Choice of Segmentation and Group Based Policies for Enterprise Networks
Hari Holla
Technical Marketing Engineer, Cisco ISE
BRKCRS-2893
hari_holla /in/hariholla
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be available until July 3, 2017.
cs.co/ciscolivebot#BRKCRS-2893
A multi-national retailer’s segmentation problem (case study)

Customer concerns:
• Employees, PCI devices, vendors and guests in the branch need segmentation.
• Each segment today is a VLAN and/or an SSID.
• Provisioning and decommissioning vendors is a tedious task.

[Diagram: store segments (Guest, BYOD, PCI, Demo, Vendor-1, Vendor-2, Vendor-A, Vendor-B … Vendor-N) connected over the WAN and the Internet to the data center, where a WLC and servers sit behind an ISR running a zone-based firewall (ZBFW) with VRFs. Additional VLANs/VRFs for voice, print, AP, etc. are not shown in the picture.]

Requirements: dynamic segmentation, reduced operational costs, and keep it secure.

The segmentation challenge is common to many other types of networks: universities, hospitals, manufacturing, etc.
VLANs for segmentation?
Segmenting with VLANs

[Diagram: access layer, aggregation layer and enterprise backbone with one VLAN per class of device: Voice VLAN (Voice), Data VLAN (Employee), Guest VLAN (Supplier), BYOD VLAN (BYOD) and Quarantine VLAN (Non-Compliant). Every VLAN brings its own addressing, DHCP scope, redundancy, routing, static ACLs and VACLs.]

Limitations of traditional segmentation:
• Security policy is based on topology.
• High cost and complex maintenance. [Slide background: a long, randomly generated IP/port-based access-list 102 illustrating how per-application ACLs sprawl.]

How the VLAN model covers the three functions:
• Classification: static or dynamic VLAN assignment.
• Propagation: segment context is carried over the network through VLAN tags, IP addresses or VRFs.
• Enforcement: IP-based policies (ACLs, firewall rules).
The alternative: ‘Software Defined Segmentation’

Controller driven.

[Diagram: a permit (✓) / deny (X) matrix between segments such as Employees, Phones, Servers and Quarantine.]

• Topology-independent segment IDs (VLAN / IP agnostic).
• Policy definition and enforcement based on segment IDs.
Agenda
• Segmenting using
  • Security Group Tags (SGTs)
  • End-Point Groups (EPGs)
  • Virtual Networks (VNs)
• Closing thoughts

Heads up: slides marked “For your reference” are hidden slides (or for a quick glance if the slide shows up). The ISE icon stands for Cisco Identity Services Engine.
Segmentation using Security Group Tags (SGT)

Cisco TrustSec

[Diagram: the three TrustSec functions, Classification, Propagation and Enforcement, across routers, wireless, remote access, access switches, DC switches and a DC firewall, all controlled by Cisco ISE with a directory. Employees, application servers and production servers are classified with SGTs (e.g. 5, 7 and 8). The egress policy is a matrix with sources Employee, App_Serv and Prod_Serv and destinations App_Serv and Prod_Serv, each cell set to Permit All or Deny All.]
Consistent access governed by simplified policy

[Diagram: a campus with two data VLANs (Data-1, Data-2) holding Voice, Employee, Supplier and Non-Compliant endpoints, a remediation switch, and a data center with application servers and shared services behind a DC switch; ISE distributes the Employee, Supplier and Non-Compliant tags.]

• The DC switch receives policy only for what is connected to it.
• Regardless of topology or location, the policy (Security Group Tag) stays with users, devices and servers.
• TrustSec simplifies ACL management for intra- and inter-VLAN traffic.
Same policy to control lateral access (for your reference)

[Diagram: the same campus and data center as on the previous slide; the Employee, Supplier and Non-Compliant tags also govern traffic between endpoints in the same VLAN.]

• Segment traffic based on the classified group (SGT), not on topology (VLAN, IP subnet).
• Micro-segmentation / host isolation in LAN and DC with a single policy (segment devices even in the same VLAN or the same security group).
The three common deployment scenarios

User to Data Center Access Control
• Context-based access control
• Compliance requirements: PCI, HIPAA, export controlled information
• Merger & acquisition integration, divestments

Data Center Segmentation
• Server zoning & micro-segmentation
• Production vs. development server segmentation
• Compliance requirements: PCI, HIPAA
• Firewall rule automation

Campus and Branch Segmentation
• Line of business segregation
• PCI, HIPAA and other compliance regulations
• Malware propagation control / quarantine

TrustSec Deep Dive
Doing TrustSec

[Diagram: the TrustSec overview from before (Classification, Propagation, Enforcement across routers, wireless, remote access, switches, DC switches and DC firewall, with ISE and a directory, and the Employee / App_Serv / Prod_Serv egress policy matrix).]

TrustSec enablement:
• Cisco ISE configuration
• Network readiness assessment and TrustSec feature enablement

The 3 TrustSec functions: classification, propagation, enforcement.
ISE is the TrustSec controller

• SGT: Security Group Tags are defined centrally (for example 3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers).
• SGT assignment: ISE can assign SGTs to assets dynamically (via authentications, SXP or pxGrid; 802.1X dynamic SGT assignment) or statically (via CLI).
• SGACL / name table: the TrustSec policy matrix (sources × destinations, each cell ✓ or ✕, enforced as Security Group ACLs) is pushed down to the enforcers via a secure channel.
• NDAC (Network Device Admission Control): a trusted domain of ‘network devices’; rogue devices stay outside it.
Network Device Admission Control (for your reference)

• The switch authenticates with Cisco ISE to establish a secure RADIUS EAP-FAST channel, using the TrustSec credential configured on the device:

Switch# cts credential id C6800-001 password cisco

• Over this channel ISE sends the environment data, including the Device_SGT that facilitates communication between ISE and TrustSec devices, and the TrustSec egress policy.
• PAC settings in ISE are used for the secure channel between ISE and TrustSec devices.
• The admin can opt to use custom SGT numbers; by default they are system generated.
Defining Security Group Tags (SGTs)
Define SGTs under the ‘Components’ section of the TrustSec Work Center (from ISE 2.0).
TrustSec egress policy
A user-friendly policy matrix based on ‘Security Group Tags’.
SGT assignment for endpoints
Work Centers > TrustSec > Authorization Policy
The ‘3’ TrustSec functions
• Classification (assigning SGTs, e.g. 5 Employee, 6 Voice, 7 Partner): static assignments and dynamic assignments.
• Propagation: inline methods, SXP, pxGrid.
• Enforcement: Security Group ACL, SG firewall.
Two ways to assign ‘Security Group Tags’

Static classification (anywhere from campus access, distribution and core to DC core and DC access, WLC, firewall and hypervisor switch): VLAN to SGT, L3 interface (SVI) to SGT, L2 port to SGT, subnet to SGT, VM (port profile) to SGT.

Dynamic classification: 802.1X or MAB authentication, with ISE returning the SGT.

CLASSIFICATION PROPAGATION ENFORCEMENT
SGT assignment to wired endpoint

[Diagram: Cisco ISE assigns the SGT to the session on a Catalyst switch port.]

Switch# show authentication sessions interface GigabitEthernet1/0/23 details
Interface: GigabitEthernet1/0/23
IIF-ID: 0x107AB4000000076
MAC Address: 0005.0005.0005
IPv6 Address: 2001:DB8:100:0:3809:A879:5197:16DB
IPv4 Address: 172.20.100.2
User-Name: [email protected]
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A01010100000FC50BEC5800
Acct Session ID: 0x00000FBE
Handle: 0xD4000009
Current Policy: POLICY_Gi1/0/23
Server Policies:
SGT Value: 10
Method status list:
Method State
mab Authc Success
Assigning SGTs to wireless sessions

[Diagram: Cisco ISE assigns the SGT to the session on the WLC.]

Works on AireOS and IOS wireless controllers.
VLANs can be mapped to SGTs

On a Catalyst switch, map VLAN 100 to SGT 100 (VLAN-100 = SGT-100):

Switch(config)# cts role-based sgt-map vlan-list 100 sgt 100

Switch# show cts role-based sgt-map all
Active IPv4-SGT Bindings Information
IP Address       SGT  Source
============================================
172.20.100.2     10   LOCAL
172.20.254.1     2    INTERNAL
172.20.100.10    100  VLAN
172.20.100.20    100  VLAN

IP-SGT Active Bindings Summary
============================================
Total number of VLAN bindings = 2
Total number of LOCAL bindings = 1
Total number of active bindings = 4

Note that 172.20.100.2, the host authenticated on the previous slide, keeps its LOCAL binding (SGT 10) even though it sits in VLAN 100; the VLAN mapping only covers hosts that have no higher-priority binding.
Routes learnt on the interface get SGT

[Diagram: a DC access switch with a hypervisor switch behind it; business partners and joint ventures send route updates (43.1.1.0/24, 49.1.1.0/24 and 17.1.1.0/24) over interfaces g3/0/1 and g3/0/2.]

GigabitEthernet 3/0/1 maps to SGT 8; GigabitEthernet 3/0/2 maps to SGT 9.

IP Address     SGT  Source
========================================
11.1.1.2       2    INTERNAL
12.1.1.2       2    INTERNAL
13.1.1.2       2    INTERNAL
17.1.1.0/24    8    L3IF
43.1.1.0/24    9    L3IF
49.1.1.0/24    9    L3IF

Can apply to Layer 3 interfaces regardless of the underlying physical interface: routed port, SVI (VLAN interface), tunnel interface, etc.
SGT classification binding source priority (for your reference)

The current priority enforcement order, from lowest (1) to highest (7), is as follows:
1. VLAN: bindings learned from snooped ARP packets on a VLAN that has a VLAN-SGT mapping configured.
2. CLI: address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.
3. Layer 3 interface (L3IF): bindings added due to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports.
4. SXP: bindings learned from SXP peers.
5. IP_ARP: bindings learned when tagged ARP packets are received on a CTS-capable link.
6. LOCAL: bindings of authenticated hosts which are learned via ISE and device tracking. This type of binding also includes individual hosts that are learned via ARP snooping on L2 IPM-configured ports.
7. INTERNAL: bindings between locally configured IP addresses and the device’s own SGT.
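The priority list above, worked as an added Python example (not code from the deck or from Cisco): a binding table that keeps one active binding per IP address using this order, seeded with constructed bindings that reproduce the earlier show cts role-based sgt-map output, where 172.20.100.2 keeps its LOCAL SGT 10 although VLAN 100 maps to SGT 100.

```python
"""IP-to-SGT binding table applying the TrustSec binding source priority.

Added example, not code from the deck. Source names and the lowest-to-highest
order come from the slide; the sample bindings are constructed to match the
earlier 'show cts role-based sgt-map all' output.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Priority from lowest (1) to highest (7), as listed on the slide.
BINDING_PRIORITY: Dict[str, int] = {
    "VLAN": 1,
    "CLI": 2,
    "L3IF": 3,
    "SXP": 4,
    "IP_ARP": 5,
    "LOCAL": 6,
    "INTERNAL": 7,
}


@dataclass(frozen=True)
class Binding:
    ip: str
    sgt: int
    source: str


class SgtBindingTable:
    """Keeps, per IP address, only the binding from the highest-priority source.

    Lower-priority bindings are remembered so that they resurface when the
    active binding is withdrawn (e.g. when an authenticated session ends).
    """

    def __init__(self) -> None:
        self._active: Dict[str, Binding] = {}
        self._shadowed: List[Binding] = []

    def learn(self, ip: str, sgt: int, source: str) -> bool:
        """Install a binding; return True if it became the active one for ip."""
        if source not in BINDING_PRIORITY:
            raise ValueError(f"unknown binding source {source!r}")
        new = Binding(ip, sgt, source)
        current = self._active.get(ip)
        if current is None:
            self._active[ip] = new
            return True
        if BINDING_PRIORITY[source] >= BINDING_PRIORITY[current.source]:
            # Higher priority wins; same source means a refresh of the binding.
            if current.source != source:
                self._shadowed.append(current)
            self._active[ip] = new
            return True
        # Lower priority: keep it in the background, one entry per (ip, source).
        self._shadowed = [b for b in self._shadowed if not (b.ip == ip and b.source == source)]
        self._shadowed.append(new)
        return False

    def forget(self, ip: str, source: str) -> bool:
        """Withdraw a binding; return True if the active binding for ip changed."""
        current = self._active.get(ip)
        if current is None or current.source != source:
            self._shadowed = [b for b in self._shadowed if not (b.ip == ip and b.source == source)]
            return False
        del self._active[ip]
        candidates = [b for b in self._shadowed if b.ip == ip]
        if candidates:
            best = max(candidates, key=lambda b: BINDING_PRIORITY[b.source])
            self._shadowed.remove(best)
            self._active[ip] = best
        return True

    def lookup(self, ip: str) -> Optional[Tuple[int, str]]:
        """Return (sgt, source) of the active binding, like one row of the show output."""
        b = self._active.get(ip)
        return (b.sgt, b.source) if b else None

    def summary(self) -> Dict[str, int]:
        """Active binding count per source, like the 'IP-SGT Active Bindings Summary'."""
        counts: Dict[str, int] = {}
        for b in self._active.values():
            counts[b.source] = counts.get(b.source, 0) + 1
        return counts


def build_slide_table() -> SgtBindingTable:
    """Constructed sample reproducing the slide's binding table."""
    t = SgtBindingTable()
    t.learn("172.20.254.1", 2, "INTERNAL")   # switch's own address, device SGT
    t.learn("172.20.100.10", 100, "VLAN")     # ARP-snooped hosts in VLAN 100 -> SGT 100
    t.learn("172.20.100.20", 100, "VLAN")
    t.learn("172.20.100.2", 100, "VLAN")      # same host first seen via the VLAN mapping ...
    t.learn("172.20.100.2", 10, "LOCAL")      # ... then authenticated: LOCAL (6) beats VLAN (1)
    return t
```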
In Nexus 1000V, SGTs can be assigned to Port Profile (for your reference)
• Port profile
  – Container of network properties
  – Applied to different interfaces
• Server admin may assign port profiles to new VMs
• VMs inherit the network properties of the port profile, including the SGT
• SGT stays with the VM even if it is moved
Two ways to propagate tags

Inline method: the SGT is carried inline in the data traffic. In the diagram SW1 tags frames from 10.1.1.1 (5/Employees) with SGT 5, and R1 and SW2 forward them with the tag towards 10.20.20.1 (7/WebServers). Methods include SGT over Ethernet, MACsec, LISP/VxLAN, IPsec, DMVPN and GETVPN.

Out-of-band method: IP-to-SGT data is shared over a control protocol; there is no SGT in the data plane. In the diagram SW1 tells SW2 that 10.1.1.1 = SGT-5 and the packets travel untagged. Methods include IP-to-SGT exchange over SXP and pxGrid.
Ethernet inline tagging

[Diagram: Ethernet frame = Destination MAC | Source MAC | 802.1Q | CMD EtherType 0x8909 | CMD (Version, Length, SGT Option Type, SGT Value (16 bits), other CMD options) | EtherType | Payload | CRC. A MACsec frame wraps the same fields in an 802.1AE header (EtherType 0x88E5) with AES-GCM 128-bit encryption.]

Cisco Meta Data: SGT value, 16 bits. Draft: http://tinyurl.com/sgt-draft (IETF).

• Faster and most scalable way to propagate SGT within LAN or DC.
• SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame.
• Capable switches understand and process the SGT at line rate.
• Optionally protect CMD with MACsec (IEEE 802.1AE).
• No impact to QoS, IP MTU/fragmentation.
• L2 frame impact: ~20 bytes.
• 16-bit field: ~64,000 tag space.
• A non-capable device drops the frame with the unknown EtherType.
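The CMD header described above, as an added Python example (not from the deck): a parser that pulls the SGT out of a constructed Ethernet frame with an optional 802.1Q tag, and models the non-capable device that drops a 0x8909 frame. The CMD field layout (Version, Length, SGT option type 0x0001, SGT value, then the original EtherType) is assumed from the slide and the draft it references; the 8 bytes the parser counts are the EtherType plus header only, not the whole ~20-byte L2 impact the slide quotes.

```python
"""Parse the SGT from an Ethernet frame carrying Cisco Meta Data (CMD).

Added example, not code from the deck. The CMD layout below is assumed from
the slide and the referenced draft; the frames are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_CMD = 0x8909      # from the slide
ETHERTYPE_MACSEC = 0x88E5   # from the slide
ETHERTYPE_IPV4 = 0x0800
CMD_SGT_OPTION = 0x0001     # assumed option type for the SGT
CMD_HEADER_LEN = 6          # version + length + option type + SGT value (assumed)


@dataclass
class ParsedFrame:
    dst: str
    src: str
    vlan: Optional[int]
    sgt: Optional[int]
    inner_ethertype: int
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes, cmd_capable: bool = True) -> ParsedFrame:
    """Parse DST/SRC, an optional 802.1Q tag and an optional CMD header.

    cmd_capable=False models a switch that does not understand 0x8909: it
    raises, which is the slide's 'non-capable device drops the frame' case.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    off = 12
    vlan = None
    ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype == ETHERTYPE_VLAN:
        tci = struct.unpack_from("!H", frame, off)[0]
        vlan = tci & 0x0FFF
        off += 2
        ethertype = struct.unpack_from("!H", frame, off)[0]
        off += 2
    if ethertype == ETHERTYPE_MACSEC:
        raise ValueError("MACsec frame: the CMD sits inside the protected payload, decrypt first")
    sgt = None
    if ethertype == ETHERTYPE_CMD:
        if not cmd_capable:
            raise ValueError("unknown EtherType 0x8909: a non-CMD-capable device drops the frame")
        if len(frame) < off + CMD_HEADER_LEN + 2:
            raise ValueError("truncated CMD header")
        version, length, opt_type, opt_value = struct.unpack_from("!BBHH", frame, off)
        if version != 1:
            raise ValueError(f"unsupported CMD version {version}")
        if opt_type != CMD_SGT_OPTION:
            raise ValueError(f"first CMD option is not the SGT option (type {opt_type:#06x})")
        sgt = opt_value
        off += CMD_HEADER_LEN
        ethertype = struct.unpack_from("!H", frame, off)[0]   # the original EtherType
        off += 2
    return ParsedFrame(dst, src, vlan, sgt, ethertype, frame[off:])


def build_frame(dst: bytes, src: bytes, payload: bytes, sgt: Optional[int] = None,
                vlan: Optional[int] = None, inner_ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Construct a test frame, optionally 802.1Q-tagged and/or CMD-tagged."""
    out = dst + src
    if vlan is not None:
        out += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    if sgt is not None:
        # EtherType 0x8909, version 1, length 1, SGT option, 16-bit SGT (assumed layout)
        out += struct.pack("!HBBHH", ETHERTYPE_CMD, 1, 1, CMD_SGT_OPTION, sgt & 0xFFFF)
    out += struct.pack("!H", inner_ethertype) + payload
    return out


def cmd_overhead(frame_with_cmd: bytes, frame_without: bytes) -> int:
    """Bytes added by the CMD EtherType plus header (8 in this layout)."""
    return len(frame_with_cmd) - len(frame_without)
```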
L3 Inline: Crypto transport for SGT (for your reference)

IPsec, DMVPN and GETVPN. Cisco Meta Data (CMD) uses protocol 99 and is inserted at the beginning of the ESP/AH payload.

[Diagram, SGT in IPsec: IP header (Protocol Type = ESP) | ESP header | IV | CMD: Next Header (IP), Len = 3, Version (0x1), Reserved; option Len (0x0), Type (1 = SGT), SGT Number (16 bits); option Len (0x1), Type (5 = PST), GETVPN pseudo timestamp | Original IP header | Original IP payload | Pad, Pad Length, Next Header | Authentication Tag.]

SGT over IPsec:
crypto ikev2 cts sgt

SGT over DMVPN:
cts sgt inline

SGT over GETVPN:
crypto gdoi group GDOI
 identity number 12345
 server local
  sa ipsec 1
   tag cts sgt
   match address ipv4 ACL_GETVPN_SGT
L3 Inline: Non-crypto SGT propagation over IP (for your reference)

EIGRP Over The Top (OTP), from IOS XE 3.15S: EIGRP on the control plane and Locator/ID Separation Protocol (LISP) encapsulation on the data plane to route traffic across the underlying WAN architecture. Learn more: http://bit.ly/cts-eigrp-otp

router eigrp my-wan
 !
 address-family ipv4 unicast autonomous-system 100
  topology base
   cts propagate sgt
  exit-af-topology
 exit-address-family

[Diagram: CE routers connected through PE routers across the Internet / WAN. SGT in LISP: outer IPv4 header (Ver, IHL, ToS, Total Length, Identification, Flags, Fragmentation Offset, Time to Live, Protocol (17), Header Checksum, Source Routing Locator, Destination Routing Locator) | UDP header (Source Port, Destination Port (4341), UDP Length, UDP Checksum) | LISP header (N L E flags, Reserved, Locator Status Bits, Security Group Tag in the Nonce field) | inner IPv4 header (Ver, IHL, ToS, Total Length, Identification, Flags, Fragmentation Offset, Time to Live, Protocol, Header Checksum, Source Endpoint Identifier, Destination Endpoint Identifier).]

• Overall IP MTU increase: 36 bytes.
• SGT (16 bit) inserted in the Nonce field (24 bit).
SGT Exchange Protocol (SXP)

For out-of-band IP-SGT binding propagation. Draft: http://tinyurl.com/sxp-draft (IETF).

• Propagation method of IP-SGT binding
  – Propagates IP-SGT from the classification point to the enforcement point
• Open protocol (IETF draft) & ODL supported
  – TCP, port 64999
• Roles: Speaker (initiator) and Listener (receiver)
• Uses MD5 for authentication and integrity check
• Supports single-hop SXP & multi-hop SXP (aggregation)
• Cisco ISE 2.0 and beyond can be an SXP Speaker and Listener (SXP aggregation)

[Diagram: switches (speakers) send bindings such as 5 → 10.0.1.2 and 6 → 10.4.9.5 to routers and a firewall (listeners), which then hold the same IP-SGT table.]
SXP example on AireOS

[Diagram: Cisco ISE assigns the SGT to a wireless session on a 5520 controller; the controller, as SXP speaker, sends the IP-SGT binding to a switch or firewall acting as SXP listener, which holds the policy matrix.]

• No SG-based enforcement locally on the controller; IP-SGT is sent over SXP to enforcers / aggregators.
• Supported on all wireless controllers except 7500 & vWLC.
SXP support in ISE

ISE authorization policy: if AD_Group_Employee, then SGT: 5/Employees (the access device learns this for 10.1.1.1 over 802.1X / RADIUS).
ISE IP-to-SGT binding table: IP address 10.20.20.1 is SGT: 9/WebServers (sent to the SXP listener).

On the access device:
IP Address    SGT  Source
=================================
10.1.1.1      5    LOCAL

On the SXP listener:
IP Address    SGT  Source
=================================
10.20.20.1    9    SXP

• Cisco ISE as SXP speaker and listener
• Supported from ISE 2.0
• Useful for classifying destination SGTs
• Enables 3rd-party access devices for TrustSec
SXP Devices
[Screenshot: the SXP devices page in ISE.]
ISE and SXP

[Diagram: Cisco ISE (10.5.1.222) peers over SXP with an IOS switch (10.5.1.1).]

IOS switch configuration (the keyword after “mode peer” is cut off on the slide; the output below shows the switch acting as the listener):

cts sxp enable
cts sxp default source-ip 10.5.1.1
cts sxp default password cisco
cts sxp connection peer 10.5.1.222 password default mode peer

Switch# show cts sxp connections
SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: 10.5.1.1
<Output trimmed>
----------------------------------------------
Peer IP : 10.5.1.222
Source IP : 10.5.1.1
Conn status : On
Conn version : 4
Conn capability : IPv4-IPv6-Subnet
Conn hold time : 120 seconds
Local mode : SXP Listener
<Output truncated>

Switch# show cts sxp sgt-map brief
SXP Node ID(generated):0x0A050301(10.5.3.1)
IP-SGT Mappings as follows:
IPv4,SGT: <172.20.100.32/27 , 120:Mail_Servers>
IPv4,SGT: <172.20.100.64/27 , 110:Web_Servers>
Total number of IP-SGT Mappings: 2
SXP in action

[Diagram: an employee at 10.1.1.1 authenticates via 802.1X on a Catalyst 2960X access switch and is assigned SGT-5; a web server at 10.2.2.2 behind a Nexus 7000 is SGT-10. Cisco ISE 2.0+ holds the TrustSec policy for SGT-5 → SGT-10 and sends both bindings over SXP to the N7K: IP 10.1.1.1 = SGT-5 and IP 10.2.2.2 = SGT-10. Traffic SRC 10.1.1.1 → DST 10.2.2.2 crosses the WAN and is enforced on the N7K.]

IP-SGT binding table – access switch (172.21.1.1):
IP Address     SGT  Source
========================================
172.21.1.1     2    INTERNAL
10.1.1.1       5    LOCAL

IP-SGT binding table – Nexus switch (172.22.2.2):
IP Address     SGT  Source
========================================
172.22.2.2     2    INTERNAL
10.2.2.2       10   SXP
10.1.1.1       5    SXP
3rd party access and ISE SXP

[Diagram: the same topology, but the access switch is a 3rd-party device. The employee at 10.1.1.1 authenticates via 802.1X against ISE and is assigned SGT-5; ISE 2.0+ sends IP 10.1.1.1 = SGT-5 and IP 10.2.2.2 = SGT-10 over SXP to the N7K, which enforces the SGT-5 → SGT-10 policy for traffic SRC 10.1.1.1 → DST 10.2.2.2.]

IP-SGT binding table – access switch (172.21.1.1):
IP Address     SGT  Source
========================================
172.21.1.1     2    INTERNAL
10.1.1.1       5    LOCAL

IP-SGT binding table – Nexus switch (172.22.2.2):
IP Address     SGT  Source
========================================
172.22.2.2     2    INTERNAL
10.2.2.2       10   SXP
10.1.1.1       5    SXP
SXP can be single or multi-hop (for your reference)

• Single-hop SXP: an SXP-enabled switch or WLC (speaker) sends its bindings directly to SGT-capable hardware (listener).
• Multi-hop SXP: SXP-enabled switches / WLCs in a non-TrustSec domain speak to an SXP-enabled switch that aggregates the bindings (SXP aggregation) and forwards them to the SGT-capable hardware.
4 SXP versions (for your reference)

Version 1: the initial SXP version; supports IPv4 binding propagation.
Version 2: adds support for IPv6 binding propagation and version negotiation (older switch and router IOS, prior to March 2013; WLC).
Version 3: adds support for subnet/SGT binding propagation and expansion; when speaking to a lower-version listener the speaker expands the subnet into host bindings.
Version 4: loop detection and prevention, capability exchange, built-in keepalive mechanism (newer switch and router IOS, after March 2013).
SXP scalability (for your reference)

Platform                      | Max SXP conn.          | Max IP-SGT bindings
------------------------------|------------------------|--------------------------------------------------
Cisco ISE 2.2                 | 100 per PSN            | 250,000
Catalyst 6500 Sup2T, 6800     | 2000                   | 200,000
Nexus 7000                    | 980                    | M Series: 200,000 from v7.2, earlier 50,000; F3 Series: 64,000 (recommended 50K); F2E Series: 32,000 (recommended 25K)
Catalyst 4500 Sup7E           | 1,000                  | 256,000
Catalyst 4500X / 4500 Sup7LE  | 1,000                  | 64,000
ASA 5585-X SSP 60             | 1,000                  | 100,000
ASA 5585-X SSP 40             | 500                    | 50,000
Catalyst 3850 / WLC 5760      | 128                    | 12,000
CSR1000                       | 900 (450 for bi-dir)   | 135,000
ISR4400                       | 1800 (900 for bi-dir)  | 135,000
ASR1000                       | 1800 (900 for bi-dir)  | 750,000 (from XE 3.15), earlier 180,000
ISR2900, ISR3900              | 250 (125 for bi-dir)   | 180,000 for unidirectional SXP, 125,000 for bi-directional SXP
pxGrid

[Diagram: at 10:30 AM the ISE SXP node publishes “IP address: 10.20.20.1 is SGT: 9/0009”; Firepower Management Center and the APIC-EM controller each receive it.]

pxGrid overview:
• XMPP / Jabber based protocol for context exchange.
• Secure bi-directional connectivity; the grid is controlled by ISE.
• Grid members can publish and/or subscribe to specific topics.
• TrustSecMetaData topic for Security Group table and IP-SGT binding exchange.
Sharing IP-to-SGT bindings over pxGrid

[Diagram: ISE learns bindings via RADIUS and SXP and publishes them over pxGrid to FMC, WSA, APIC-EM or any pxGrid subscriber, e.g. Infoblox.]

• pxGrid clients can subscribe to the SGT table and bindings.
• IP-to-SGT bindings received over SXP can be published via pxGrid.
• Data format:
  SXPBinding= {ipPrefix=10.20.20.1/32 tag=9 source=172.20.254.21 peerSequence=172.20.254.21}
Sharing context over pxGrid (for your reference)

NGIPS / ASA + Firepower: ‘Access Control Policies’ based on ISE attributes (SGT, device type and endpoint location) received over pxGrid.
SGT transport over WAN overview (for your reference)

[Diagram: an enterprise LAN (HR, Finance, BYOD, wireless and switches, using SXP) connected to a data center (Nexus 7000, Nexus 1000v, Catalyst 6500, SGACL enforcement on CTS links, ISE) over enterprise MPLS with GETVPN, over the Internet with DMVPN, and over IPsec.]

• Multiple options for SGT transport over non-CTS Layer 3 networks
• DMVPN for Internet-based VPNs
• GETVPN and OTP for private WAN

Learn more: http://bit.ly/cts-eigrp-otp
The ‘3’ TrustSec functions
• Classification (assigning SGTs, e.g. 5 Employee, 6 Voice, 7 Partner): static assignments and dynamic assignments.
• Propagation: inline SGT, SXP, WAN options.
• Enforcement: Security Group ACL, SG firewall.
TrustSec policy matrix in ISE

[Screenshot: the ISE TrustSec policy matrix.]

Deploy the policy at the click of a button

Push and deploy TrustSec policies consistently across switching, wireless and routing infrastructure: Catalyst switches, Nexus switches, virtual switches, industrial switches, wireless access points and routing platforms. Enforcement is turned on at the device with:

cts role-based enforcement
Policy download only for known destinations

[Diagram: segmentation defined in ISE with source SGTs 3, 4 and 5 and destinations Prod_Servers (7) and Dev_Servers (8). Three SGACL enforcement switches: one says “I have nothing to protect”, one asks “I know SGT-7, is there a policy for it?”, and one says “I pulled policies to protect SGT-7”. The server port (labelled Dev_Server, SGT=7, on the slide) is statically tagged:]

interface ethernet 2/1
 cts manual
  policy static sgt 0x7
  no propagate-sgt

• Switches pull down only the policies they need.
• TrustSec switches request policies for the assets they protect.
• Policies are downloaded & applied dynamically.
• Result = software defined segmentation.
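The selective policy download and SGACL evaluation described above, as an added Python example (not code from the deck or from Cisco): a constructed policy matrix with named SGACLs, enforcers that pull only the cells whose destination SGT they protect, and first-match evaluation with the matrix default for missing cells. SGT names and numbers, the matrix contents and the default action are constructed for illustration.

```python
"""Model of the TrustSec egress policy matrix and selective SGACL download.

Added example, not code from the deck. The matrix, SGACLs, SGT names and the
default action are constructed; SGT numbers loosely follow the deck's
examples (5 Employees, 7 Prod_Servers, 8 Dev_Servers).
"""
from typing import Dict, List, Optional, Set, Tuple

# An ACE is (action, protocol, destination port or None), like the deck's
# 'deny tcp src dst eq 445' lines; an SGACL is an ordered list of ACEs.
Ace = Tuple[str, str, Optional[int]]
Sgacl = List[Ace]

SGT_NAMES: Dict[int, str] = {
    3: "Employees", 4: "Contractors", 5: "Guests", 7: "Prod_Servers", 8: "Dev_Servers",
}

# Constructed matrix: (source SGT, destination SGT) -> SGACL name.
POLICY_MATRIX: Dict[Tuple[int, int], str] = {
    (3, 7): "Permit_All",
    (3, 8): "Permit_All",
    (4, 7): "Permit_Web_Only",
    (4, 8): "Permit_All",
    (5, 7): "Deny_All",
    (5, 8): "Deny_All",
}

SGACLS: Dict[str, Sgacl] = {
    "Permit_All": [("permit", "ip", None)],
    "Deny_All": [("deny", "ip", None)],
    "Permit_Web_Only": [("permit", "tcp", 443), ("permit", "tcp", 80), ("deny", "ip", None)],
}

# The matrix's default cell (constructed; not a statement about product defaults).
DEFAULT_ACTION = "permit"


class Enforcer:
    """An SGACL enforcement point (e.g. a DC switch) protecting a set of destination SGTs."""

    def __init__(self, name: str, protected_sgts: Set[int]) -> None:
        self.name = name
        self.protected = set(protected_sgts)
        self.cells: Dict[Tuple[int, int], str] = {}
        self.acls: Dict[str, Sgacl] = {}

    def download_policy(self) -> Set[str]:
        """Pull only the matrix cells whose destination SGT this device protects.

        A switch with nothing to protect ends up with an empty policy, which is
        the 'I have nothing to protect' case on the slide.
        """
        self.cells = {k: v for k, v in POLICY_MATRIX.items() if k[1] in self.protected}
        self.acls = {acl: SGACLS[acl] for acl in set(self.cells.values())}
        return set(self.acls)

    def decide(self, src_sgt: int, dst_sgt: int, proto: str, dport: Optional[int]) -> str:
        """First-match SGACL evaluation for one flow; unmatched ACLs end in deny."""
        if dst_sgt not in self.protected:
            return "not-enforced-here"   # this device never downloaded that column
        acl_name = self.cells.get((src_sgt, dst_sgt))
        if acl_name is None:
            return DEFAULT_ACTION        # no explicit cell: the matrix default applies
        for action, ace_proto, ace_port in self.acls[acl_name]:
            if ace_proto != "ip" and ace_proto != proto:
                continue
            if ace_port is not None and ace_port != dport:
                continue
            return action
        return "deny"                    # implicit deny at the end of an SGACL


def policies_per_device(devices: List[Enforcer]) -> Dict[str, int]:
    """How many matrix cells each device had to download."""
    return {d.name: len(d.download_policy() and d.cells) for d in devices}
```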
East-west segmentation

[Diagram: a wireless segment (BYOD device via an AP) and a wired segment (PC) on the same access switch, both carrying the Employee tag. The attack sequence shown is (1) scan for open ports / OS, (2) exploit vulnerability, leaving a compromised (“pwned”) PC.]

• Replaces private / isolated / community VLAN functionality with centrally provisioned policy.
• Supports mobile devices (with DHCP addresses). Static ACLs cannot support the same level of policy.
• No other vendor can support this type of use case.
• Wireless: AireOS 8.4 | Wave-1, Wave-2 APs and WLC 8540, 5520.

SGACL policy with sample ACEs to block PtH (pass-the-hash, SMB over TCP) used for privilege escalation:

Anti-Malware-ACL
 deny icmp
 deny udp src dst eq domain
 deny tcp src dst eq 3389
 deny tcp src dst eq 1433
 deny tcp src dst eq 1521
 deny tcp src dst eq 445
 deny tcp src dst eq 137
 deny tcp src dst eq 138
 deny tcp src dst eq 139
 deny udp src dst eq snmp
 deny tcp src dst eq telnet
 deny tcp src dst eq www
 deny tcp src dst eq 443
 deny tcp src dst eq 22
 deny tcp src dst eq pop3
 deny tcp src dst eq 123

WannaCry (http://bit.ly/w-cry): “When executed, the malware first checks the "kill switch" domain name; if it is not found, then the ransomware encrypts the computer's data, then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet, and "laterally" to computers on the same network.”
Zone based firewall

class-map type inspect match-any partner-services
 match protocol http
 match protocol icmp
 match protocol ssh
class-map type inspect match-any partner-sgts
 match security-group source tag 2001
 match security-group source tag 2002
 match security-group source tag 2003
class-map type inspect match-all partner-class
 match class-map partner-services
 match class-map partner-sgts
class-map type inspect match-any guest-services
 match protocol http
class-map type inspect match-any guest-sgts
 match security-group source tag 5555
class-map type inspect match-all guest-class
 match class-map guest-services
 match class-map guest-sgts
class-map type inspect match-any emp-services
 match protocol http
 match protocol ftp
 match protocol icmp
 match protocol ssh
...

SGT is a source criterion only in the ISR firewall; it can be source or destination in the ASR 1000.
Firewall policy based on SGTs

[Screenshot: an ASA access rule built on SGTs.]
• Use the destination SGT received from the switches connected to the destination.
• Use network objects (host, range, network (subnet) or FQDN).
• SGTs defined in ISE or locally defined on the ASA.
• Trigger IPS/CX based on SGT.
SGT based path selection
VRF-GUEST
Enterprise
WAN
Inspection Router
Router /
Firewall
Network A
Policy-based
Routing based
on SGT
SGT-based VRF
Selection
User C
Guest
User A
Employee
User B
Suspicious
Redirect traffic from malware-infected hosts
• Contain threats
• Pass traffic through centralized analysis and
inspection functions
Security Example
To map different user groups to different WAN
service
Other Example
Segment traffic to different VRFs based on context
route-map SG_PBR
match security-group source tag 100
set ip next-hop 172.20.100.2
match security-group destination tag 150
set ip next-hop 172.20.101.2
Available Today: Cisco IOS XE Release 3.16S (ASR 1000) as well as ASA5500-X (9.5.1)
FirePOWER service redirect on tags
Create a service policy to forward suspicious traffic to FirePOWER services
FOR YOUR REFERENCE
SGT based path selection
Diagram: Employee (SGT 10) traffic from Network A crosses the router / firewall and the Enterprise WAN to the applications router; flows to CriticalServers (SGT 100) get priority treatment, flows to NonCritical (SGT 254) get lower bandwidth. Available from Release 3.17S.
Different user groups can be offered different Quality of Service (QoS)
class-map employee-non_critical
 match security-group source tag 10
 match security-group destination tag 254
!
class-map employee-critical
 match security-group source tag 10
 match security-group destination tag 100
!
policy-map sg_qos
 class employee-critical
  priority percent 50
 class employee-non_critical
  bandwidth percent 25
  set dscp ef
FOR YOUR REFERENCE
TrustSec platform support
Platform support by function (diagram across user, switch, router, firewall, DC switch, vSwitch and server):
Classification: Catalyst 2960-S/-SF/-C/-CX/-Plus/-X/-XR; Catalyst 3560-E/-C/-X/-CX/-CG; Catalyst 3750-E/-X; Catalyst 3650, 3850, 3850-XS; Catalyst 4500E (Sup6-E, 6L-E); Catalyst 4500E (Sup 7-E, 7L-E, 8-E, 8L-E); Catalyst 4500-X; Catalyst 6500E (Sup720/2T); Catalyst 6800; WLC 2500/5500/WiSM2/Flex7500; WLC 5760; WLC 8510/8540; Nexus 7000; Nexus 6000/5600; Nexus 5500/2200; Nexus 1000v; ISRG2, ISR4000, ISRv; ASR1000, 1000-X; CSR 1000v; IE2000/2000U/3000/4000/5000; CGR 2010, CGS2500; ASA 5500, ASAv, FP4100/9300, ISA 3000; ISE
Propagation (SGT over Ethernet, SXP, and WAN with GETVPN / DMVPN / IPsec): all platforms listed under Classification, plus FP 7000/8000
Enforcement: Catalyst 3560-X/-CX; Catalyst 3750-E/-X; Catalyst 3650, 3850, 3850-XS; Catalyst 4500E (Sup 7-E, 7L-E, 8-E, 8L-E); Catalyst 4500-X; Catalyst 6500E (Sup 2T); Catalyst 6800; WLC 5760; Nexus 7000; Nexus 6000/5600; Nexus 5500/2200; Nexus 1000v; ISRG2, ISR4000, ISRv; ASR1000, 1000-X; CSR 1000v; IE4000/5000; CGR 2010; ASA 5500, ASAv, FP4100/9300, ISA 3000; Web Security Appliance
For up-to-date information visit: http://bit.ly/cisco-trustsec-matrix
How about monitoring segmentation policies? Use NetFlow
TrustSec traffic monitoring with Stealthwatch
• Highly scalable (enterprise class) collection
• High compression long term storage
• Months of data retention
NetFlow already tells you when, who, where and what; adding the Security Group to the flow record gives more context:
flow record my-flow-record
 ...
 match flow cts source group-tag
 match flow cts destination group-tag
 ...
Real-time segmentation policy validation
Flow records carry the source SGT and the destination group tag (DGT).
Custom event triggers on a traffic condition; trigger on traffic in both directions, successful or unsuccessful.
More on StealthWatch: BRKSEC-3014: Security Monitoring with StealthWatch
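The policy-validation idea on this slide, written out as an added Python example (it is not StealthWatch's or the presentation's own code): it parses a few constructed flow records that carry the source and destination group tags a flow record with `match flow cts source group-tag` / `destination group-tag` would export, looks each pair up in a constructed SGACL matrix (group numbers, names and IP addresses are all hypothetical), and flags flows the policy says should have been denied. A denied pair seen in one direction only is an attempt that was probably dropped; seen in both directions it means the deny is not being enforced somewhere, which is the misconfiguration case the monitoring slides are about.

```python
"""Check exported flows carrying SGT/DGT against the intended group policy.

Added example: flow lines, group numbers/names and the policy matrix are all
constructed for illustration (not ISE or StealthWatch data).
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical Security Group numbers and names.
SGT_NAMES = {5: "Employees", 10: "Contractors", 100: "PCI_Servers", 5555: "Guest"}

# Intended SGACL matrix: (source SGT, destination SGT) -> action.
# Pairs missing from the matrix fall through to DEFAULT_ACTION.
POLICY: Dict[Tuple[int, int], str] = {
    (5, 100): "permit",     # Employees -> PCI_Servers
    (10, 100): "deny",      # Contractors -> PCI_Servers
    (5555, 100): "deny",    # Guest -> PCI_Servers
}
DEFAULT_ACTION = "permit"

# Constructed flow export.  The fields mirror a flow record that includes
# 'match flow cts source group-tag' and 'match flow cts destination group-tag'.
SAMPLE_FLOWS = """\
src_ip,dst_ip,src_sgt,dst_sgt,proto,dst_port,packets
10.1.1.10,10.9.9.5,5,100,6,443,120
10.9.9.5,10.1.1.10,100,5,6,443,118
10.2.2.20,10.9.9.5,10,100,6,22,3
10.3.3.30,10.9.9.5,5555,100,6,443,40
10.9.9.5,10.3.3.30,100,5555,6,443,38
"""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_sgt: int
    dst_sgt: int
    proto: int
    dst_port: int
    packets: int


@dataclass(frozen=True)
class Violation:
    src_sgt: int
    dst_sgt: int
    src_ip: str
    dst_ip: str
    dst_port: int
    bidirectional: bool  # True when return traffic was also seen


def parse_flows(text: str) -> List[Flow]:
    """Parse the CSV-style export into Flow records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Flow(r["src_ip"], r["dst_ip"], int(r["src_sgt"]), int(r["dst_sgt"]),
             int(r["proto"]), int(r["dst_port"]), int(r["packets"]))
        for r in rows
    ]


def intended_action(src_sgt: int, dst_sgt: int) -> str:
    """Action the SGACL matrix intends for this source/destination pair."""
    return POLICY.get((src_sgt, dst_sgt), DEFAULT_ACTION)


def find_violations(flows: List[Flow]) -> List[Violation]:
    """Return flows whose SGT/DGT pair the policy says should be denied.

    The reverse direction is looked up so that a successful session (traffic
    both ways, i.e. the deny was not enforced) can be told apart from a blocked
    attempt (forward packets only).
    """
    seen_pairs = {(f.src_ip, f.dst_ip) for f in flows}
    violations = []
    for f in flows:
        if intended_action(f.src_sgt, f.dst_sgt) != "deny":
            continue
        violations.append(Violation(
            f.src_sgt, f.dst_sgt, f.src_ip, f.dst_ip, f.dst_port,
            bidirectional=(f.dst_ip, f.src_ip) in seen_pairs,
        ))
    return violations


def describe(v: Violation) -> str:
    """One alert line per violation, with group names resolved."""
    src = SGT_NAMES.get(v.src_sgt, str(v.src_sgt))
    dst = SGT_NAMES.get(v.dst_sgt, str(v.dst_sgt))
    state = ("SUCCESSFUL (deny not enforced)" if v.bidirectional
             else "attempt only (likely dropped)")
    return f"{src}->{dst} {v.src_ip} -> {v.dst_ip}:{v.dst_port}: {state}"


if __name__ == "__main__":
    for v in find_violations(parse_flows(SAMPLE_FLOWS)):
        print(describe(v))
```

Run as a script it prints one line for the Contractor SSH attempt (forward packets only) and one for the Guest to PCI_Servers session that completed in both directions; the second is the one that should page someone, because the matrix says that pair is denied.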
Real-time policy check (diagram: Enterprise Network with the Register and Contractor groups)
Monitor Network Activity
• Detect suspicious and malicious activity
• Network Behaviour and Anomaly Detection
• Policy Violations
• Monitor Policy configuration and misconfiguration
• Monitor for business continuity
FOR YOUR REFERENCE
TrustSec reduces operational costs for segmentation
“Based on the results of the PCI validation and PCI Internal Network Penetration and
Segmentation Test, it is Verizon’s opinion that Cisco TrustSec can successfully perform
network segmentation, for the purpose of PCI scope reduction.”
http://bit.ly/pci-trustsec-report
“Cisco has made great strides in integrating support for the TrustSec framework across its
product lines” - “Flexibility to Segregate Resources Without Physical Segmentation or
Managing VLANs” - “Reduction in ACL Maintenance, Complexity and Overhead”
http://blogs.cisco.com/security/gartners-perspective-on-cisco-trustsec
“Cisco TrustSec enabled the organizations interviewed, to reduce operational costs by
avoiding additional IT headcount, deploy new environments faster, and implement consistent
and effective network segmentation resulting in lower downtime.”
http://bit.ly/ts-forrester-report
Segmentation using Endpoint Groups (EPG)
TrustSec – ACI comparison
Segment Identifier: TrustSec uses 16-bit Security Group Tags (SGT); ACI uses 16-bit Endpoint Groups (EPG)
Classification: TrustSec static or dynamic; ACI static or dynamic
Transport: TrustSec SGT-over-Ethernet, SXP, LISP and IPSec; ACI VxLAN
Policy: TrustSec SG-ACL, SG-Firewall, SG-based-PBR, SG-QoS; ACI Contracts: ACL, QoS, Redirect (Service-chaining)
Scope: TrustSec end-to-end (User to DC); ACI Data Center only
Controller: TrustSec Cisco ISE; ACI Cisco APIC-DC
APIC – Application Policy Infrastructure Controller
Application Centric Infrastructure (ACI)
Non-blocking, penalty-free overlay (diagram: localized encapsulations at the edge such as 802.1Q VLAN 50, VXLAN VNID 11300 and NVGRE VSID 7456 are normalized onto the ACI FABRIC's VXLAN overlay, e.g. VNID 78, over 40 Gbps uplinks)
• Cisco ACI is a comprehensive SDN architecture for Data Center networks
• Spine-leaf architecture with Nexus 9000 switches
• Network controlled by the APIC-DC controller
• Routed mesh topology, ECMP load balancing
• VXLAN for overlay
• EPG and Contracts for policy
ACI POLICY (diagram): CLIENTS, WEB, APP and DB VMs grouped into EPGs and connected by CONTRACTS
Manage the fabric instead of individual switches
Virtual Extensible LAN (VXLAN)
Extend VLAN capabilities with flexibility
• 24 bit VNID (VXLAN Network Identifier): 16 million segments, 4 times more than VLANs
• Members need not be co-located like in a VLAN
• VXLAN tunnels a Layer 2 network over a Layer 3 network; no need for Spanning Tree Protocol
• IP mobility is supported
• VLANs can be mapped to VNIDs
• VXLAN tunnel endpoint (VTEP) devices map end devices to VXLAN segments (diagram: hosts 10.0.0.1 and 172.20.0.1 on VNID 1100 behind VTEPs that encapsulate (ENCAP) and decapsulate (DECAP) between VLAN and VXLAN)
VXLAN Encapsulation
Frame layout: Outer MAC DA | Outer MAC SA | Outer IEEE 802.1Q | Outer IP DA (VTEP) | Outer IP SA (VTEP) | Outer UDP | VXLAN Header | Inner MAC DA | Inner MAC SA | Optional Inner IEEE 802.1Q | Original Ethernet Payload | CRC
(the VXLAN encapsulation wraps the original Ethernet frame)
• MAC in UDP encapsulation
• UDP destination Port # 8472
• ACI implementation of VXLAN is similar to LISP
VXLAN header fields: LISP Flags (8b), Flags (8b), Source Group (16b) = source Endpoint Group (EPG), Metrics (8b), VXLAN Instance ID (24b) = VXLAN Network Identifier (VNID)
Locator/ID Separation Protocol (LISP)
VXLAN / ACI packet walk
VTEPs use Multicast or a host tracking method to learn remote hosts.
Topology: Host-A (172.20.0.1, VNID-10) behind VTEP-1 (10.0.1.1/24); Host-B (172.20.0.2, VNID-10) behind VTEP-2 (10.0.2.1/24); Spine-1 (10.0.5.1/24) keeps the HOST DATABASE (e.g. Host 172.20.0.1, VNID 10, VTEP 10.0.1.1) and is the default entry (* 10.0.5.1) in each VTEP cache. VTEP-1 cache: Host 172.20.0.2, VNID 10, VTEP 10.0.2.1. VTEP-2 cache: Host 172.20.0.1, VNID 10, VTEP 10.0.1.1.
1. Host-A resolves ARP for 172.20.0.2 and sends: SIP 172.20.0.1, DIP 172.20.0.2, SMAC Host-A, DMAC Host-B
2. VTEP-1 encapsulates with VNID 10: outer SIP 10.0.1.1, DIP 10.0.2.1, SMAC VTEP-1, DMAC Spine-1 (inner frame unchanged)
3. Spine-1 forwards toward VTEP-2: outer SIP 10.0.1.1, DIP 10.0.2.1, SMAC Spine-1, DMAC VTEP-2, VNID 10
4. VTEP-2 decapsulates and delivers to Host-B: SIP 172.20.0.1, DIP 172.20.0.2, SMAC Host-A, DMAC Host-B
Endpoint Groups (EPG)
Diagram: WEB EPG (Web Servers), APP EPG (Application Servers) and DB EPG (Database Servers) spanning subnets 10.10.10.X and 10.10.11.X
• Like SGTs, EPGs are topology independent
• Logical group of objects that require similar policy
• EPG is ’16 bits’
EPGs can be assigned to: PHYSICAL PORT, VIRTUAL PORT, VLAN ID, VXLAN (VNID), NVGRE (VSID), IP ADDRESS, IP SUBNET, LAYER 4 PORTS (INGRESS PORTS ONLY), *.DOMAIN.NAME*, VM ATTRIBUTES*
* - Future
Example: Assigning EPG to IP address pool
Diagram: fabric with a Firewall and leaves carrying VNID 1101 (10.0.1.2), VNID 1102 (10.0.2.2) and VNID 1103 (10.0.3.2)
Other classification options for EPG: Eth 1/1 = APP EPG; 10.0.1.2 = WEB EPG; VLAN-20 = DB EPG
Contracts
EPGs can’t talk to each other without a ’contract’
Diagram: 172.20.0.0/15 on VNID 1101, 10.0.1.2 on VNID 1102, 10.0.2.2 on VNID 1103, plus a Firewall. The USER EPG (172.20.X) reaches the WEB EPG (10.0.1.2) over CONTRACT-U2W (HTTP / HTTPS); the WEB EPG reaches the APP EPG (Eth 1/1) over CONTRACT-W2A; a service can be inserted between them by Service Chaining.
Contracts connect EPGs over a Provider (P) and Consumer (C) relationship
Contract definitions: IN/EG PERMIT, IN/EG DENY, QOS, REDIRECT (IN: Ingress, EG: Egress)
Contracts – ACL
Contracts – Service Graph
EPGs and Contracts summary
EPG + Contracts = Application Network Profile
ACI policy hierarchy
• ACI POLICY: APPLICATION NETWORK PROFILE = set of EPGs and Contracts (EPGs USER, WEB, APP and DB joined by contracts (C))
• ACI NETWORKING: BRIDGE DOMAIN = Layer 2 boundary (e.g. Subnet A, B; Subnet B, C; Subnet D); CONTEXT = Layer 3 / VRF (IP spaces)
• ACI MANAGEMENT: TENANT
http://bit.ly/aci-model
Seeing it on APIC
ACI Policy
ACI Networking
EPGs
Contracts
TrustSec – ACI Integration
Why integrate TrustSec and ACI?
Diagram: USERS reaching WEB, APP and DB VMs under ACI POLICY (ENDPOINT GROUPS and CONTRACTS)
• What users? (Employee / Contractors / Guests)
• What device-type? (Corporate / BYOD / IOT)
• Posture compliant? (Compliant / Non-compliant)
• Threats / Vulnerabilities? (Safe / Compromised hosts)
• Location? (Corporate / Public / Home)
I can help!
ISE and APIC-DC exchange context for interoperability
Diagram: TrustSec Policy Domain (user, switch, routers, firewall; classification, then SGT over Ethernet and IPSec / DMVPN / GETVPN / SXP across the WAN) and ACI Policy Domain (Nexus 9000 spine and leaf, servers)
• ISE creates matching Security Groups and Endpoint Groups
• ISE exchanges IP-SGT/EPG ‘Name bindings’
• IP-Security Group bindings are exchanged with the network in the TrustSec domain; IP-ClassId, VNI bindings are exchanged with the network in the ACI domain
Cisco ISE 2.1 (Security Groups) and Cisco APIC-DC (End Point Groups)
APIC - Application Policy Infrastructure Controller, ACI - Application Centric Infrastructure
ISE and APIC integration settings
Work Centers > TrustSec > Settings > ACI Settings
APIC-DC IP address
ACI tenant where EPGs must be created
Suffixes to identify groups created by the integrations
FOR YOUR REFERENCE
SGT – EPG exchange
Cisco ISE 2.1 exchanges Security Groups and IP bindings; Cisco APIC-DC exchanges End Point Groups (EPG) and IP bindings
More on ACI Security: BRKSEC-2048 - Demystifying ACI Security
APIC - Application Policy Infrastructure Controller, ACI - Application Centric Infrastructure
Scaling TrustSec-ACI integration
SGT-EPG translation in the data plane, on the BORDER router:
ASR1K#show cts sg-epg translations
Total Entries: 2
Last update time: 05:07:17 UTC Jun 05 2017
Next refresh time: 05:07:17 UTC Jun 06 2017
* Represents truncated names
Status Codes:
A - Active
--------------------------------------------------------------------------------
Security-Group Endpoint-Group VRF Status
--------------------------------------------------------------------------------
10001:WebServers_APIC 32771 BLUE (2) A
05:Employees 16380 BLUE (2) A
Diagram: IP-SGT bindings on the TrustSec side, IP-EPG bindings on the ACI side, translated at the border
• Policy plane (APIC REST API): SG/EPG names and info for the translation table
• Routing plane (MP-BGP EVPN & Opflex)
• Data plane (iVxLAN with inline groups)
Versions: 16.5.1, Cisco ISE 2.2, APIC 2.3
* This feature is applicable for a single ACI tenant with multiple VRFs.
Segmentation using Virtual Networks (VNs)
Software Defined Access
Diagram: EMPLOYEE VIRTUAL NETWORK (GROUP-1, GROUP-2) and IOT VIRTUAL NETWORK (GROUP-1, GROUP-2) on SECURE CAMPUS FABRIC(S), with ISE, APIC-EM and NDP under CISCO DNA CENTER (DNA-C Workflows)
APIC-EM – Application Policy Infrastructure Controller, Enterprise Module | NDP – Network Data Platform
Software Defined Access (SDA) is the next-generation network technology to automate and assure network services securely with simplified administration. Some key benefits of SDA are:
• NETWORK AUTOMATION: transform business intent into network configuration at the click of a button
• END-TO-END SEGMENTATION: role based segmentation of the network with Virtual Networks and Scalable Groups
• NETWORK ASSURANCE: based on collected data, provide contextual insights into users and network activities
Best of both worlds: the CAMPUS FABRIC combines
• TRUSTSEC: Security Group Tags (SGT); dynamic SGT assignments to endpoints with ISE; policy automation; robust platform support; leverage the ISE ecosystem for a secure enterprise
• ACI: normalized overlay; contracts and service chaining; hierarchical policies; IP mobility; reusable policies and constructs
DNA Center 4 Step Workflow (FOR YOUR REFERENCE)
1. Sites-Locations | Global Settings | Wired-Wireless profiles
2. Access control policies | Segmentation | QoS policies
3. Create Campus Fabric | Provision WLCs and APs
4. Assurance*: Network Health | Client Status | Troubleshooting
*(FCS +1)
Overlay for Campus Fabric
Similar format, different payload
LISP – IP Based: outer IPv4 header (Ver, IHL, ToS, Total Length, Identification, Flags, Fragmentation Offset, Time to Live, Protocol (17), Header Checksum, Source Routing Locator, Destination Routing Locator) | UDP header (Source Port, Destination Port (4341), UDP Length, UDP Checksum) | LISP overlay header (N, L, E flags, Reserved, Instance ID / Locator Status Bits, Reserved, Security Group Tag) | original IPv4 packet (Ver, IHL, ToS, Total Length, Identification, Flags, Fragmentation Offset, Time to Live, Protocol, Header Checksum, Source Endpoint Identifier, Destination Endpoint Identifier)
Overall IP MTU Increase: 36 Bytes
SGT (16 bit) insertion in the Nonce field (24 bit)
VXLAN – Ethernet Based: outer IPv4 header (as above, Protocol (17), Source and Destination Routing Locator) | UDP header (Source Port, Destination Port (8472), UDP Length, UDP Checksum) | VXLAN overlay header (VxLAN Network Identifier (VN ID), Endpoint Group, Reserved) | inner Ethernet frame (Inner Destination MAC Address, Inner Source MAC Address, Ethertype = C-Tag (802.1Q), Inner VLAN Tag Information, Ethertype, Original Ethernet Payload) | New FCS for Outer Ethernet Frame
Locator Id Separation Protocol (LISP)
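The two overlay headers compared on this slide, plus the VXLAN header of slide 73 and the VTEP cache lookup of the packet walk on slide 74, as an added Python example (not Cisco's fabric code): it builds and parses the 8-byte overlay header of each format, carries the 16-bit group tag in the place the slides describe, and computes the encapsulation overhead. The bit layouts are assumptions: the VXLAN variant follows the group-policy extension (draft-smith-vxlan-group-policy: 16 flag/reserved bits, 16-bit group ID, 24-bit VNI, 8 reserved bits) rather than Cisco's exact iVXLAN encoding, and the LISP variant follows the RFC 6830 header with the SGT in the low 16 bits of the 24-bit Nonce field. The UDP ports, overhead constants and the cache entries are likewise constructed for the example.

```python
"""Encode/decode the campus-fabric overlay headers that carry a group tag.

Added example with constructed values.  Assumed layouts: the VXLAN group-policy
extension (draft-smith-vxlan-group-policy) and the RFC 6830 LISP header with
the SGT in the low 16 bits of the Nonce, as the slide describes.  Neither is
Cisco's exact iVXLAN or fabric encoding.
"""
import struct

# Outer header sizes used for the overhead arithmetic.
ETHERNET_HDR = 14
IPV4_HDR = 20
UDP_HDR = 8
OVERLAY_HDR = 8               # both the VXLAN and the LISP header are 8 bytes

VXLAN_UDP_PORT_IANA = 4789    # IANA-assigned VXLAN port
VXLAN_UDP_PORT_LEGACY = 8472  # pre-standard port quoted on the slide
LISP_UDP_PORT = 4341

# VXLAN flag bits (first byte of the header).
VXLAN_FLAG_G = 0x80   # group policy ID field is valid
VXLAN_FLAG_I = 0x08   # VNI field is valid

# LISP flag bits (first byte of the header).
LISP_FLAG_N = 0x80    # Nonce present
LISP_FLAG_L = 0x40    # Locator-Status-Bits present
LISP_FLAG_I = 0x08    # Instance ID present


def build_vxlan_gbp_header(vni: int, group: int) -> bytes:
    """8-byte VXLAN header: flags, reserved, 16-bit group, 24-bit VNI, reserved."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= group < (1 << 16):
        raise ValueError("group must fit in 16 bits")
    return struct.pack("!BBHI", VXLAN_FLAG_G | VXLAN_FLAG_I, 0, group, vni << 8)


def parse_vxlan_gbp_header(hdr: bytes) -> dict:
    """Return the VNI and, when the G flag is set, the group carried inline."""
    flags, _rsvd, group, vni_word = struct.unpack("!BBHI", hdr[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set: VNI is not valid")
    # Without the G flag the group bytes are reserved and must be ignored.
    return {"vni": vni_word >> 8, "group": group if flags & VXLAN_FLAG_G else None}


def build_lisp_sgt_header(instance_id: int, sgt: int, lsb: int = 0x01) -> bytes:
    """8-byte LISP header: flags + 24-bit nonce (SGT in the low 16 bits),
    then 24-bit Instance ID + 8 Locator-Status-Bits."""
    if not 0 <= instance_id < (1 << 24):
        raise ValueError("instance ID must fit in 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits")
    word0 = ((LISP_FLAG_N | LISP_FLAG_L | LISP_FLAG_I) << 24) | sgt
    word1 = (instance_id << 8) | (lsb & 0xFF)
    return struct.pack("!II", word0, word1)


def parse_lisp_sgt_header(hdr: bytes) -> dict:
    """Recover instance ID, locator status bits and the SGT from the nonce."""
    word0, word1 = struct.unpack("!II", hdr[:8])
    flags = word0 >> 24
    nonce = word0 & 0xFFFFFF
    return {
        "instance_id": (word1 >> 8) if flags & LISP_FLAG_I else None,
        "lsb": word1 & 0xFF,
        "sgt": (nonce & 0xFFFF) if flags & LISP_FLAG_N else None,
    }


def lisp_ip_overhead() -> int:
    """Bytes LISP adds to an IP packet: outer IP + UDP + LISP header."""
    return IPV4_HDR + UDP_HDR + OVERLAY_HDR


def vxlan_frame_overhead() -> int:
    """Bytes VXLAN adds to an Ethernet frame: outer Ethernet + IP + UDP + VXLAN."""
    return ETHERNET_HDR + IPV4_HDR + UDP_HDR + OVERLAY_HDR


def resolve_vtep(cache: dict, host_ip: str, vnid: int, default: str) -> str:
    """Packet-walk lookup: the cached VTEP for (host, VNID), else the '*' entry
    (the spine that holds the host database)."""
    return cache.get((host_ip, vnid), default)


if __name__ == "__main__":
    print(parse_vxlan_gbp_header(build_vxlan_gbp_header(10, 100)))
    print(parse_lisp_sgt_header(build_lisp_sgt_header(4099, 5)))
    print(lisp_ip_overhead(), vxlan_frame_overhead())
```

The LISP overhead comes out at 36 bytes, the figure the slide gives for the IP MTU increase; the VXLAN path adds a full outer Ethernet header as well, so an Ethernet frame grows by 50 bytes, which is why fabric links are usually run with a larger MTU. The parser deliberately returns no group when the G flag is clear: a receiver that trusted the reserved bytes as a tag would accept whatever a non-GBP sender left there.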
Campus fabric in a nutshell
Encapsulation: ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD
1. LISP based Control-Plane
2. VXLAN like Data-Plane
3. Integrated Cisco TrustSec: VRF + SGT (Virtual Routing & Forwarding, Security Group Tags)
Simplifying TrustSec with Campus Fabric
TRUSTSEC today: multiple encapsulations / transport options between SOURCE and DESTINATION (SGT-over-ETHERNET, SGT-over-VPN, SXP)
TRUSTSEC tomorrow: normalized transport and encapsulation for SGTs
Campus Fabric ‘network’ constructs
• Fabric Network (CAMPUS FABRIC): ISIS for underlay, VXLAN (LISP) for overlay
• Fabric Control-Plane Node (C), LISP Map Server/Resolver: has the host tracking database that provides reachability information
• Fabric Border Node (B), LISP Proxy tunnel router: connects the Fabric to the outside world
• Fabric Edge Node (E), LISP Tunnel Router: connects users and devices to the fabric; anycast L3 gateway; registers endpoint ID with the control-plane node
• Host Pool (VLAN + SUBNET): based on IP Subnet + VLAN-ID with the Edge node as Anycast gateway; AAA / Static configuration
AAA: Authentication, Authorization and Accounting
Campus Fabric ‘policy’ constructs
• Virtual Neighborhood (VN-A, VN-B, VN-C): based on Virtual Routing & Forwarding (VRF); maintains a separate Routing & Switching instance for each Virtual Neighborhood
• TrustSec Policy: SGT Assignments (Security Group Tags) and Policy download from ISE, enforced as a sources-by-destinations matrix of permit (✓) and deny (✕) cells
Note: at FCS, all SG based policies must be contained within one VN
SDA Fabric work flow (DNA-C UI on APIC-EM)
+ Create Fabric: SJC-19-Fabric
Add Nodes to Fabric: Select Control Plane Node, Select Border Node
Result (diagram): SJC-19-FABRIC with a Layer-3 Underlay (ECMP) and VxLAN Overlay, border (B) and control plane (C) nodes, Hosts and Devices at the edge, Internet & Intranet beyond the border
SDA Policy and on-boarding (DNA-C UI on APIC-EM)
After the fabric is created (SJC-19-Fabric, with control plane (C) and border (B) nodes selected):
Add ‘Virtual Network(s)’: VN IOT, SGT 10-15, IP-POOL A; VN EMPL, SGT 20-25, IP-POOL B; VN GUEST, SGT 30, IP-POOL C
Select Authentication type: STATIC, 802.1X or EASY-C, with Cisco ISE
SDA policy deployment
CISCO DNA CENTER holds the groups (Employees, Contractors, PCI_Servers, POS_Systems) as Source and Destination and the Contract between them (e.g. DENY Employees to PCI_Servers); it is sent over the API to CISCO ISE, which performs the POLICY DOWNLOAD of the FABRIC POLICIES to the FABRIC NODES
At SDA release 1, all SG policies must be contained within one Virtual Network
SDA group-based policy administration
ISE programming over APIs from DNA-C
Campus Fabric summary
• POLICY: Enterprise Policy = set of SGTs and Policy (SGT + SGACL per host pool)
• NETWORKING: Host pool (VLAN-X / Subnet A, VLAN-Y / Subnet B, VLAN-Z / Subnet C) = Layer 2 and L3 access boundary; Virtual Neighborhood (VN) = Layer 3 / VRF
• MANAGEMENT: DOMAIN
http://bit.ly/aci-model
FOR YOUR REFERENCE
Closing thoughts
Integrating Security into the Network
Network Segmentation as a cycle of: Discover and Classify Assets, Understand Behavior, Design and Model Policy, Enforce Policy, Active Monitoring
ISE is critical for Software defined segmentation
Diagram: Cisco ISE at the centre of Software-Defined Segmentation
• Orchestration Tools, over REST APIs: Security Group Definitions, New Group Members, Policy Definition (SGACLs)
• Network devices (Integrated Service Routers, Wireless LAN, Catalyst switches, Industrial Ethernet switches, Connected Grid Routers & Switches, Nexus switches), over RADIUS, SXP, pxGrid: Sec Group / Membership Info
• ASA, NGFW, WSA, Stealthwatch: SGT classifications, Sec Group & policy download, SGT-EPG translation; Security Group based Policies / Analysis
• ACI, SDA, Open Daylight, over SXP, REST, pxGrid: Sec Groups, SGACLs and Membership Info; on-prem cross policy integrations
• Other vendors, over REST APIs: Sec Groups and Membership Info; group policy connections
Solution to the segmentation challenge (Case Study)
TrustSec segmentation: lower operational costs, secure
TrustSec Solution
• Cisco ISE authorizes each endpoint with SGT and pushes SGACL to Branch CA* Switch
• One network for all Vendors, but each vendor is segmented with TrustSec
• Fewer VLANs & SSIDs to manage. Provisioning / retiring vendors is now EASY!
Diagram: Store segments Guest, BYOD and Vendors, and Store PCI, Demo and Vendors, each authenticated and authorized by ISE; WAN to the Data Center (Servers, ISR w/ ZBFW, VRFs) and the Internet; Cisco ISE backed by AD Employee Accounts and Vendor & Guest Accounts
*Converged Access
* Additional VLAN/VRFs for Voice, Print, AP, etc. not shown in the picture
What should be the choice? For Segmentation and Group-based Policies for Enterprise Networks:
• Topology independent segment identifiers (SGTs, EPGs…)
• Reusable Group based policies (TrustSec policies, Contracts…)
• Controller driven (ISE, APIC…)
• Open and programmable
Other ISE Break Out Sessions
BRKSEC-2695 Building an Enterprise Access Control Architecture using ISE and TrustSec
Imran Bashir | Tue 08:00-10:00 AM, Level 3, South Seas F | Wed 1:30-03:30 PM, Level 2, Mandalay Bay E
BRKSEC-3699 Designing ISE for Scale & High Availability
Craig Hyps | Tue 1:30-03:30 PM, Level 2, Mandalay Bay J
BRKSEC-2059 Deploying ISE in a Dynamic Environment
Clark Gambrel | Tue 04:00-05:30 PM, Level 3, South Seas E
BRKSEC-3697 Advanced ISE Services, Tips and Tricks
Aaron Woland | Tue 08:00-10:00 AM, L-2, Mandalay Bay G | Wed 1:30-03:30 PM, L-2, Mandalay Bay H
BRKSEC-2039 Cisco Medical Device NAC
Mark Bernard and Tim Lovelace | Mon 04:00-05:30 PM, Level 3, South Seas D
BRKCOC-2018 Inside Cisco IT: How Cisco Deployed ISE and TrustSec
David Iacobacci, Bassem Khalife | Thu 08:30-10:00 AM, Level 3, South Seas E
Other TrustSec Break Out Sessions
BRKSEC-2203 Enabling Software-Defined Segmentation with TrustSec
Fay Lee | Tue 4:00-5:30 PM, Level 2, Mandalay Bay G
BRKCRS-2893 Choice of Segmentation and Group based Policies for Enterprise Networks
Hariprasad Holla | Thu 10:30-12:00 PM, Level 2, Breakers IJ
BRKCRS-2810 Cisco SD-Access - A Look Under the Hood
Shawn Wargo | Mon 1:30-03:30 PM, L-2, Lagoon I | Tue 08:00-10:00 AM L-3, South Seas D
BRKSEC-2205 Security and Virtualization in the Data Center
Justin Poole | Mon 08:00-10:00 AM, Level 2, Reef F
BRKSEC-3014 Security Monitoring with StealthWatch: The detailed walkthrough
Matthew Robertson | Mon 1:30-3:30 PM, Level 2, Breakers IJ
BRKSEC-2026 Building Network Security Policy Through Data Intelligence
Darrin Miller, Matthew Robertson | Wed 4:00-5:30 PM, Level 3, South Seas G
ISE / TrustSec Labs
ISE integration with Firepower using pxGrid protocol
LTRSEC-2002
Vibhor Amrodia
Aditya Ganjoo
Wed 8:00-12:00 PM
MGM Grand, Level 1,
Room 104
Visibility Driven Secure Segmentation
LTRCRS-2006
Hariprasad Holla
Aaron Rohyans
Wed 01:00-05:00 PM
MGM Grand, Level 1,
Room 115
Cisco SD-Access- Hands-on Lab
LTRCRS-2810
Derek Huckaby
Larissa Overbey
Wed 01:00 PM, MGM L-1, 116
Thu 08:00 PM, MGM L-1, 101
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you