BRKCRS 2891 PDF

Abstract
This session provides an overview of the Cisco TrustSec solution for Enterprise network
segmentation and Role-Based Access Control. SGA allows for simplified network
segmentation based on User Identity/Role and allows for secure access and consistent
security policies across Wired/Wireless networks.
We will cover SGA solution on the Catalyst, Nexus Switching and Routing
(ASR1K/CSR/ISR) platforms, including converged wired/wireless with a focus on the
deployment use cases in a campus, data center & branch networks. The session covers
an architectural overview of SGA and benefits of TrustSec role based policies, elements of
Cisco TrustSec such as user identification with 802.1x, device identification, role
classification using Security Group Tagging (SGT) and enforcement using Security Group
Access Control List (SGACL).
This session is for Network Architects, Pre-Sales Engineers and Technical Decision
Makers. Previous knowledge or experience is recommended in campus design, Internet
edge design, routing protocol design, and Layer 2 and Layer 3 switching.
Things have changed and are changing
Dialup Internet is history

today. We moved on to
faster means to connect to
Internet
From days to week it took

for provisioning physical
servers, it takes minutes to
provision VMs
How do you get to create

logical segments on the fly?
Enterprise Network Segmentation

with Cisco TrustSec
Hariprasad Holla
Technical Marketing Engineer, Cisco
BRKCRS-2981
hari_holla
Agenda
1
Network Segmentation
The past present and future of network segmentation
TrustSec Deep-dive
Deploying TrustSec
Use cases & Deployment scenarios
Key takeaways
For Your
Reference
WHAT is Cisco TrustSec

Cisco ISE
HOW to deploy TrustSec
WHY segment the TrustSec way?
WHEN to deploy TrustSec: Now!
Authenticated
User
Cisco ISE & TrustSec Sessions: Building Blocks

BRKSEC-3699
Designing ISE for
Scale & High
Availability
(Mon 1:00pm)
CCSSEC-2002
Cisco IT Identity
Services Engine (ISE)
Deployment and
Best Practices
(Thurs 12:30pm).
BRKSEC-3697
Advanced ISE
Services, Tips and
Tricks
(Tues 1:00pm)
(Wed 1:00pm)
BRKSEC-2045 Mobile Devices and

BYOD Security Deployment and Best
Practices
(Tues 3:30pm)
(Wed 3:30pm)
BRKSEC-2695 - Building an Enterprise Access Control Architecture using ISE and TrustSec
(Mon 10:00 am + Thur 8:00 am)
BRKCRS-2891 Enterprise Network

Segmentation with
Cisco TrustSec
(Mon 8:00am)
BRKSEC-2203
Deploying TrustSec
Security Group
Tagging
(Wed 3:30pm)
BRKSEC-3690
Advanced Security
Group Tags: The
Detailed Walk Through
(Thur 10:00am)
BRKSEC-2026 Network as a Sensor

and Enforcer
(Mon 1:00pm)
Network Segmentation
Deploying
TrustSec
Network
Segmentation
Start
TrustSec
Deep-dive
Key
Take-aways
Use-cases &
Scenarios
Segmentation at Cisco Live

Get appropriate passes
It all starts
with
registration
Enforcers
refer the
policy
Enforcers grant access to
places you are authorized for
http://www.ciscolive.com/us/registration-packages/
Factors governing segmentation

POS
Network
Line of business BU segmentation
Medical Device
Other
Network
Doctor
Payment Card Industry
Staff
Hospital Network
As networks evolve, granular segmentation is desired

INTERNET
Bring-Your-Own-Device
Mergers and Acquisitions
Multi-Tenancy
Network Segmentation is a must to contain threats!

Good network and role segmentation will do wonders for
containing an incident.
Effective network segmentation reduces the extent to

which an adversary can move across the network
Network segmentation is one of the most effective controls
an agency can implement to mitigate the second stage of a
network intrusion, propagation or lateral movement
Segregate networks, limit allowed protocols usage and

limit users excessive privileges.
Traditional Segmentation
Fundamentally VLAN based
Every segment is a separate

VLAN / Subnet / VRF
Segment to segment
communication governed by
IP routes and IP based
policies
Classify assets in to VLAN,
transport context in L2 (VLAN
tag) / L3 (IP address / VRF),
Enforce based on IP-ACLs
Enforcement
IP based policies.
ACLs, Firewall
rules
Propagation
Carry segment
context over
the network
through VLAN
tags / IP
address / VRF
Classify
Static /
Dynamic VLAN
assignments
VLAN
10
VLAN
20
VRF-20
VRF-10
Campus LAN
Subnet
10.10.X.X
VLAN-10
Subnet
10.20.X.X
VLAN-20
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
102
102
102
102
102
102
102
102
102
102
deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993

deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
ACL
Aggregation Layer
VLAN
Addressing
Redundancy
ACL rules grow with more segments
Quarantine
DHCP Scope
Routing
Static ACL
Access Layer
Voice
Data
Suppliers
Guest
Simple
More Policies
Segmentation
using more
with VLANs
2 VLANs
Steps replicated across floors, buildings and sites
TrustSec Overview
Security Group based Policy
HR Group : SGT-05
ENG Group : SGT-06
AD
ISE
IP
SG
SGT
Address Name #
10.0.0.1 HR
10.0.0.1
SRC \ DST
HR-Servers (11)
ENG-Servers (12)
Group-HR (5)
Group-ENG (6)
HR-Servers (11)
ENG-Servers (12)
10.0.1.1
HR Servers
Switch/WLC
(Inline SGT)
S: 10.0.0.1
SGT=5
D: 10.0.1.1
SGT=11
S: 10.0.0.1
D: 10.0.1.1
Employee1
(HR Group)
S: 10.0.0.2
D: 10.0.1.1
Switch
Employee2
(ENG Group)
10.0.0.2
IP
SG
SGT
Address Name #
Classify
S: 10.0.0.2
D: 10.0.1.1
Firewall
SXP
IP:10.0.0.2 = SGT:6
Switch/WLC
(No SGT)
10.0.0.2 ENG
DC SW
SGT=12
S: 10.0.0.2
SGT=6
D:
10.0.1.1
S: 10.0.0.2
D: 10.0.1.1
S: 10.0.0.1
D: 10.0.1.1
ENG Servers
10.0.1.2
IP
SG
SGT
Address Name #
10.0.0.2 ENG
Transport
Enforce
User to Data Center Access Control with TrustSec

Regardless of topology
or location, policy
(Security Group Tag)
stays with users,
devices and servers
Data Center
Data Center
Firewall
Campus Core
Access Layer
Employee Tag
Supplier Tag
Guest Tag
Quarantine Tag
Voice
Building 3
WLAN Data VLAN
Voice
Employee Suppliers
Guest Quarantine
Main Building
Data VLAN
Campus Segmentation with TrustSec

Enforcement is based
on the Security Group
Tag, can control
communication in
same VLAN
Data Center
Data Center
Firewall
Campus Core
Access Layer
Employee Tag
Supplier Tag
Guest Tag
Quarantine Tag
Voice
Building 3
Data VLAN (200)
Voice
Employee Employee Guest Quarantine
Main Building
Data VLAN (100)
TrustSec Deep-dive
(WHAT is TrustSec)
Deploying
TrustSec
Network
Segmentation
Start
TrustSec
Deep-dive
Key
Take-aways
Use-cases &
Scenarios
TrustSec and ISE

Cisco Identity Services Engine (ISE)
NDAC
The Cisco TrustSec Network Device Admission

Control (NDAC) feature creates an independent
layer of trust between Cisco TrustSec devices to
prohibit rogue devices from being allowed on the
network.
SGACL: Security Group ACL
Define policy matrix on ISE that

will be pushed down to the
enforcement points in the
network via secure channel
SGACL /
Name table
SGT and
SGT Names
Sources
Destinations
Centrally define business

relevant Security Group names.
SGT numbers are autogenerated corresponding to SGT
names
Employee
PCI Clients
PCI Servers
Prod. Servers
Rogue
Device(s)
802.1X
Dynamic SGT
Assignment
Static SGT Assignments
ISE authenticates
Wired/Wireless/VPN
clients and assigns
Security Group Tags
(SGT)
TrustSec Functions
5
Employee
Voice
Partner
Classification
Assigning SGTs
Static Assignments
Dynamic Assignments
A
Propagation
Inline SGT
SXP
WAN Options
Enforcement
Security Group ACL
SG Firewall
SG Zone Based FW
Classification
Assigning Security Group Tags

Dynamic Assignments
For Mobile Devices
Static Assignments
For Servers and Topologies

VLAN to SGT
VLAN-10
Employee_SGT
10.1.1.0/24
MAB
(VLAN-10 = LAN-A_SGT)
Subnet to SGT
(10.1.1.0/24 = SiteA_SGT)
Phone_SGT
0/1
0/2
Guest_SGT
Port to SGT, L2/L3

0/1 = DEV_SGT, 0/2 = PROD_SGT
Virtual Port Profile to SGT

1.1.1.1
IP to SGT
1.1.1.1=PROD, 1.1.1.2=PCI
1.1.1.2
Classification
L3 Interface to SGT Mappings

Route Prefix Monitoring on a specific Layer 3 Port mapping to a SGT
Can apply to Layer 3 interfaces regardless of the underlying physical interface:
Routed port, SVI (VLAN interface) , Tunnel interface
cts role-based sgt-map interface GigabitEthernet 3/0/1 sgt 8
cts role-based sgt-map interface GigabitEthernet 3/0/2 sgt 9
Joint
Ventures
Business
Partners
Route Updates
17.1.1.0/24
g3/0/1
VSS-1#show cts role-based sgt-map all

Active IP-SGT Bindings Information
IP Address
SGT
Source
========================================
11.1.1.2
2
INTERNAL
12.1.1.2
2
INTERNAL
13.1.1.2
2
INTERNAL
17.1.1.0/24
8
L3IF
43.1.1.0/24
9
L3IF
49.1.1.0/24
9
L3IF
DC Access
g3/0/2
Route Updates
43.1.1.0/24
49.1.1.0/24
Hypervisor SW
SGT Classification Binding Source Priority (IOS)

The current priority enforcement order, from lowest (1) to highest (7), is as follows:
1. VLANBindings learned from snooped ARP packets on a VLAN that has VLAN-SGT
mapping configured.
2. CLI Address bindings configured using the IP-SGT form of the cts role-based sgt-map
global configuration command.
3. Layer 3 Interface(L3IF) Bindings added due to FIB forwarding entries that have paths
through one or more interfaces with consistent L3IF-SGT mapping or Identity Port
Mapping on routed ports.
4. SXPBindings learned from SXP peers.
5. IP_ARPBindings learned when tagged ARP packets are received on a CTS capable
link.
6. LOCALBindings of authenticated hosts which are learned via EPM and device tracking.
This type of binding also include individual hosts that are learned via ARP snooping on L2
[I]PM configured ports.
7. INTERNALBindings between locally configured IP addresses and the device own SGT.
Classification
Access Layer Classification Summary

Dynamic
Static
C2960-S
C3750X
**C3850/WL
C 5760
C4500
C6x00
ISR/ASR1000
WLC
802.1X
MAB
Web Auth
VLAN/SGT
X*
X*
Subnet/SGT
Layer 3
Interface
Mapping
** limits on number of SGTs (255) * - limits on the number of VLANs
Classification
Nexus 1000V: SGT Assignment in Port Profile

Port Profile
Container of network
properties
Applied to different
interfaces
Server Admin may assign
Port Profiles to new VMs
VMs inherit network
properties of the portprofile including SGT
SGT stays with the VM
even if moved
TrustSec Functions
5
Employee
Voice
Partner
Classification
Assigning SGTs
Static Assignments
Dynamic Assignments
A
Propagation
Inline SGT
SXP
WAN Options
Enforcement
Security Group ACL
SG Firewall
SG Zone Based FW
Propagation
Inline tagging (SGT in data plane)

Capable switches process SGT at
line-rate
Cisco Meta Data
MACsec Frame
Destination MAC
CMD EtherType
Destination MAC
Source MAC
Version
Source MAC
802.1Q
Length
CMD
Optional MACsec protection
SGT Option Type

ETHTYPE
SGT Value
No impact to QoS, IP
MTU/Fragmentation
PAYLOAD
Other CMD Option
802.1AE Header
802.1Q
CMD
ETHTYPE
PAYLOAD
CRC
L2 Frame Impact: ~40 bytes
Recommend L2 MTU~1600 bytes
Ethernet Frame
AES-GCM 128bit
Encryption
SGT embedded within Cisco Meta

Data (CMD) in Layer 2 frame
ETHTYPE:0x8909
N.B. Assume incapable devices will

drop frames with unknown Ethertype
802.1AE Header
CRC
ETHTYPE:0x88E5
Propagation
SGT link Authentication and Authorization

Mode
MACSEC
MACSEC Pairwise
Master Key (PMK)
MACSEC Pairwise
Transient Key (PTK)
Encryption Cipher
Selection
(no-encap, null, GCM,
GMAC)
Trust/Propagation
Policy for Tags
cts dot1x
Dynamic
Dynamic
Negotiated
Dynamic from
ISE/configured
cts manual
with encryption
Static
Dynamic
Static
Static
cts manual no
encryption
N/A
N/A
N/A
Static
CTS Manual is strongly recommended configuration for SGT propagation

cts dot1x takes link down with AAA down. Tight coupling of link state and AAA state
CTS Critical Authentication recently introduced on 3K/4K/6K only

Some platforms (ISRG2, ASR1K, N5K, ASA, N1KV, etc.) only support cts manual/no encryption
Propagation
Source-Group Tag
eXchange Protocol (SXP)
SGT Exchange Protocol (SXP)
IETF Draft
http://tinyurl.com/sxp-draft
SXP very simple to enable

SGT propagation without hardware dependencies
Propagation from access edge to enforcement device
Control plane protocol that conveys the IP-SGT

map of authenticated hosts to enforcement point
Listener
SXP uses TCP as the transport layer

(Port No. 64999)
Two roles: Speaker (initiator) and Listener
(receiver)
(SXP Aggregation)
Speaker
Switch
Switch
Use MD5 for authentication and integrity check

Support Single Hop SXP & Multi-Hop SXP
(aggregation)
Switch
Router
Propagation
SXP Versions
Version 1, This is the initial SXP version supports IPv4 binding propagation.
Version 2, includes support for IPv6 binding propagation and version negotiation.
(Older switch and router IOS prior March 2013, WLC)
Version 3, adds support for Subnet/SGT bindings propagation and expansion.
(6K only). If speaking to a lower version listener will expand the subnet
Version 4, Loop Detection and Prevention, Capability Exchange, built-in Keep
Alive mechanism. (New switch and router IOS After March 13)
Propagation
SXP Connection Types

Single-Hop SXP
SXP
Listener
Speaker
Non-TrustSec Domain
SGT Capable HW
SXP Enabled Switch/WLC
SXP
Multi-Hop SXP
Speaker
SXP
Listener
SXP
Enabled SW
SXP Enabled SW/WLC
Speaker
SXP
SXP Enabled SW/WLC
Speaker
Listener
SGT Capable HW
Propagation
Inline SGT and SXP in action

SXP
Inline SGT Tagging

CMD Field
ASIC
ASIC
IP Address
SGT
10.1.100.98
50
ASIC
L2 Ethernet Frame
SRC: 10.1.100.98
Optionally Encrypted
Campus Access
Distribution
Core
DC Core
EOR
DC Access
Enterprise
Backbone
SXP
SRC: 10.1.100.98
Hypervisor SW
WLC
Inline Tagging: If Device supports SGT in its ASIC
SXP: If there are devices are not SGT-capable
FW
IP Address
SGT
SRC
10.1.100.98
50
Local
SXP IP-SGT Binding Table
Propagation
SGT Transport over L3 networks

SGACL
Enterprise
Network
CTS Link
OTP
Finance
Guest Server
Posture
Profiler
ISE
Catalyst Switch
WLC
Nexus 5000/2000
Enterprise LAN
BYOD
Internet
SXP
DMVPN
Catalyst 6500
Catalyst Switch
Nexus 7000
Catalyst Switch
Admin
GETVPN
Ent. MPLS
HR
Multiple options for SGT transport over non CTS Layer 3 networks
DMVPN for Internet based VPNS
GETVPN for security private MPLS clouds
Over The Top (OTP) for private enterprise networks (1HCY15)
Data Center
TrustSec Functions
5
Employee
Voice
Partner
Classification
Assigning SGTs
Static Assignments
Dynamic Assignments
A
Propagation
Inline SGT
SXP
WAN Options
Enforcement
Security Group ACL
SG Firewall
SG Zone Based FW
Enforcement
Policy Enforcement - Security Group ACL (SGACL)

Destination Classification
Web_Dir: SGT 20
CRM: SGT 30
User authenticated
Classified as Marketing (5)
Cat3750X
Cat6500
Cat6500
Nexus 7000
Nexus 5500
Nexus 2248
Enterprise
Backbone
5
SRC: 10.1.10.220
FIB Lookup
Destination MAC/Port SGT 20
Web_Dir
DST: 10.1.100.52
SGT: 20
SRC:10.1.10.220
DST: 10.1.100.52
SGT: 5
Nexus 2248
WLC5508
SRC\DST
Web_Dir
(20)
CRM (30)
Marketing
(5)
SGACLA
SGACL-B
BYOD (7)
Deny
Deny
CRM
DST: 10.1.200.100
SGT: 30
Enforcement
SGACL Enforcement Policy
Source
Destination
Policy Representing
Source = Empoloye_SGT
Destination=CreditCard_Server
Policy = Deny IP
Enforcement
Centralized SGACL Management in ISE
Enforcement
Security Group Access Control List (SGACL)
SGACL is an access
control list to filter
traffic based on
security group
Source Security Group

(SGT) and Destination
Security Group (DGT)
in ACL syntax are
substituted with
classification result
No IP address in
syntax
IP version agnostic
Permit_Mail_Traffic
permit tcp dst
permit tcp dst
permit tcp dst
permit tcp dst
permit tcp dst
permit tcp dst
permit tcp dst
deny all log
eq
eq
eq
eq
eq
eq
eq
110
143
25
465
585
993
995
Enforcement
Applying SGACL policies in ISE (Tree view)
Enforcement
Policy Enforcement on Firewalls: ASA SG-FW

SGT Defined in the ISE or locally
defined on ASA
Trigger IPS/CX based on

SGT
More on ASA TrustSec:

BRKSEC-3690
Advanced Security
Group Tags: The
Detailed Walk Through
(Thur 10:00am)
Use Destination SGT received

from Switches connected to
destination
Use Network Object (Host, Range,

Network (subnet), or FQDN)
TrustSec Platform Support

Tagging
Propagation
Catalyst 2960-S/-C/-Plus/-X/-XR
Catalyst 2960-S/-C/-Plus/-X/-XR
SXP
Catalyst 3560-E/-C/-X
Catalyst 3750-E/-X
Catalyst 3850, 3650
WLC 5760
Catalyst 4500E (Sup6E/7E)
Catalyst 4500E (8E)
Catalyst 6500E (Sup720/2T), 6880X
Wireless LAN Controller
2500/5500/WiSM2
Nexus 7000
Nexus 6000
Nexus 5600
Nexus 5500
Catalyst 3560-E/-C/, 3750-E
SXP
SXP
SGT
Catalyst 3560-X, 3750-X
SXP
SGT
Catalyst 3650, 3850
SXP
SGT
Catalyst 4500E (Sup 7E), 4500X
SXP
SGT
Catalyst 4500E (Sup 8E)
Catalyst 6500E (Sup720)
SXP
SGT
ISR G2 Router, CGR2000

IE2000/3000, CGS2000
SXP
SGT
WLC 5760
SXP
SGT
Nexus 1000v
SXP
SGT
Nexus 5500/22xx FEX
SXP
SGT
Nexus 5600/6000
SXP
SGT
Nexus 7000/22xx FEX
SXP
SGT
GETVPN
DMVPN
ISRG2, CGR2000
SXP
SGT
GETVPN
DMVPN
ASR1000,
SGT
SGACL
Catalyst 3560-X
Catalyst 3750-X
Catalyst 3850, 3650
WLC 5760
Catalyst 4500E (Sup7E)
Catalyst 6500E (Sup2T) / 6880X
Nexus 7000
SGACL
SGACL
Nexus 6000
Nexus 5600
Nexus 5500
Nexus 1000v
SGACL
SGFW
CSR1000V, ISR 4400
ASA5500X, ASAv (VPN RAS)

SXP
SGACL
Catalyst 6500E (Sup 2T) / 6880X

WLC 2500, 5500, WiSM2
SXP
Nexus 1000v (Port Profile)
SGACL
SXP
SXP
Enforcement
ASA5500(X), ASAv
All ISRG2 Inline SGT (except C800): Today
SGFW
SGFW
ISR G2 Router, CGR2000

ASR 1000 Router, ISR 4400,
CSR1000V
ASA 5500/5500X Firewall
ASAv Firewall
Deploying TrustSec
(HOW to deploy TrustSec)
Deploying
TrustSec
Network
Segmentation
Start
TrustSec
Deep-dive
Key
Take-aways
Use-cases &
Scenarios
Defining TrustSec Policy

Define Source and Destination Groups
Discover Assets, User Groups and Applications

Email
Web
Internet
Term
App1
Chat
Find
Cloud App
Mgmt
DB
File
Nam
e
Dir.
Cloud App
Cloud App
App2
SSO
Define relationship between the Groups
Cloud App
SGT Policy Matrix Example
Write it down on
a spreadsheet!
Classify your network

User/Device SGT
assignments
Wired
Wireless
Remote Access VPN
IP-SGT
MAB
Web
Auth
ISE
Profiling
Data Center Server

Assignments
NX-OS/ VLAN-SGT
UCS Dir/
Hypervisors
Port-SGT
802.1X
RA-VPN
SG
T
SG
T
SG
T
SG
T
IOS/Routing
Port
Profile
SG
T
Prefix
Learning
(L3IF-SGT)
Subnet-SGT
VLAN-SGT
Business Partners & 3rd party connections
Enabling TrustSec in Enterprise Network

Branch Office-1
Branch Office-2
WAN
Datacenter
Campus Core
Internet Edge
Internet
Campus Access
Preparing Cisco ISE

Branch Office-1
Branch Office-2
WAN
Datacenter
Campus Core
Internet Edge
Internet
Campus Access
Enabling SGT/SGACL
Following is a high-level overview of SGT/SGACL configuration on Cat6K Sup2T

when used with ISE1.x
Configure ISE 1.x to the point where you can perform 802.1X authentication (bootstrap, certificate,
AD integration, basic authentication & authorization rules)
Configure Device SGT (Policy > Policy Elements > Results > Trustsec > Security Group)
All SGTs should have access to Device_SGT by policy (ARP needs to work )
SGT Configuration for ISE
Under Policy > Trustsec > Network Device Authorization, assign Device SGT created in step (2)
to default condition
Optionally under Admin > System > Settings > Protocols > EAP-FAST > EAP-FAST Settings, change A-ID
description to something meaningful, so that you can recognize which ISE you are receiving PAC file on the switch
CLI.
Configuration Cat6K Sup2T as Seed Device
Under Admin > Network Resources > Network Devices, create AAA client entry for
Cat6500 Sup2T
After the first device (called the seed device) authenticates with
the authentication server to begin the Cisco TrustSec domain,
each new device added to the domain is authenticated by its
peer devices already within the domain.
Configuration an SGT Device
Configure RADIUS
secret. Also Advanced
Trustsec Settings,
check Use Device ID
for Trustsec, then type
device password. This
ID and Password needs
to be exactly same as
you define on network
device CLI
Extra Steps to setup Private Server List
Update seed device (closest device to ISE) with list of multiple servers it can fall back
to in case first PDP becomes unavailable. You can set such list under Admin >
Network Resources > Trustsec AAA Servers. This data is available via CTS
Environment Data (show cts environment-data)
Preparing ISE for SGACL Enforcement
In order to provision SGACL policy automatically to Sup2T, ISE needs to be

configured for SGT/SGACL and associated policies
Under Policy > Trustsec > Egress Policy, create Mapping for policy
2
1
Select Permission
Preparing ISE for SGACL Enforcement

In same screen, add Security Group ACL Mapping. Create additional Security Group ACL if
needed
Create new SGACL if needed
Known Limitation: Cat6K Sup2T supports multiple SGACLs in the policy. Nexus 7K only supports single
SGACL therefore best practice is to select one SGACL and add explicit deny or permit in the SGACL
itself, not in Final Catch Rule
Egress Policy: Source Tree View
3 Views Source Tree, Destination Tree, Matrix
Source View
Filter Applied
Only SGT/DGT with SGACL shown
as default in source/destination tree
view
Egress Policy: Matrix View
TrustSec on IOS Switches

Branch Office-1
Branch Office-2
WAN
Datacenter
Campus Core
Internet Edge
Internet
Campus Access
Monitor Mode
Egress Enforcement
Security Group ACL
PCI Server
Campus
Network
Users,
Endpoints
Monitor Mode
authentication port-control auto
authentication open
dot1x pae authenticator
Production Server
Catalyst Switches/WLC
(3K/4K/6K)
N7K
AUTH=OK
SGT= PCI User (10)
SRC \ DST
Development Server
PCI Server (111)
Dev Server (222)
Dev User(8)
Deny all
Permit all
PCI User (10)
Permit all
Permit all
Unknown (0)
Deny all
Deny all
1. Users connect to network, Monitor mode allows traffic regardless of authentication

2. Authentication can be performed passively resulting in SGT assignments
3. Traffic traverses network to Data Center enforcement points
4. Enforcement may be enabled gradually per destination Security Group
Configuring an IOS Switch for SGT
Following CLI is required to turn on NDAC (to authenticate device to ISE and
receive policies including SGACL from ISE)
Enabling AAA
Switch#config t
Enter configuration commands, one per line.
Switch(config)#aaa new-model
End with CNTL/Z.
Defining RADIUS server with PAC keyword
Switch(config)#radius-server host <ISE_PDP_IP> pac key <RADIUS_SHARED_SECRET>
Define authorization list name for SGA policy download
Switch(config)#cts authorization list <AUTHZ_List_Name>
Use default AAA group for 802.1X and defined authz list for authorization
Switch(config)#aaa authentication dot1x default group radius

Switch(config)#aaa authorization network <AUTHZ_List_Name> group radius
Configuring an IOS switch for SGT(cont.)
Configure RADIUS server to use VSA in authentication request
Switch(config)#radius-server vsa send authentication
Enable 802.1X in system level
Switch(config)#dot1x system-auth-control
Define device credential (EAP-FAST I-ID), which must match ones in ISE AAA client configuration
Switch#cts credential id <DEVICE_ID> password <DEVICE_PASSWORD>
Note: remember that device credential under IOS is configured in Enable mode, not in
config mode. This is different CLI command level between IOS and NX-OS, where you
need to configure device credential in config mode
Verification - PAC
Use show cts pac to verify whether PAC is provisioned or not. Key points are that A-ID matches to
one that is found in environment data with IP address. Also check to see your I-ID is the one you
setup in Device ID, and A-ID-Info matches one you configured on ISE (EAP-FAST configuration)
TS2-6K-DIST#show cts pacs
AID: 04FB30FE056125FE90A340C732ED9530
PAC-Info:
PAC-type = Cisco Trustsec
AID: 04FB30FE056125FE90A340C732ED9530
I-ID: TS2-6K-DIST
A-ID-Info: ISE PAP
Credential Lifetime: 00:54:33 UTC Dec 21 2011
PAC-Opaque:
000200B0000300010004001004FB30FE056125FE90A340C732ED95300006009400030100980BC43B8BDAB7ECC3B12C04D2D3CA6E
000000134E7A69FD00093A80AD1F972E0C67757D29DBF9E8452EDC3E0A46858429C8E4714315533061DAD4FB2F31346FE4408579
D4F55B3813ADA9876F04ACC1656DE2F476ED3CBC96A0DB937403AC3B0CAB64EEC15A1BD6E351A005A8DE6E6F894DEE619F4EFFF0
31BC7E7BD9C8B230885093FF789BAECB152E3617986D3E0B
Refresh timer is set for 12w0d
IOS SXP Configuration

C3750#show cts role-based sgt-map all details
3750
cts sxp enable
cts sxp connection peer 10.1.44.1 source
10.1.11.44 password default mode local
! SXP Peering to Cat6K
6K
cts sxp enable
cts sxp default password cisco123
!
10.1.44.1 password default mode local listener
hold-time 0 0
! ^^ Peering to Cat3K
10.1.44.1 password default mode local listener
hold-time 0 0
! ^^ SXP Peering to WLC
IP Address
Security Group
Source
======================================================================
10.10.11.1
2:device_sgt
INTERNAL
10.10.11.100
3:Full_Access
LOCAL
C6K2T-CORE-1#show cts sxp connections brief
SXP
: Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
----------------------------------------------------------------------------Peer_IP
Source_IP
Conn Status
Duration
----------------------------------------------------------------------------10.1.11.44
10.1.44.1
On
11:28:14:59 (dd:hr:mm:sec)
10.1.44.44
10.1.44.1
On
22:56:04:33 (dd:hr:mm:sec)
Total num of SXP Connections = 2
C6K2T-CORE-1#show cts role-based sgt-map all details
IP Address
Security Group
Source
======================================================================
10.1.40.10
5:PCI_Servers
CLI
10.1.44.1
2:Device_sgt
INTERNAL
--- snip --10.0.200.203
4:GUEST
SXP
10.10.11.100
3:Full_Access
SXP
Activating SGACL Enforcement on IOS switch
After setting up SGT/SGACL on ISE, you can now enable SGACL Enforcement
on IOS switch
Defining IP to SGT mapping for servers
Switch(config)#cts role-based sgt-map 10.1.40.10 sgt 5
Enabling SGACL Enforcement Globally and for VLAN
Switch(config)#cts role-based enforcement
Switch(config)#cts role-based enforcement vlan-list 40
Downloading Policy on IOS switch
After enabling SGACL enforcement, policies need to be downloaded to IOS, the

egress enforcement point
Refresh Environment Data using cts refresh environment-data
Switch#cts refresh environment-data
Environment data download in progress
Refresh Policy using cts refresh policy

Switch#cts refresh policy
Policy refresh in progress
Downloading Policy on IOS Switch

Verify Environment Data
TS2-6K-DIST#show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
SGT tag = 2-00
Server List Info:
Installed list: CTSServerList1-0004, 3 server(s):
*Server: 10.1.100.3, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
Status = ALIVE
auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
Status = ALIVE
Status = ALIVE
Multicast Group SGT Table:
Security Group Name Table:
0001-22 :
7-98 : 80 -> FIN_SRV
6-98 : 80 -> HR_DB
5-98 : 80 -> HR_ADMIN_SRV
4-98 : 80 -> FIN_ADMIN
3-98 : 80 -> HR_CONTRACTOR
2-98 : 80 -> Device_SGT
unicast-unknown-98 : 80 -> Unknown
Any : 80 -> ANY
Transport type = CTS_TRANSPORT_IP_UDP
Environment Data Lifetime = 86400 secs
Last update time = 22:50:57 UTC Mon Sep 26 2011
Env-data expires in
0:23:59:49 (dd:hr:mm:sec)
Env-data refreshes in 0:23:59:49 (dd:hr:mm:sec)
Cache data applied
= NONE
State Machine is running
Security Group Name Table:

0001-22 :
7-98 : 80 -> FIN_SRV
6-98 : 80 -> HR_DB
5-98 : 80 -> HR_ADMIN_SRV
4-98 : 80 -> FIN_ADMIN
3-98 : 80 -> HR_CONTRACTOR
2-98 : 80 -> Device_SGT
unicast-unknown-98 : 80 -> Unknown
Any : 80 -> ANY
Downloading Policy on IOS Switch

Verify SGACL Content
TS2-6K-DIST#show cts rbacl
CTS RBACL Policy
================
name
= Deny IP-00
IP protocol version = IPV4, IPV6
refcnt = 6
flag
= 0xC1000000
stale = FALSE
RBACL ACEs:
deny ip
name
= ALLOW_HTTP-10
IP protocol version = IPV4
refcnt = 2
flag
= 0x41000000
stale = FALSE
RBACL ACEs:
permit tcp dst eq 80
deny ip
name
= Permit IP-00
IP protocol version = IPV4, IPV6
refcnt = 6
flag
= 0xC1000000
stale = FALSE
RBACL ACEs:
permit ip
name
= ALLOW_HTTP_SQL-10
IP protocol version = IPV4
refcnt = 2
flag
= 0x41000000
stale = FALSE
RBACL ACEs:
deny ip
show cts rbacl is only available when cts

role-based enforcement is enabled
Different from NX-OS syntax, which is show
cts role-based access-list
<ACL_NAME>-XX: XX stands for
generation ID, and this should match one on
ISE. Gen-ID is only incremented when ACL
content is updated. No Gen-ID changes
upon name change.
Downloading SGACL Policy on IOS Switch

Verify SGACL Content
TS2-6K-DIST#show cts role-based permissions
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 3 to
Deny IP-00
ALLOW_HTTP_HTTPS-20
ALLOW_HTTP_SQL-10
Permit IP-00
Deny IP-00
Deny IP-00
Permit IP-00
group 5:
group 5:
group 6:
group 6:
group 7:
group 7:
SGACL Mapping Policy should

match to one on ISE
Verifying SGACL Drops

Use show cts role-based counter to show traffic drop by SGACL
TS2-6K-DIST#show cts role-based
Role-based IPv4 counters
From
To
SW-Denied
*
*
0
3
5
53499
4
5
0
3
6
0
4
6
3773
3
7
0
4
7
0
counters
HW-Denied
0
53471
0
0
3773
0
0
SW-Permitted
48002
0
0
0
0
0
0
HW_Permitted
369314
0
3777
53350
0
From *
0
0
to * means Default Rule
show command displays the content statistics of RBACL enforcement.

Separate counters are displayed for HW and SW switched packets. The user
can specify the source SGT using the from clause and the destination SGT
using the to clause.
Mostly SGACL is done in HW. Only if the packet needs to be punted to SW
(e.g. TCAM is full, marked to be logged) , SW counter increments
SGACL Policy Push

Destination
Source
Server_A
(111 / 006F )
Server_B
(222 / 00DE )
User_Group_A
(10 / 000A )
Permit_All
SGACL_C
SGACL_A
User_Group_B
(11 / 000B )
Deny_All
SGACL_B
cts role-based permissions \

from 10 to 222
deny
iptcp dst eq 80
permit
deny ip
Default refresh period = 86,400 seconds or 1 day

aaa server radius dynamic-author
client <ISE_IP> server-key *****
Destination
Source
Server_A
(111 / 006F )
Server_B
(222 / 00DE )
User_Group_A
(10 / 000A )
Permit_All
SGACL_C
SGACL_A
User_Group_B
(11 / 000B )
Deny_All
SGACL_B
cts role-based permissions \

from 10 to 222
permit
deny
iptcp dst eq 80
deny ip
The Push button initiates an environment CoA notification
Policy Update
SGACL Policy CoA (Change of Authorization) to push

policy change from ISE to appropriate devices
Currently supported on Cat6500/Sup2T, Cat4500,

Cat3K-X
Campus
Network
WAN
CoA
ISE
SGACL Monitoring Best effort syslog

C6K2T-CORE-1#show cts role-based permissions
IPv4 Role-based permissions from group 8:EMPLOYEE_FULL to group 8:EMPLOYEE_FULL:
Malware_Prevention-11
C6K2T-CORE-1#sho ip access-list
Role-based IP access list Deny IP-00 (downloaded)
10 deny ip
Role-based IP access list Malware_Prevention-11 (downloaded)
10 deny icmp log-input (51 matches)
20 deny udp dst range 1 100 log-input
30 deny tcp dst range 1 100 log-input
40 deny udp dst eq domain log-input
*May 24 04:50:06.090: %SEC-6-IPACCESSLOGDP: list Malware_Prevention-11 denied icmp 10.10.18.101

(GigabitEthernet1/1 ) -> 10.10.11.100 (8/0), 119 packets
TrustSec on Cisco Wireless

Branch Office-1
Branch Office-2
WAN
Datacenter
Campus Core
Internet Edge
Internet
Campus Access
TrustSec on Wireless
Platform
SGT Classification
& Mapping
SXP Support
(role / version)
Inline SGT
Tagging
SGT
Enforcement
Minimum Version
(License)
Cisco 5500 Series and 2500 Series; Cisco

Wireless Services Module 2 (WiSM2);
and Cisco Wireless LAN Controller
Module for Integrated Services Routers
G2 (WLCM2)
802.1X
MAB
WEB AUTH
Speaker *
(version 2)
No
No
Cisco AirOS 7.4.121
Cisco Wireless LAN Controller 8510,

8540, and 5520
802.1X
MAB
WEB AUTH
Speaker *
(version 2)
No
No
Cisco AirOS 8.1
Cisco Wireless LAN Controller 7500 and

vWLC
No
No
No
No
No
Cisco 5760 Wireless LAN Controller
802.1X
MAB
WEB AUTH
IP-to-SGT
VLAN-to-SGT
Port-to-SGT
Subnet-to-SGT
Speaker,
Listener
(version 4)
SGT over
Ethernet
SGACL
03.06.00E
(IP Base K9)
* FlexConnect Central Switching Mode and Centralized mode

support SXP (AirOS8.0). Local Switch Mode does not support SXP
TrustSec on Wireless (IOS)

IOS Wireless Controllers
Switch / FW
Inline SGT
5760
Cisco ISE
Assign
OR
Sources
SGT
Destinations
CTS-5760#show auth sessions interface Ca0 details

Interface: Capwap0
IIF-ID: 0xE8FD8000000008
MAC Address: 0050.5601.0001
IPv6 Address: Unknown
IPv4 Address: 10.0.201.7
User-Name: [email protected]
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0a0a65015157f38b0000000c
Acct Session ID: Unknown
Handle: 0x31000002
Current Policy: (No Policy)
Server Policies (priority 100)
SGT Value: 5
Enforce on WLC or pass on SGT via inline tagging for

external enforcement. Config same as IOS Switches
Method status list:

Method
dot1x
State
Authc Success
TrustSec on Wireless (AirOS)

AirOS Wireless Controllers*
Switch / FW
SXP (IP-SGT)
5508
Cisco ISE
Assign
Destinations
Sources
SGT
No SG based enforcement locally on the controller. IPSGT sent over SXP to enforcers / Aggregators
* Not supported on 7500 & vWLC
TrustSec on Wireless (AirOS)

AirOS Wireless Controllers*
Switch / FW
SXP (IP-SGT)
5508
Cisco ISE
Assign
Destinations
Sources
SGT
No SG based enforcement locally on the controller. IPSGT sent over SXP to enforcers / Aggregators
* Not supported on 7500 & vWLC
TrustSec in Data Center

Branch Office-1
Branch Office-2
WAN
Datacenter
Campus Core
Internet Edge
Internet
Campus Access
TrustSec in Data Center

Platform
SGT Classification
& Mapping
SXP Support
(role / version)
Inline SGT
Tagging
SGT
Enforcement
Minimum Version
(License)
Cisco Nexus 7000 line cards and chassis

(All line cards except F1 series module)
IP-to-SGT
VLAN-to-SGT
Port-to-SGT
PortProfile-to-SGT
(Known limitation:
vPC/Fabric Path
are not supported
with some TrustSec
Features)
Speaker
Listener
(version 1)
SGT over
Ethernet,
SGT over
MACsec
(MACsec
supported on
all line cards
except F1,
F2, and F3
40/100G line
cards)
SGACL
Cisco NX-OS 6.2(8)
Cisco Nexus 5600/6000 Series
Port-to-SGT
Speaker
(version 1)
SGT over
Ethernet
SGACL
Cisco NX-OS
7.0(1)N1(1)
Cisco Nexus 5548P, 5548UP, and

5596UP
(Note: No support for 5010 or 5020)
IP-to-SGT
Port-to-SGT
Speaker
(version 1)
SGT over
Ethernet
SGACL
Cisco NX-OS
6.0(2)N2(5)
Cisco Nexus 1000V for VMware vSphere

(N1Kv for Hyper-V and KVM are not
supported)
Port-Profile to SGT
Speaker
(version 1)
SGT over
Ethernet
SGACL
Cisco NX-OS
5.2(1)SV3(1.1)
DC Traffic Segmentation with SGT
Servers are assigned SGTs via

static port profile/port/IP-SGT Map
Servers attempt to communicate
east-west
Traffic hits the egress enforcement
point
Only permitted traffic path (source
SGT to destination SGT) is allowed
Traffic Enforcement can be
distributed across 5K, 6K and 7K
Core Network
Data Center
Nexus 7000s
VMs/Baremetal
Nexus 55XXs
Nexus 6XXXs
Security Server
(444)
SGACL: PCILOB1-ACL
PCI DB (111)
LOB1 DB (222)
LOB2 DB (333)
ISE
SRC \ DST
PCI DB(111)
LOB1 DB (222)
LOB2 DB
(333)
Security Server
(444)
PCI DB (111)
Permit all
PCI-LOB1-ACL
PCI-LOB2-ACL
Deny All
LOB1 DB
(222)
PCI-LOB1ACL
Permit All
Deny All
Deny All
LOB2 DB
(333)
PCI-LOB2ACL
Deny All
Permit All
Deny All
Security
Server (444)
Deny All
Deny All
Deny All
Deny All
Configure Nexus 7K: (Bootstrap)
Step 1: Configure Communications between Nexus and ISE

N7K-DST1(config)#
N7K-DST1(config)#
N7K-DST1(config)#
N7K-DST1(config)#
N7K-DST1(config)#
N7K-DST1(config)#
N7K-DST1(config)#
N7K-DST1(config)#
N7K-DST1(config)#
feature cts
feature dot1x
cts device-id N7K-DST1 password trustsec
radius-server 10.39.1.120 key trustsec pac
aaa group server ISE
server 10.39.1.120
aaa authentication dot1x default group ISE
aaa authorization cts default group ISE
aaa accounting dot1x default group ISE
Step 2: Verify PAC is downloaded

N7K-DST1# show cts pacs
PAC Info :
==============================
PAC Type
: TrustSec
AID
: a6f054a3856a15221714bba63e968867
I-ID
: N7K-DST1
AID Info
: ise
Credential Lifetime : Sun Aug 3 16:56:29 2014
PAC Opaque
:
000200a80003000100040010a6f054a3856a15221714bba63e9688670006008c000301005f22d715cffe37591f629bae3bcc3c9e0000001353641
81a00093a80bf65b034bb89456288e2863a540d797ab17d1593b354e4aa3b74835df48ed45fad79c744083420c96ceef74ea3e51490566967d9c8
dcfb191d2e8448a4de98b5578f83b526fb4d586ecc2510eefe1d90dee1746998fb1b77291aac4848ac2d4d5d3694e9d0e5fadbdaae5a7f
Step 3: Enable Role based counter and enforcement

N7K-DST1(config)# cts role-based counters enable
N7K-DST1(config)# cts role-based enforcement
Configure Nexus 5K/6K: (Bootstrap)

Step 1: Configure Communications between Nexus and ISE
N55KA(config)#
N55KA(config)#
N55KA(config)#
N55KA(config)#
N55KA(config)#
N55KA(config)#
N55KA(config)#
N55KA(config)#
N55KA(config)#
N55KA(config)#
feature cts
feature dot1x
cts device-id N55KA password trustsec
radius-server 10.39.1.120 key trustsec pac
aaa group server ISE
server 10.39.1.120
use-vrf management
aaa authentication dot1x default group ISE
aaa authorization cts default group ISE
aaa accounting dot1x default group ISE
Step 2: Verify PAC is downloaded

N55KA# show cts pacs
PAC Info :
==============================
PAC Type
: TrustSec
AID
: a6f054a3856a15221714bba63e968867
I-ID
: N55KA
AID Info
: ise
Credential Lifetime : Fri Jul 11 04:25:45 2014
PAC Opaque
: 000200b00003000100040010a6f054a3856a15221714bba63e96886700060094000301000c629fc10ec7608000296933
d0b283e1000000135348689a00093a809914bbf46a3d8d8c81eab9e4819bde120047a2f28ca7181760c9b65015c3a851f5a9c99b6541d40b8d991114
9d045c1f7262b3a72e3b99b661733f92f71dcad42673a67549a5608611af2b1c0b18438a514178e98c7ed72f088d7b8db9cdbfba76b11c209f401ba8
c522f5fe5900e264a8ab02fd
Step 3: Enable Role based counter and enforcement

N55KA(config)# cts role-based counters enable
N55KA(config)# vlan 118
N55KA(config)# cts role-based enforcement
Nexus for Native tagging Up/Down Stream:

We MUST enable the physical ports to trust the neighboring device to send native
tagged packets
When enabling TrustSec on a switch the default behavior is to drop packets sent to it
with a native tag.
This is similar to QoS where we trust dscp on trunk links
BEST PRACTICE: On All platforms it is best practice to manually shut/no shut the port
after applying cts manual commands
This guarantees that the control plane has fully programmed the port level PHY/ASIC
N7K-DST1(config)# int e1/30
N7K-DST1(config)# cts manual
N7K-DST1(config-if-cts-manual)# policy static sgt 0x0002 trusted
N7K-DST1(config-if)# shutdown
N7K-DST1(config-if)# no shutdown
Configure ISE SGACL Policy Matrix

Best Practice: NXOS can only
handle 1 SGACL. Put implicit
deny/permit in the SGACL
Configure Nexus to Statically assign Tags:

Static IP-SGT - There is an option to manage this in ISE via IP/SGT or DNS/SGT mappings
N7K-DST1(config)# cts role-based sgt-map 10.39.1.223 17
Static SGT on Physical Port facing the server

N7K-DST1(config)# int e1/30
N7K-DST1(config-if)# cts manual
N7K-DST1(config-if-cts-manual)# policy static sgt 0X3
N7K-DST1(config-if-cts-manual)# no propagate-sgt
NOTE: If you forget this

command your server will not be
able to access the network!!
Port-Profile: NOTE: Port-Profile on N7K will only work on NON-FEX ports. 5K/6K dont have support yet. N1KV supported
N7K-DST1(config)#
N7K-DST1(config)#
N7K-DST1(config)#
N7K-DST1(config)#
N7K-DST1(config)#
N7K-DST1(config)#
port-profile type ethernet PCI-DB

cts manual
policy static sgt 0x17
no propagate-sgt
switchport
switchport access vlan 100
VLAN to SGT
N7K-DST1(config)# (config)# vlan 100
N7K-DST1(config-vlan)# cts role-based sgt 17
Verify Configuration
Verify environmental data
N7K-DST1# show cts role-based access-list

rbacl:Deny IP
deny ip
rbacl:Permit IP
permit ip
rbacl:PCI_Web_Server
rbacl:shaun_deny
N7K-DST1# show cts role-based counters
RBACL policy counters enabled
Counters last cleared: 04/16/2014 at 06:28:11 PM
Verify SGACLs downloaded and look at counters:
sgt:unknown dgt:19
[41677]
rbacl:Deny IP
deny ip [41677]
sgt:unknown dgt:24
[13269]
rbacl:Deny IP
deny ip [13269]
sgt:4 dgt:3
[0]
rbacl:Deny IP
deny ip [0]
sgt:6 dgt:12
[0]
rbacl:Deny IP
deny ip [0]
sgt:7 dgt:3
[53769]
rbacl:Deny IP
deny ip [53769]
East West Traffic Control

N55KA(config)# cts role-based counters enable
N55KA(config)# vlan 118
N55KA(config-vlan)# cts role-based enforcement
Nexus 5K/6K
N55KA(config-vlan)# int e102/1/1

N55KA(config-vlan)# switchport
N55KA(config-vlan)# switchport access vlan 118
N55KA(config-vlan)# cts manual
N55KA(config-if-cts-manual)# policy static sgt 0x111
N55KA(config-if-cts-manual)# no propagate-sgt
PCI_DB
(10.30.1.10)
LOB1_DB
(10.40.1.10)
N55KA(config-vlan)# int e102/1/2

N55KA(config-vlan)# switchport
N55KA(config-vlan)# switchport access vlan 118
N55KA(config-vlan)# cts manual
N55KA(config-if-cts-manual)# policy static sgt 0x222
N55KA(config-if-cts-manual)# no propagate-sgt
N7K-DST1(config)#
N7K-DST1(config)#
N7K-DST1(config)#
N7K-DST1(config)#
N7K-DST1(config)#
feature cts
cts role-based
cts role-based
cts role-based
cts role-based
counters enable
sgt-map 10.30.1.10 111
sgt-map 10.40.1.10 222
enforcement
Nexus 7K
SGT Caching
SRC:10.65.1.9
DST: 10.1.100.52
SGT: 8
Service Chaining
Possible 3rd party devices for Server
Load Balancing (SLB), Intrusion
Prevention Services (IPS), etc.
SGT Caching on C6500/N7K

Caches IP-SGT mappings from data plane
Sends IP-SGT mappings to ASA in SXP
Security Group Firewalling

Firewall rule automation
using ASA SG-Firewall functions
DC Access Layer
IP Address
SGT
10.65.1.9
8 (Employee_Full)
SGT Tagged Traffic
Untagged Traffic
Physical Servers
Physical Servers
SGACL enabled Device
SG Firewall enabled Device
SXP
N7K SGT Caching Config

N7K-DST1(config)# cts role-based sgt-caching ?
<CR>
with-enforcement SGT caching with RBACL enforcement
N7K-DST1(config)# cts role-based sgt-caching with-enforcement
SGT caching with enforcement will implicitly display syslogs for all the ACEs in RBACLs.
Continue(yes/no) [no] yes
N7K-DST1# show cts role-based sgt-caching
-------------------------------- -------Caching Modes
Status
-------------------------------- -------SGT caching
Disabled
SGT caching with enforcement
Enabled
N7K-DST2# sho cts role-based sgt-map cached
IP ADDRESS
SGT
10.1.50.1
1000(Production_Servers)
10.1.51.2
2(Device_SGT)
10.1.56.2
2(Device_SGT)
10.1.100.1
10.1.100.82
VRF/VLAN
vrf:1
vrf:1
vrf:1
vrf:1
vrf:1
SGT CONFIGURATION
Cached
Cached
Cached
Cached
Cached
N7K SGT Caching Notes
SGT Caching enabled with and without enforcement
Without enforcement its just converting from data plane to control plane
at a mid point in the network
Typically Deployed at an aggregation layer where there is no
enforcement
With enforcement is for when the N7K is the enforcement point and
needs to convert from data plane to control plane.
Service chains to 3rd party devices that do not support SGT

Convert form native tagging to SXP for pre 9.3(1) ASA
Typically when the N7K is acting as a aggregated routing/service layer in the DC
N7K will ask ISE for relevant policies of all its SGTs when it
receives an IP/SGT update
Everytime time it receives an update..

Yes that is a lot of information filling ISE logs
SGT Caching Configuration Catalyst 6500

(Global CLI Commands)
Enabling CTS SGT Caching globally in independent mode
Enabling CTS SGT Caching on vlans in independent mode
cts role-based sgt-caching with-enforcement
Enabling RBACL enforcement globally
cts role-based sgt-caching vlan-list <[all | vlan_id]>
Enabling CTS SGT Caching globally in dependent mode
cts role-based sgt-caching
cts role-based enforcement
Enabling RBACL enforcement on vlans
cts role-based enforcement vlan-list <[all | vlan_id]>
SGT Caching Show Commands Catalyst 6500
To display the SGT-IPv4 bindings
To display the SGT-IPv6 bindings
show cts role-based sgt-map all ipv6

show cts role-based sgt-map vrf <vrf_name> all ipv6
To display RBACL entires programmed in ACL TCAM
show cts role-based sgt-map all ipv4

show cts role-based sgt-map vrf <vrf_name> all ipv4
show platform hardware acl entry rbacl all
To display the ACL result of RBACL entries programmed in ACL TCAM
show platform hardware acl tcam result <acl_entry_result>
SGT Caching Debug Commands Catalyst 6500
[no] debug fm rbacl caching events
Detailed debugs:
[no] debug rbm bindings
[no] debug rbm api
[no] debug fm rbacl caching packets
[no] debug fm rbacl all
Note: no logging console is recommended before enabling these detailed

debugging commands as they could potentially flood the console
TrustSec on Edge
Branch Office-1
Branch Office-2
WAN
Datacenter
Campus Core
Internet Edge
Internet
Campus Access
TrustSec on Edge
(1)
Platform
SGT Classification
& Mapping
SXP Support
(role /
version)
Inline SGT Tagging
SGT
Enforcement
Minimum Version
(License)
Cisco 890
IP-to-SGT
Subnet-to-SGT
L3IF-to-SGT
Speaker
Listener
(version 4)
SGT over GETVPN,

IPsec VPN, DMVPN
SGFW
Cisco IOS 15.4(3)M

(ISR SEC/K9)
Cisco 1900, 2900, 3900 Series
IP-to-SGT
Subnet-to-SGT
L3IF-to-SGT
Speaker
Listener
(version 4)
SGT over Ethernet,

SGT over GETVPN,
IPsec VPN, DMVPN
SGFW
Cisco IOS 15.4(3)M

(ISR SEC/K9)
Cisco ISR 4451-X
IP-to-SGT
Subnet-to-SGT
L3IF-to-SGT
Speaker
Listener
(version 4)
SGT over Ethernet,

SGT over GETVPN,
IPsec VPN, DMVPN
SGFW
Cisco IOS-XE 3.13

(0)S
(ISR SEC/K9)
Cisco ISRG2 Series SM-X Layer

2/3 EtherSwitch Module
802.1X
MAB
WEB AUTH
IP-to-SGT
VLAN-to-SGT
Speaker
Listener
(version 4)
SGT over Ethernet,

SGT over MACsec
SGACL
Cisco IOS 15.2(2)E

(ISR SEC/K9)
Cloud Services Router 1000V

Series
IP-to-SGT
Subnet-to-SGT
L3IF-to-SGT
Speaker
Listener
(version 4)
SGT over IPsec

VPN, DMVPN
SGFW
Cisco IOS XE 3.11.0S

(ISR SEC/K9)
TrustSec on Edge
(2)
Platform
SGT Classification &

Mapping
SXP Support
(role/version)
Inline SGT
Tagging
SGT
Enforcement
Minimum Version
(License)
Cisco ASR 1000 Series Router Processor

1 or 2 (RP1/RP2); ASR 1001, 1002, 1004,
1006, and 1013 Routers with Embedded
Services Processor (10, 20, or 40 Gbps)
and SPA Interface Processor (10/40)
IP-to-SGT
Subnet-to-SGT
L3IF-to-SGT
Speaker
Listener
(version 4)
SGT over
Ethernet, SGT
over GETVPN,
IPsec VPN,
DMVPN
SGFW
IOS XE 3.13.0S
(ASR1000 SECFW)
Cisco ASR1001-X and 1002-X
IP-to-SGT
Subnet-to-SGT
L3IF-to-SGT
Speaker
Listener
(version 4)
SGT over
Ethernet, SGT
over GETVPN,
IPsec VPN,
DMVPN
SGFW
IOS XE 3.13. 0S
(ASR1000 SECFW)
Cisco ASA 5505, 5510, 5520, 5540, 5550,

5580
Speaker
Listener
(version 2)
SGFW
ASA 9.0.1,
ASDM 7.1.6
Cisco ASAv
Remote Access VPN (IPSec,

SSL-VPN) - Clientless is not
supported for classification
Speaker
Listener
(version 2)
SGT over
Ethernet
SGFW
ASA 9.3.1, ASDM

7.0.1
Cisco ASA 5512-X, 5515-X, 5525-X, 5545X 5555-X, 5585-X
Remote Access VPN (IPSec,

SSL-VPN) - Clientless is not
suported for classification
Speaker
Listener
(version 2)
SGT over
Ethernet
SGFW
ASA 9.3.1,
ASDM 7.1.6
Branch Segmentation/Inline Tagging Across WAN

Branch B
Cat3750-X
Inline tagging across WAN
ISRG2
SGT over
GET-VPN,
DM-VPN or
IPsec VPN
IPsec, DM-VPN, GET-VPN
Inline tagging on built-in ISRG2 &

ASR 1000 Ethernet interfaces (all
except 800 series ISR)
HQ
ISRG2
e.g. 2951/3945
ASR1000
Router
Inline SGT
Branch A
Can also use SGT-aware Zone-based Firewall in branch & DC WAN edge for reasons like PCI
compliance
SGT is used only as a source criteria only in ISR G2 Zone-Based Firewall
Data Center
Branch Segmentation/SXP WAN

Bidirectional SXP with
Loop Detection available
now:
ISRG2 15.4(1)S
ASR1000/ISR4k/CSR
E 3.11
N7K
IP Address
SGT
10.1.10.1
Contractor - 10
10.1.10.4
Employee - 30
10.1.254.1
Contractor - 10
10.1.254.4
Employee - 30
Cat6K
ASR1K
ASR1K
Listener-1
Allows ASR1000 to be an
IP/SGT relay from remote
to remote
SXP is a full replication
model each remote
router will learn all IP/SGT
bindings
Cat6K
Listener-2
SXPv4
WAN
SXPv4
Speaker-1
IP Address
SGT
10.1.10.1
Contractor - 10
10.1.10.4
Employee - 30
10.1.254.1
Contractor - 10
10.1.254.4
Employee - 30
Speaker-300
...
IP Address
SGT
10.1.10.1
10.1.254.1
Contractor - 10
10.1.10.4
10.1.254.4
Employee - 30
10.1.254.1
Contractor - 10
10.1.254.4
Employee - 30
Bidirectional SXP WAN scaling

From previous slide - SXP is a full replication model each remote
router will learn all IP/SGT bindings with this approach
http://www.cisco.com/c/en/us/td/docs/iosxml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book/cts-bi-sxp.html
IPSec and Inline Tagging

cts role-based sgt-map 9.9.9.1 sgt 5000
CTS infrastructure CLI , to configure static IP to SGT bindings
!
crypto ikev2 proposal p1
encryption 3des
integrity md5
group 2
!
IKEv2 is used to negotiate and inform
crypto ikev2 policy policy1
IPsec about the SGT capability. Once
proposal p1 !
crypto ikev2 keyring key
the peers acknowledge the SGT
peer v4
tagging capability, an SGT tag number
address 0.0.0.0 0.0.0.0
pre-shared-key cisco
(a 16-bit) is added as the SGT Cisco
!
Meta Data (CMD) payload into IPsec
crypto ikev2 profile prof3
match identity remote address 0.0.0.0
and sent to the receiving peer.
authentication local pre-share
authentication remote pre-share
keyring key
CTS infra CLI used to configure IP->SGT mapping
!
crypto ikev2 cts sgt
SGT capability negotiation for IPSec inline tagging functionality
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac
! ...........
GETVPN and Inline Tagging

GETVPN Key Server can enable SGT tagging on a per-SA basis
crypto gdoi group GDOI
identity number 12345
server local
sa ipsec 2
no tag
match address ipv4 ACL_GETVPN_NO_SGT
sa ipsec 1
Enabling SGT tagging on the Key Server
tag cts sgt
match address ipv4 ACL_GETVPN_SGT
If the Key Server is configured for tagging, Group Members must be registering
using GETVPN software version 1.0.5 or higher to be accepted.
Router# show crypto gdoi feature cts-sgt
Group Name: GETVPN
Key Server ID
Version
Feature Supported
10.0.5.2
1.0.5
Yes
10.0.6.2
1.0.5
Yes
Group Member ID
Version
Feature Supported
10.0.1.2
1.0.2
No
10.0.2.5
1.0.3
No
10.0.3.1
1.0.5
Yes
10.0.3.2
1.0.5
Yes
SGT DMVPN Inline Tagging Config

ipsec-1900b#
CTS infra CLI used to configure IP->SGT mapping
!
crypto ikev2 proposal p1
encryption 3des
integrity md5
group 2
!
crypto ikev2 policy policy1
proposal p1
!
crypto ikev2 keyring key
peer v4
address 0.0.0.0 0.0.0.0
pre-shared-key cisco
!
crypto ikev2 profile prof3
match identity remote address 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring key
!
Enables Trustsec on DMVPN. This command is valid for GRE and tunnel
cts sgt inline
interface mode only
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac
! (.continued in next slide)
SGT DMVPN Show commands

ipsec-1900b# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- ----1 1.1.1.99
10.1.1.99
UP 00:00:01
SC
ipsec-1900b# show ip nhrp nhs detail
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
10.1.1.99 RE NBMA Address: 1.1.1.99 priority = 0 cluster = 0 req-sent 44
TrustSec Enabled
Shows peer capability and Trustsec
negotiation
req-failed 0
repl-recv 43 (00:01:37 ago)
SGT-Aware Zone based Firewall

class-map type inspect match-any partner-services
match protocol http
match protocol icmp
match protocol ssh
class-map type inspect match-any partner-sgts
match security-group source tag 2001
class-map type inspect match-all partner-class
match class-map partner-services
match class-map partner-sgts
class-map type inspect match-any guest-services
match protocol http
class-map type inspect match-any guest-sgts
class-map type inspect match-all guest-class
match class-map guest-services
match class-map guest-sgts
class-map type inspect match-any emp-services
match protocol http
match protocol ftp
match protocol icmp
match protocol ssh
class-map type inspect match-any emp-sgts
class-map type inspect match-all emp-class
match class-map emp-services
match class-map emp-sgts
policy-map type inspect branch-policy

class type inspect emp-class
inspect
class type inspect partner-class
inspect
class type inspect guest-class
inspect
class class-default
drop
!
zone security lan
zone security ho
zone-pair security lan-ho source lan destination ho
service-policy type inspect branch-policy
!
interface GigabitEthernet0/1
description ***branch lan network***
ip address 10.20.0.1 255.255.255.0
zone-member security lan
!
!
interface GigabitEthernet0/2
description ***connection to head-office***
ip address 172.20.0.1 255.255.255.0
zone-member security ho
SGT is a source criteria only in ISR FW,

Source or Destination in ASR 1000
TrustSec and Netflow

Branch Office-1
Branch Office-2
WAN
Datacenter
Campus Core
Internet Edge
Internet
Campus Access
How do I know if I am tagging? SGT and

Flexible NetFlow (FNF)
flow record cts-v4
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match flow direction
match flow cts source group-tag
match flow cts destination group-tag
collect counter bytes
collect counter packets
flow exporter EXP1

destination 10.2.44.15
source GigabitEthernet3/1
flow monitor cts-mon
record cts-v4
exporter EXP1
Interface vlan 10
ip flow monitor cts-mon input
ip flow monitor cts-mon output
Interface vlan 20
Interface vlan 30
Interface vlan 40
cts role-based ip flow mon cts-mon dropped
*Optional will create flows for only Role-based ACL drops

Cat6K/Sup2T
Monitoring SGT/FNF Flow Cache Example

SJC01#show flow mon cts-mon cache
Cache type:
Cache size:
Current entries:
High Watermark:
Flows added:
Flows aged:
- Active timeout
( 1800 secs)
- Inactive timeout
(
15 secs)
- Event aged
- Watermark aged
- Emergency aged
Normal
4096
1438
1632
33831
32393
0
32393
0
0
0
IPV4 SOURCE ADDRESS:

IPV4 DESTINATION ADDRESS:
TRNS SOURCE PORT:
TRNS DESTINATION PORT:
FLOW DIRECTION:
FLOW CTS SOURCE GROUP TAG:
FLOW CTS DESTINATION GROUP TAG:
IP PROTOCOL:
counter bytes:
counter packets:
192.168.30.209
192.168.200.156
60952
80
Output
30
200
6
56
1
IPV4 SOURCE ADDRESS:

IPV4 DESTINATION ADDRESS:
TRNS SOURCE PORT:
TRNS DESTINATION PORT:
FLOW DIRECTION:
FLOW CTS SOURCE GROUP TAG:
FLOW CTS DESTINATION GROUP TAG:
IP PROTOCOL:
counter bytes:
counter packets:
192.168.20.140
192.168.200.104
8233
80
Output
20
200
6
56
1
Monitoring SGT Traffic with Netflow

Plixer collector displays SGT information
http://www.plixer.com/blog/netflow/cisco-trustsec-netflow-support/
Live Action Netflow with SGT Support
Lancope Custom Events
Generate a security event when a

flow condition based on the SGT
value is seen
Lancope Flow Query
Use the SGT value to find (and

classify) network traffic
Lancope Flow Query Configured
Find all traffic tagged with SGT 8
Lancope Conversational Flow Record

Who
When
What
Where
Security
Group
How
Who
Conversational Flow Record: Zoom in on Details
Security
Group
Use Cases &

Deployment Scenarios
(WHY TrustSec)
Deploying
TrustSec
Network
Segmentation
Start
TrustSec
Deep-dive
Key
Take-aways
Use-cases &
Scenarios
TrustSec Common Deployment Scenarios
User to Data Center

Access Control
Context-based access
Compliance requirements
PCI, HIPAA, export
controlled information
Merger & acquisition
integration, divestments
Data Center
Segmentation
Zoning & Micro-segmentation
Production vs Development
Server segmentation
Compliance requirements, PCI,
HIPAA
Firewall rule automation
Campus and Branch

Segmentation
Line of business segregation
PCI, HIPAA and other
compliance regulations
Malware propagation
control/quarantine
TrustSec Common Deployment Scenarios

Branch Office-1
Branch Office-2
WAN
Datacenter
Campus Core
Internet Edge
User to Data Center Segmentation

Internet
Server to Server Segmentation
Campus Access
User to User Segmentation
Branch to DC Segmentation
Global company segmentation scenario

(Without TrustSec)
Business 1
Business 2
Guest
B1
User can authenticate to
network, but cant be
authorized due to unavailability of the VLAN locally
Business 79
Business 80
Guest
Global Company with 400+ Sites

Each Site hosts 1-5 Segments
(Mostly Unique)
Every segment defined with Static
VLANs today
Company wants to deploy NAC
Global company segmentation scenario

(With TrustSec)
Site VLAN
Guest VLAN
B1
User authenticates successfully,
gets local IP address & BU-SGT
assigned, has consistent
access from remote site.
Site VLAN
Guest VLAN
No matter what IP the user gets,

access control is governed by the
SGTs.
Consistent access is granted from
home and remote sites.
University IPv6 Scenario
IPv6
University has IPv6 endpoints
Wanted to enabled identity based access
Wanted Low-Impact Mode
Limited access before (or failed) authentication

Full access post successful authentication
Certain access switches did not support peruser IPv6 ACLs
Source-Group Tag
eXchange Protocol (SXP)
IETF Draft
SGT Exchange Protocol (SXP)
http://tinyurl.com/sxp-draft
Control plane protocol that conveys the IP-SGT

map of authenticated hosts to enforcement point
SXP uses TCP as the transport layer
(Port No. 64999)
Support Single Hop SXP & Multi-Hop SXP
(aggregation)
Two roles: Speaker (initiator) and Listener
(receiver)
IPv4
15.2(2)E/
3.6.0E
Listener
IPv6 Support for

SGT/SGACL
(SXP Aggregation)
Speaker
Switch
Switch
IPv6
Switch
SXPv4 support bidirectional mode

From 15.2(2)E / 03.06.00E IPv6-to-SGT bindings
can be transported over IPv4 SXP sessions.
Router
Before Authentication
IPv6 and TrustSec

E.g. Low-Impact mode
Cisco ISE
Infra Server
(DHCP, DNS, AD)
SGT=3
Access Switch
15.2(2)E
Speaker
172.20.252.102
2001:DB8:254::10
C6500
SXP
Listener
Campus LAN
172.20.252.100
Student1
2001:DB8:100:0:7CB0:3B1D:2F77:16A6
2001:DB8:100:0:9112:EB74:784F:E88B
CTS-C6500#show cts role-based sgt-map all ipv6

IP Address
SGT
Source
================================================================
2001:DB8:100::1
2
INTERNAL
2001:DB8:252::100
2
INTERNAL
2001:DB8:254::10
9
CLI
2001:DB8:254::12
7
CLI
To Infra Server
To Lab Server
Lab Server
2001:DB8:254::12
After Authentication
IPv6 and TrustSec

E.g. Low-Impact mode
Cisco ISE
Infra Server
(DHCP, DNS, AD)
SGT=3
Access Switch
15.2(2)E
Speaker
172.20.252.102
2001:DB8:254::10
C6500
SXP
Listener
Campus LAN
172.20.252.100
Student1
2001:DB8:100:0:7CB0:3B1D:2F77:16A6
2001:DB8:100:0:9112:EB74:784F:E88B
To Infra Server
To Lab Server
CTS-C6500#show cts role-based sgt-map all ipv6

IP Address
SGT
Source
================================================================
2001:DB8:100::1
2
INTERNAL
2001:DB8:252::100
2001:DB8:100:0:7CB0:3B1D:2F77:16A6
3
2
INTERNAL
SXP
2001:DB8:254::10
2001:DB8:100:0:9112:EB74:784F:E88B
9
3
CLI
SXP
2001:DB8:254::12
2001:DB8:252::100
7
2
CLI
INTERNAL
2001:DB8:254::10
9
CLI
2001:DB8:254::12
7
CLI
Lab Server
2001:DB8:254::12
US Consumer Electronics Manufacturer

Large Campus Wireless Deployment
Data Center
Large Electronics Device Manufacturing

Company deploying Secure Wi-Fi
ACL needs to scale more than 64 lines of ACL

(>1,500)
TrustSec solution within C6k chassis

WiSM2 aggregates AP traffic
Branch Office
Campus D
10.4.150.0/24 = SGT 7
10.5.1.0/24 = SGT 22
Campus C
10.39.22.0/24 = SGT 6
Corporate
Network
Internet
10.0.0.0/8 = SGT 100
Policy enforcement Sup2T based on SGT

SXP
Destination SGT values defined by IP &

Subnet
16.34.22.0/24 = SGT 10
Cat6500VSS
System
Sup2T
WiSM2
WiSM2
Sup2T
WiSM2
WiSM2
SXP
ISE
VSS
CAPWAP Tunnel
Reduced IOS static ACL managing policy

using Egress Matrix
e.g. about 500 lines of ACL allowing HTTPS is now

supported by single line of SGACL
Access Points
Non-Compliant
Mobile Device
SGT 2: Limited Access
Compliant
Corporate Asset
SGT 3: Full Access
SGT=4
SGT=5
SGT=3
Policy Enforcement TCAM Scaling
Enterprise
Backbone
SGACL
Enforcement
Web_Server
(SGT=7)
SGACL
Enforcement
Time_Stamp_Server
(SGT=10)
Network devices download policies

only when they have a device connected
only for connected systems
Egress filtering and dynamic download scales the TCAM of
switches
Key Takeaways
(WHEN to-do TrustSec? NOW!)
Deploying
TrustSec
Network
Segmentation
Start
TrustSec
Deep-dive
Key
Take-aways
Use-cases &
Scenarios
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
102
102
102
102
102
102
102
102
102
deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848

deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
Cisco TrustSec
Policy-Defined Segmentation based on business policy
Traditional Security Policy
Security Control Automation

Improved Efficiency
Simplified Access Management
Segmentation
Policy
Switch
Router
DC FW
DC Switch
Flexible and Scalable Policy Enforcement
Gartner on TrustSec
logical source and destination security groups are
more flexible, are easier to maintain and reduce
runtime overhead in the networks switching fabric.
There is much to like about Ciscos ambitious and
innovative initiative.
Cisco has made great strides in integrating support for
the TrustSec framework across its product lines
Flexibility to Segregate Resources Without Physical
Segmentation or Managing VLANs
Reduction in ACL Maintenance, Complexity and
Overhead
http://blogs.cisco.com/security/gartners-perspective-on-ciscotrustsec
TrustSec for PCI Compliance

PCI Audit Partner
http://www.cisco.com/c/dam/en/us/solutions/collateral/borderless-networks/trustsec/trustsec_pci_validation.pdf
PCI Compliance - Scope Reduction
PCI Scope Reduction Branch and Data Center

PCI Server
Legend:
DATA CENTRE
Server
Data Center
Network
Segmentation enforcement
PCI scope
WAN
BRANCH
Register
Workstation
TrustSec is :
Flexible
TrustSec enables you to segment networks without

disturbing the network topology
Efficient
Policy management gets simpler when written and

implemented in business relevant language
Ubiquitous
TrustSec offers consistent access control across

wired, wireless and VPN networks.
Ready
More customers adopt TrustSec, TrustSec is the

next MPLS! Its ready.
Make a choice!
caranddriver.com
bcarwallpapers.com
About 100 years after a crank was required to start a car,

modern batteries can now start many cars using just a button.
Methods
Segmenting using TrustSec
Participate in the My Favorite Speaker Contest

Promote Your Favorite Speaker and You Could Be a Winner
Promote your favorite speaker through Twitter and you could win $200 of Cisco
Press products (@CiscoPress)
Send a tweet and include

Your favorite speakers Twitter handle <Speakerenter your Twitter handle here>
Two hashtags: #CLUS #MyFavoriteSpeaker
You can submit an entry for more than one of your favorite speakers
Dont forget to follow @CiscoLive and @CiscoPress
View the official rules at http://bit.ly/CLUSwin
Complete Your Online Session Evaluation
Give us your feedback to be

entered into a Daily Survey
Drawing. A daily winner
will receive a $750 Amazon
gift card.
Complete your session surveys

though the Cisco Live mobile
app or your computer on
Cisco Live Connect.
Dont forget: Cisco Live sessions will be available
for viewing on-demand after the event at
CiscoLive.com/Online
Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Table Topics
Meet the Engineer 1:1 meetings
Related sessions
Thank you
Security Cisco Education Offerings

Course
Implementing Cisco IOS Network Security (IINS)
Implementing Cisco Edge Network Security Solutions
(SENSS)
Description
Focuses on the design, implementation, and monitoring of a comprehensive
security policy, using Cisco IOS security features
Cisco Certification
CCNA Security
Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco
Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls
Implementing Cisco Threat Control Solutions (SITCS)
Implementing Cisco Secure Access Solutions (SISAS)

Implementing Cisco Secure Mobility Solutions
(SIMOS)
Deploy Ciscos Next Generation Firewall (NGFW) as well as Web Security, Email
Security and Cloud Web Security
Deploy Ciscos Identity Services Engine and 802.1X secure network access
Protect data traversing a public or shared infrastructure such as the Internet by
implementing and maintaining Cisco VPN solutions
Securing Cisco Networks with Threat Detection and

Analysis (SCYBER)
Designed for professional security analysts, the course covers essential areas of
competency including event monitoring, security event/alarm/traffic analysis, and
incident response
Network Security Product and Solutions Training
For official product training on Ciscos latest security products, including Adaptive
Security Appliances, NGIPS, Advanced Malware Protection, Identity Services
Engine, Email and Web Security Appliances see
www.cisco.com/go/securitytraining
For more details, please visit: http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth or contact [email protected]
Cisco Cybersecurity Specialist
R&S Related Cisco Education Offerings

Course
Description
Cisco Certification
CCIE R&S Advanced Workshops (CIERS-1 &

CIERS-2) plus
Self Assessments, Workbooks & Labs
Expert level trainings including: instructor led workshops, self

assessments, practice labs and CCIE Lab Builder to prepare candidates
for the CCIE R&S practical exam.
CCIE Routing & Switching
Implementing Cisco IP Routing v2.0

Implementing Cisco IP Switched
Networks V2.0
Troubleshooting and Maintaining
Cisco IP Networks v2.0
Professional level instructor led trainings to prepare candidates for the

CCNP R&S exams (ROUTE, SWITCH and TSHOOT). Also available in
self study eLearning formats with Cisco Learning Labs.
CCNP Routing & Switching
Interconnecting Cisco Networking Devices:

Part 2 (or combined)
Configure, implement and troubleshoot local and wide-area IPv4 and IPv6
networks. Also available in self study eLearning format with Cisco Learning
Lab.
CCNA Routing & Switching
Interconnecting Cisco Networking Devices:

Part 1
Installation, configuration, and basic support of a branch network. Also

available in self study eLearning format with Cisco Learning Lab.
CCENT Routing & Switching

Wireless Cisco Education Offerings

Course
Description
Conducting Cisco Unified Wireless Site Survey

Implementing Cisco Unified Wireless Voice
Networks
Implementing Cisco Unified Wireless Mobility
Services
Implementing Cisco Unified Wireless Security
Services
Professional level instructor led trainings to prepare candidates to conduct

site surveys, implement, configure and support APs and controllers in
converged Enterprise networks. Focused on 802.11 and related
technologies to deploy voice networks, mobility services, and wireless
security.
CCNP Wireless
Implementing Cisco Unified Wireless Network

Essential
Prepares candidates to design, install, configure, monitor and conduct

basic troubleshooting tasks of a Cisco WLAN in Enterprise installations.
CCNA Wireless

Cisco Certification
Data Center / Virtualization Cisco Education Offerings

Course
Description
Cisco Certification
Cisco Data Center CCIE Unified Fabric

Workshop (DCXUF);
Cisco Data Center CCIE Unified Computing
Workshop (DCXUC)
Prepare for your CCIE Data Center practical exam with hands on lab
exercises running on a dedicated comprehensive topology
CCIE Data Center
Implementing Cisco Data Center Unified Fabric

(DCUFI);
Implementing Cisco Data Center Unified
Computing (DCUCI)
Obtain the skills to deploy complex virtualized Data Center Fabric and
Computing environments with Nexus and Cisco UCS.
CCNP Data Center
Introducing Cisco Data Center Networking

(DCICN); Introducing Cisco Data Center
Technologies (DCICT)
Learn basic data center technologies and how to build a data center
infrastructure.
CCNA Data Center
Product Training Portfolio: DCAC9k, DCINX9k,

DCMDS, DCUCS, DCNX1K, DCNX5K, DCNX7K
Get a deep understanding of the Cisco data center product line including
the Cisco Nexus9K in ACI and NexusOS modes


BRKCRS 2891 PDF

Uploaded by

Copyright:

Available Formats

BRKCRS 2891 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BRKCRS 2891 PDF

Uploaded by

Copyright:

Available Formats

Abstract

Things have changed and are changing

Dialup Internet is history

From days to week it took

How do you get to create

Enterprise Network Segmentation

Use cases & Deployment scenarios

WHAT is Cisco TrustSec

HOW to deploy TrustSec

WHY segment the TrustSec way?

WHEN to deploy TrustSec: Now!

Cisco ISE & TrustSec Sessions: Building Blocks

BRKSEC-2045 Mobile Devices and

BRKCRS-2891 Enterprise Network

BRKSEC-2026 Network as a Sensor

Segmentation at Cisco Live

Factors governing segmentation

Line of business BU segmentation

Payment Card Industry

As networks evolve, granular segmentation is desired

Mergers and Acquisitions

Network Segmentation is a must to contain threats!

Effective network segmentation reduces the extent to

Segregate networks, limit allowed protocols usage and

Fundamentally VLAN based

Every segment is a separate

deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993

ACL rules grow with more segments

Security Group based Policy

User to Data Center Access Control with TrustSec

Campus Segmentation with TrustSec

Employee Employee Guest Quarantine

TrustSec and ISE

The Cisco TrustSec Network Device Admission

SGACL: Security Group ACL

Define policy matrix on ISE that

Centrally define business

Static SGT Assignments

Assigning Security Group Tags

For Mobile Devices

For Servers and Topologies

Port to SGT, L2/L3

Virtual Port Profile to SGT

L3 Interface to SGT Mappings

VSS-1#show cts role-based sgt-map all

SGT Classification Binding Source Priority (IOS)

Access Layer Classification Summary

** limits on number of SGTs (255) * - limits on the number of VLANs

Nexus 1000V: SGT Assignment in Port Profile

Inline tagging (SGT in data plane)

Cisco Meta Data

Optional MACsec protection

SGT Option Type

Other CMD Option

L2 Frame Impact: ~40 bytes

Recommend L2 MTU~1600 bytes

SGT embedded within Cisco Meta

N.B. Assume incapable devices will

SGT link Authentication and Authorization