned when tagged ARP packets are received on a CTS capable link. SXP—Bindings learned from SXP peers. The current priority enforcement order, from highest to lowest: Layer 3 Interface—(L3IF) Bindings added due to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports. CLI— Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command. (Hosts and subnets) VLAN—Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured. New 49
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public SGT Transport over non-TrustSec Domain Cisco TrustSecDomain Cisco TrustSecDomain IP Network or WAN IP HeaderSGT Payload SGT PayloadIP Header ESP IPHeaderSGTPayloadSGTPayloadIPHeaderESP Non- TrustSec Domain Original Packet Use Case Connecting TrustSec Domains – L3 SGT Transport Challenge  Partial TrustSec infrastructure support Solution  Encap/Decap traffic in IP ESP header between sites  SGT is carried in the ESP Payload  No Payload Encryption SGT L3 Transport Platform Release Cat6K (Sup2T) 15.0(1)SY ESP overhead (42-45 bytes) impacts IP MTU/Fragmentation ESP – Encapsulating Security Payload
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Sup2T SGT L3 Transport Orig IP Header ESP CMD Original Payload ESP TL ip access-list extended l3-cts-policy permit ip any 171.71.0.0/16 permit ip any 171.72.0.0/16 permit ip any 171.73.0.0/16 ! cts policy layer3 ipv4 traffic l3-cts-policy  Configure policy with explicit list of addresses in CTS domain to determine which packets need L3 CTS processing  Packets sent with “transport mode” ESP to carry SGT without encryption or data authentication  Simple H/W operations: encap/decap of ESP with NULL transform Policy for allowed Traffic ip access-list extended l3-cts-exception permit ip any 171.74.0.0/16 permit ip any 171.75.0.0/16 permit ip any 171.76.0.0/16 ! cts policy layer3 ipv4 exception l3-cts-policy Policy to for exception traffic Router(config)# interface TenGigabitEthernet 6/1 Router(config-if)# cts layer3 ipv4 trustsec forwarding Configure L3 Transport on the interface 51
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public TrustSec: Best Practices
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Catalyst® Switches (3K/4K/6K) SGA and Monitor Mode Users, Endpoints Nexus® 7000 ISE 1.1 Campus Network Ingress Enforcement  VLAN Assignment  Downloadable ACL TrustSec™ Domain Monitor Mode Egress Enforcement  Security Group ACL 53
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain SGT SGT SGT SGT SGT VLAN 110 VLAN 120 VLAN 130 MACSec and SGA Identity Service Engine MACSec Enabled 54
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain SGT SGT SGT SGT SGT VLAN 110 VLAN 120 VLAN 130 SGA and RADIUS COA Why Radius COA Identity Service Engine SRC DST Server A (111) Server B (222) User A (10) Permit all SGACL-A User B (20) Deny all SGACL-B SRC DST Server A (111) Server B (222) User A (10) Permit all SGACL-C User B (20) Deny all SGACL-B cts role-based permissions from 10 to 222 permit tcp dst eq 443 permit tcp dst eq 80 deny ip SGACL Enforcement cts role-based permissions from 10 to 222 permit tcp dst eq 443 deny ip SGACL Enforcement 55
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain SGT SGT SGT SGT SGT VLAN 110 VLAN 120 VLAN 130 SGA and RADIUS COA With Radius COA Identity Service Engine SRC DST Server A (111) Server B (222) User A (10) Permit all SGACL-A User B (20) Deny all SGACL-B SRC DST Server A (111) Server B (222) User A (10) Permit all SGACL-C User B (20) Deny all SGACL-B cts role-based permissions from 10 to 222 permit tcp dst eq 443 permit tcp dst eq 80 deny ip SGACL Enforcement cts role-based permissions from 10 to 222 permit tcp dst eq 443 deny ip SGACL Enforcement 56
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public How to Deploy SGA
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public How To Deploy NDAC NDAC – Seed Device Switch Configurations Configuration Commands: aaa new-model radius server ise address ipv4 <ip address> auth-port 1812 acct-port 1813 pac key <password> aaa authentication dot1x default group radius aaa authorization network cts group radius aaa session-id common cts authorization list cts dot1x system-auth-control ! Interface t5/1 switchport mode trunk cts dot1x ! <exec mode> cts credentials id <userid> password <password> Seed device includes RADIUS info 58
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public How To Deploy NDAC NDAC – Non-Seed Device Switch Configurations Configuration Commands: aaa new-model aaa authentication dot1x default group radius aaa authorization network default group radius aaa session-id common dot1x system-auth-control ! Interface t5/1 switchport mode trunk cts dot1x ! <exec mode> cts credentials id <userid> password <password>  Non-Seed device need not include RADIUS info  Dynamically learns RADIUS info from Seed Device 59
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Configuring Network Device Admission Control (NDAC) on ISE Administration > Network Resources > Network Devices 60
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public MAB LWA Agent-less Device VLAN100 Active Directory Campus Network SXP VLAN200 Untagged Frame Tagged Frame SGT=7 SGT Enforcement SGT Assignment for Roles Catalyst® 3750-X802.1X, MAB, LWA Users, Endpoints Dynamic SGT Assignment For Endpoint Public Portal (SGT 8) Internal Portal (SGT 9) Patient Record DB (SGT 10) 10.1.200.100 10.1.200.20010.1.200.10 IT Portal (SGT 4) 10.1.100.10 Catalyst 6K Core Nexus® 7000 Distribution ISE 1.1 Static SGT Assignment For Servers Catalyst® 4948 Doctor (SGT 7) IT Admin (SGT 6) 61
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public VLAN to SGT Mapping VLAN to SGT mapping uses IP Device Tracking mechanism to dynamically create IP to SGT bindings per VLAN Once bindings are created IP device tracking uses periodic ARP Probe messages to keep IP to SGT bindings active ip device tracking ! cts role-based sgt-map vlan-list 10 sgt 10 cts role-based sgt-map vlan-list 20 sgt 20 cts role-based sgt-map vlan-list 30 sgt 30 cts role-based sgt-map vlan-list 40 sgt 40 cts role-based sgt-map vlan-list 200 sgt 200 SJC01#show cts role-based sgt-map summary IP-SGT Active Bindings Summary ============================================ Total number of VLAN bindings = 1012 Total number of CLI bindings = 1 Total number of active bindings = 1013 VLAN 10 62
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public IP Subnet to SGT Mapping Layer 3 interface mapping to SGT (L3IF) is supported on the following L3 logical or physical interfaces: Routed port SVI (VLAN interface) L3 subinterface of L2 port Tunnel interface• Dynamically adds Destination Group Tag (DGT) to the FIB entries matching the SGT-MAP configured prefixes SJC01#show platform hardware cef 192.168.10.10 detail Codes: M - mask entry, V - value entry, A - adjacency index, NR- no_route bit LS - load sharing count, RI - router_ip bit, DF: default bit CP - copy_to_cpu bit, AS: dest_AS_number, DGTv - dgt_valid bit DGT: dgt/others value Format:IPV4 (valid class vpn prefix) M(682 ): 1 F 3FFF 255.255.255.255 V(682 ): 1 0 0 192.168.10.10 (A:147497, LS:0, NR:0, RI:0, DF:0 CP:0 DGTv:1, DGT:10) SJC01# cts role-based sgt-map 192.168.10.0/24 sgt 10 cts role-based sgt-map 192.168.20.0/24 sgt 20 cts role-based sgt-map 192.168.30.0/24 sgt 30 cts role-based sgt-map 192.168.40.0/24 sgt 40 cts role-based sgt-map 192.168.200.0/24 sgt 200 SGT-MAP CLI Example 63
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Sup2T SGT L3 Transport Orig IP Header ESP CMD Original Payload ESP TL ip access-list extended l3-cts-policy permit ip any 171.71.0.0/16 permit ip any 171.72.0.0/16 permit ip any 171.73.0.0/16 ! cts policy layer3 ipv4 traffic l3-cts-policy  Configure policy with explicit list of addresses in CTS domain to determine which packets need L3 CTS processing  Packets sent with “transport mode” ESP to carry SGT without encryption or data authentication  Simple H/W operations: encap/decap of ESP with NULL transform Policy for allowed Traffic ip access-list extended l3-cts-exception permit ip any 171.74.0.0/16 permit ip any 171.75.0.0/16 permit ip any 171.76.0.0/16 ! cts policy layer3 ipv4 exception l3-cts-policy Policy for exception traffic Router(config)# interface TenGigabitEthernet 6/1 Router(config-if)# cts layer3 ipv4 trustsec forwarding Configure L3 Transport on the interface 64
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Monitoring SGT Mapping SJC01#show cts role-based sgt-map all Active IP-SGT Bindings Information IP Address SGT Source ============================================ 192.168.10.0/24 10 CLI 192.168.20.0/24 20 CLI 192.168.30.0/24 30 CLI 192.168.40.0/24 40 CLI 192.168.200.0/24 200 CLI IP-SGT Active Bindings Summary ============================================ Total number of CLI bindings = 5 Total number of active bindings = 5 SJC01# SJC01#show cts role-based sgt-map all Active IP-SGT Bindings Information IP Address SGT Source ============================================ 192.168.10.2 10 VLAN 192.168.10.3 10 VLAN 192.168.10.4 10 VLAN 192.168.10.5 10 VLAN 192.168.10.6 10 VLAN 192.168.10.7 10 VLAN 192.168.10.8 10 VLAN 192.168.10.9 10 VLAN 192.168.10.10 10 VLAN 192.168.10.11 10 VLAN …… 65
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Monitoring SGACL Packet Drops with CLI SJC01#show cts role-based permissions IPv4 Role-based permissions from group 10 to group 200 (configured): rbac1 IPv4 Role-based permissions from group 20 to group 200 (configured): rbac1 IPv4 Role-based permissions from group 30 to group 200 (configured): rbac1 IPv4 Role-based permissions from group 40 to group 200 (configured): rbac1 SJC01# SJC01#show ip access-lists rbac1 Role-based IP access list rbac1 10 deny tcp dst eq www (104366 matches) 20 deny tcp dst eq ftp (36402 matches) 30 deny tcp dst eq ftp-data (232 matches) SJC01# 66
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Monitoring SGACL Packet Drops with Flexible Netflow flow record cts-v4 match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match flow direction match flow cts source group-tag match flow cts destination group-tag collect counter bytes collect counter packets flow exporter EXP1 destination 10.2.44.15 source GigabitEthernet3/1 flow monitor cts-mon record cts-v4 exporter EXP1 Interface vlan 10 ip flow monitor cts-mon input ip flow monitor cts-mon output Interface vlan 20 ip flow monitor cts-mon input ip flow monitor cts-mon output Interface vlan 30 ip flow monitor cts-mon input ip flow monitor cts-mon output Interface vlan 40 ip flow monitor cts-mon input ip flow monitor cts-mon output cts role-based ip flow mon cts-mon dropped *Optional – will create flows for only Role-based ACL drops 67
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Monitoring SGACL Packet Drops with Flexible Netflow SJC01#show flow mon cts-mon cache Cache type: Normal Cache size: 4096 Current entries: 1438 High Watermark: 1632 Flows added: 33831 Flows aged: 32393 - Active timeout ( 1800 secs) 0 - Inactive timeout ( 15 secs) 32393 - Event aged 0 - Watermark aged 0 - Emergency aged 0 IPV4 SOURCE ADDRESS: 192.168.30.209 IPV4 DESTINATION ADDRESS: 192.168.200.156 TRNS SOURCE PORT: 60952 TRNS DESTINATION PORT: 80 FLOW DIRECTION: Output FLOW CTS SOURCE GROUP TAG: 30 FLOW CTS DESTINATION GROUP TAG: 200 IP PROTOCOL: 6 counter bytes: 56 counter packets: 1 IPV4 SOURCE ADDRESS: 192.168.20.140 IPV4 DESTINATION ADDRESS: 192.168.200.104 TRNS SOURCE PORT: 8233 TRNS DESTINATION PORT: 80 FLOW DIRECTION: Output FLOW CTS SOURCE GROUP TAG: 20 FLOW CTS DESTINATION GROUP TAG: 200 IP PROTOCOL: 6 counter bytes: 56 counter packets: 1 68
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Monitoring SGT Traffic with Netflow http://www.plixer.com/blog/netflow/cisco-trustsec-netflow-support/ Plixer collector displays SGT information 69
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public How To Create SGA Policy Doctor (SGT 7) IT Admin (SGT 6) IT Portal (SGT 4) Public Portal (SGT 8) Internal Portal (SGT 9) Patient Record DB (SGT 10) Destination SGT Source SGT Web Web No Access Web File Share Web SSH RDP File Share Web SSH RDP File Share Full Access SSH RDP File Share permit tcp dst eq 443 permit tcp dst eq 80 permit tcp dst eq 22 permit tcp dst eq 3389 permit tcp dst eq 135 deny ip IT Maintenance ACL 70
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Configuring Security Group ACLs on ISE 71
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Security Group based Access Control How Enforcement Works IT Portal (SGT 4) Active DirectoryCatalyst® 3750-X Users, Endpoints Campus Network Catalyst 6K Core Nexus® 7000 Distribution ACS v5.1802.1X Public Portal (SGT 8) Internal Portal (SGT 9) Patient Record DB (SGT 10) VLAN100 VLAN200 Untagged Frame Tagged Frame SGT=7 10.1.200.100 10.1.200.20010.1.200.10 10.1.100.10 Web CTS7K-DC# show cts role-based counters sgt 5 RBACL policy counters enabled Counters last cleared: 04/20/2010 at 11:20:58 PM sgt:5 dgt:4 [1555] rbacl:Permit IP permit ip [1555] sgt:5 dgt:8 [1483] rbacl:Permit IP permit ip [1483] sgt:5 dgt:9 [1541] rbacl:Permit IP permit ip [1541] sgt:5 dgt:10 [1804] rbacl:IT_Maintenance_ACL permit tcp dst eq 20 log [0] permit tcp dst eq 21 log [3] permit tcp dst eq 22 log [3] permit tcp dst eq 445 log [0] permit tcp dst eq 135 log [0] permit tcp dst eq 136 log [0] permit tcp dst eq 137 log [0] permit tcp dst eq 138 log [0] permit tcp dst eq 139 log [0] permit tcp dst eq 3389 log [251] permit icmp log [1547] deny ip [0] Access-3K#show cts role-based permissions IPv4 Role-based permissions default: Permit IP-00 IPv4 Role-based permissions from group 11:CTS_Devices to group 11:CTS_Devices: Permit_IP-30 IPv4 Role-based permissions from group 2:MS_Users to group 3:SB_Users: deny_ip IPv4 Role-based permissions from group 10 to group 103 (configured): permit_web Access-3K# Access-3K#show cts environment-data CTS Environment Data ==================== <snip> Security Group Name Table: 0001-30 : 0-7f:Unknown 2-7f:MS_Users 3-7f:SB_Users 4-7f:IT_Portal 5-7f:MS_Servers 6-7f:IT_Admin 7-7f:Guest 9-7f:Internal_Portal 11-7f:CTS_Devices
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Key Takeaways
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Key Takeaways  SGA provides easy way to manage and enforce policy in your networks  Various mapping features enable SGA to be enabled without 802.1X  Monitor Mode can be used with SGA for easy SGA deployment with Identity  SGA can be deployed end-to-end today in Campus Networks 74
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public References Cisco TrustSec http://www.cisco.com/go/trustsec Cisco Catalyst 6500 Series Switches http://www.cisco.com/go/6500 Cisco Catalyst 4500 Series Switches http://www.cisco.com/go/4500 Cisco Catalyst 3750X Series Switches http://www.cisco.com/go/3750x Cisco TechWise TV – Fundamentals of TrustSec http://youtu.be/78-GV7Pz18I 75
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Call to Action • Visit the Cisco Campus at the World of Solutions to experience Cisco innovations in action • Get hands-on experience attending one of the Walk-in Labs • Schedule face to face meeting with one of Cisco’s engineers at the Meet the Engineer center • Discuss your project’s challenges at the Technical Solutions Clinics 76
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public 77
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public References
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public SGA Feature Support Matrix Components Hardware Available Features Release Nexus 7000 series Switch All Nexus 7K cards & chassis F-series don’t support MACSec SGT, SGACL, 802.1AE + SAP, NDAC, SXP v1, IPM,SGT 5.2.4 Catalyst 6500E Switch (Sup 2T) WS-X6908-10G-2T & WS-X6908-10G-2TXL for MACSec SGT, SGACL, 802.1AE + SAP, NDAC, SXPv2 15.0(1)SY1 Catalyst 6500E Switch (Supervisor 32, 720) SXP v2 12.2(33)SXJ2 Catalyst 4500E switches Sup 7E, Sup7L-E (WS-X4712-SFP+E, WS-X4748-UPOE+E, WS-X4748- RJ45V+E, WS-X4748-RJ45-E for MACSec) SXP v2, NDAC, 802.1AE + MKA (downlinks) or SAP (uplinks) IOS-XE 3.3.0SG or 15.1.1(SG) Catalyst 4500E Switches Supervisor 6-E or 6L-E SXPv2 IOS-XE 3.2.2SG or 15.0(1)SG2 Catalyst 3560-X / 3750-X Switches C3KX-SM-10G (MACSec 10GE uplink) SGT, SGACL, NDAC, SXPv2, 802.1AE + MKA or SAP 15.0(2)SE1 Catalyst 3560(E) / 3750(E) Switches 3560E, 3750E SXPv2 15.0(1)SE2 Cisco ASA 5505,5510,5520,5540,5550,5580,5585-X, ASA-SM and Saleen Platforms (5512-X, 5515-X, 5525-X, 5545-X, 5555-X) SXPv2, SGFW 9.0 Cisco ASR 1000 PR1/PR2, 1001, 1002, 1004, 1006, 1013,ESP10/20/40, SIP10/40 SXPv2, SGFW XE3.5 or 15.2(1)S Cisco ISR 88x, 89x, 19xx, 29xx, 39xx SXPv2, SGFW 15.2(2)T Wireless LAN Controller 5500,2500,WISM2, WLCM2 SXPv2 (Speaker Only) 7.2MR1 Nexus 5K N5548P, N5548P and N5596UP. No support for N5010 or N5020 SXP (Speaker Only), SGT, SGACL 5.1(3)N1(1) 80
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cat3K Caveats and Platform Limitations 1. Port-VLAN pair mapping for SGT. 2. Maximum of 8 VLANs per port to be enforced with SGACL. 3. Subnet to SGT Mapping is not supported. 4. Multicast SGACL and IPv6 SGACL are not supported. Scalability Numbers Max number of SGT supported: 1K Max number of SGACL supported: 2K Mixed Stack Scenarios Configuration of SGT/SGACL will take effect only when all the switches in the stack are 3750-X. Configuration of SGT/SGACL is allowed but the config will be effective when all the switches are 3750-X. 81
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public 82 Cat3K Feature Support for SGTagging
© 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public 83 Cat3K Feature Support for SGACL Enforcement
Deploying Secure Converged Wired, Wireless Campus

More Related Content

PDF
Cisco Study: State of Web Security
Cisco Canada
 
PPTX
Ccna sv2 instructor_ppt_ch5
SalmenHAJJI1
 
PDF
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Canada
 
PPTX
[Cisco Connect 2018 - Vietnam] Yedu hn-introducing cisco dna assurance-yedu f...
Nur Shiqim Chok
 
PDF
Cisco Connect Toronto 2018 sixty to zero
Cisco Canada
 
PPTX
012 2 ccna sv2-instructor_ppt_ch9
Babaa Naya
 
PPTX
Ccna sv2 instructor_ppt_ch1
SalmenHAJJI1
 
PPTX
TechWiseTV Workshop: Cisco TrustSec
Robb Boyd
 
Cisco Study: State of Web Security
Cisco Canada
 
Ccna sv2 instructor_ppt_ch5
SalmenHAJJI1
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Canada
 
[Cisco Connect 2018 - Vietnam] Yedu hn-introducing cisco dna assurance-yedu f...
Nur Shiqim Chok
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Canada
 
012 2 ccna sv2-instructor_ppt_ch9
Babaa Naya
 
Ccna sv2 instructor_ppt_ch1
SalmenHAJJI1
 
TechWiseTV Workshop: Cisco TrustSec
Robb Boyd
 

What's hot (20)

PDF
Deployment of cisco_iron_portweb_security_appliance
Alfredo Boiero Sanders
 
PPTX
Ccna sv2 instructor_ppt_ch3
SalmenHAJJI1
 
PDF
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
Cisco Canada
 
PPSX
ISE_Pub
Will Hatcher
 
PDF
Leverage the Network
Cisco Canada
 
PDF
TechWiseTV Workshop: Programmable ASICs
Robb Boyd
 
PPTX
Ccna sv2 instructor_ppt_ch4
SalmenHAJJI1
 
PDF
Brkcrt 1160 c3-rev2
Solomon Abavire Kobina,
 
PDF
Cisco Connect Toronto 2017 - UCS and Hyperflex update
Cisco Canada
 
PPTX
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
Robb Boyd
 
PDF
Cisco Trustsec & Security Group Tagging
Cisco Canada
 
PPTX
Secure Data Center Solution with FP 9300 - BDM
Bill McGee
 
DOC
CV Steve Shawcross
steve shaw-cross
 
PDF
TechWiseTV Workshop: Cisco Stealthwatch and ISE
Robb Boyd
 
PDF
Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...
Cisco Canada
 
PPTX
Ise 1 2-bdm-v4
Danny Liu
 
PPTX
Ccna security v2 instructor_ppt_ch11
SalmenHAJJI1
 
PDF
Cisco Connect Toronto 2017 - Simplifying Cloud Adoption
Cisco Canada
 
PPTX
Ccna sv2 instructor_ppt_ch8
Babaa Naya
 
PPTX
Ccna sv2 instructor_ppt_ch2
SalmenHAJJI1
 
Deployment of cisco_iron_portweb_security_appliance
Alfredo Boiero Sanders
 
Ccna sv2 instructor_ppt_ch3
SalmenHAJJI1
 
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
Cisco Canada
 
ISE_Pub
Will Hatcher
 
Leverage the Network
Cisco Canada
 
TechWiseTV Workshop: Programmable ASICs
Robb Boyd
 
Ccna sv2 instructor_ppt_ch4
SalmenHAJJI1
 
Brkcrt 1160 c3-rev2
Solomon Abavire Kobina,
 
Cisco Connect Toronto 2017 - UCS and Hyperflex update
Cisco Canada
 
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
Robb Boyd
 
Cisco Trustsec & Security Group Tagging
Cisco Canada
 
Secure Data Center Solution with FP 9300 - BDM
Bill McGee
 
CV Steve Shawcross
steve shaw-cross
 
TechWiseTV Workshop: Cisco Stealthwatch and ISE
Robb Boyd
 
Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...
Cisco Canada
 
Ise 1 2-bdm-v4
Danny Liu
 
Ccna security v2 instructor_ppt_ch11
SalmenHAJJI1
 
Cisco Connect Toronto 2017 - Simplifying Cloud Adoption
Cisco Canada
 
Ccna sv2 instructor_ppt_ch8
Babaa Naya
 
Ccna sv2 instructor_ppt_ch2
SalmenHAJJI1
 
Ad

Similar to Deploying Secure Converged Wired, Wireless Campus (20)

PDF
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Cisco Security
 
PDF
Brksec 2048-demystifying aci-security
Cisco
 
PDF
Simplifying the secure data center
Cisco Canada
 
PPT
Chapter 6 overview
ali raza
 
PDF
Presentation cisco data center security deep dive
xKinAnx
 
PDF
如何用建構校園網絡迎接e-Learning時代v2.10
eLearning Consortium 電子學習聯盟
 
PPTX
#CiscoLiveLA 2017 Presentacion de Jerome Henry
ITSitio.com
 
PPTX
Ccna routing and_switching_chapter-1-2-3_mme
United International University
 
PDF
CCNP Security-Secure
mohannadalhanahnah
 
PDF
Cisco ISE Performance, Scalability and Best Practices.pdf
superdpz
 
PDF
BRKSEC-2021 Firewall Architectures in the Data Centre and Internet Edge.pdf
AntonioIsipJr1
 
PPTX
ISE_2.1_BDM_v3a.pptx
Yaser330700
 
PDF
Enterprise Architecture, Deployment and Positioning
Cisco Russia
 
PPTX
Cisco Virtualized Network Services
Soumen Chatterjee
 
PPTX
[Cisco Connect 2018 - Vietnam] Cisco connect 2018 sanjay - cisco sda v1.0-h...
Nur Shiqim Chok
 
PDF
CCNASecurity v2 Overview Presentation .pdf
AngelBaspineiroValve
 
PDF
BRKSEC-2494.pdf
JacksonGonzalez14
 
PDF
Cisco.350-701.v2021-12-14.q124.pdf
RoysLoudes
 
PDF
Ch2 - Securing Network Devices - CCNA Security.pdf
OhmRon
 
PDF
Chapter 6-Securing the Local Area Network.pdf
OhmRon
 
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Cisco Security
 
Brksec 2048-demystifying aci-security
Cisco
 
Simplifying the secure data center
Cisco Canada
 
Chapter 6 overview
ali raza
 
Presentation cisco data center security deep dive
xKinAnx
 
如何用建構校園網絡迎接e-Learning時代v2.10
eLearning Consortium 電子學習聯盟
 
#CiscoLiveLA 2017 Presentacion de Jerome Henry
ITSitio.com
 
Ccna routing and_switching_chapter-1-2-3_mme
United International University
 
CCNP Security-Secure
mohannadalhanahnah
 
Cisco ISE Performance, Scalability and Best Practices.pdf
superdpz
 
BRKSEC-2021 Firewall Architectures in the Data Centre and Internet Edge.pdf
AntonioIsipJr1
 
ISE_2.1_BDM_v3a.pptx
Yaser330700
 
Enterprise Architecture, Deployment and Positioning
Cisco Russia
 
Cisco Virtualized Network Services
Soumen Chatterjee
 
[Cisco Connect 2018 - Vietnam] Cisco connect 2018 sanjay - cisco sda v1.0-h...
Nur Shiqim Chok
 
CCNASecurity v2 Overview Presentation .pdf
AngelBaspineiroValve
 
BRKSEC-2494.pdf
JacksonGonzalez14
 
Cisco.350-701.v2021-12-14.q124.pdf
RoysLoudes
 
Ch2 - Securing Network Devices - CCNA Security.pdf
OhmRon
 
Chapter 6-Securing the Local Area Network.pdf
OhmRon
 
Ad

Deploying Secure Converged Wired, Wireless Campus

  • 2. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Deploying Secure Converged Wired, Wireless Campus Rolando Salinas BRKCRS-2199
  • 3. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Abstract • This session provides an overview of the Cisco TrustSec Security Group Access (SGA) solution for Role-Based Access Control with focus on Campus Network. SGA allows for simplified network segmentation based on User Identity/Role and allows for secure access and consistent security policies across Wired/Wireless networks. SGA helps define BYOD policies through security policies based on User/Role/Device/Location. • The session covers SGA on the Catalyst Switching platforms, including converged wired/wireless. The session covers an architectural overview of SGA and benefits of a converged wired/wireless network, elements of Cisco TrustSec such as user identification with 802.1x, device identification, role classification using Security Group Tagging (SGT) and enforcement using Security Group Access Control List (SGACL). We also discuss various SGA deployment use cases in a campus network. This session is for Network Architects, Pre-Sales Engineers and Technical Decision Makers. 3
  • 4. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public got TrustSec? Why should you care about TrustSec • BYOD, IPv6 and Internet of Things require different approach to manageability • Unified Security Policy across Wired and Wireless 4
  • 5. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Agenda • TrustSec Overview • Campus Deployment Use Cases • Migration Path • Wireless Integration • How to Deploy 5
  • 6. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Session Objectives TrustSec is ready to be deployed in campus networks today. At the end of the session, the participants should be able to: Understand Components of TrustSec Solution Differentiate Campus Deployment Models Learn about Best Practices, Migration Paths and Caveats Not Covered  Basic IEEE 802.1X concepts  Branch Scenario  ASA Firewall 6
  • 7. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public TrustSec: An Overview
  • 8. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Campus Network Network Security Challenges Security Challenges • User Identification • Device Identification • Segmentation • Unified Policy • Central Policy Management • Network Infrastructure Protection • Scalable for future growth IT 3.1.1.1 Finance 2.1.1.1 Doctor 1.1.1.1 Access Distribution Core Data Center Identity Service Engine Directory Service WLC Patient DB 10.1.1.1 8
  • 9. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Segmentation The Challenge of Traditional Security Enforcement Access Distribution Core Data Center Identity Service Engine Directory Service WLC permit tcp 3.1.1.1 100.1.1.1 eq https permit tcp 3.1.1.1 100.1.1.1 eq 8081 deny ip 3.1.1.1 200.1.1.2 permit tcp 2.1.1.1 150.1.1.1 eq https permit tcp 2.1.1.1 150.1.1.1 eq 8081 permit tcp 2.1.1.1 150.1.1.1 eq 445 deny ip 2.1.1.1 150.1.1.1 permit tcp 2.1.1.1 200.1.1.2 eq https deny ip 2.1.1.1 200.1.1.2 permit tcp 3.1.1.1 100.1.1.1 eq https permit tcp 3.1.1.1 100.1.1.1 eq 8081 deny ip 3.1.1.1 200.1.1.2 permit tcp 2.1.1.1 150.1.1.1 eq https permit tcp 2.1.1.1 150.1.1.1 eq 8081 permit tcp 2.1.1.1 150.1.1.1 eq 445 deny ip 2.1.1.1 150.1.1.1 permit tcp 2.1.1.1 200.1.1.2 eq https deny ip 2.1.1.1 200.1.1.2 permit tcp 1.1.1.1 100.1.1.1 eq https permit tcp 1.1.1.1 100.1.1.1 eq 8081 permit tcp 1.1.1.1 100.1.1.1 eq 445 deny ip 1.1.1.1 100.1.1.2 permit tcp 1.1.1.1 100.1.1.2 eq https deny ip 1.1.1.1 100.1.1.2 permit tcp 1.1.1.1 150.1.1.2 eq https deny ip 1.1.1.1 150.1.1.2 permit tcp 1.1.1.1 200.1.1.1 eq https deny ip 1.1.1.1 200.1.1.1 permit tcp 1.1.1.1 100.1.1.1 eq https permit tcp 1.1.1.1 100.1.1.1 eq 8081 permit tcp 1.1.1.1 100.1.1.1 eq 445 deny ip 1.1.1.1 100.1.1.2 permit tcp 1.1.1.1 100.1.1.2 eq https deny ip 1.1.1.1 100.1.1.2 permit tcp 1.1.1.1 150.1.1.2 eq https deny ip 1.1.1.1 150.1.1.2 permit tcp 1.1.1.1 200.1.1.1 eq https deny ip 1.1.1.1 200.1.1.1 permit tcp any 200.1.1.1 eq https permit tcp any 200.1.1.1 eq 8081 deny ip all permit tcp any 150.1.1.1 eq https permit tcp any 150.1.1.1 eq 8081 permit tcp any 150.1.1.1 eq 445 deny ip all permit tcp any 100.1.1.1 eq https deny ip all Access Control with IP Access Control Lists • Topology-based • Manual configurations • Error prone • Unscalable • Difficult to maintain VLAN 10IT 3.1.1.1 VLAN 20Finance 2.1.1.1 VLAN 30Doctor 1.1.1.1 9
  • 10. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Comprehensive End-to-End Security Cisco TrustSec Segmentation (Compliance) Topology Independent Segmentation with Secure Group Access (SGA) Context-Aware Control Role-Based Access Control with Security Group Tagging (SGT) Identify, Profile Devices with Device Sensor 802.1X Authentication What Where HowWho IDENTITY When Protect Network Infrastructure MACsec Encryption Network Device Admission Control (NDAC) 10
  • 11. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Authentication Features Context-Aware Control User Authentication: 802.1X Cisco Catalyst Switch Network Device IP Phones Authorized Users GuestsTablets 802.1X MAB WebAuth Monitor Mode • Unobstructed access • No impact on productivity • Gain visibility 11
  • 12. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Identify Devices and set Device-based policies with Device Sensor Context-Aware Control Device Sensor CDP LLDP DHCP MAC 1 Device-Aware Identity- Aware Corp PC Doctor Personal Laptop Doctor IP Phone N/A Identity Service Engine Device Sensor 12
  • 13. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Segmentation Security Group Access Access Distribution Data Center Directory Service Identity Service Engine WLC IT 3.1.1.1 Finance 2.1.1.1 Doctor 1.1.1.1 Email Server Financial Servers Patient Records Doctors IMAP No Access File Share IT Allow All SQL SQL Finance IMAP Web No Access Access Control with Secure Group Access • Context-based Classification • Role-based Policies • Topology-independent • Network wide enforcement • Scalable • Easy to administer • One Policy What Where HowWho IDENTITY When 13
  • 14. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain SGT SGT SGT SGT SGT VLAN 110 VLAN 120 VLAN 130 Protect Network Infrastructure Network Device Admission Control (NDAC) Identity Service Engine Switch1 Switch2 Switch3 Switch4 Switch3 Switch4 Switch1 Switch2 Switch5 Platform Release Cat3Kx 15.0(2)SE Cat4K 3.3.0SG Cat6K 15.0(1)SY 14
  • 15. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain SGT SGT SGT SGT SGT VLAN 110 VLAN 120 VLAN 130 Protect Network Infrastructure MAC Security (MACSec) Identity Service Engine SGT SGT Everything is sent in clear therefore you can see everything on wire Platform Release Cat3Kx 15.0(2)SE Cat4K 3.3.0SG Cat6K 15.0(1)SY 15
  • 16. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain SGT SGT SGT SGT SGT VLAN 110 VLAN 120 VLAN 130 Identity Service Engine MACSec Enabled &^*RTW#(*J^*&*sd#J$%UJ&(&^*RTW#(*J^*&*sd#J$ Platform Release Cat3Kx 15.0(2)SE Cat4K 3.3.0SG Cat6K 15.0(1)SY Protect Network Infrastructure MAC Security (MACSec) 16
  • 17. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public How Cisco TrustSec Works
  • 18. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain SGT SGT SGT SGT SGT cts role-based permissions from 10 to 111 permit tcp dst eq 443 permit tcp dst eq 80 deny ip SGACL Enforcement cts role-based sgt-map VLAN-list 10 sgt 10 cts role-based sgt-map 192.168.10.0/24 sgt 10 Map VLANs or IP Subnets to SGT Values Segmentation Security Group Tagging (SGT) and SGACL Identity Service Engine SG Tag Imposed to Incoming Traffic Can Forward Existing SGT Traffic or Map SGTs Manually Device- Aware 1 1 Identity- Aware Security Group Doctor DoctorCorp PC Doctor Personal PC Doctor IP Phone NA Voice 18
  • 19. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Role Identification (SGT Assignment) Campus/Mobile endpoints • via Manual IP-to-SGT binding on TrustSec device • via IP-to-Port Mapping Data Center / Servers • via 802.1X Authentication • via MAC Authentication Bypass • via Web Authentication Bypass • Or Static IP-to-SGT binding on SW Full integration with Cisco Identity Solution Just like VLAN Assignment or dACL, we assign SGT in authorization process 19
  • 20. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain How SGT Assignment Works Identity Service Engine SRC DST Server A (20) User A (6) SGACL-A802.1X 192.168.1.1 10.1.1.102 = SGT 6 Dynamic SGT Assignment 10.1.1.102 cts role-based permissions from 6 to 20 permit tcp dst eq 443 deny ip SGACL Download cts role-based sgt-map 192.168.1.1 sgt 20 IP-to-SGT Assignment RADIUS ACCESS-ACCEPT SGT=6 20
  • 21. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain How SGACL Enforcement Works Identity Service Engine SRC DST Server A (20) User A (6) SGACL-A 192.168.1.1 10.1.1.102 cts role-based permissions from 6 to 20 permit tcp dst eq 443 deny ip SGACL Download cts role-based sgt-map 192.168.1.1 sgt 20 IP-to-SGT Assignment 10.1.1.102 = SGT 6 Dynamic SGT Assignment HTTPS SGT=6 FTP SGT=6 21
  • 22. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public RADIUS Access-Request Frame Format User Authentication Request 22
  • 23. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public RADIUS Access-Accept Frame Format User Authentication With Downloadable ACL 23
  • 24. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public RADIUS Access-Accept Frame Format User Authentication With SGT Assignment 24
  • 25. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public RADIUS Access-Request Frame Format Device Authentication Request Switch sends request to authenticate itself 25
  • 26. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public RADIUS Access-Request Frame Format Device Authentication & SGACL requests Subsequent requests include SGTs found in the switch 26
  • 27. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public RADIUS Access-Accept Frame Format Device Authentication Switch authenticated 27
  • 28. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public SGACLs matching destination downloaded SGACLs downloaded RADIUS Access-Accept Frame Format Device Authentication, SGACL & SGACL Matrix Download 28
  • 29. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public SGA Deployment Use Cases
  • 30. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public DataCenterCoreDistAccess SGA Deployment Use Cases Campus Reference Design Nexus 7010 N5K ISE 1.1SQL ServerWEB ServerFile Server Directory Service Cat3750-X Cat4500 Cat6500 Cat6500 Cat6500 Cat6500 User A User B  Access, Distribution & Core  Data Center  802.1X based SGT Assignment  Statically configured SGT Assignment  Migration Scenarios Deployment Modes 31
  • 31. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Campus LAN Deployment Nexus 7010 N5K ISE 1.1SQL ServerWEB Server 2.1.1.1 File Server 1.1.1.1 Directory Service Cat3750/X Campus Access Data Center Cat3750/X Campus users accessing resources in Data Center Use Case Cat6500 Cat6500 Cat6500 Cat6500 User A User B Requirement  User A should be able to access File Server & Web Server  User B should be denied access to File Server 32
  • 32. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Campus LAN Deployment How is it done today without SGA Nexus 7010 N5K ISE 1.1SQL Server Directory Service Cat3750/X Campus Access Data Center Assigned/Downloaded VLAN, ACL via 802.1X, MAB Cat3750/XCampus users accessing resources in Data Center  User VLAN statically defined or assigned during 802.1X or MAB Authentication  ACL statically defined or downloaded during Authentication Use Case Cat6500 Cat6500 Cat6500 Cat6500 User A User B VLAN 10 VLAN 20 File Server 1.1.1.1 WEB Server 2.1.1.1 Access Layer Enforced Downloaded or Statically Defined ACL ! Permit tcp any 1.1.1.1 eq 20 Permit tcp any 2.1.1.1 eq http Permit tcp any 2.1.1.1 eq https Deny ip any any Statically Defined VLAN or Assignment from RADIUS ! Vlan 10, 20 33
  • 33. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Campus LAN Deployment How is it done with SGA Nexus 7010 N5K ISE 1.1SQL ServerWEB ServerFile Server Directory Service Cat3750/X Campus Access Data Center SGT Assignment via 802.1X, MAB, Web Auth SGACL Enforcement Cat3750/X SRC DST File Server (111) Web Server (222) User A (10) Permit all SGACL-B User B (20) Deny all SGACL-C 111 222 2010 Campus users accessing resources in Data Center  User traffic SGTagged at access via 802.1X, MAB, or Web Authentication  Server SGT assigned via static mapping  SGTag propagated thru access, distribution to data center  SGACL enforcement at data center egress switch Use Case Cat6500 Cat6500 Cat6500 Cat6500 User A User B Data Center Enforcement Platform Release Cat3Kx 15.0(2)SE Cat4K Indus* Cat6K 15.0(1)SY Access Layer Tagging
  • 34. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Access Layer Enforcement Nexus 7010 N5K ISE 1.1SQL ServerWEB ServerFile Server Directory Service Cat3750-X Campus Access Data Center SGT Assignment via 802.1X, MAB, Web Auth SGACL Enforcement SRC DST User A (10) User B (20) Guest (30) User A (10) Permit all Deny all Deny all User B (20) Deny all Permit all Deny all Guest (30) Deny all Deny all Permit all 111 222 3020 Segmentation between users/resources in campus  User traffic SGTagged at access via 802.1X, MAB, or Web Authentication  Resource SGTagged via 802.1X, MAB, or static mapping  SGACL enforcement at egress access switch Use Case Cat6500 Cat6500 Cat6500 Cat6500 User B Guest 10 User A Cat3750-X Platform Release Cat3Kx 15.0(2)SE Cat4K Indus* Cat6K 15.0(1)SY Access Layer Tagging Access Layer Enforcement
  • 35. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Campus Migration Path
  • 36. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Challenges Migrating to a TrustSec Network • End device authentication ‒ Different authentication mechanisms for device types ‒ Multiple devices per per port • Network device authentication ‒ Prevent malicious or accidental changes in the network • Partial support of TrustSec features in network devices ‒ Many features require new or specific hardware 37
  • 37. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Nexus® 7000 SGA with Monitor Mode Zero Enforcement ISE 1. User connects to network 2. Monitor mode allows traffic from endpoint before authentication 3. Authentication is performed and results are logged by ISE 4. Traffic traverses to Data Center and hits SGACL at egress enforcement point 5. All traffics are permitted with SGACL. No impact to the user traffic Egress Enforcement  Security Group ACL Campus Network Catalyst® Switches (3K/4K) Monitor Mode SRC DST HR Server (111) ACME Server (222) ACME-User(8) Permit all Permit all HR-User (10) Permit all Permit all Unknown (0) Permit all Permit all authentication port-control auto authentication open dot1x pae authenticator HR Server ACME Server ACME ServerAUTH=OK SGT=8 Users, Endpoints SGT SGT Catalyst® 6K Catalyst® 6K 38
  • 38. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Nexus® 7000 SGA with Monitor Mode SGACL Enforcement ISE 1. User connects to network 2. Monitor mode allows traffic from endpoint before authentication 3. Authentication is performed and results are logged by ISE 4. Traffic traverses to Data Center and hits SGACL at egress enforcement point 5. Only permitted traffic path (source SGT to destination SGT) is allowed Egress Enforcement  Security Group ACL Campus Network Catalyst® Switches (3K/4K) Monitor Mode SRC DST HR Server (111) ACME Server (222) ACME-User(8) Deny all Permit all HR-User (10) Permit all Permit all Unknown (0) Deny all Deny all authentication port-control auto authentication open dot1x pae authenticator HR Server ACME Server ACME ServerAUTH=OK SGT=8 Users, Endpoints SGT SGT Catalyst® 6K Catalyst® 6K 39
  • 39. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public TrustSec Domain VLAN-to-SGT Mapping Nexus 7010 N5K ISE 1.1SQL ServerPublic PortalFile Server Directory Service Cat3750-X Campus Access Data Center SGACL Enforcement SRC(SGT) / DST(DGT) File Server (111) Public Portal (222) Partners (20) Guest (30) Emp (10) Permit all Permit Web SGACL-A Deny all Prtnr (20) Permit Web Permit Web Deny all Deny all Guest (30) Deny all Permit Web Deny all SGACL-B Migration path – VLAN-to-SGT mapping  Source SGT assigned via VLAN-to-SGT mapping  Server SGT assigned via static mapping  SGACL enforcement at access switch & data center egress switch  IP Device Tracking must be enabled Use Case Cat6500 Cat6500 Cat6500 Cat6500 SGT Assignment via VLAN-to-SGT mapping 111 222 302010 Cat3750-X Guest Employees Partners Data Center Enforcement VLAN 10 VLAN 20 VLAN 30 Access Layer Enforcement Access Layer Tagging Platform Release Cat3Kx 15.0(2)SE Cat4K Indus* Cat6K 15.0(1)SY 40
  • 40. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public TrustSec Domain VLAN-to-SGT Mapping Company Mergers Nexus 7010 N5K ISE 1.1SQL ServerPublic PortalFile Server Directory Service Campus Access Data Center SGACL Enforcement Cat6500 Cat6500 Cat6500 Cat6500 111 222 SGT Assignment via VLAN-to-SGT mapping 2010 Cat3750-X GuestEmployees Data Center Enforcement Access Layer Tagging Company A 30 211 Nexus 7010 Public PortalFile Server Cat3750-X Campus Access Data Center Cat6500 Cat6500 Cat6500 Cat6500 Cat3750-X GuestEmployees VLAN 40VLAN 30 Company B VLAN 10 VLAN 20 SRC(SGT) / DST(DGT) File Server (111) Public Portal (222) Guest (20) Emp (10) Permit all Permit Web Deny all Guest (20) Deny all Permit Web SGACL-B SRC(SGT) / DST(DGT) File Server (111) Public Portal (222) Guest (30) File Server (211) Emp(10) Permit all Permit Web Deny all SGACL_E Guest(20) Deny all Permit Web SGACL-B Permit Web Emp_B(30) Deny all Deny all Deny all Permit all Platform Release Cat3Kx 15.0(2)SE Cat4K Indus* Cat6K 15.0(1)SY 41
  • 41. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public TrustSec Domain Subnet-to-SGT Mapping Nexus 7010 N5K ISE 1.1SQL ServerPublic PortalFile Server Directory Service Cat3750 Campus Access Data Center SGACL Enforcement Cat6500 Cat6500 Cat6500 Cat6500 Cat4500 GuestEmployees Partners 1.1.1.0 2.1.1.0 3.1.1.0 Migration path – Subnet-to-SGT mapping  Source SGT assigned via Subnet-to-SGT mapping  Subnet bindings are static, no learning of active hosts  Prefixes can be exported directly with SXPv3  Server SGT assigned via static mapping  SGACL enforcement at Dist switch & data center egress switch Use Case SRC(SGT) / DST(DGT) File Server (111) Public Portal (222) Partners (20) Guest (30) Emp (10) Permit all Permit Web SGACL-A Deny all Prtnr (20) Permit Web Permit Web Deny all Deny all Guest (30) Deny all Permit Web Deny all SGACL-B 111 222 SGT Assignment via Subnet-to-SGT mapping 1.1.1.0 10= 2.1.1.0 20= 3.1.1.0 30= Platform Release Cat4K Indus* Cat6K 15.0(1)SY 42
  • 42. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Platform Release Cat3Kx 15.0(2)SE Cat4K Indus* Cat6K 15.0(1)SY TrustSec Domain IP-to-SGT Mapping Nexus 7010 N5K ISE 1.1SQL ServerPublic PortalFile Server Directory Service Cat3750-X Campus Access Data Center SGACL Enforcement Cat6500 Cat6500 Cat6500 Cat6500 Employees Partners VLAN 20 IP-to-SGT mapping  Source SGT assigned via IP-to-SGT mapping  IP Device Tracking must be enabled  Typically used for statically assigned IP devices  Server SGT assigned via static mapping  SGACL enforcement at access switch & data center egress switch Use Case SRC(SGT) / DST(DGT) File Server (111) Public Portal (222) Partners (20) Guest (30) IPSVC (31) Printer (32) Emp (10) Permit all Permit Web SGACL-A Deny all Permit all Permit all Prtnr (20) Permit Web Permit Web Deny all Deny all Deny all Permit all Guest (30) Deny all Permit Web Deny all SGACL-B Deny all Permit all Cat3750-X VLAN 10 10.1.1.1 10.1.1.2 111 222 SGT Assignment via IP-to-SGT mapping 10.1.1.1 10 = 10.1.1.2 20 = 31 32 31 32 43
  • 43. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public TrustSec Domain Port-to-SGT Mapping Nexus 7010 N5K ISE 1.1SQL ServerPublic PortalFile Servers Directory Service Cat3750-X Data Center SGACL Enforcement Cat6500 Cat6500 Cat6500 Cat6500 Port-to-SGT mapping  Source SGT assigned via Port-to-SGT mapping  Typically used when connected to untrusted switches  Server SGT assigned via static mapping  SGACL enforcement at data center switch Use Case SRC(SGT) / DST(DGT) File Server (111) File Server (112) File Server (113) Public Portal (222) Prtnr1 (10) Permit all Deny all Deny all Permit Web Prtnr2 (20) Deny all Permit all Deny all Permit Web Prtnr3 (30) Deny all Deny all Permit all Permit Web Partner 2Partner 1 Partner 3 G1/2 111 222 SGT Assignment via Port-to-SGT mapping Int G1/1 = Int G1/2 = 10 20 Int G1/3 30= 112 113Platform Release Cat3Kx 15.0(2)SE Cat4K Indus* Cat6K 15.0(1)SY 44
  • 44. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public What If Scenarios
  • 45. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public What if my Access Switch isn’t capable of SGTagging Catalyst® 2960S802.1X Users, Endpoints IT Portal (SGT 4) 10.1.100.10 Cat6500 Sup2T Distribution/Core ISE 1.1N7K If the switch supports SXP, switch can send IP-to-SGT binding table to SGT capable device (e.g. Catalyst 6500 with Sup2T) Active Directory IP Address SGT Source 10.1.10.102 5 LOCAL 10.1.10.110 14 LOCAL 10.1.99.100 12 LOCAL SXP Speaker Locally Learned Listener 46
  • 46. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public VLAN100 Doctor (SGT 7) IT Admin (SGT 5) MAB LWA Agent-less Device Campus Network SGT=7 SGT Enforcement SGTagging based on SXP Catalyst® 2960S802.1X Users, Endpoints IT Portal (SGT 4) 10.1.100.10 Cat6500 Sup2T Distribution/Core ISE 1.1 When SGT capable device receives packet, it looks up SGT value in table, insert SGT tag to frame when it exits egress port Active Directory IP Address SGT Source 10.1.10.102 5 SXP 10.1.10.110 14 SXP 10.1.99.100 12 SXP Untagged Frame Tagged Frame SRC=10.1.10.102 IP-to-SGT Binding Table SGT=5 N7K SXP © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public 47
  • 47. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public VLAN100 Doctor (SGT 7) IT Admin (SGT 5) MAB LWA Agent-less Device Campus Network Untagged Frame Tagged Frame SGT=7 What if my Dist/Core Switch isn’t capable of SGTagging Catalyst® 2960S802.1X Users, Endpoints IT Portal (SGT 4) 10.1.100.10 Cat6500 Sup720 Distribution/Core ISE 1.1 N7K If the switch supports SXP, switch can send IP-to-SGT binding table to SGT capable device (e.g. Nexus 7K) Active Directory IP Address SGT Source 10.1.10.102 5 LOCAL 10.1.10.110 14 LOCAL 10.1.99.100 12 LOCAL SXP Locally Learned Speaker Listener © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public 48
  • 48. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public What if I received multiple SGT Assignment SGT Assignment Priorities INTERNAL—Bindings between locally configured IP addresses and the device own SGT LOCAL—Bindings of authenticated hosts which are learned via IPM and device tracking. This type of binding also include individual hosts that are learned via ARP snooping on L2 [I]PM configured ports. IP_ARP—Bindings learned when tagged ARP packets are received on a CTS capable link. SXP—Bindings learned from SXP peers. The current priority enforcement order, from highest to lowest: Layer 3 Interface—(L3IF) Bindings added due to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports. CLI— Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command. (Hosts and subnets) VLAN—Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured. New 49
  • 49. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public SGT Transport over non-TrustSec Domain Cisco TrustSecDomain Cisco TrustSecDomain IP Network or WAN IP HeaderSGT Payload SGT PayloadIP Header ESP IPHeaderSGTPayloadSGTPayloadIPHeaderESP Non- TrustSec Domain Original Packet Use Case Connecting TrustSec Domains – L3 SGT Transport Challenge  Partial TrustSec infrastructure support Solution  Encap/Decap traffic in IP ESP header between sites  SGT is carried in the ESP Payload  No Payload Encryption SGT L3 Transport Platform Release Cat6K (Sup2T) 15.0(1)SY ESP overhead (42-45 bytes) impacts IP MTU/Fragmentation ESP – Encapsulating Security Payload
  • 50. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Sup2T SGT L3 Transport Orig IP Header ESP CMD Original Payload ESP TL ip access-list extended l3-cts-policy permit ip any 171.71.0.0/16 permit ip any 171.72.0.0/16 permit ip any 171.73.0.0/16 ! cts policy layer3 ipv4 traffic l3-cts-policy  Configure policy with explicit list of addresses in CTS domain to determine which packets need L3 CTS processing  Packets sent with “transport mode” ESP to carry SGT without encryption or data authentication  Simple H/W operations: encap/decap of ESP with NULL transform Policy for allowed Traffic ip access-list extended l3-cts-exception permit ip any 171.74.0.0/16 permit ip any 171.75.0.0/16 permit ip any 171.76.0.0/16 ! cts policy layer3 ipv4 exception l3-cts-policy Policy to for exception traffic Router(config)# interface TenGigabitEthernet 6/1 Router(config-if)# cts layer3 ipv4 trustsec forwarding Configure L3 Transport on the interface 51
  • 51. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public TrustSec: Best Practices
  • 52. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Catalyst® Switches (3K/4K/6K) SGA and Monitor Mode Users, Endpoints Nexus® 7000 ISE 1.1 Campus Network Ingress Enforcement  VLAN Assignment  Downloadable ACL TrustSec™ Domain Monitor Mode Egress Enforcement  Security Group ACL 53
  • 53. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain SGT SGT SGT SGT SGT VLAN 110 VLAN 120 VLAN 130 MACSec and SGA Identity Service Engine MACSec Enabled 54
  • 54. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain SGT SGT SGT SGT SGT VLAN 110 VLAN 120 VLAN 130 SGA and RADIUS COA Why Radius COA Identity Service Engine SRC DST Server A (111) Server B (222) User A (10) Permit all SGACL-A User B (20) Deny all SGACL-B SRC DST Server A (111) Server B (222) User A (10) Permit all SGACL-C User B (20) Deny all SGACL-B cts role-based permissions from 10 to 222 permit tcp dst eq 443 permit tcp dst eq 80 deny ip SGACL Enforcement cts role-based permissions from 10 to 222 permit tcp dst eq 443 deny ip SGACL Enforcement 55
  • 55. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cisco TrustSec Domain SGT SGT SGT SGT SGT VLAN 110 VLAN 120 VLAN 130 SGA and RADIUS COA With Radius COA Identity Service Engine SRC DST Server A (111) Server B (222) User A (10) Permit all SGACL-A User B (20) Deny all SGACL-B SRC DST Server A (111) Server B (222) User A (10) Permit all SGACL-C User B (20) Deny all SGACL-B cts role-based permissions from 10 to 222 permit tcp dst eq 443 permit tcp dst eq 80 deny ip SGACL Enforcement cts role-based permissions from 10 to 222 permit tcp dst eq 443 deny ip SGACL Enforcement 56
  • 56. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public How to Deploy SGA
  • 57. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public How To Deploy NDAC NDAC – Seed Device Switch Configurations Configuration Commands: aaa new-model radius server ise address ipv4 <ip address> auth-port 1812 acct-port 1813 pac key <password> aaa authentication dot1x default group radius aaa authorization network cts group radius aaa session-id common cts authorization list cts dot1x system-auth-control ! Interface t5/1 switchport mode trunk cts dot1x ! <exec mode> cts credentials id <userid> password <password> Seed device includes RADIUS info 58
  • 58. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public How To Deploy NDAC NDAC – Non-Seed Device Switch Configurations Configuration Commands: aaa new-model aaa authentication dot1x default group radius aaa authorization network default group radius aaa session-id common dot1x system-auth-control ! Interface t5/1 switchport mode trunk cts dot1x ! <exec mode> cts credentials id <userid> password <password>  Non-Seed device need not include RADIUS info  Dynamically learns RADIUS info from Seed Device 59
  • 59. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Configuring Network Device Admission Control (NDAC) on ISE Administration > Network Resources > Network Devices 60
  • 60. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public MAB LWA Agent-less Device VLAN100 Active Directory Campus Network SXP VLAN200 Untagged Frame Tagged Frame SGT=7 SGT Enforcement SGT Assignment for Roles Catalyst® 3750-X802.1X, MAB, LWA Users, Endpoints Dynamic SGT Assignment For Endpoint Public Portal (SGT 8) Internal Portal (SGT 9) Patient Record DB (SGT 10) 10.1.200.100 10.1.200.20010.1.200.10 IT Portal (SGT 4) 10.1.100.10 Catalyst 6K Core Nexus® 7000 Distribution ISE 1.1 Static SGT Assignment For Servers Catalyst® 4948 Doctor (SGT 7) IT Admin (SGT 6) 61
  • 61. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public VLAN to SGT Mapping VLAN to SGT mapping uses IP Device Tracking mechanism to dynamically create IP to SGT bindings per VLAN Once bindings are created IP device tracking uses periodic ARP Probe messages to keep IP to SGT bindings active ip device tracking ! cts role-based sgt-map vlan-list 10 sgt 10 cts role-based sgt-map vlan-list 20 sgt 20 cts role-based sgt-map vlan-list 30 sgt 30 cts role-based sgt-map vlan-list 40 sgt 40 cts role-based sgt-map vlan-list 200 sgt 200 SJC01#show cts role-based sgt-map summary IP-SGT Active Bindings Summary ============================================ Total number of VLAN bindings = 1012 Total number of CLI bindings = 1 Total number of active bindings = 1013 VLAN 10 62
  • 62. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public IP Subnet to SGT Mapping Layer 3 interface mapping to SGT (L3IF) is supported on the following L3 logical or physical interfaces: Routed port SVI (VLAN interface) L3 subinterface of L2 port Tunnel interface• Dynamically adds Destination Group Tag (DGT) to the FIB entries matching the SGT-MAP configured prefixes SJC01#show platform hardware cef 192.168.10.10 detail Codes: M - mask entry, V - value entry, A - adjacency index, NR- no_route bit LS - load sharing count, RI - router_ip bit, DF: default bit CP - copy_to_cpu bit, AS: dest_AS_number, DGTv - dgt_valid bit DGT: dgt/others value Format:IPV4 (valid class vpn prefix) M(682 ): 1 F 3FFF 255.255.255.255 V(682 ): 1 0 0 192.168.10.10 (A:147497, LS:0, NR:0, RI:0, DF:0 CP:0 DGTv:1, DGT:10) SJC01# cts role-based sgt-map 192.168.10.0/24 sgt 10 cts role-based sgt-map 192.168.20.0/24 sgt 20 cts role-based sgt-map 192.168.30.0/24 sgt 30 cts role-based sgt-map 192.168.40.0/24 sgt 40 cts role-based sgt-map 192.168.200.0/24 sgt 200 SGT-MAP CLI Example 63
  • 63. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Sup2T SGT L3 Transport Orig IP Header ESP CMD Original Payload ESP TL ip access-list extended l3-cts-policy permit ip any 171.71.0.0/16 permit ip any 171.72.0.0/16 permit ip any 171.73.0.0/16 ! cts policy layer3 ipv4 traffic l3-cts-policy  Configure policy with explicit list of addresses in CTS domain to determine which packets need L3 CTS processing  Packets sent with “transport mode” ESP to carry SGT without encryption or data authentication  Simple H/W operations: encap/decap of ESP with NULL transform Policy for allowed Traffic ip access-list extended l3-cts-exception permit ip any 171.74.0.0/16 permit ip any 171.75.0.0/16 permit ip any 171.76.0.0/16 ! cts policy layer3 ipv4 exception l3-cts-policy Policy for exception traffic Router(config)# interface TenGigabitEthernet 6/1 Router(config-if)# cts layer3 ipv4 trustsec forwarding Configure L3 Transport on the interface 64
  • 64. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Monitoring SGT Mapping SJC01#show cts role-based sgt-map all Active IP-SGT Bindings Information IP Address SGT Source ============================================ 192.168.10.0/24 10 CLI 192.168.20.0/24 20 CLI 192.168.30.0/24 30 CLI 192.168.40.0/24 40 CLI 192.168.200.0/24 200 CLI IP-SGT Active Bindings Summary ============================================ Total number of CLI bindings = 5 Total number of active bindings = 5 SJC01# SJC01#show cts role-based sgt-map all Active IP-SGT Bindings Information IP Address SGT Source ============================================ 192.168.10.2 10 VLAN 192.168.10.3 10 VLAN 192.168.10.4 10 VLAN 192.168.10.5 10 VLAN 192.168.10.6 10 VLAN 192.168.10.7 10 VLAN 192.168.10.8 10 VLAN 192.168.10.9 10 VLAN 192.168.10.10 10 VLAN 192.168.10.11 10 VLAN …… 65
  • 65. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Monitoring SGACL Packet Drops with CLI SJC01#show cts role-based permissions IPv4 Role-based permissions from group 10 to group 200 (configured): rbac1 IPv4 Role-based permissions from group 20 to group 200 (configured): rbac1 IPv4 Role-based permissions from group 30 to group 200 (configured): rbac1 IPv4 Role-based permissions from group 40 to group 200 (configured): rbac1 SJC01# SJC01#show ip access-lists rbac1 Role-based IP access list rbac1 10 deny tcp dst eq www (104366 matches) 20 deny tcp dst eq ftp (36402 matches) 30 deny tcp dst eq ftp-data (232 matches) SJC01# 66
  • 66. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Monitoring SGACL Packet Drops with Flexible Netflow flow record cts-v4 match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match flow direction match flow cts source group-tag match flow cts destination group-tag collect counter bytes collect counter packets flow exporter EXP1 destination 10.2.44.15 source GigabitEthernet3/1 flow monitor cts-mon record cts-v4 exporter EXP1 Interface vlan 10 ip flow monitor cts-mon input ip flow monitor cts-mon output Interface vlan 20 ip flow monitor cts-mon input ip flow monitor cts-mon output Interface vlan 30 ip flow monitor cts-mon input ip flow monitor cts-mon output Interface vlan 40 ip flow monitor cts-mon input ip flow monitor cts-mon output cts role-based ip flow mon cts-mon dropped *Optional – will create flows for only Role-based ACL drops 67
  • 67. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Monitoring SGACL Packet Drops with Flexible Netflow SJC01#show flow mon cts-mon cache Cache type: Normal Cache size: 4096 Current entries: 1438 High Watermark: 1632 Flows added: 33831 Flows aged: 32393 - Active timeout ( 1800 secs) 0 - Inactive timeout ( 15 secs) 32393 - Event aged 0 - Watermark aged 0 - Emergency aged 0 IPV4 SOURCE ADDRESS: 192.168.30.209 IPV4 DESTINATION ADDRESS: 192.168.200.156 TRNS SOURCE PORT: 60952 TRNS DESTINATION PORT: 80 FLOW DIRECTION: Output FLOW CTS SOURCE GROUP TAG: 30 FLOW CTS DESTINATION GROUP TAG: 200 IP PROTOCOL: 6 counter bytes: 56 counter packets: 1 IPV4 SOURCE ADDRESS: 192.168.20.140 IPV4 DESTINATION ADDRESS: 192.168.200.104 TRNS SOURCE PORT: 8233 TRNS DESTINATION PORT: 80 FLOW DIRECTION: Output FLOW CTS SOURCE GROUP TAG: 20 FLOW CTS DESTINATION GROUP TAG: 200 IP PROTOCOL: 6 counter bytes: 56 counter packets: 1 68
  • 68. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Monitoring SGT Traffic with Netflow http://www.plixer.com/blog/netflow/cisco-trustsec-netflow-support/ Plixer collector displays SGT information 69
  • 69. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public How To Create SGA Policy Doctor (SGT 7) IT Admin (SGT 6) IT Portal (SGT 4) Public Portal (SGT 8) Internal Portal (SGT 9) Patient Record DB (SGT 10) Destination SGT Source SGT Web Web No Access Web File Share Web SSH RDP File Share Web SSH RDP File Share Full Access SSH RDP File Share permit tcp dst eq 443 permit tcp dst eq 80 permit tcp dst eq 22 permit tcp dst eq 3389 permit tcp dst eq 135 deny ip IT Maintenance ACL 70
  • 70. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Configuring Security Group ACLs on ISE 71
  • 71. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Security Group based Access Control How Enforcement Works IT Portal (SGT 4) Active DirectoryCatalyst® 3750-X Users, Endpoints Campus Network Catalyst 6K Core Nexus® 7000 Distribution ACS v5.1802.1X Public Portal (SGT 8) Internal Portal (SGT 9) Patient Record DB (SGT 10) VLAN100 VLAN200 Untagged Frame Tagged Frame SGT=7 10.1.200.100 10.1.200.20010.1.200.10 10.1.100.10 Web CTS7K-DC# show cts role-based counters sgt 5 RBACL policy counters enabled Counters last cleared: 04/20/2010 at 11:20:58 PM sgt:5 dgt:4 [1555] rbacl:Permit IP permit ip [1555] sgt:5 dgt:8 [1483] rbacl:Permit IP permit ip [1483] sgt:5 dgt:9 [1541] rbacl:Permit IP permit ip [1541] sgt:5 dgt:10 [1804] rbacl:IT_Maintenance_ACL permit tcp dst eq 20 log [0] permit tcp dst eq 21 log [3] permit tcp dst eq 22 log [3] permit tcp dst eq 445 log [0] permit tcp dst eq 135 log [0] permit tcp dst eq 136 log [0] permit tcp dst eq 137 log [0] permit tcp dst eq 138 log [0] permit tcp dst eq 139 log [0] permit tcp dst eq 3389 log [251] permit icmp log [1547] deny ip [0] Access-3K#show cts role-based permissions IPv4 Role-based permissions default: Permit IP-00 IPv4 Role-based permissions from group 11:CTS_Devices to group 11:CTS_Devices: Permit_IP-30 IPv4 Role-based permissions from group 2:MS_Users to group 3:SB_Users: deny_ip IPv4 Role-based permissions from group 10 to group 103 (configured): permit_web Access-3K# Access-3K#show cts environment-data CTS Environment Data ==================== <snip> Security Group Name Table: 0001-30 : 0-7f:Unknown 2-7f:MS_Users 3-7f:SB_Users 4-7f:IT_Portal 5-7f:MS_Servers 6-7f:IT_Admin 7-7f:Guest 9-7f:Internal_Portal 11-7f:CTS_Devices
  • 72. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Key Takeaways
  • 73. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Key Takeaways  SGA provides easy way to manage and enforce policy in your networks  Various mapping features enable SGA to be enabled without 802.1X  Monitor Mode can be used with SGA for easy SGA deployment with Identity  SGA can be deployed end-to-end today in Campus Networks 74
  • 74. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public References Cisco TrustSec http://www.cisco.com/go/trustsec Cisco Catalyst 6500 Series Switches http://www.cisco.com/go/6500 Cisco Catalyst 4500 Series Switches http://www.cisco.com/go/4500 Cisco Catalyst 3750X Series Switches http://www.cisco.com/go/3750x Cisco TechWise TV – Fundamentals of TrustSec http://youtu.be/78-GV7Pz18I 75
  • 75. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Call to Action • Visit the Cisco Campus at the World of Solutions to experience Cisco innovations in action • Get hands-on experience attending one of the Walk-in Labs • Schedule face to face meeting with one of Cisco’s engineers at the Meet the Engineer center • Discuss your project’s challenges at the Technical Solutions Clinics 76
  • 76. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public 77
  • 77. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public
  • 78. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public References
  • 79. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public SGA Feature Support Matrix Components Hardware Available Features Release Nexus 7000 series Switch All Nexus 7K cards & chassis F-series don’t support MACSec SGT, SGACL, 802.1AE + SAP, NDAC, SXP v1, IPM,SGT 5.2.4 Catalyst 6500E Switch (Sup 2T) WS-X6908-10G-2T & WS-X6908-10G-2TXL for MACSec SGT, SGACL, 802.1AE + SAP, NDAC, SXPv2 15.0(1)SY1 Catalyst 6500E Switch (Supervisor 32, 720) SXP v2 12.2(33)SXJ2 Catalyst 4500E switches Sup 7E, Sup7L-E (WS-X4712-SFP+E, WS-X4748-UPOE+E, WS-X4748- RJ45V+E, WS-X4748-RJ45-E for MACSec) SXP v2, NDAC, 802.1AE + MKA (downlinks) or SAP (uplinks) IOS-XE 3.3.0SG or 15.1.1(SG) Catalyst 4500E Switches Supervisor 6-E or 6L-E SXPv2 IOS-XE 3.2.2SG or 15.0(1)SG2 Catalyst 3560-X / 3750-X Switches C3KX-SM-10G (MACSec 10GE uplink) SGT, SGACL, NDAC, SXPv2, 802.1AE + MKA or SAP 15.0(2)SE1 Catalyst 3560(E) / 3750(E) Switches 3560E, 3750E SXPv2 15.0(1)SE2 Cisco ASA 5505,5510,5520,5540,5550,5580,5585-X, ASA-SM and Saleen Platforms (5512-X, 5515-X, 5525-X, 5545-X, 5555-X) SXPv2, SGFW 9.0 Cisco ASR 1000 PR1/PR2, 1001, 1002, 1004, 1006, 1013,ESP10/20/40, SIP10/40 SXPv2, SGFW XE3.5 or 15.2(1)S Cisco ISR 88x, 89x, 19xx, 29xx, 39xx SXPv2, SGFW 15.2(2)T Wireless LAN Controller 5500,2500,WISM2, WLCM2 SXPv2 (Speaker Only) 7.2MR1 Nexus 5K N5548P, N5548P and N5596UP. No support for N5010 or N5020 SXP (Speaker Only), SGT, SGACL 5.1(3)N1(1) 80
  • 80. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public Cat3K Caveats and Platform Limitations 1. Port-VLAN pair mapping for SGT. 2. Maximum of 8 VLANs per port to be enforced with SGACL. 3. Subnet to SGT Mapping is not supported. 4. Multicast SGACL and IPv6 SGACL are not supported. Scalability Numbers Max number of SGT supported: 1K Max number of SGACL supported: 2K Mixed Stack Scenarios Configuration of SGT/SGACL will take effect only when all the switches in the stack are 3750-X. Configuration of SGT/SGACL is allowed but the config will be effective when all the switches are 3750-X. 81
  • 81. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public 82 Cat3K Feature Support for SGTagging
  • 82. © 2013 Cisco and/or its affiliates. All rights reserved.BRKCRS-2199 Cisco Public 83 Cat3K Feature Support for SGACL Enforcement