Choice of Segmentation and Group Based Policies ford2zmdbbm9feqrf.cloudfront.net/2017/usa/pdf/BRKCRS-2893.pdf · Choice of Segmentation and Group Based Policies for ... Technical


Choice of Segmentation and Group Based Policies for Enterprise Networks

Hari Holla

Technical Marketing Engineer, Cisco ISE

BRKCRS-2893

hari_holla /in/hariholla

Page 3

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to chat with the speaker after the session

How:

1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

Cisco Spark spaces will be available until July 3, 2017.

cs.co/ciscolivebot#BRKCRS-2893

Page 4

A multi-national retailer’s segmentation problem (Case Study)

Customer Concerns

• Employees, PCI devices, Vendors & Guests in the branch need segmentation.
• Each segment today is a VLAN and/or an SSID.
• Provisioning and decommissioning vendors is a tedious task.

(Diagram: one store with Guest, BYOD and Vendor-1, Vendor-2, Vendor-3 ... Vendor-N segments; a second store with PCI, Demo, Vendor-2, Vendor-A, Vendor-B ... Vendor-N segments; each store’s ISR with ZBFW and VRFs connects over the WAN to the Data Center (WLC, Servers) and to the Internet.)

* Additional VLAN/VRFs for Voice, Print, AP, etc. not shown in the picture

Goals: need dynamic segmentation; reduce operational costs; keep it secure.

The segmentation challenge is common to many other types of networks: universities, hospitals, manufacturing, etc.

Page 5

VLANs for segmentation?

Page 6

Segmenting with VLANs

(Diagram: access layer with a Voice VLAN, a Data VLAN (Employee), a Supplier VLAN, a Guest VLAN, a BYOD VLAN and a Quarantine VLAN (Non-Compliant), aggregated through the aggregation layer into the Enterprise Backbone; each VLAN brings its own Address, DHCP Scope, Redundancy, Routing, Static ACL / VACL and Applications.)

Limitations of Traditional Segmentation

• Security Policy based on Topology
• High cost and complex maintenance

Static ACL / VACL example from the slide:

access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384

Classification: Static / Dynamic VLAN assignments
Propagation: Carry segment context over the network through VLAN tags / IP address / VRF
Enforcement: IP based policies. ACLs, Firewall rules

Page 7

The alternative: ‘Software Defined Segmentation’

Controller driven

(Diagram: a group-to-group policy matrix over the segments Employees, Phones, Servers and Quarantine; each cell is ✓ (permit) or X (deny).)

Topology independent Segment IDs (VLAN / IP agnostic)

Policy definition and enforcement based on segment IDs.

Page 8

Agenda

• Segmenting using
  • Security Group Tags (SGTs)
  • End-Point Groups (EPGs)
  • Virtual Networks (VNs)
• Closing thoughts

Page 9

Heads up

“For your reference”: Hidden Slide (or) For a quick glance if the slide shows up

This is the ISE icon: Cisco Identity Services Engine

Page 10

Segmentation using Security Group Tags (SGT)

Page 11

Cisco TrustSec

Classification / Propagation / Enforcement

(Diagram: Directory and Cisco ISE classify Employees, Application Servers and Production Servers with SGTs (5, 7 and 8 in the picture); the SGT travels from the access Switch, Wireless and Remote Access through the Routers and the Network to the DC Switch, and is enforced at the DC Switch / DC Firewall in front of the servers.)

Egress Policy: source groups Employee, App_Serv and Prod_Serv against destination groups App_Serv and Prod_Serv; each cell is either Permit All or Deny All.

Page 12

Consistent access governed by simplified policy

(Diagram: two access switches, VLAN Data-1 and VLAN Data-2, each hosting Voice, Employee, Supplier and Non-Compliant endpoints, connect over the Enterprise Backbone to the Data Center (DC Switch, Application Servers, Shared Services) and to a Remediation segment; ISE assigns the Employee Tag, Supplier Tag and Non-Compliant Tag.)

• DC switch receives policy for only what is connected
• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers
• TrustSec simplifies ACL management for intra/inter-VLAN traffic

Page 13

Same policy to control lateral access

FOR YOUR REFERENCE

(Diagram: the same topology as page 12: two access switches with VLAN Data-1 and VLAN Data-2 and Voice / Employee / Supplier / Non-Compliant endpoints, the Enterprise Backbone, and the Data Center with DC Switch, Application Servers and Shared Services; ISE assigns the Employee Tag, Supplier Tag and Non-Compliant Tag.)

• Segment traffic based on classified group (SGT), not based on topology (VLAN, IP subnet)
• Micro-Segmentation / Host Isolation in LAN and DC with single policy (segment devices even in same VLAN or same security group)

Page 14

The three common deployment scenarios

User to Data Center Access Control
• Context-based access control
• Compliance requirements: PCI, HIPAA, export controlled information
• Merger & acquisition integration, divestments

Data Center Segmentation
• Server zoning & Micro-segmentation
• Production vs. Development Server segmentation
• Compliance requirements: PCI, HIPAA
• Firewall rule automation

Campus and Branch Segmentation
• Line of business segregation
• PCI, HIPAA and other compliance regulations
• Malware propagation control/quarantine

Page 15

TrustSec Deep Dive

Page 16

Doing TrustSec

The 3 TrustSec functions: Classification / Propagation / Enforcement

(Diagram: the same picture as page 11: Directory and Cisco ISE classify Employees, Application Servers and Production Servers with SGTs (5, 7 and 8); the SGT travels from the access Switch, Wireless and Remote Access through the Routers and the Network to the DC Switch and is enforced at the DC Switch / DC Firewall; the Egress Policy matrix has sources Employee, App_Serv, Prod_Serv against destinations App_Serv, Prod_Serv with Permit All / Deny All cells.)

TrustSec Enablement

• Cisco ISE configuration
• Network readiness assessment and
• TrustSec feature enablement

Page 17

ISE is the TrustSec controller

Page 18

ISE is the TrustSec controller

SGT: Centrally define Security Group Tags
SGT and SGT Names: 3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers

SGACL / Name table: TrustSec policy matrix to be pushed down to the enforcers via secure channel
(Diagram: Security Group ACL matrix, Sources against Destinations, with ✓ permit and ✕ deny cells.)

SGT Assignment: ISE can dynamically (via authentications / SXP / pxGrid) or statically (via CLI) assign SGTs to assets
(Diagram: 802.1X Dynamic SGT Assignment; Dynamic / Static SGT Assignments.)

NDAC (Network Device Admission Control): NDAC for a trusted domain of ‘Network Devices’
(Diagram: the NDAC-trusted domain of network devices, with Rogue Device(s) outside it.)

Page 19

Network Device Admission Control

Page 20

Network Device Admission Control

FOR YOUR REFERENCE

(Diagram: IOS switch and ISE exchange over a RADIUS EAP-FAST channel: Device_SGT to facilitate the communication between ISE and TrustSec devices, Environmental Data, TrustSec Egress Policy.)

Switch# cts credential id C6800-001 password cisco

Switch authenticates with Cisco ISE for Secure EAP FAST Channel

Page 21

Network Device Admission Control

FOR YOUR REFERENCE

PAC settings – used for secure channel between ISE and TrustSec devices

Admin can opt to have custom SGT numbers. Default is system generated.

Page 22

Defining Security Group Tags (SGTs)

Define SGTs under the ‘Components’ section in the TrustSec Work Center (from ISE 2.0)

Page 23

TrustSec egress policy

A user-friendly policy matrix based on ‘Security Group Tags’

Page 24

SGT assignment for endpoints

Work Centers > TrustSec > Authorization Policy

Page 25

The ‘3’ TrustSec functions

Classification (Assigning SGTs): Static Assignments, Dynamic Assignments (e.g. 5 Employee, 6 Voice, 7 Partner)
Propagation: Inline methods, SXP, pxGrid
Enforcement: Security Group ACL, SG Firewall

Page 26

Two ways to assign ‘Security Group Tags’

CLASSIFICATION PROPAGATION ENFORCEMENT

(Diagram: Campus Access, Distribution and Core, Enterprise Backbone, DC Core and DC Access, with WLC, Firewall and Hypervisor SW.)

Static Classification: VLAN to SGT; L3 Interface (SVI) to SGT; L2 Port to SGT; VM (Port Profile) to SGT; Subnet to SGT
Dynamic Classification: MAB

Page 27

SGT assignment to wired endpoint

(Diagram: Cisco ISE assigns the SGT to the endpoint on the Catalyst Switch port G 0/1.)

Switch# show authentication sessions int Gi 0/1 details
Interface: GigabitEthernet1/0/23
IIF-ID: 0x107AB4000000076
MAC Address: 0005.0005.0005
IPv6 Address: 2001:DB8:100:0:3809:A879:5197:16DB
IPv4 Address: 172.20.100.2
User-Name: [email protected]
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A01010100000FC50BEC5800
Acct Session ID: 0x00000FBE
Handle: 0xD4000009
Current Policy: POLICY_Gi1/0/23

Server Policies:
SGT Value: 10

Method status list:
Method State
mab Authc Success

Page 28

Assigning SGTs to wireless sessions

(Diagram: Cisco ISE assigns the SGT to the session on the WLC.)

Works on AireOS and IOS Wireless controllers.

Page 29

VLANs can be mapped to SGTs

(Diagram: Catalyst Switch with endpoints on G 0/1 and G 0/2; VLAN-100 = SGT-100.)

Switch(config)#cts role-based sgt-map vlan-list 100 sgt 100

Switch#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information

IP Address SGT Source
============================================
172.20.100.2 10 LOCAL
172.20.254.1 2 INTERNAL
172.20.100.10 100 VLAN
172.20.100.20 100 VLAN

IP-SGT Active Bindings Summary
============================================
Total number of VLAN bindings = 2
Total number of LOCAL bindings = 1
Total number of active bindings = 4

Page 30

Routes learnt on the interface get SGT

(Diagram: a DC Access switch with Hypervisor SW receives route updates from two peers, Business Partners and Joint Ventures: 43.1.1.0/24 and 49.1.1.0/24 on one interface, 17.1.1.0/24 on the other; the interfaces are g3/0/1 and g3/0/2.)

Can apply to Layer 3 interfaces regardless of the underlying physical interface: routed port, SVI (VLAN interface), tunnel interface, etc.

GigabitEthernet 3/0/1 maps to SGT 8
GigabitEthernet 3/0/2 maps to SGT 9

IP Address SGT Source
========================================
11.1.1.2 2 INTERNAL
12.1.1.2 2 INTERNAL
13.1.1.2 2 INTERNAL
17.1.1.0/24 8 L3IF
43.1.1.0/24 9 L3IF
49.1.1.0/24 9 L3IF

Page 31

SGT classification binding source priority

FOR YOUR REFERENCE

The current priority enforcement order, from lowest (1) to highest (7), is as follows:

1. VLAN—Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured.
2. CLI—Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.
3. Layer 3 Interface (L3IF)—Bindings added due to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports.
4. SXP—Bindings learned from SXP peers.
5. IP_ARP—Bindings learned when tagged ARP packets are received on a CTS capable link.
6. LOCAL—Bindings of authenticated hosts which are learned via ISE and device tracking. This type of binding also includes individual hosts that are learned via ARP snooping on L2 [I]PM configured ports.
7. INTERNAL—Bindings between locally configured IP addresses and the device’s own SGT.
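The binding source priority above and the SGT egress policy matrix from the earlier TrustSec slides (pages 11, 18 and 23) can be modelled together. The following Python is an added example, not code from the Cisco deck or from ISE: it keeps an IP-to-SGT binding table in which a higher-priority source overrides a lower one, resolves source and destination IPs by longest prefix, and looks the pair up in a group-based policy matrix instead of an IP-based ACL. The SGT numbers and names reuse the deck's examples (3 Employee, 4 Contractors, 8 PCI_Servers, 9 App_Servers); the addresses, the matrix cells, the SGT 0 "unknown" convention and the default action are constructed.

```python
"""Added example, not code from the Cisco Live deck or from ISE: a minimal
model of how a TrustSec enforcer resolves an IP address to an SGT using the
binding source priority on the slide, then consults a group-based egress
policy instead of an IP-based ACL. Addresses, policy cells and the default
action are constructed for illustration."""
import ipaddress

# Binding source priority from the slide, lowest (1) to highest (7).
SOURCE_PRIORITY = {
    "VLAN": 1, "CLI": 2, "L3IF": 3, "SXP": 4,
    "IP_ARP": 5, "LOCAL": 6, "INTERNAL": 7,
}

# SGT numbers and names reused from the deck's ISE slide; 0 = unknown (constructed).
SGT_NAMES = {0: "Unknown", 3: "Employee", 4: "Contractors",
             8: "PCI_Servers", 9: "App_Servers"}


class BindingTable:
    """prefix -> (SGT, source). A binding for an existing prefix is only
    replaced when the new source's priority is at least as high."""

    def __init__(self):
        self._bindings = {}

    def add(self, prefix, sgt, source):
        net = ipaddress.ip_network(prefix, strict=False)
        current = self._bindings.get(net)
        if current is None or SOURCE_PRIORITY[source] >= SOURCE_PRIORITY[current[1]]:
            self._bindings[net] = (sgt, source)
            return True
        return False  # lower-priority source loses, e.g. VLAN against LOCAL

    def lookup(self, ip):
        """Longest-prefix match; hosts with no binding get SGT 0."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, (sgt, source) in self._bindings.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sgt, source)
        return (best[1], best[2]) if best else (0, "NONE")


# Constructed egress policy matrix: (source SGT, destination SGT) -> action.
# Pairs not listed fall back to the default passed to egress_decision().
POLICY = {
    (3, 9): "permit",  # Employee    -> App_Servers
    (3, 8): "deny",    # Employee    -> PCI_Servers
    (4, 9): "permit",  # Contractors -> App_Servers
    (4, 8): "deny",    # Contractors -> PCI_Servers
    (9, 8): "permit",  # App_Servers -> PCI_Servers
}


def egress_decision(table, policy, src_ip, dst_ip, default="deny"):
    """Classify both ends, then enforce on the (src SGT, dst SGT) pair."""
    src_sgt, src_from = table.lookup(src_ip)
    dst_sgt, dst_from = table.lookup(dst_ip)
    return {
        "src": f"{src_ip} -> {SGT_NAMES.get(src_sgt, src_sgt)} (SGT {src_sgt}, {src_from})",
        "dst": f"{dst_ip} -> {SGT_NAMES.get(dst_sgt, dst_sgt)} (SGT {dst_sgt}, {dst_from})",
        "action": policy.get((src_sgt, dst_sgt), default),
    }


def build_sample_table():
    """Constructed bindings that exercise the priority rules."""
    t = BindingTable()
    t.add("10.1.1.0/24", 4, "SXP")        # contractor subnet learned from an SXP peer
    t.add("10.1.1.10/32", 3, "LOCAL")     # 802.1X-authenticated employee on this switch
    t.add("10.1.1.10/32", 4, "VLAN")      # later VLAN-SGT mapping: priority 1 < 6, rejected
    t.add("172.20.100.32/27", 8, "CLI")   # static server bindings
    t.add("172.20.100.64/27", 9, "CLI")
    return t


if __name__ == "__main__":
    table = build_sample_table()
    for src, dst in [("10.1.1.10", "172.20.100.70"), ("10.1.1.10", "172.20.100.40"),
                     ("10.1.1.20", "172.20.100.70"), ("192.0.2.1", "172.20.100.70")]:
        print(egress_decision(table, POLICY, src, dst))
```

The host 10.1.1.10 keeps its LOCAL binding (Employee) even though a VLAN-SGT mapping for the same address arrives later, while the rest of 10.1.1.0/24 stays Contractors from SXP; an address with no binding at all resolves to SGT 0 and, because no matrix cell covers it, gets the default action.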

Page 32

In Nexus 1000V, SGTs can be assigned to Port Profile

FOR YOUR REFERENCE

• Port Profile
  – Container of network properties
  – Applied to different interfaces
• Server Admin may assign Port Profiles to new VMs
• VMs inherit network properties of the port-profile including SGT
• SGT stays with the VM even if moved

Page 33

The ‘3’ TrustSec functions

Classification (Assigning SGTs): Static Assignments, Dynamic Assignments (e.g. 5 Employee, 6 Voice, 7 Partner)
Propagation: Inline methods, SXP, pxGrid
Enforcement: Security Group ACL, SG Firewall

Page 34

Two ways to propagate tags

INLINE METHOD

(Diagram: SW1 (endpoint 10.1.1.1, 5/Employees) – R1 – SW2 (endpoint 10.20.20.1, 7/WebServers); each IP packet carries SGT 5 along the path.)

SGT carried inline in the data traffic. Methods include SGT over: Ethernet, MACsec, LISP/VxLAN, IPSec, DMVPN, GETVPN

OUT-OF-BAND METHOD

(Diagram: the same SW1 – R1 – SW2 path; the binding 10.1.1.1 = SGT-5 is advertised separately and the IP packets carry no tag.)

IP-to-SGT data shared over a control protocol. No SGT in the data plane. Methods include IP-to-SGT exchange over: SXP, pxGrid

Page 35

Ethernet Inline tagging

Ethernet Frame: Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC

Cisco Meta Data (CMD), EtherType 0x8909: CMD EtherType | Version | Length | SGT Option Type | SGT Value (16 bits) | Other CMD Option

MACsec Frame: Destination MAC | Source MAC | 802.1AE Header | 802.1Q | CMD | ETHTYPE | PAYLOAD | 802.1AE Header | CRC
MACsec EtherType 0x88E5; AES-GCM 128-bit encryption

IETF: http://tinyurl.com/sgt-draft

• Fastest and most scalable way to propagate SGT within LAN or DC
• SGT embedded within Cisco Meta Data (CMD) in Layer 2 frame
• Capable switches understand and process SGT at line rate
• Optionally protect CMD with MACsec (IEEE 802.1AE)
• No impact to QoS, IP MTU/Fragmentation
• L2 Frame Impact: ~20 bytes
• 16-bit field ~ 64,000 tag space
• Non-capable device drops frame with unknown EtherType
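The frame layout above is enough to write a decoder. The Python below is an added example, not code from the Cisco deck: it walks an Ethernet frame (Destination MAC, Source MAC, optional 802.1Q tag, CMD with EtherType 0x8909, the original EtherType, payload), pulls out the 16-bit SGT, and models the two caveats on the slide: a MACsec-protected frame (0x88E5) hides the CMD from anything without the session keys, and a device that does not understand 0x8909 drops the frame as an unknown EtherType. The CMD field widths follow the slide; the SGT option type value 1 is taken from the deck's IPsec CMD slide and assumed to apply here, the Length value written by build_frame is an assumption, and the sample frames are constructed.

```python
"""Added example, not code from the Cisco deck: decode the Cisco Meta Data (CMD)
header that carries an SGT inline in an Ethernet frame, following the layout on
the slide. Field widths (1-byte Version, 1-byte Length, 2-byte SGT Option Type,
2-byte SGT Value) follow the slide; option type 1 = SGT and the Length value are
assumptions for this illustration. Sample frames are constructed."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_CMD = 0x8909     # from the slide
ETHERTYPE_MACSEC = 0x88E5  # from the slide
CMD_OPTION_SGT = 0x0001    # assumed (deck's IPsec slide: "Type (1 = SGT)")
CMD_VERSION = 1            # assumed


class CmdParseError(ValueError):
    pass


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def parse_frame(frame):
    """Return dst/src MAC, VLAN id (or None), SGT (or None), inner EtherType and payload."""
    if len(frame) < 14:
        raise CmdParseError("frame too short for an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan": None, "sgt": None, "note": None}
    off = 12
    ethertype = _u16(frame, off)
    off += 2
    if ethertype == ETHERTYPE_8021Q:
        info["vlan"] = _u16(frame, off) & 0x0FFF
        ethertype = _u16(frame, off + 2)
        off += 4
    if ethertype == ETHERTYPE_MACSEC:
        # Slide: CMD may be protected by 802.1AE. The SGT then sits inside the
        # encrypted MACsec payload and is not readable without the session keys.
        info["note"] = "MACsec-protected; SGT not visible without decryption"
        info["ethertype"] = ethertype
        info["payload"] = frame[off:]
        return info
    if ethertype == ETHERTYPE_CMD:
        if len(frame) < off + 8:
            raise CmdParseError("truncated CMD header")
        version, length, opt_type, sgt = struct.unpack_from("!BBHH", frame, off)
        if opt_type != CMD_OPTION_SGT:
            raise CmdParseError(f"unexpected CMD option type {opt_type:#06x}")
        info["cmd_version"], info["cmd_length"], info["sgt"] = version, length, sgt
        off += 6
        ethertype = _u16(frame, off)  # the original EtherType follows the CMD
        off += 2
    info["ethertype"] = ethertype
    info["payload"] = frame[off:]
    return info


def build_frame(dst, src, payload, inner_ethertype=0x0800, sgt=None, vlan=None):
    """Construct a frame; with sgt set, a CMD header is inserted before the EtherType."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        out += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    if sgt is not None:
        # Length=1 is an assumption for this illustration; parse_frame does not rely on it.
        out += struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION, 1, CMD_OPTION_SGT, sgt)
    return out + struct.pack("!H", inner_ethertype) + payload


def dropped_by_non_capable_device(frame):
    """Slide caveat: a device that does not understand 0x8909 sees an unknown
    EtherType where it expects IPv4/IPv6/ARP and drops the frame."""
    return parse_frame(frame)["sgt"] is not None


if __name__ == "__main__":
    tagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                         b"\x45" + b"\x00" * 19, sgt=10, vlan=100)
    print(parse_frame(tagged))
    print("dropped by a non-capable switch:", dropped_by_non_capable_device(tagged))
```

Note that the decoder never trusts the Length byte: it reads the fixed fields the slide names and then the original EtherType, so a truncated CMD header is reported as an error rather than misread as payload.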

Page 36

L3 Inline: Crypto transport for SGT

FOR YOUR REFERENCE

SGT in IPSec: Cisco Meta Data (CMD) uses protocol 99 and is inserted at the beginning of the ESP/AH payload.

(Packet layout: IP header (Protocol Type = ESP) | ESP Header | IV | CMD | Original IP Header | Original IP Payload | Pad | Pad Length | Next Header | Authentication Tag)

CMD fields: Next Header (IP), Len = 3, Version (0x1), Reserved; then Len (0x0), Type (1 = SGT), SGT Number (16 bits); then Len (0x1), Type (5 = PST), GETVPN Pseudo timestamp

SGT over IPSec:
crypto ikev2 cts sgt

SGT over DMVPN:
cts sgt inline

SGT over GETVPN:
crypto gdoi group GDOI
 identity number 12345
 server local
  sa ipsec 1
   tag cts sgt
   match address ipv4 ACL_GETVPN_SGT

IPSec, DMVPN and GETVPN

Page 37

L3 Inline: Non-crypto SGT propagation over IP

FOR YOUR REFERENCE

SGT in LISP (3.15S)

router eigrp my-wan
 !
 address-family ipv4 unicast autonomous-system 100
  topology base
   cts propagate sgt
  exit-af-topology
 exit-address-family

Learn more: http://bit.ly/cts-eigrp-otp

EIGRP Over The Top: EIGRP on the control plane and Locator ID Separation Protocol (LISP) encapsulation on the data plane to route traffic across the underlying WAN architecture.

(Diagram: three CE routers connected through PE routers across the Internet / WAN.)

LISP-encapsulated packet:
Outer IP header: Ver | IHL | ToS | Total Length; Identification | Flags | Fragmentation Offset; Time to Live | Protocol (17) | Header Checksum; Source Routing Locator; Destination Routing Locator
UDP header: Source Port | Destination Port (4341); UDP Length | UDP Checksum
LISP Header: N L E flags | Resrv’d | Nonce field (Reserved | Security Group Tag); Locator Status Bits
Inner IP header: Ver | IHL | ToS | Total Length; Identification | Flags | Fragmentation Offset; Time to Live | Protocol (17) | Header Checksum; Source Endpoint Identifier; Destination Endpoint Identifier

Overall IP MTU Increase: 36 Bytes
SGT (16 bit) insertion in the Nonce field (24 bit)

Page 38

SGT Exchange Protocol (SXP)

For out-of-band IP-SGT binding propagation

• Propagation method of IP-SGT binding
  – Propagate IP-SGT from classification to enforcement point
• Open protocol (IETF-Draft) & ODL Supported
  – TCP - Port:64999
• Role: Speaker (initiator) and Listener (receiver)
• Use MD5 for authentication and integrity check
• Support Single Hop SXP & Multi-Hop SXP (aggregation)
• Cisco ISE 2.0 and beyond can be an SXP Speaker and Listener (SXP Aggregation).

(Diagram: Switches as Speaker send the bindings 5 → 10.0.1.2 and 6 → 10.4.9.5 to Routers / Firewall / Switches as Listener, which end up with the same table.)

IETF: http://tinyurl.com/sxp-draft

Page 39

SXP example on AireOS

* Supported on all Wireless Controllers except 7500 & vWLC

(Diagram: Cisco ISE assigns the SGT to the wireless session on the 5520 controller; the controller is the SXP Speaker (Wireless Controller) towards the SXP Listener (Switch / FW), which enforces the Sources x Destinations policy matrix.)

No SG based enforcement locally on the controller. IP-SGT sent over SXP to enforcers / aggregators.

Page 40

SXP support in ISE

ISE Authorization Policy: If AD_Group_Employee, then SGT: 5/Employees
ISE IP to SGT binding table: IP address 10.20.20.1 is SGT: 9/WebServers

(Diagram: endpoint 10.1.1.1 authenticates via 802.1X / RADIUS and is classified on the access device; ISE sends the binding for 10.20.20.1 over SXP.)

IP Address SGT Source
=================================
10.1.1.1 5 LOCAL

IP Address SGT Source
=================================
10.20.20.1 9 SXP

• Cisco ISE as SXP Speaker and Listener
• Support from ISE 2.0
• Useful for classifying destination SGTs
• Enables 3rd party access devices for TrustSec

Page 41

SXP Devices

Page 42

ISE and SXP

(Diagram: Cisco ISE at 10.5.1.222 peers over SXP with the IOS Switch at 10.5.1.1.)

cts sxp enable
cts sxp default source-ip 10.5.1.1
cts sxp default password cisco
cts sxp connection peer 10.5.1.222 password default mode peer

Switch #show cts sxp connections
SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: 10.5.1.1
<Output trimmed>
----------------------------------------------
Peer IP : 10.5.1.222
Source IP : 10.5.1.1
Conn status : On
Conn version : 4
Conn capability : IPv4-IPv6-Subnet
Conn hold time : 120 seconds
Local mode : SXP Listener
<Output truncated>

Switch# show cts sxp sgt-map brief
SXP Node ID(generated):0x0A050301(10.5.3.1)
IP-SGT Mappings as follows:
IPv4,SGT: <172.20.100.32/27 , 120:Mail_Servers>
IPv4,SGT: <172.20.100.64/27 , 110:Web_Servers>
Total number of IP-SGT Mappings: 2

Page 43

SXP in action

(Diagram: an Employee at 10.1.1.1 authenticates via 802.1X on a 2960X access switch (172.21.1.1) and is classified Employee = SGT-5; a Web_Server at 10.2.2.2 sits behind an N7K (172.22.2.2) across the WAN. Cisco ISE 2.0+ holds the TrustSec Policy for SGT 5 → SGT 10 and advertises both bindings over SXP: IP-10.2.2.2 = SGT-10 and IP-10.1.1.1 = SGT-5. Traffic SRC: 10.1.1.1 DST: 10.2.2.2 crosses the WAN untagged and the N7K learns both bindings via SXP.)

IP-SGT Binding Table – Access Switch
IP Address SGT Source
========================================
172.21.1.1 2 INTERNAL
10.1.1.1 5 LOCAL

IP-SGT Binding Table – Nexus Switch
IP Address SGT Source
========================================
172.22.2.2 2 INTERNAL
10.2.2.2 10 SXP
10.1.1.1 5 SXP

Page 44

3rd party access and ISE SXP

(Diagram: the same picture as page 43 with a 3rd Party access switch in place of the 2960X: the Employee at 10.1.1.1 authenticates via 802.1X and is classified Employee = SGT-5; the Web_Server at 10.2.2.2 sits behind the N7K (172.22.2.2) across the WAN. Cisco ISE 2.0+ holds the TrustSec Policy for SGT 5 → SGT 10 and advertises both bindings over SXP: IP-10.2.2.2 = SGT-10 and IP-10.1.1.1 = SGT-5. Traffic SRC: 10.1.1.1 DST: 10.2.2.2 is enforced on the N7K.)

IP-SGT Binding Table – Access Switch
IP Address SGT Source
========================================
172.21.1.1 2 INTERNAL
10.1.1.1 5 LOCAL

IP-SGT Binding Table – Nexus Switch
IP Address SGT Source
========================================
172.22.2.2 2 INTERNAL
10.2.2.2 10 SXP
10.1.1.1 5 SXP

SXP can be single or multi-hop (slide 45, for your reference)

Single-hop SXP: SXP-enabled switch/WLC (speaker) --SXP--> SGT-capable hardware (listener).

Multi-hop SXP: SXP-enabled switch/WLC (speaker) --SXP--> SXP-enabled switch acting as an SXP aggregation point (listener towards the access layer, speaker towards the core) --SXP--> SGT-capable hardware (listener). The intermediate hops can sit in a non-TrustSec domain, since SXP carries only IP-SGT bindings over TCP.

4 SXP versions (slide 46, for your reference)

• Version 1: the initial SXP version; supports IPv4 binding propagation.
• Version 2: adds IPv6 binding propagation and version negotiation (older switch and router IOS, prior to March 2013; WLC).
• Version 3: adds Subnet/SGT binding propagation and expansion; when speaking to a lower-version listener, the speaker expands the subnet.
• Version 4: adds loop detection and prevention, capability exchange and a built-in keep-alive mechanism (newer switch and router IOS, after March 2013).
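The two behaviours in the version table that matter operationally are version negotiation and subnet expansion. The following model, an added example rather than Cisco code, shows what a speaker must do before sending its binding table to a listener at each version: pick the common version, withhold IPv6 bindings from a version-1 listener, and expand subnet bindings into host bindings for a listener below version 3. The capability names, the expansion cap and the sample bindings are this example's assumptions; the two /27 prefixes reuse the bindings from the "ISE and SXP" slide.

```python
"""SXP version negotiation and subnet-binding expansion (added example, not Cisco code).

Models two behaviours from the version table: a connection runs at the highest
version both peers support (the negotiation added in version 2), and a speaker
with a subnet/SGT binding expands it into host bindings before sending to a
listener below version 3, which cannot carry subnet bindings. IPv6 bindings are
withheld from a version-1 listener. Capability names, the expansion cap and the
sample bindings are this example's assumptions.
"""
from __future__ import annotations

import ipaddress

# Per-version capabilities as the slide describes them (the names are this example's).
CAPABILITIES = {
    1: {"ipv4"},
    2: {"ipv4", "ipv6"},
    3: {"ipv4", "ipv6", "subnet"},
    4: {"ipv4", "ipv6", "subnet", "loop-detection", "keepalive"},
}


def negotiate_version(speaker_max: int, listener_max: int) -> int:
    """Both peers advertise their highest version; the connection uses the lower one."""
    for v in (speaker_max, listener_max):
        if v not in CAPABILITIES:
            raise ValueError(f"unknown SXP version {v}")
    return min(speaker_max, listener_max)


def bindings_for_listener(bindings: dict[str, int], conn_version: int,
                          max_expansion: int = 256) -> tuple[list[tuple[str, int]], list[str]]:
    """Return (bindings to send, prefixes withheld) for a connection at conn_version.

    Subnet bindings are expanded to every address in the prefix when the
    listener cannot take subnet bindings; a prefix whose expansion would exceed
    max_expansion is withheld rather than flooding the peer (cap is an assumption).
    """
    caps = CAPABILITIES[conn_version]
    send: list[tuple[str, int]] = []
    withheld: list[str] = []
    for prefix, sgt in bindings.items():
        net = ipaddress.ip_network(prefix, strict=True)
        if net.version == 6 and "ipv6" not in caps:
            withheld.append(prefix)                 # v1 listener: IPv4 only
            continue
        if net.prefixlen == net.max_prefixlen or "subnet" in caps:
            send.append((str(net), sgt))            # host binding, or peer understands subnets
            continue
        if net.num_addresses > max_expansion:
            withheld.append(prefix)                 # too large to expand safely
            continue
        send.extend((f"{addr}/{net.max_prefixlen}", sgt) for addr in net)
    return send, withheld


# Constructed sample: the two /27 bindings from the "ISE and SXP" slide plus a
# host binding and an IPv6 prefix.
SAMPLE_BINDINGS = {
    "172.20.100.32/27": 120,
    "172.20.100.64/27": 110,
    "10.1.1.1/32": 5,
    "2001:db8:10::/64": 7,
}
```

A version-4 listener receives the four bindings as they are; a version-2 listener receives the two /27 prefixes expanded into 64 host bindings plus the /32, and the IPv6 /64 is withheld because it cannot be expanded within the cap. This is the cost to watch for in mixed-version deployments: the listener's binding table, not the speaker's, is what grows.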

SXP scalability (slide 47, for your reference)

Platform                          Max SXP connections      Max IP-SGT bindings
Cisco ISE 2.2                     100 per PSN              250,000
Catalyst 6500 Sup2T, 6800         2000                     200,000
Nexus 7000                        980                      M Series: 200,000 from v7.2, earlier 50,000
                                                           F3 Series: 64,000 (recommended 50K)
                                                           F2E Series: 32,000 (recommended 25K)
Catalyst 4500 Sup7E               1,000                    256,000
Catalyst 4500X / 4500 Sup7LE      1,000                    64,000
ASA 5585-X SSP 60                 1,000                    100,000
ASA 5585-X SSP 40                 500                      50,000
Catalyst 3850/WLC 5760            128                      12,000
CSR1000                           900 (450 for bi-dir)     135,000
ISR4400                           1800 (900 for bi-dir)    135,000
ASR1000                           1800 (900 for bi-dir)    750,000 (from XE3.15), earlier 180,000
ISR2900, ISR 3900                 250 (125 for bi-dir)     180,000 for unidirectional SXP, 125,000 for bi-directional SXP

pxGrid (slide 48)

Example exchange shown on the slide:
  ISE SXP Node (10:30 AM): IP address 10.20.20.1 is SGT 9/0009
  Firepower Management Center (10:30 AM): Received
  APIC-EM Controller (10:30 AM): Received

pxGrid overview
• XMPP / Jabber based protocol for context exchange.
• Secure bi-directional connectivity; the grid is controlled by ISE.
• Grid members can publish and/or subscribe to specific topics.
• The TrustSecMetaData topic carries the Security Group table and the IP-SGT binding exchange.

Sharing IP-to-SGT bindings over pxGrid (slide 49)

Diagram: network devices report sessions to ISE over RADIUS; ISE publishes over pxGrid to subscribers such as FMC, WSA, APIC-EM, or any other pxGrid subscriber (e.g. Infoblox).

• pxGrid clients can subscribe to the SGT table and the bindings
• IP-to-SGT bindings received over SXP can be published via pxGrid
• Data format:
  SXPBinding= {ipPrefix=10.20.20.1/32 tag=9 source=172.20.254.21 peerSequence=172.20.254.21}
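A subscriber that turns these SXPBinding records into its own IP-SGT table needs to validate what it receives and notice when two publishers disagree about the same prefix. The parser below is an added example written for this page, not ISE or pxGrid SDK code; it accepts the record format shown on the slide, and treating peerSequence as a comma-separated list of SXP peer addresses is this example's assumption. The sample records are constructed (the first is the slide's own).

```python
"""Consumer-side parser for SXPBinding records published over pxGrid
(added example, not ISE or pxGrid SDK code).

Validates each field (canonical prefix, 16-bit SGT, well-formed addresses) and
folds records into a prefix -> binding table, reporting prefixes for which two
records carry different tags so the subscriber can alert on the conflict.
Treating peerSequence as a comma-separated peer list is an assumption.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

_RECORD = re.compile(r"^SXPBinding=\s*\{(?P<body>[^}]*)\}$")
_FIELD = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class SxpBinding:
    prefix: str                   # canonical prefix text, e.g. "10.20.20.1/32"
    tag: int                      # 16-bit SGT
    source: str                   # SXP node that originated the binding
    peer_sequence: tuple[str, ...]


def parse_sxp_binding(record: str) -> SxpBinding:
    m = _RECORD.match(record.strip())
    if not m:
        raise ValueError(f"not an SXPBinding record: {record!r}")
    fields = dict(_FIELD.findall(m.group("body")))
    missing = {"ipPrefix", "tag", "source"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields {sorted(missing)} in {record!r}")
    # strict=True rejects a prefix with host bits set (e.g. 10.20.20.1/24)
    prefix = ipaddress.ip_network(fields["ipPrefix"], strict=True)
    tag = int(fields["tag"])
    if not 0 <= tag <= 0xFFFF:
        raise ValueError(f"tag {tag} is outside the 16-bit SGT range")
    source = str(ipaddress.ip_address(fields["source"]))
    peers = tuple(str(ipaddress.ip_address(p))
                  for p in fields.get("peerSequence", "").split(",") if p)
    return SxpBinding(str(prefix), tag, source, peers)


def build_ip_sgt_table(records: list[str]) -> tuple[dict[str, SxpBinding], list[str]]:
    """Fold records into prefix -> binding; list prefixes whose tags conflict."""
    table: dict[str, SxpBinding] = {}
    conflicts: list[str] = []
    for rec in records:
        b = parse_sxp_binding(rec)
        prev = table.get(b.prefix)
        if prev is not None and prev.tag != b.tag:
            conflicts.append(f"{b.prefix}: tag {prev.tag} from {prev.source} "
                             f"vs tag {b.tag} from {b.source}")
        table[b.prefix] = b   # last record wins; the conflict list is what to alert on
    return table, conflicts


# Constructed sample records; the first is the slide's own example.
SAMPLE_RECORDS = [
    "SXPBinding= {ipPrefix=10.20.20.1/32 tag=9 source=172.20.254.21 peerSequence=172.20.254.21}",
    "SXPBinding= {ipPrefix=172.20.100.64/27 tag=110 source=10.5.1.222 peerSequence=10.5.1.222,172.20.254.21}",
    "SXPBinding= {ipPrefix=10.20.20.1/32 tag=12 source=10.5.1.222 peerSequence=10.5.1.222}",
]
```

The conflict list is the security-relevant output: a subscriber that silently keeps the last record it saw can be steered to the wrong SGT by any publisher it trusts, so a disagreement between sources for the same prefix deserves an alert rather than a quiet overwrite.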

Sharing context over pxGrid (slide 50, for your reference)

Diagram: ISE shares context over pxGrid with NGIPS / ASA + Firepower.

'Access Control Policies' based on ISE attributes (SGT, device type and endpoint location).

SGT transport over WAN overview (slide 51, for your reference)

Learn more: http://bit.ly/cts-eigrp-otp

Diagram: the Data Center (Nexus 7000, Nexus 1000v, Catalyst 6500 with SGACL, ISE) connects over CTS links to the Enterprise LAN (HR, Finance and BYOD users on switches and wireless, with SXP between switches and the WAN edge). The Enterprise MPLS WAN is crossed with GETVPN; the Internet path uses DMVPN over IPsec.

• Multiple options for SGT transport over non-CTS Layer 3 networks
• DMVPN for Internet-based VPNs
• GETVPN and OTP for private WAN

The '3' TrustSec functions (slide 52)

Classification (assigning SGTs), e.g. 5 Employee, 6 Voice, 7 Partner:
• Static assignments
• Dynamic assignments

Propagation (from A to B):
• Inline SGT
• SXP
• WAN options

Enforcement:
• Security Group ACL
• SG Firewall

TrustSec policy matrix in ISE (slide 53)

Deploy the policy on click of a button (slide 54)

Push and deploy TrustSec policies consistently across switching, wireless and routing infrastructure: Catalyst switches, Nexus switches, virtual switches, industrial switches, wireless access points and routing platforms.

cts role-based enforcement

Policy download only for known destinations (slide 55)

Segmentation defined in ISE: source groups SGT=3, SGT=4, SGT=5; destination groups Prod_Servers (7), Dev_Servers (8); SGACL enforcement.

Diagram: the switch in front of a Dev_Server (SGT=7) asks ISE "I know SGT-7, is there a policy for it?" and then reports "I pulled policies to protect SGT-7"; a switch with no such asset reports "I have nothing to protect".

interface ethernet 2/1
 cts manual
  policy static sgt 0x7
  no propagate-sgt

• Switches pull down only the policies they need: TrustSec switches request policies for the assets they protect
• Policies are downloaded and applied dynamically
• Result = software defined segmentation

East-west segmentation (slide 56)

Scenario: a BYOD device (wireless segment, via an AP) and a PC (wired segment) hang off the same access and distribution switches, and both carry the Employee tag. The attacker (1) scans the PC for open ports / OS and (2) exploits a vulnerability, leaving a pwned PC.

• Replaces Private / Isolated / Community VLAN functionality with centrally provisioned policy
• Supports mobile devices (with DHCP address); static ACLs cannot support the same level of policy
• No other vendor can support this type of use case

SGACL policy for the Employee tag. Sample ACEs to block PtH (Pass-the-Hash, SMB over TCP), used for privilege escalation:

Anti-Malware-ACL
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www
deny tcp src dst eq 443
deny tcp src dst eq 22
deny tcp src dst eq pop3
deny tcp src dst eq 123

WannaCry (http://bit.ly/w-cry): "When executed, the malware first checks the "kill switch" domain name; if it is not found, then the ransomware encrypts the computer's data, then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet, and "laterally" to computers on the same network."

AireOS 8.4 | Wave-1, Wave-2 APs and WLC 8540, 5520
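An enforcement point needs three things that the slides present separately: an IP-SGT binding table (learned locally, over SXP or inline), the policy-matrix cell for the (source SGT, destination SGT) pair, and the SGACL named in that cell. The model below chains them for a single flow so the effect of the Anti-Malware-ACL above can be checked against concrete traffic. It is an added example written for this page, not Cisco code; the bindings, the matrix cell and the flows are constructed sample data (the Web_Servers prefix reuses the binding from the "ISE and SXP" slide), and the matrix default and unknown-SGT handling are parameters rather than a claim about a particular platform.

```python
"""SGACL enforcement walk-through (added example, not Cisco code).

Chains binding lookup (longest-prefix match), policy-matrix cell selection and
ordered ACE evaluation for a flow. Bindings, matrix and flows are constructed
sample data; the ACL is the slide's Anti-Malware-ACL.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# IOS service-name keywords that appear in the ACL, resolved to port numbers.
PORT_NAMES = {"domain": 53, "snmp": 161, "telnet": 23, "www": 80, "pop3": 110}

ANTI_MALWARE_ACL = [
    "deny icmp",
    "deny udp src dst eq domain", "deny tcp src dst eq 3389",
    "deny tcp src dst eq 1433", "deny tcp src dst eq 1521",
    "deny tcp src dst eq 445", "deny tcp src dst eq 137",
    "deny tcp src dst eq 138", "deny tcp src dst eq 139",
    "deny udp src dst eq snmp", "deny tcp src dst eq telnet",
    "deny tcp src dst eq www", "deny tcp src dst eq 443",
    "deny tcp src dst eq 22", "deny tcp src dst eq pop3",
    "deny tcp src dst eq 123",
]

# Constructed IP-SGT bindings: an Employee (5) subnet and the Web_Servers (110) /27.
BINDINGS = {"10.1.0.0/16": 5, "172.20.100.64/27": 110}
# Constructed policy-matrix cells: (source SGT, destination SGT) -> SGACL name.
MATRIX = {(5, 5): "Anti-Malware-ACL"}
ACLS = {"Anti-Malware-ACL": ANTI_MALWARE_ACL}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str                 # "tcp", "udp" or "icmp"
    dst_port: int | None = None


def resolve_sgt(bindings: dict[str, int], ip: str) -> int | None:
    """Longest-prefix match of an address against prefix -> SGT bindings."""
    addr = ipaddress.ip_address(ip)
    best: tuple[int, int] | None = None
    for prefix, sgt in bindings.items():
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, sgt)
    return None if best is None else best[1]


def parse_ace(line: str) -> tuple[str, str, int | None]:
    """'deny tcp src dst eq 445' -> ('deny', 'tcp', 445); 'deny icmp' -> ('deny', 'icmp', None)."""
    parts = line.split()
    action, proto = parts[0], parts[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    port = None
    if "eq" in parts:
        tok = parts[parts.index("eq") + 1]
        port = int(tok) if tok.isdigit() else PORT_NAMES.get(tok)
        if port is None:
            raise ValueError(f"unknown service name in ACE: {line!r}")
    return action, proto, port


def evaluate_sgacl(acl: list[str], flow: Flow, implicit: str = "permit") -> str:
    """First matching ACE wins; with no match the SGACL's implicit action applies."""
    for line in acl:
        action, proto, port = parse_ace(line)
        if proto == flow.proto and (port is None or port == flow.dst_port):
            return action
    return implicit


def decide(flow: Flow, bindings=BINDINGS, matrix=MATRIX, acls=ACLS,
           unknown_sgt: int = 0, matrix_default: str = "permit") -> dict:
    """Resolve both SGTs, pick the matrix cell, evaluate the SGACL."""
    src = resolve_sgt(bindings, flow.src_ip)
    dst = resolve_sgt(bindings, flow.dst_ip)
    src = unknown_sgt if src is None else src   # endpoints with no binding get SGT 0
    dst = unknown_sgt if dst is None else dst
    acl_name = matrix.get((src, dst))
    if acl_name is None:
        # No cell for this pair: the matrix default applies (a parameter here).
        return {"src_sgt": src, "dst_sgt": dst, "sgacl": None, "action": matrix_default}
    return {"src_sgt": src, "dst_sgt": dst, "sgacl": acl_name,
            "action": evaluate_sgacl(acls[acl_name], flow)}
```

Running employee-to-employee SMB (TCP 445) through the model yields deny, while TCP 8080 between the same hosts is permitted by the implicit permit at the end of the ACL: the point of the slide is that the list blocks the lateral-movement ports and leaves everything else alone, so any service an attacker could pivot over that is not on the list is worth checking against this evaluator before the policy is pushed.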

Zone based Firewall (slide 57)

class-map type inspect match-any partner-services
 match protocol http
 match protocol icmp
 match protocol ssh
class-map type inspect match-any partner-sgts
 match security-group source tag 2001
 match security-group source tag 2002
 match security-group source tag 2003
class-map type inspect match-all partner-class
 match class-map partner-services
 match class-map partner-sgts
class-map type inspect match-any guest-services
 match protocol http
class-map type inspect match-any guest-sgts
 match security-group source tag 5555
class-map type inspect match-all guest-class
 match class-map guest-services
 match class-map guest-sgts
class-map type inspect match-any emp-services
 match protocol http
 match protocol ftp
 match protocol icmp
 match protocol ssh
...

SGT is a source criterion only in the ISR firewall; it can be source or destination in the ASR 1000.

Firewall policy based on SGTs (slide 58)

ASA access rule elements shown on the slide:
• Use the destination SGT received from the switches connected to the destination
• Use a network object (host, range, network (subnet), or FQDN)
• SGT defined in ISE or locally defined on the ASA
• Trigger IPS/CX based on SGT

SGT based path selection (slide 59)

Diagram: Network A with User A (Employee), User B (Suspicious) and User C (Guest) behind a router / firewall; the Enterprise WAN on one side and an inspection router on the other. Policy-based routing based on SGT steers User B to the inspection router; SGT-based VRF selection places User C in VRF-GUEST.

Security example: redirect traffic from malware-infected hosts
• Contain threats
• Pass traffic through centralized analysis and inspection functions

Other example: map different user groups to different WAN services; segment traffic to different VRFs based on context.

route-map SG_PBR permit 10
 match security-group source tag 100
 set ip next-hop 172.20.100.2
route-map SG_PBR permit 20
 match security-group destination tag 150
 set ip next-hop 172.20.101.2

Available today: Cisco IOS XE Release 3.16S (ASR 1000) as well as ASA5500-X (9.5.1)

FirePOWER service redirect on tags (slide 60, for your reference)

Create a service policy to forward suspicious traffic to FirePOWER services.

SGT based path selection (slide 61, for your reference)

Diagram: Network A (Employee (10)) behind a router / firewall, the Enterprise WAN, and an applications router in front of CriticalServers (100) and NonCritical (254). Critical applications get priority treatment; the non-critical class gets lower bandwidth. Available from 3.17S.

Different user groups can be offered different Quality of Service (QoS):

class-map employee-non_critical
 match security-group source tag 10
 match security-group destination tag 254
!
class-map employee-critical
 match security-group source tag 10
 match security-group destination tag 100
!
policy-map sg_qos
 class employee-critical
  priority percent 50
 class employee-non_critical
  bandwidth percent 25
  set dscp ef

TrustSec platform support (slide 62)

Diagram: user - switch - router - WAN (GETVPN, DMVPN, IPsec) - router - firewall - DC switch - vSwitch - server, with SGT classification at the edge, propagation across the path and enforcement at the firewall and DC.

Classification:
Catalyst 2960-S/-SF/-C/-CX/-Plus/-X/-XR
Catalyst 3560-E/-C/-X/-CX/-CG
Catalyst 3750-E/-X
Catalyst 3650, 3850, 3850-XS
Catalyst 4500E (Sup6-E, 6L-E)
Catalyst 4500E (Sup 7-E, 7L-E, 8-E, 8L-E)
Catalyst 4500-X
Catalyst 6500E (Sup720/2T)
Catalyst 6800
WLC 2500/5500/WiSM2/Flex7500
WLC 5760
WLC 8510/8540
Nexus 7000
Nexus 6000/5600
Nexus 5500/2200
Nexus 1000v
ISRG2, ISR4000, ISRv
ASR1000,1000-X; CSR 1000v
IE2000/2000U/3000/4000/5000
CGR 2010, CGS2500
ASA 5500, ASAv, FP4100/9300, ISA 3000
ISE

Propagation:
Catalyst 2960-S/-SF/-C/-CX/-Plus/-X/-XR
Catalyst 3560-E/-C/-X/-CX/-CG
Catalyst 3750-E/-X
Catalyst 3650, 3850, 3850-XS
Catalyst 4500E (Sup6-E, 6L-E)
Catalyst 4500E (Sup 7-E, 7L-E, 8-E, 8L-E)
Catalyst 4500-X
Catalyst 6500E (Sup720/2T)
Catalyst 6800
WLC 2500/5500/WiSM2/Flex7500
WLC 5760
WLC 8510/8540
Nexus 7000
Nexus 6000/5600
Nexus 5500/2200
Nexus 1000v
ISRG2, ISR4000, ISRv
ASR1000,1000-X; CSR 1000v
IE2000/2000U/3000/4000/5000
CGR 2010, CGS2500
ASA 5500, ASAv, FP4100/9300, ISA 3000
FP 7000/8000; ISE

Enforcement:
Catalyst 3560-X/-CX
Catalyst 3750-E/-X
Catalyst 3650, 3850, 3850-XS
Catalyst 4500E (Sup 7-E, 7L-E, 8-E, 8L-E)
Catalyst 4500-X
Catalyst 6500E (Sup 2T)
Catalyst 6800
WLC 5760
Nexus 7000
Nexus 6000/5600
Nexus 5500/2200
Nexus 1000v
ISRG2, ISR4000, ISRv
ASR1000,1000-X; CSR 1000v
IE4000/5000
CGR 2010
ASA 5500, ASAv, FP4100/9300, ISA 3000
Web Security Appliance

For up-to-date information visit: http://bit.ly/cisco-trustsec-matrix

How about monitoring segmentation policies? Use NetFlow (slide 63)

TrustSec traffic monitoring with Stealthwatch (slide 64)

• Highly scalable (enterprise class) collection
• High compression long term storage
• Months of data retention

NetFlow already answers when, who, where and what; adding the Security Group to the flow record adds more context about who.

flow record my-flow-record
 ...
 match flow cts source group-tag
 match flow cts destination group-tag
 ...

Real-time segmentation policy validation (slide 65)

A custom event triggers on a traffic condition expressed in SGT and DGT (destination group tag); trigger on traffic in both directions, successful or unsuccessful.

More on StealthWatch: BRKSEC-3014: Security Monitoring with StealthWatch

Real-time policy check (slide 66, for your reference)

Monitor network activity across the enterprise network:
• Detect suspicious and malicious activity
• Network behaviour and anomaly detection
• Policy violations
• Monitor policy configuration and misconfiguration
• Monitor for business continuity

TrustSec reduces operational costs for segmentation (slide 67)

"Based on the results of the PCI validation and PCI Internal Network Penetration and Segmentation Test, it is Verizon's opinion that Cisco TrustSec can successfully perform network segmentation, for the purpose of PCI scope reduction."
http://bit.ly/pci-trustsec-report

"Cisco has made great strides in integrating support for the TrustSec framework across its product lines" - "Flexibility to Segregate Resources Without Physical Segmentation or Managing VLANs" - "Reduction in ACL Maintenance, Complexity and Overhead"
http://blogs.cisco.com/security/gartners-perspective-on-cisco-trustsec

"Cisco TrustSec enabled the organizations interviewed, to reduce operational costs by avoiding additional IT headcount, deploy new environments faster, and implement consistent and effective network segmentation resulting in lower downtime."
http://bit.ly/ts-forrester-report

Segmentation using Endpoint Groups (EPG) (slide 68)

TrustSec – ACI comparison (slide 69)

                     TRUSTSEC                                    ACI
Segment identifier   16-bit Security Group Tags (SGT)            16-bit Endpoint Groups (EPG)
Classification       Static or dynamic                           Static or dynamic
Transport            SGT-over-Ethernet, SXP, LISP and IPSec      VxLAN
Policy               SG-ACL, SG-Firewall, SG-based-PBR, SG-QoS   Contracts: ACL, QoS, Redirect (service chaining)
Scope                End-to-end (user to DC)                     Data Center only
Controller           Cisco ISE                                   Cisco APIC-DC

APIC – Application Policy Infrastructure Controller

Application Centric Infrastructure (ACI) (slide 70)

Diagram: a non-blocking, penalty-free overlay. Localized encapsulations at the edge (VXLAN VNID = 78, 802.1Q VLAN 50, VXLAN VNID = 11300, NVGRE VSID = 7456) are normalized into the ACI fabric's VXLAN overlay over 40 Gbps uplinks. ACI policy: EPGs (CLIENTS, WEB, APP, DB, each a group of VMs) connected by contracts.

• Cisco ACI is a comprehensive SDN architecture for Data Center networks
• Spine-leaf architecture with Nexus 9000 switches
• Network controlled by the APIC-DC controller
• Routed mesh topology, ECMP load balancing
• VXLAN for overlay
• EPG and Contracts for policy

Manage the fabric instead of individual switches (slide 71)

Virtual Extensible LAN (VXLAN): extend VLAN capabilities with flexibility (slide 72)

• 24 bit VNID (VXLAN Network Identifier)
• 16 million segments
• 4 times more than VLANs
• Members need not be co-located like in VLAN
• VXLAN tunnels Layer 2 network over Layer 3 network. No need for Spanning Tree Protocol
• IP mobility is supported
• VLANs can be mapped to VNIDs
• VXLAN tunnel endpoint (VTEP) devices map end devices to VXLAN segments

Diagram: hosts 10.0.0.1 (VNID 1100), 172.20.0.1 (VNID 1100) and 10.0.0.1 (VNID 1100) attach to VTEPs that encapsulate (ENCAP) VLAN traffic into VXLAN on the Layer 3 side and decapsulate (DECAP) it back to the VLAN on the Layer 2 side.

VXLAN Encapsulation (slide 73)

Frame layout (VXLAN encapsulation followed by the original Ethernet frame):
  Outer MAC DA | Outer MAC SA | Outer IEEE 802.1Q | Outer IP DA (VTEP) | Outer IP SA (VTEP) | Outer UDP | VXLAN Header | Inner MAC DA | Inner MAC SA | Optional Inner IEEE 802.1Q | Original Ethernet Payload | CRC

• MAC in UDP encapsulation
• UDP destination port # 8472
• The ACI implementation of VXLAN is similar to LISP (Locator/ID Separation Protocol)

VXLAN header fields: LISP Flags (8b), Flags (8b), Source Group (16b), Metrics (8b), VXLAN Instance ID (24b)
  Source Group = Source Endpoint Group (EPG); VXLAN Instance ID = VXLAN Network Identifier (VNID)

VXLAN / ACI packet walk (slide 74)

VTEPs use multicast or a host-tracking method to learn remote hosts.

Topology: Host-A 172.20.0.1 behind VTEP-1 (10.0.1.1/24), Host-B 172.20.0.2 behind VTEP-2 (10.0.2.1/24), both in VNID-10; Spine-1 at 10.0.5.1/24. An ARP for 172.20.0.2 starts the exchange.

Host database: Host 172.20.0.1, VNID 10, VTEP 10.0.1.1

VTEP caches before the exchange: both VTEP-1 and VTEP-2 hold only the default entry * 10.0.5.1.
VTEP-1 cache after: Host 172.20.0.2, VNID 10, VTEP 10.0.2.1; * 10.0.5.1
VTEP-2 cache after: Host 172.20.0.1, VNID 10, VTEP 10.0.1.1; * 10.0.5.1

1. Host-A sends the original frame: SIP 172.20.0.1, DIP 172.20.0.2, SMAC Host-A, DMAC Host-B.
2. VTEP-1 encapsulates: outer SIP 10.0.1.1, DIP 10.0.2.1, SMAC VTEP-1, DMAC Spine-1, VNID 10; the inner frame is unchanged.
3. Spine-1 forwards: outer SIP 10.0.1.1, DIP 10.0.2.1, SMAC Spine-1, DMAC VTEP-2, VNID 10; the inner frame is unchanged.
4. VTEP-2 decapsulates and delivers the original frame to Host-B: SIP 172.20.0.1, DIP 172.20.0.2, SMAC Host-A, DMAC Host-B.
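The encapsulation slide and the packet walk above describe one operation: wrap the original frame in a VXLAN header that carries the VNID and the source group, pick the outer destination from the VTEP cache, and unwrap at the far end. The code below is an added example written for this page, not Cisco or ACI code. Its bit layout follows the VXLAN Group Policy draft (G flag in byte 0, 16-bit group in bytes 2-3, 24-bit VNI in bytes 4-6), which carries the fields the slide lists; that ACI's iVXLAN packs the bits identically is an assumption. The UDP port is the one quoted on the slide (8472, the early Linux default; IANA later assigned 4789 to VXLAN, which is what an IDS or firewall classifier should also expect). Hosts, VTEPs, MACs and the cache are constructed sample data modelled on the packet walk.

```python
"""VXLAN encapsulation with a group tag and VTEP-cache forwarding
(added example, not Cisco or ACI code).

Builds the VXLAN header around an original Ethernet frame, chooses the outer
IP destination from a VTEP cache as in the packet walk, and parses it back.
Bit layout follows the VXLAN Group Policy draft; ACI's exact packing is an
assumption. Sample hosts, VTEPs and cache are constructed.
"""
from __future__ import annotations

import struct

VXLAN_UDP_PORT = 8472   # port quoted on the slide (IANA assigned 4789 later)
FLAG_I = 0x08           # VNI field is valid (RFC 7348)
FLAG_G = 0x80           # group policy ID carried in bytes 2-3 (VXLAN-GBP draft)
HEADER_LEN = 8


def build_vxlan_header(vnid: int, source_group: int = 0) -> bytes:
    if not 0 <= vnid < 1 << 24:
        raise ValueError("VNID must fit in 24 bits")
    if not 0 <= source_group < 1 << 16:
        raise ValueError("source group must fit in 16 bits")
    flags = FLAG_I | (FLAG_G if source_group else 0)
    # byte 0 flags, byte 1 reserved, bytes 2-3 group, bytes 4-6 VNID, byte 7 reserved
    return struct.pack("!BBHI", flags, 0, source_group, vnid << 8)


def parse_vxlan_header(data: bytes) -> dict:
    if len(data) < HEADER_LEN:
        raise ValueError("short VXLAN header")
    flags, _, group, tail = struct.unpack("!BBHI", data[:HEADER_LEN])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VNID not valid")
    return {"vnid": tail >> 8, "source_group": group if flags & FLAG_G else None}


# Constructed VTEP-1 cache as on the packet-walk slide: host -> VTEP, with "*"
# as the default (spine) for hosts not yet learned.
VTEP1_CACHE = {"172.20.0.2": "10.0.2.1", "*": "10.0.5.1"}


def encapsulate(inner_frame: bytes, dst_host_ip: str, local_vtep_ip: str,
                cache: dict[str, str], vnid: int, source_group: int = 0) -> dict:
    """Outer IP/UDP wrapper (modelled as a dict) around VXLAN header + frame."""
    remote_vtep = cache.get(dst_host_ip, cache["*"])
    return {
        "outer_src_ip": local_vtep_ip,
        "outer_dst_ip": remote_vtep,
        "udp_dst_port": VXLAN_UDP_PORT,
        "payload": build_vxlan_header(vnid, source_group) + inner_frame,
    }


def decapsulate(packet: dict) -> dict:
    if packet["udp_dst_port"] != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN on the expected port")
    hdr = parse_vxlan_header(packet["payload"])
    return {**hdr, "inner_frame": packet["payload"][HEADER_LEN:]}


def sample_frame() -> bytes:
    """Constructed Ethernet frame Host-A -> Host-B (MACs are placeholders)."""
    dst_mac = bytes.fromhex("02000000000b")   # Host-B
    src_mac = bytes.fromhex("02000000000a")   # Host-A
    return dst_mac + src_mac + b"\x08\x00" + b"ip-packet-172.20.0.1->172.20.0.2"
```

Two points worth noticing from running it: a frame for a host the cache does not know is sent to the default entry (the spine at 10.0.5.1) rather than dropped, which is step 2 of the walk before VTEP-1 has learned Host-B; and the source group rides in the header in clear, so anything that can inject frames into the underlay with a forged group field must be kept out, which is why VTEP-to-VTEP traffic belongs on a fabric no host can reach.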

Endpoint Groups (EPG) (slide 75)

Diagram: WEB EPG (Web Servers, 10.10.10.X), APP EPG (Application Servers, 10.10.11.X) and DB EPG (Database Servers).

• Like SGTs, EPGs are topology independent
• A logical group of objects that require similar policy
• EPG is '16 bits'

EPGs can be assigned to: physical port, virtual port, VLAN ID, VXLAN (VNID), NVGRE (VSID), IP address, IP subnet, Layer 4 ports (ingress ports only), *.DOMAIN.NAME*, VM attributes*

* - Future

Example: Assigning EPG to IP address pool (slide 76)

Diagram: hosts 10.0.1.2 (VNID 1101), 10.0.2.2 (VNID 1102) and 10.0.3.2 (VNID 1103) behind leaf switches, with a firewall attached to the fabric.

Classification options for EPG shown:
• Eth 1/1 = APP EPG
• 10.0.1.2 = WEB EPG
• VLAN-20 = DB EPG

Contracts (slide 77)

Diagram: USER EPG (172.20.X, here 172.20.0.0/15 on VNID 1101), WEB EPG (10.0.1.2, VNID 1102) and APP EPG (Eth 1/1, VNID 1103), with a firewall attached to the fabric. CONTRACT-U2W allows HTTP and HTTPS from USER to WEB; CONTRACT-W2A allows HTTP / HTTPS from WEB to APP, with service chaining through the firewall.

• EPGs can't talk to each other without a 'contract'
• Contracts connect EPGs over a Provider (P) and Consumer (C) relationship

Contract definitions: IN/EG PERMIT, IN/EG DENY, QOS, REDIRECT (IN: Ingress, EG: Egress)

Contracts – ACL (slide 78)

Contracts – Service Graph (slide 79)

EPGs and Contracts summary (slide 80)

EPG + Contracts = Application Network Profile

ACI policy hierarchy (slide 81)

ACI policy:
  Application Network Profile = set of EPGs and Contracts, e.g. USER EPG -C-> WEB EPG -C-> APP EPG -C-> DB EPG

ACI networking:
  Tenant > Context (Layer 3 / VRF, IP spaces) > Bridge Domain (Layer 2 boundary), e.g. Bridge Domains carrying Subnet A, B / Subnet B, C / Subnet D

ACI management

http://bit.ly/aci-model

Seeing it on APIC (slide 82)

ACI Policy: EPGs and Contracts
ACI Networking

TrustSec – ACI Integration (slide 83)

Why integrate TrustSec and ACI? (slide 84)

Diagram: ACI policy (endpoint groups WEB, APP, DB with contracts) on one side; USERS on the other. ACI contracts alone cannot answer questions about the users, and ISE says "I can help!":
• What users? (Employee / Contractors / Guests)
• What device type? (Corporate / BYOD / IoT)
• Posture compliant? (Compliant / Non-compliant)
• Threats / vulnerabilities? (Safe / Compromised hosts)
• Location? (Corporate / Public / Home)

ISE and APIC-DC exchange context for interoperability (slide 85)

Diagram: TrustSec policy domain (user, switch, router, WAN with GETVPN / DMVPN / IPsec, router, firewall; classification at the access, SGT over Ethernet and IPsec / DMVPN / GETVPN / SXP for propagation) on the left; ACI policy domain (Nexus 9000 spine and leaf, servers) on the right.

• ISE creates matching Security Groups and Endpoint Groups
• ISE exchanges IP-SGT/EPG 'name bindings' with APIC-DC
• IP-Security Group bindings are exchanged with the TrustSec network; IP-ClassId, VNI bindings with the ACI fabric

Cisco ISE 2.1 (Security Groups) <-> Cisco APIC-DC (End Point Groups)

APIC - Application Policy Infrastructure Controller, ACI - Application Centric Infrastructure

ISE and APIC integration settings (slide 86, for your reference)

Work Centers > TrustSec > Settings > ACI Settings
• APIC-DC IP address
• ACI tenant where EPGs must be created
• Suffixes to identify groups created by the integration

SGT – EPG exchange (slide 87)

Cisco ISE 2.1 <-> Cisco APIC-DC
• ISE shares Security Groups and IP bindings
• APIC-DC shares End Point Groups (EPG) and IP bindings

More on ACI Security: BRKSEC-2048 - Demystifying ACI Security

APIC - Application Policy Infrastructure Controller, ACI - Application Centric Infrastructure

Scaling TrustSec-ACI integration: SGT-EPG translation in the data plane (slide 88)

Diagram: TrustSec domain -- BORDER (ASR1K) -- ACI domain, with IP-SGT bindings on the TrustSec side and IP-EPG bindings on the ACI side. Three planes cross the border:
• Policy plane (APIC REST API): SG/EPG names and info for the translation table
• Routing plane (MP-BGP EVPN & OpFlex)
• Data plane (iVXLAN with inline groups)

ASR1K#show cts sg-epg translations
Total Entries: 2
Last update time: 05:07:17 UTC Jun 05 2017
Next refresh time: 05:07:17 UTC Jun 06 2017
* Represents truncated names
Status Codes:
A - Active
--------------------------------------------------------------------------------
Security-Group              Endpoint-Group    VRF         Status
--------------------------------------------------------------------------------
10001:WebServers_APIC       32771             BLUE (2)    A
05:Employees                16380             BLUE (2)    A

Versions shown: Cisco ISE 2.2, APIC 2.3, 16.5.1 on the ASR1K border.
* This feature is applicable for a single ACI tenant with multiple VRFs.

Segmentation using Virtual Networks (VNs) (slide 89)

Software Defined Access

Diagram: an Employee virtual network (Group-1, Group-2) and an IoT virtual network (Group-1, Group-2) run on top of secure campus fabric(s); Cisco DNA Center (ISE, APIC-EM, NDP) drives the DNA-C workflows.
APIC-EM – Application Policy Infrastructure Controller, Enterprise Module | NDP – Network Data Platform

Software Defined Access (SDA) is the next-generation network technology to automate and assure network services securely with simplified administration.

Some key benefits of SDA are:
• Network automation: transform business intent into network configuration at the click of a button
• End-to-end segmentation: role-based segmentation of the network with Virtual Networks and Scalable Groups
• Network assurance: based on collected data, provide contextual insights into users and network activities

Best of both worlds

TrustSec
• Security Group Tags (SGT)
• Dynamic SGT assignments to endpoints with ISE
• Policy automation
• Robust platform support
• Leverage the ISE ecosystem for a secure enterprise

ACI
• Normalized overlay
• Contracts and service chaining
• Hierarchical policies
• IP mobility
• Reusable policies and constructs

Campus Fabric: combines the two.

DNA Center 4 step workflow (for your reference)

1. Design: Sites-Locations | Global Settings | Wired-Wireless profiles
2. Policy: Access control policies | Segmentation | QoS policies
3. Provision: Create Campus Fabric | Provision WLCs and APs
4. Assurance*: Network Health | Client Status | Troubleshooting

*(FCS +1)

Overlay for Campus Fabric: similar format, different payload

LISP – IP based (Locator/ID Separation Protocol)
• Outer IPv4 header (Ver, IHL, ToS, Total Length, Identification, Flags, Fragmentation Offset, Time to Live, Protocol 17, Header Checksum) with Source and Destination Routing Locator
• UDP header: Source Port, Destination Port 4341, UDP Length, UDP Checksum
• LISP header: N L E flags, Instance ID / Locator Status Bits, and a Reserved field followed by the Security Group Tag; the 16-bit SGT is inserted in the 24-bit Nonce field
• Inner IPv4 header with Source and Destination Endpoint Identifier, followed by the original payload
• Overall IP MTU increase: 36 bytes

VXLAN – Ethernet based
• Outer IPv4 header (same fields as above) with Source and Destination Routing Locator
• UDP header: Source Port, Destination Port 8472 (the port shown on the slide; the IANA-assigned VXLAN port is 4789), UDP Length, UDP Checksum
• VXLAN header: Endpoint Group, VXLAN Network Identifier (VN ID), Reserved
• Inner Ethernet frame: Inner Destination MAC Address, Inner Source MAC Address, Ethertype = C-Tag (802.1Q) with Inner VLAN Tag Information, Ethertype of the original payload, Original Ethernet Payload
• New FCS for the outer Ethernet frame

Campus fabric in a nutshell

Frame on the wire, outer to inner: ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD

1. LISP based control plane
2. VXLAN like data plane
3. Integrated Cisco TrustSec: VRF (Virtual Routing & Forwarding) + SGT (Security Group Tags)
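The two slides above describe the header layout and the encapsulation stack in words. The following added Python example (not from the slide deck) builds and parses a VXLAN header that carries a group policy ID next to the VNI, which is how the "Endpoint Group" field on the slide carries the SGT, and computes the overhead each overlay adds on top of the inner IP packet. The flag bits (I = VNI valid, G = group ID valid) follow the VXLAN-GPO draft; the inner MAC and IP addresses, VNI 4097 and SGT 20 are constructed test values.

```python
"""Build and parse the VXLAN header with group policy ID used by the SD-Access
data plane (added example, not from the slide deck). Inner frame, addresses,
VNI and SGT below are constructed test data."""
import struct
from dataclasses import dataclass
from typing import Optional

VXLAN_FLAG_G = 0x80   # Group Policy ID field is valid (VXLAN-GPO extension)
VXLAN_FLAG_I = 0x08   # VNI field is valid (base VXLAN, RFC 7348)

IPV4_HDR_LEN, UDP_HDR_LEN, VXLAN_HDR_LEN, LISP_HDR_LEN, ETH_HDR_LEN = 20, 8, 8, 8, 14


def encap_overhead(mode: str) -> int:
    """Bytes added on top of the inner IP packet by each overlay on the slide."""
    if mode == "lisp":            # outer IP + UDP + LISP header, IP carried directly
        return IPV4_HDR_LEN + UDP_HDR_LEN + LISP_HDR_LEN
    if mode == "vxlan":           # outer IP + UDP + VXLAN + inner Ethernet header
        return IPV4_HDR_LEN + UDP_HDR_LEN + VXLAN_HDR_LEN + ETH_HDR_LEN
    raise ValueError(mode)


def build_vxlan_gpo(vni: int, sgt: Optional[int], inner_frame: bytes) -> bytes:
    """8-byte header: flags, reserved, 16-bit group policy ID (SGT), 24-bit VNI, reserved."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if sgt is not None and not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits")
    flags = VXLAN_FLAG_I | (VXLAN_FLAG_G if sgt is not None else 0)
    header = struct.pack("!BBHI", flags, 0, sgt or 0, vni << 8)
    return header + inner_frame


@dataclass(frozen=True)
class VxlanGpo:
    vni: int
    sgt: Optional[int]          # None when the G flag is clear: no group carried
    inner_ethertype: int
    inner_src_ip: str
    inner_dst_ip: str


def dotted(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_vxlan_gpo(udp_payload: bytes) -> VxlanGpo:
    """Decode the VXLAN header and the inner Ethernet/IPv4 headers it carries."""
    if len(udp_payload) < VXLAN_HDR_LEN + ETH_HDR_LEN + IPV4_HDR_LEN:
        raise ValueError("truncated VXLAN packet")
    flags, _reserved, group_id, vni_field = struct.unpack("!BBHI", udp_payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI not valid")
    sgt = group_id if flags & VXLAN_FLAG_G else None   # only trust the field when G is set
    inner = udp_payload[VXLAN_HDR_LEN:]
    ethertype, = struct.unpack("!H", inner[12:14])
    if ethertype != 0x0800:
        raise ValueError(f"unsupported inner ethertype {ethertype:#06x}")
    ip = inner[ETH_HDR_LEN:]
    return VxlanGpo(vni_field >> 8, sgt, ethertype, dotted(ip[12:16]), dotted(ip[16:20]))


def build_inner_frame(src_ip: str, dst_ip: str) -> bytes:
    """Constructed inner Ethernet header + minimal IPv4 header (no payload, checksum 0)."""
    eth = bytes.fromhex("0200000000010200000000020800")   # dst MAC, src MAC, ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip


if __name__ == "__main__":
    frame = build_inner_frame("10.1.20.5", "10.1.22.9")
    pkt = build_vxlan_gpo(vni=4097, sgt=20, inner_frame=frame)   # assumed EMPL VN, SGT 20
    print(parse_vxlan_gpo(pkt))
    print("LISP overhead", encap_overhead("lisp"), "VXLAN overhead", encap_overhead("vxlan"))
```

The parser deliberately returns `sgt=None` when the G flag is clear instead of reading whatever bytes sit in the field: an enforcement point that trusts an unflagged group ID would let a crafted frame claim a privileged SGT.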

Simplifying TrustSec with Campus Fabric

TrustSec today: multiple encapsulations / transport options between source and destination (SGT-over-Ethernet, SGT-over-VPN, SXP)
TrustSec tomorrow: normalized transport and encapsulation for SGTs between source and destination

Campus Fabric ‘network’ constructs

Host Pool: based on IP subnet + VLAN-ID, with the Edge node as anycast gateway; assigned by AAA or static configuration (VLAN / SUBNET pairs)
Fabric Network: IS-IS for the underlay, VXLAN (LISP) for the overlay
Fabric Control-Plane Node (C; LISP Map Server/Resolver): has the host tracking database that provides reachability information
Fabric Border Node (B; LISP Proxy tunnel router): connects the fabric to the outside world
Fabric Edge Node (E; LISP Tunnel Router): connects users and devices to the fabric
 - Anycast L3 gateway
 - Registers endpoint ID with the control-plane node

AAA: Authentication, Authorization and Accounting

Campus Fabric ‘policy’ constructs

Virtual Network (VN-A, VN-B, VN-C): based on Virtual Routing & Forwarding (VRF); maintains a separate routing & switching instance for each VN.

TrustSec Policy: a sources × destinations matrix of Security Group Tags (✓ permit, ✕ deny). ISE supplies the SGT assignments and the policy is downloaded to the fabric.

Note: at FCS, all SG based policies must be contained within one VN.

SDA Fabric workflow

From the DNA-C (UI) on APIC-EM, with hosts and devices reaching the Internet & Intranet through the fabric:
1. Create Fabric (SJC-19-Fabric)
2. Add nodes to the fabric
3. Select Control Plane node(s) (C)
4. Select Border node(s) (B)
Result: SJC-19-FABRIC with a Layer-3 underlay (ECMP) and a VXLAN overlay.

SDA policy and on-boarding

Continuing in the DNA-C (UI) after the fabric (SJC-19-Fabric) has been created and its Control Plane and Border nodes selected:
1. Add ‘Virtual Network(s)’, each with an SGT range and an IP pool:
   VN IOT: SGT 10-15, IP pool A
   VN EMPL: SGT 20-25, IP pool B
   VN GUEST: SGT 30, IP pool C
2. Select the authentication type for on-boarding: Static, 802.1X or Easy Connect (Easy-C), backed by Cisco ISE.

SDA policy deployment

Groups: Employees, Contractors, PCI_Servers, POS_Systems. Policy is a contract between a source group and a destination group, for example:
   Employees -> PCI_Servers: DENY

Cisco DNA Center pushes the contract to Cisco ISE over its API; ISE downloads the resulting fabric policies to the fabric nodes.

At SDA release 1, all SG policies must be contained within one Virtual Network.
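The contract model and the one-VN restriction above can be checked before anything is pushed to ISE. The following added Python example (not from the slide deck or from DNA Center) models the three VNs from the on-boarding slide, assigns hypothetical SGT values to the groups named on this slide (Employees 20, Contractors 21, PCI_Servers 22, POS_Systems 23 in the EMPL range, plus an assumed IoT_Sensors group at SGT 10), rejects any contract whose source and destination fall in different VNs, and evaluates a source/destination pair against the resulting matrix the way egress enforcement would.

```python
"""Model SDA virtual networks, scalable groups and contracts and validate them
before deployment (added example, not from the slide deck or DNA Center).
SGT numbers for the named groups are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VirtualNetwork:
    name: str
    sgt_range: Tuple[int, int]     # inclusive range of SGTs owned by this VN
    ip_pool: str


@dataclass(frozen=True)
class Contract:
    src_sgt: int
    dst_sgt: int
    action: str                    # "PERMIT" or "DENY"


# The three VNs from the on-boarding slide: IOT 10-15, EMPL 20-25, GUEST 30.
VNS: List[VirtualNetwork] = [
    VirtualNetwork("IOT", (10, 15), "A"),
    VirtualNetwork("EMPL", (20, 25), "B"),
    VirtualNetwork("GUEST", (30, 30), "C"),
]

# Hypothetical SGT values for the groups named on the policy slide, placed in
# the EMPL range, plus an assumed IoT group in the IOT range.
SGT: Dict[str, int] = {"Employees": 20, "Contractors": 21, "PCI_Servers": 22,
                       "POS_Systems": 23, "IoT_Sensors": 10}

CONTRACTS: List[Contract] = [
    Contract(SGT["Employees"], SGT["PCI_Servers"], "DENY"),     # the slide's example
    Contract(SGT["Contractors"], SGT["PCI_Servers"], "DENY"),
    Contract(SGT["POS_Systems"], SGT["PCI_Servers"], "PERMIT"),
    Contract(SGT["IoT_Sensors"], SGT["PCI_Servers"], "DENY"),   # IOT -> EMPL: crosses VNs
]


def vn_for_sgt(vns: List[VirtualNetwork], sgt: int) -> Optional[VirtualNetwork]:
    """Return the VN whose SGT range contains sgt, or None if no VN owns it."""
    for vn in vns:
        lo, hi = vn.sgt_range
        if lo <= sgt <= hi:
            return vn
    return None


def validate_contracts(vns: List[VirtualNetwork], contracts: List[Contract]) -> List[str]:
    """One message per contract that cannot be deployed at SDA release 1:
    an unknown action, an SGT no VN owns, or source and destination in different VNs."""
    problems = []
    for c in contracts:
        if c.action not in ("PERMIT", "DENY"):
            problems.append(f"{c.src_sgt}->{c.dst_sgt}: unknown action {c.action!r}")
            continue
        src_vn, dst_vn = vn_for_sgt(vns, c.src_sgt), vn_for_sgt(vns, c.dst_sgt)
        if src_vn is None or dst_vn is None:
            problems.append(f"{c.src_sgt}->{c.dst_sgt}: SGT not assigned to any VN")
        elif src_vn.name != dst_vn.name:
            problems.append(f"{c.src_sgt}->{c.dst_sgt}: crosses VN {src_vn.name} -> "
                            f"{dst_vn.name}; inter-VN traffic must be handled outside "
                            "the SG policy (e.g. at the border firewall)")
    return problems


def build_matrix(contracts: List[Contract]) -> Dict[Tuple[int, int], str]:
    """TrustSec-style matrix: one cell per (source SGT, destination SGT)."""
    return {(c.src_sgt, c.dst_sgt): c.action for c in contracts}


def decide(matrix: Dict[Tuple[int, int], str], src_sgt: int, dst_sgt: int,
           default: str = "PERMIT") -> str:
    """Egress decision for one flow; pairs without a contract get the matrix default."""
    return matrix.get((src_sgt, dst_sgt), default)


if __name__ == "__main__":
    for p in validate_contracts(VNS, CONTRACTS):
        print("REJECT", p)
    matrix = build_matrix(CONTRACTS)
    print("Employees -> PCI_Servers:", decide(matrix, SGT["Employees"], SGT["PCI_Servers"]))
```

The `default` argument matters for a PCI scope: with a permit default, every pair you forgot to write a contract for is open, so the validation step is also the place to decide whether the matrix default for the PCI destination groups should be deny.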

SDA group-based policy administration (DNA Center screenshot)

ISE programming over APIs from DNA-C (screenshot)

Campus Fabric summary (for your reference)

Layers: Domain, Policy, Networking, Management.
• Enterprise Policy: a set of SGTs and policy (SGT + SGACL applied per host pool)
• Virtual Network (VN): Layer 3 / VRF
• Host pool: Layer 2 and L3 access boundary (VLAN-X / Subnet A, VLAN-Y / Subnet B, VLAN-Z / Subnet C)

Compare with the ACI model: http://bit.ly/aci-model

Closing thoughts

Integrating Security into the Network

A continuous cycle built around network segmentation:
• Discover and classify assets
• Understand behavior
• Design and model policy
• Enforce policy
• Active monitoring

ISE is critical for Software defined segmentation

Cisco ISE sits at the center of software-defined segmentation and exchanges group information with every other party:
• Orchestration tools (REST APIs): security group definitions, new group members, policy definition (SGACLs)
• Integrated network infrastructure (RADIUS, SXP, pxGrid): Service Routers, Wireless LAN, Catalyst switches, Industrial Ethernet switches, Connected Grid Routers & Switches, Nexus switches; SGT classifications, security group & policy download, SGT-EPG translation
• Security platforms (SXP, REST, pxGrid): ASA, NGFW, WSA, Stealthwatch; security group / membership info for security-group-based policies and analysis
• On-prem cross policy integrations (REST, APIs): ACI, SDA, OpenDaylight; security groups, SGACLs and membership info
• Other vendors: group policy connections carrying security groups and membership info

Solution to the segmentation challenge: TrustSec segmentation, lower operational costs, secure

Case Study – TrustSec Solution
• Cisco ISE authorizes each endpoint with an SGT and pushes the SGACL to the branch CA* switch
• One network for all vendors, but each vendor is segmented with TrustSec
• Fewer VLANs & SSIDs to manage. Provisioning / retiring vendors is now EASY!

Diagram: store endpoints (Guest, BYOD, Vendors, Store PCI, Demo), all authenticated and authorized by ISE, sit behind an ISR w/ ZBFW; the WAN connects the store to the data center (servers, VRFs, Cisco ISE, AD employee accounts, vendor & guest accounts) and to the Internet.

*Converged Access
* Additional VLAN/VRFs for Voice, Print, AP, etc. not shown in the picture

What should be the choice? For segmentation and group-based policies for enterprise networks:
• Topology independent segment identifiers (SGTs, EPGs…)
• Reusable group based policies (TrustSec policies, Contracts…)
• Controller driven (ISE, APIC…)
• Open and programmable

Other ISE Break Out Sessions

• BRKSEC-2695 Building an Enterprise Access Control Architecture using ISE and TrustSec
  Imran Bashir | Tue 08:00-10:00 AM, Level 3, South Seas F | Wed 1:30-03:30 PM, Level 2, Mandalay Bay E
• BRKSEC-3699 Designing ISE for Scale & High Availability
  Craig Hyps | Tue 1:30-03:30 PM, Level 2, Mandalay Bay J
• BRKSEC-2059 Deploying ISE in a Dynamic Environment
  Clark Gambrel | Tue 04:00-05:30 PM, Level 3, South Seas E
• BRKSEC-3697 Advanced ISE Services, Tips and Tricks
  Aaron Woland | Tue 08:00-10:00 AM, L-2, Mandalay Bay G | Wed 1:30-03:30 PM, L-2, Mandalay Bay H
• BRKSEC-2039 Cisco Medical Device NAC
  Mark Bernard and Tim Lovelace | Mon 04:00-05:30 PM, Level 3, South Seas D
• BRKCOC-2018 Inside Cisco IT: How Cisco Deployed ISE and TrustSec
  David Iacobacci, Bassem Khalife | Thu 08:30-10:00 AM, Level 3, South Seas E

Other TrustSec Break Out Sessions

• BRKSEC-2203 Enabling Software-Defined Segmentation with TrustSec
  Fay Lee | Tue 4:00-5:30 PM, Level 2, Mandalay Bay G
• BRKCRS-2893 Choice of Segmentation and Group based Policies for Enterprise Networks
  Hariprasad Holla | Thu 10:30-12:00 PM, Level 2, Breakers IJ
• BRKCRS-2810 Cisco SD-Access - A Look Under the Hood
  Shawn Wargo | Mon 1:30-03:30 PM, L-2, Lagoon I | Tue 08:00-10:00 AM L-3, South Seas D
• BRKSEC-2205 Security and Virtualization in the Data Center
  Justin Poole | Mon 08:00-10:00 AM, Level 2, Reef F
• BRKSEC-3014 Security Monitoring with StealthWatch: The detailed walkthrough
  Matthew Robertson | Mon 1:30-3:30 PM, Level 2, Breakers IJ
• BRKSEC-2026 Building Network Security Policy Through Data Intelligence
  Darrin Miller, Matthew Robertson | Wed 4:00-5:30 PM, Level 3, South Seas G

ISE / TrustSec Labs

• LTRSEC-2002 ISE integration with Firepower using pxGrid protocol
  Vibhor Amrodia, Aditya Ganjoo | Wed 8:00-12:00 PM, MGM Grand, Level 1, Room 104
• LTRCRS-2006 Visibility Driven Secure Segmentation
  Hariprasad Holla, Aaron Rohyans | Wed 01:00-05:00 PM, MGM Grand, Level 1, Room 115
• LTRCRS-2810 Cisco SD-Access - Hands-on Lab
  Derek Huckaby, Larissa Overbey | Wed 01:00 PM, MGM L-1, 116 | Thu 08:00 PM, MGM L-1, 101

Complete Your Online Session Evaluation

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

Continue Your Education

• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you