BRKCRS-2662 (2013)

Deploying Campus Security Group Tags
BRKCRS-2662
BRKCRS-2662 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Abstract
 This session provides an overview of the Cisco TrustSec Security Group Access
(SGA) solution for Role-Based Access Control with focus on Campus Network.
SGA allows for simplified network segmentation based on User Identity/Role and
allows for secure access and consistent security policies across Wired/Wireless
networks. SGA helps define BYOD policies through security policies based on
User/Role/Device/Location.
 The session covers SGA on the Catalyst Switching platforms, including
converged wired/wireless. The session covers an architectural overview of SGA
and benefits of a converged wired/wireless network, elements of Cisco TrustSec
such as user identification with 802.1x, device identification, role classification
using Security Group Tagging (SGT) and enforcement using Security Group
Access Control List (SGACL). We also discuss various SGA deployment use
cases in a campus network. This session is for Network Architects, Pre-Sales
Engineers and Technical Decision Makers.
Why Should You Care About TrustSec
 BYOD, IPv6 and Internet of Things require

different approach to manageability
 Unified Security Policy across Wired and Wireless
Got
TrustSec?
Agenda
 TrustSec Overview
 Campus Deployment Use Cases
 Migration Path
 Wireless Integration
 How to Deploy
Session Objectives
TrustSec is ready to be deployed in campus networks today.
At the end of the session, the participants should be able to:

Understand Components of TrustSec Solution
Differentiate Campus Deployment Models
Learn about Best Practices, Migration Paths and Caveats
Not Covered
 Basic IEEE 802.1X concepts

 Branch Scenario
 ASA Firewall
TrustSec: An Overview
Traditional Campus Network
Security Challenges
Security
Challenges
Core
• User Identification
• Device Identification
Distribution • Segmentation
• Unified Policy
Data Centre
• Central Policy Management
• Network Infrastructure
Protection
• Scalable for future growth
Directory
Service
Access
IT Finance Doctor WLC

Identity
3.1.1.1 2.1.1.1 1.1.1.1 Patient DB Service
10.1.1.1 Engine
Segmentation
The Challenge of Traditional Security Enforcement
permit tcp 1.1.1.1 100.1.1.1 eq https permit tcp 1.1.1.1 100.1.1.1 eq https
permit tcp 1.1.1.1 100.1.1.1 eq 8081 permit tcp 1.1.1.1 100.1.1.1 eq 8081
permit tcp 1.1.1.1 100.1.1.1 eq 445 permit tcp 1.1.1.1 100.1.1.1 eq 445
deny ip 1.1.1.1 100.1.1.2 deny ip 1.1.1.1 100.1.1.2
permit tcp 1.1.1.1 100.1.1.2
deny ip 1.1.1.1 100.1.1.2
eq https permit tcp 1.1.1.1 100.1.1.2
deny ip 1.1.1.1 100.1.1.2
eq https
Access Control with
permit tcp 1.1.1.1 150.1.1.2 eq https permit tcp 1.1.1.1 150.1.1.2 eq https
deny ip 1.1.1.1 150.1.1.2
permit tcp 1.1.1.1 200.1.1.1 eq https
deny ip 1.1.1.1 150.1.1.2
permit tcp 1.1.1.1 200.1.1.1 eq https Core permit tcp any 100.1.1.1 eq https
deny ip all
IP Access Control Lists
deny ip 1.1.1.1 200.1.1.1 deny ip 1.1.1.1 200.1.1.1
permit tcp any 150.1.1.1 eq https • Topology-based

permit tcp 2.1.1.1 150.1.1.1 eq https permit tcp any 150.1.1.1 eq 8081
permit tcp any 150.1.1.1 eq 445
permit tcp 2.1.1.1 150.1.1.1
permit tcp 2.1.1.1 150.1.1.1
eq 8081
eq 445
permit tcp 2.1.1.1 150.1.1.1
permit tcp 2.1.1.1 150.1.1.1
eq https
eq 8081 deny ip all • Manual configurations
deny ip 2.1.1.1 150.1.1.1 permit tcp 2.1.1.1 150.1.1.1 eq 445
permit tcp 2.1.1.1 200.1.1.2 eq https deny ip 2.1.1.1 150.1.1.1
deny ip 2.1.1.1 200.1.1.2 permit tcp 2.1.1.1 200.1.1.2
deny ip 2.1.1.1 200.1.1.2
eq https • Error prone
Distribution Data Centre • Unscalable
permit tcp 3.1.1.1 100.1.1.1 eq https permit tcp 3.1.1.1 100.1.1.1 eq https permit tcp any 200.1.1.1 eq https
permit tcp 3.1.1.1 100.1.1.1 eq 8081
deny ip 3.1.1.1 200.1.1.2
permit tcp 3.1.1.1 100.1.1.1 eq 8081
deny ip 3.1.1.1 200.1.1.2
permit tcp any 200.1.1.1 eq 8081
deny ip all
• Difficult to maintain
Access
Directory
Service
WLC
Identity
VLANIT10 Finance
VLAN 20 Doctor
VLAN 30 Service
3.1.1.1 2.1.1.1 1.1.1.1 Engine
Comprehensive End-to-End Security
Cisco TrustSec
Context-Aware Protect Network

Segmentation (Compliance)
Control Infrastructure
Where
What When
Who How
IDENTITY
MACsec Encryption
Role-Based Access Control with Security Topology Independent Segmentation with
Group Tagging (SGT) Secure Group Access (SGA)
Network Device Admission Control
(NDAC)
Identify, Profile Devices
with Device Sensor
802.1X Authentication
Context-Aware Control
User Authentication: 802.1X
Authentication Features
Cisco Catalyst Switch
Monitor Mode
• Unobstructed access
• No impact on productivity
• Gain visibility
Tablets IP Phones Network Guests

Authorised Users Device
802.1X MAB WebAuth
Context-Aware Control
Device Sensor
Identify Devices and set Device-based policies with Device Sensor
Identity
Service
Engine
Device-Aware Identity- Aware
Device 1 Corp PC Doctor

Sensor Personal Laptop Doctor
CDP
LLDP
DHCP
MAC
IP Phone N/A
Where
Segmentation Who
What When
How
Security Group Access IDENTITY

Financial
Email Server Patient Records
Servers
IT Allow All SQL SQL Access Control with
Finance IMAP Web No Access Secure Group Access
Doctors IMAP No Access File Share
• Context-based Classification
• Role-based Policies
• Topology-independent
Distribution Data Centre • Network wide enforcement

• Scalable
• Easy to administer
• One Policy
Access
Directory
Service
WLC
IT Finance Doctor Identity
3.1.1.1 2.1.1.1 1.1.1.1 Service
Engine
Protect Network Infrastructure
Network Device Admission Control (NDAC)
Switch3 Switch2 Switch1

SGT SGT SGT SGT SGT Switch2
Switch3
Switch4
Cisco
Switch4 TrustSec Domain Switch1 Identity
Service
Engine
Switch5
Platform Release
Cat3Kx 15.0(2)SE
Cat4K 3.3.0SG
Cat6K 15.0(1)SY
VLAN BRKCRS-2662
110 VLAN 120 VLAN 130 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
MAC Security (MACSec)
SGT SGT SGT SGT SGT
Cisco
TrustSec Domain Identity
Service
Engine
Everything is sent in clear therefore you can see everything on wire
SGT
SGT
Platform Release
Cat3Kx 15.0(2)SE
VLAN 110 VLAN 120 VLAN 130
Cat4K 3.3.0SG
BRKCRS-2662 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public Cat6K 15.0(1)SY 15
MAC Security (MACSec)
SGT SGT SGT SGT SGT
Cisco
Service
Engine
MACSec Enabled
&^*RTW#(*J^*&*sd#J$%UJ&(&^*RTW#(*J^*&*sd#J$
Platform Release
Cat3Kx 15.0(2)SE
Cat4K 3.3.0SG
How Cisco TrustSec Works
Segmentation
Security Group Tagging (SGT) and SGACL
Dynamic Assignment or Map VLANs or SGACL Enforcement
IP Subnets to SGT Values SGT SGT SGT SGT SGT
cts role-based sgt-map VLAN-list 10 sgt 10 cts role-based permissions from 10 to 111
permit tcp dst eq 443
cts role-based sgt-map 192.168.10.0/24 sgt 10 permit tcp dst eq 80
deny ip
Cisco
TrustSec Domain
Identity
Service
Engine
Can Forward Existing

SGT Traffic or Map
SGTs Manually
Device- Identity- Security

SG Tag Imposed to Incoming Traffic Aware Aware Group
1 Corp PC Doctor Doctor
1 Personal PC Doctor Doctor
IP Phone NA Voice
Role Identification (SGT Assignment)
Campus/Mobile Endpoints
• via 802.1X Authentication

• via MAC Authentication Bypass
Full integration with
Cisco Identity Solution
• via Web Authentication Bypass
• Or Static IP-to-SGT binding on SW Just like VLAN Assignment or dACL, we
assign SGT in authorisation process
Data Centre/ Servers
• via Manual IP-to-SGT binding on TrustSec device

• via IP-to-Port Mapping
How SGT Assignment Works
SGACL Download
cts role-based permissions from 6 to 20
deny ip
IP-to-SGT Assignment
Dynamic SGT Assignment Cisco cts role-based sgt-map 192.168.1.1 sgt 20
10.1.1.102 = SGT 6
Service
Engine
ACCESS-ACCEPT
RADIUS
SGT=6
SRC \ DST Server A (20)
802.1X User A (6) SGACL-A
192.168.1.1
10.1.1.102
How SGACL Enforcement Works
SGACL Download
deny ip
IP-to-SGT Assignment
Dynamic SGT Assignment Cisco cts role-based sgt-map 192.168.1.1 sgt 20
10.1.1.102 = SGT 6
Service
Engine
SRC \ DST Server A (20)

FTP
HTTPS
SGT=6 User A (6) SGACL-A
192.168.1.1
10.1.1.102
RADIUS Access-Request Frame Format
User Authentication Request
RADIUS Access-Accept Frame Format
User Authentication With Downloadable ACL
User Authentication With SGT Assignment
Device Authentication Request
Switch sends
request to
authenticate itself
Device Authentication & SGACL requests
Subsequent
requests include
SGTs found in the
switch
Device Authentication
Switch
authenticated
Device Authentication, SGACL & SGACL Matrix Download
SGACLs matching
destination
downloaded
SGACLs
downloaded
Cisco TrustSec Supported L2 Ethernet
Frame Types
MAC Payload
Ethernet Preamble
MAC DA MAC SA
46 – 1500 bytes
CRC
8 octets 6 octets 6 octets 4 octets
Cisco Meta Data (SGT)

(gmac, propogate SGT) MAC Payload 42-
MAC DA MAC SA .1Q CMD CRC
Preamble 1500 bytes
No encryption
8 octets 6 octets 6 octets 4 octets 8 – 64 4 octets
octets
MACsec only (gcm- MAC Payload 42-

encrypt) (SEC Tag) MAC DA MAC SA SEC Tag .1Q ICV CRC
Preamble 1500 bytes
8 octets 6 octets 6 octets 8 or 16 4 octets 8 to 16 4 octets
octets octets
MACsec with Cisco Meta MAC Payload 42-

(gcm-encrypt, propogate SGT) MAC DA MAC SA SEC Tag .1Q CMD ICV CRC
Preamble 1500 bytes
Data (SGT) 8 octets 6 octets 6 octets 8 or 16 8 – 64
4 octets 8 to 16 4 octets
octets octets octets
SGA Deployment Use Cases
SGA Deployment Use Cases
User A User B
Access
Campus Reference Design
Cat4500
Cat3750-X
 Access, Distribution & Core
 Data Centre
Dist
Cat6500 Cat6500
Core
Deployment Modes Cat6500 Cat6500
 802.1X based SGT Assignment Nexus 7010
Data Center
 Statically configured SGT
N5K
Assignment
Directory
Service
 Migration Scenarios
File Server WEB Server SQL Server
ISE 1.1
Campus LAN Deployment User A User B
Campus Access
Use Case
Campus users accessing resources in Data Centre Cat3750/X

Cat3750/X
Requirement Cat6500 Cat6500
 User A should be able to access File

Server & Web Server Cat6500 Cat6500
 User B should be denied access to Data Centre
File Server Nexus 7010
N5K
Directory
Service
File Server WEB Server SQL Server ISE 1.1

1.1.1.1 2.1.1.1
Campus LAN Deployment User A
VLAN 10
User B
VLAN 20
How is it done today without SGA Campus Access
Assigned/Downloaded VLAN,
Use Case ACL via 802.1X, MAB

Cat3750/X
Access Layer
 User VLAN statically defined or assigned Enforced Cat6500 Cat6500
during 802.1X or MAB Authentication
 ACL statically defined or downloaded
Cat6500 Cat6500
during Authentication Data Center
Downloaded or Statically Defined ACL Nexus 7010

!
Permit tcp any 1.1.1.1 eq 20
Permit tcp any 2.1.1.1 eq http
Permit tcp any 2.1.1.1 eq https
Deny ip any any
N5K
Directory
Service
Statically Defined VLAN or Assignment from RADIUS
!
Vlan 10, 20
1.1.1.1 2.1.1.1
Campus LAN Deployment User A User B
How is it done with SGA Campus Access 10 20
SGT Assignment via 802.1X, MAB,

Web Auth
Use Case

Cat3750/X
 User traffic SGTagged at access via 802.1X, MAB,

or Web Authentication Access Layer Tagging
Cat6500 Cat6500
 Server SGT assigned via static mapping

 SGTag propagated thru access, distribution to data
centre Cat6500 Cat6500
Data Center
 SGACL enforcement at data centre egress switch
Nexus 7010
Data Centre Enforcement
SRC \ DST File Server (111) Web Server (222) N5K

Directory
User A (10) Permit all SGACL-B Service
User B (20) Deny all SGACL-C
111 222 SGACL Enforcement

Platform Release
Cat3Kx 15.0(2)SE
Cat4K Indus*
Access Layer Enforcement User A User B Guest
Campus Access 10 20 30
SGT Assignment via 802.1X, MAB,

Use Case Web Auth
Cat3750-X
Segmentation between users/resources in campus Cat3750-X
 User traffic SGTagged at access via 802.1X, Access Layer Tagging

Cat6500 Cat6500
MAB, or Web Authentication
 Resource SGTagged via 802.1X, MAB, or static Access Layer Enforcement
mapping
Cat6500 Cat6500
Data Center
 SGACL enforcement at egress access switch
Nexus 7010
SRC \ DST User A (10) User B (20) Guest (30)

User A (10) Permit all Deny all Deny all N5K
Directory
User B (20) Deny all Permit all Deny all Service
Guest (30) Deny all Deny all Permit all

Platform Release
Cat3Kx 15.0(2)SE
Cat4K Indus*
Campus Migration Path
Challenges Migrating to a TrustSec
Network
 End device authentication
‒ Different authentication mechanisms for device types
‒ Multiple devices per per port
 Network device authentication

‒ Prevent malicious or accidental changes in the network
 Partial support of TrustSec features in network devices

‒ Many features require new or specific hardware
SGA with Monitor Mode ISE
Zero Enforcement Egress Enforcement
 Security Group ACL
HR Server
SGT SGT
Campus ACME Server
Network
Users, Catalyst® Catalyst® Catalyst®

Switches 6K 6K Nexus® 7000
Endpoints
(3K/4K)
AUTH=OK ACME Server
Monitor Mode
SGT=8
authentication port-control auto
SRC \ DST HR Server (111) ACME Server (222)
authentication open ACME-User(8) Permit all Permit all
dot1x pae authenticator
HR-User (10) Permit all Permit all
Unknown (0) Permit all Permit all
1. User connects to network

2. Monitor mode allows traffic from endpoint before authentication
3. Authentication is performed and results are logged by ISE
4. Traffic traverses to Data Centre and hits SGACL at egress enforcement point
5. All traffics are permitted with SGACL. No impact to the user traffic
SGA with Monitor Mode ISE
SGACL Enforcement Egress Enforcement
 Security Group ACL
HR Server
SGT SGT
Campus ACME Server
Network
Users, Catalyst® Catalyst® Catalyst®

Switches 6K Nexus® 7000
Endpoints 6K
(3K/4K)
AUTH=OK ACME Server
Monitor Mode
SGT=8
authentication port-control auto
SRC \ DST HR Server (111) ACME Server (222)
authentication open ACME-User(8) Deny all Permit all
dot1x pae authenticator
HR-User (10) Permit all Permit all
Unknown (0) Deny all Deny all
1. User connects to network

2. Monitor mode allows traffic from endpoint before authentication
3. Authentication is performed and results are logged by ISE
4. Traffic traverses to Data Centre and hits SGACL at egress enforcement point
5. Only permitted traffic path (source SGT to destination SGT) is allowed
VLAN-to-SGT Mapping 10 20 30 Campus Access
Partners Guest
SGT Assignment via VLAN-to-SGT Employees
mapping VLAN 20 VLAN 30
VLAN 10
Use Case
Migration path – VLAN-to-SGT mapping Cat3750-X Cat3750-X
 Source SGT assigned via VLAN-to-SGT mapping Access Layer

Tagging
 Server SGT assigned via static mapping Cat6500 Cat6500
 SGACL enforcement at access switch & data centre

TrustSec Access Layer
Enforcement
egress switch Domain

Cat6500 Cat6500
Data Centre
 IP Device Tracking must be enabled
Data Centre Nexus 7010
Enforcement
SRC(SGT) / File Server Public Partners

Guest (30)
DST(DGT) (111) Portal (222) (20)
N5K
Emp (10) Permit all Permit Web SGACL-A Deny all Directory
Service
Prtnr (20) Permit Web Permit Web Deny all Deny all
Guest (30) Deny all Permit Web Deny all SGACL-B
File Server Public Portal SQL Server ISE 1.1

Platform Release
Cat3Kx 15.0(2)SE
Cat4K Indus*
BRKCRS-2662 © 2013 Cisco and/or its affiliates.
Cat6KAll rights reserved.
15.0(1)SY Cisco Public 41
VLAN-to-SGT Mapping Company A
10 20
Company Mergers Campus Access Campus Access
Employees Guest Employees Guest

SGT Assignment via VLAN-to-SGT
VLAN 10 VLAN 20
mapping
VLAN 30 VLAN 40
30
Cat3750-X Cat3750-X
Cat3750-X
Access Layer
Tagging
Cat6500 Cat6500
Company B Cat6500 Cat6500
TrustSec
Data Centre Cat6500
Cat6500 Domain Cat6500 Cat6500
Data Centre
Nexus 7010 Data Centre Enforcement Nexus 7010
SRC(SGT)
SRC(SGT) / FileFile
Server
Server Public
Public Portal File Server
/ Guest (30)
Guest (20)(211)
DST(DGT) (111)
(111) Portal (222)
(222)
DST(DGT)
N5K
Emp(10) Permit all Permit Web Deny all SGACL_E Directory
Emp (10) Permit all Permit Web Deny all Service
Guest(20) Deny all Permit Web SGACL-B Permit Web
Guest (20) Deny all Permit Web SGACL-B 211
Emp_B(30) Deny all Deny all Deny all Permit all
File Server Public Portal File Server Public Portal SQL Server ISE 1.1
Platform Release
Cat3Kx 15.0(2)SE
Cat4K Indus*
Cat6K All rights reserved.
Campus Access
Subnet-to-SGT Mapping
SGT Assignment via Subnet-to-SGT Employees Partners Guest
mapping
1.1.1.0 2.1.1.0 3.1.1.0
Use Case
Cat3750
Migration path – Subnet-to-SGT mapping Cat4500
 Source SGT assigned via Subnet-to-SGT mapping

1.1.1.0 = 10 Cat6500 Cat6500
 Subnet bindings are static, no learning of active hosts
 Prefixes can be exported directly with SXPv3
2.1.1.0 = 20
TrustSec Cat6500
Cat6500
 Server SGT assigned via static mapping 3.1.1.0 = 30 Domain Data Centre
 SGACL enforcement at Dist switch & data centre egress Nexus 7010
switch
SRC(SGT)
File Server Public Partners
/ Guest (30)
(111) Portal (222) (20)
DST(DGT) N5K
Directory
Emp (10) Permit all Permit Web SGACL-A Deny all Service
Prtnr (20) Permit Web Permit Web Deny all Deny all
Guest (30) Deny all Permit Web Deny all SGACL-B
Platform Release
Cat4K Indus*
Cat6K 15.0(1)SY
10 20
IP-to-SGT Mapping
Campus Access
31
SGT Assignment via IP-to-SGT
mapping Employees Partners
10.1.1.1
VLAN 10 VLAN 20
Use Case
10.1.1.2
Cat3750-X
IP-to-SGT mapping
Cat3750-X
32
 Source SGT assigned via IP-to-SGT mapping
 IP Device Tracking must be enabled 10.1.1.1 = 31
TrustSec
Cat6500 Cat6500
 Typically used for statically assigned IP devices 10.1.1.2 = 32 Domain

Cat6500
 Server SGT assigned via static mapping Cat6500
Data Centre
 SGACL enforcement at access switch & data centre
egress switch Nexus 7010
SRC(SGT) File Public

Partners Guest IPSVC Printer
/ Server Portal
(20) (30) (31) (32)
DST(DGT) (111) (222)
Permit Permit N5K

Emp (10) SGACL-A Deny all Permit all Permit all Directory
all Web
Service
Permit Permit
Prtnr (20) Deny all Deny all Deny all Permit all
Web Web
Permit
Guest (30) Deny all Deny all SGACL-B Deny all Permit all
Web Platform Release 111 222 SGACL Enforcement
Cat3Kx 15.0(2)SE
Cat4K Indus*

Cat6KAll rights reserved.
Port-to-SGT Mapping Partner 1 Partner 2 Partner 3
SGT Assignment via Port-to-SGT

mapping
G1/2
Use Case
Cat3750-X
Port-to-SGT mapping
 Source SGT assigned via Port-to-SGT

mapping Int G1/1 = 10
TrustSec
Cat6500 Cat6500
 Typically used when connected to untrusted

switches
Int G1/2 = 20 Domain
Cat6500
Cat6500
 Server SGT assigned via static mapping Int G1/3
= 30 Data Centre
 SGACL enforcement at data centre switch

Nexus 7010
File
SRC(SGT) / File Server File Server Public
Server
DST(DGT) (112) (113) Portal (222)
(111)
Prtnr1 (10) Permit all Deny all Deny all Permit Web N5K
Directory
Service
Prtnr2 (20) Deny all Permit all Deny all Permit Web
Prtnr3 (30) Deny all Deny all Permit all Permit Web
File Servers Public Portal SQL Server ISE 1.1
Platform Release 111 222 SGACL Enforcement

112 113
Cat3Kx 15.0(2)SE
Cat4K Indus*
BRKCRS-2662 © 2013 Cisco and/orCat6K

its affiliates. All15.0(1)SY
rights reserved. Cisco Public 45
What if Scenarios
What if my Access Switch isn’t capable of
SGTagging
Locally Learned
IP Address SGT Source
10.1.10.102 5 LOCAL
10.1.10.110 14 LOCAL
10.1.99.100 12 LOCAL
IT Portal (SGT 4)
Users, 10.1.100.10
SXP
Endpoints
Catalyst® 2960S Active

802.1X ISE 1.1
N7K Directory
Speaker Cat6500 Sup2T
Distribution/Core
Listener
If the switch supports SXP, switch can send IP-to-SGT binding table to
SGT capable device (e.g. Catalyst 6500 with Sup2T)
SGTagging based on SXP
Doctor (SGT 7)
IP-to-SGT Binding Table
IT Admin (SGT 5) 10.1.10.102 5 SXP

SGT=5
10.1.10.110 14 SXP
SGT=7 SGT Enforcement
10.1.99.100 12 SXP
IT Portal (SGT 4)
Users, 10.1.100.10
Endpoints
SXP
LWA
SRC=10.1.10.102 VLAN100
Campus Network
Active
802.1X Catalyst® 2960S N7K ISE 1.1 Directory
Cat6500 Sup2T
MAB Distribution/Core
Agent-less Device Untagged Frame Tagged Frame
When SGT capable device receives packet, it looks up SGT

value in table, insert SGT tag to frame when it exits egress
port
What if my Dist/Core Switch isn’t Capable of
SGTagging
Locally Learned
Doctor (SGT 7)
10.1.10.102 5 LOCAL
IT Admin (SGT 5) 10.1.10.110 14 LOCAL

10.1.99.100 12 LOCAL
SGT=7
IT Portal (SGT 4)
Users, 10.1.100.10
SXP
Endpoints
LWA VLAN100
Campus Network
Active
802.1X Catalyst® 2960S ISE 1.1 Directory
Cat6500 Sup720 N7K
MAB Distribution/Core
Speaker
Agent-less Device Listener
Untagged Frame Tagged Frame

If the switch supports SXP, switch can send IP-to-SGT
binding table to SGT capable device (e.g. Nexus 7K)
What if I Received Multiple SGT Assignments
SGT Assignment Priorities
The current priority enforcement order, from highest to lowest:
INTERNAL—Bindings between locally configured IP addresses and the device own SGT
LOCAL—Bindings of authenticated hosts which are learned via IPM and device tracking. This type of binding also
include individual hosts that are learned via ARP snooping on L2 [I]PM configured ports.
IP_ARP—Bindings learned when tagged ARP packets are received on a CTS capable link.
SXP—Bindings learned from SXP peers.
New
Layer 3 Interface—(L3IF) Bindings added due to FIB forwarding entries that have paths through one or more
interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports.
CLI— Address bindings configured using the IP-SGT form of the cts role-based sgt-map global
configuration command. (Hosts and subnets)
VLAN—Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured.
SGT Transport over non-TrustSec Domain
Cisco
Use Case TrustSec Domain
Connecting TrustSec Domains – L3 SGT Transport

Challenge
 Partial TrustSec infrastructure support
Solution
 Encap/Decap traffic in IP ESP header between sites SGT L3 Non-
Transport TrustSec
Payload
 SGT is carried in the ESP Payload Domain
IP Network or
ESP SGT
 No Payload Encryption WAN
IP Header
Original Packet
SGT IP Header Payload Cisco

TrustSec Domain
IP Header ESP SGT Payload

ESP overhead (42-45 bytes) impacts IP MTU/Fragmentation
ESP – Encapsulating Security Payload
Platform Release
Cat6K (Sup2T) 15.0(1)SY

BRKCRS-2662 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Sup2T SGT L3 Transport
Configure L3 Transport on the interface
Router(config)# interface TenGigabitEthernet 6/1
 Configure policy with explicit list of Router(config-if)# cts layer3 ipv4 trustsec forwarding
addresses in CTS domain to determine
which packets need L3 CTS processing
 Packets sent with “transport mode” ESP Policy for allowed Traffic
to carry SGT without encryption or data ip access-list extended l3-cts-policy
permit ip any 171.71.0.0/16
authentication permit ip any 171.72.0.0/16
 Simple H/W operations: encap/decap of !
ESP with NULL transform cts policy layer3 ipv4 traffic l3-cts-policy
Policy to for exception traffic

ip access-list extended l3-cts-exception
!
cts policy layer3 ipv4 exception l3-cts-policy
Orig IP
Header ESP CMD Original Payload ESP TL
TrustSec: Best Practices
SGA and Monitor Mode
Ingress Enforcement TrustSec™ Domain Egress Enforcement

 VLAN Assignment  Security Group ACL
 Downloadable ACL
Campus
Network
Users, Catalyst® Switches Nexus® 7000
Endpoints (3K/4K/6K)
Monitor Mode
ISE 1.1
MACSec and SGA
SGT SGT SGT SGT SGT
Cisco
Service
Engine
MACSec Enabled
SGA and RADIUS COA
Why Radius COA
SGT SGT SGT SGT SGT
SGACL Enforcement
cts role-based
cts role-based permissions
permissions from
from 10
10 to
to 222
222
permit tcp
permit tcp dst
dst eq 443
deny iptcp dst eq 80
permit
deny ip
Cisco
Service
Engine
SRC \ DST Server A (111) Server B (222)

User A (10) Permit all SGACL-A
SGACL-C
User B (20) Deny all SGACL-B
SGA and RADIUS COA
With Radius COA
SGT SGT SGT SGT SGT
SGACL Enforcement
10 to
222
deny iptcp dst eq 80
permit
deny ip
Cisco
Service
Engine
SRC \ DST Server A (111) Server B (222)

User A (10) Permit all SGACL-A
SGACL-C
User B (20) Deny all SGACL-B

How to Deploy SGA
How To Deploy NDAC
NDAC – Seed Device Switch Configurations
Configuration Commands:
aaa new-model
radius server ise
address ipv4 <ip address> auth-port 1812 acct-port 1813
pac key <password>
aaa authentication dot1x default group radius Seed device includes
aaa authorization network cts group radius RADIUS info
aaa session-id common

cts authorization list cts
dot1x system-auth-control
!
Interface t5/1
switchport mode trunk
cts dot1x
!
<exec mode> cts credentials id <userid> password <password>
How To Deploy NDAC
NDAC – Non-Seed Device Switch Configurations
Configuration Commands:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
dot1x system-auth-control
!
Interface t5/1  Non-Seed device need not include RADIUS info
switchport mode trunk  Dynamically learns RADIUS info from Seed Device
cts dot1x
!
<exec mode> cts credentials id <userid> password <password>
Configuring Network Device Admission Control (NDAC) on ISE
Administration > Network Resources >

Network Devices
SGT Assignment for Roles
Doctor (SGT 7)
Static
SGT Assignment
IT Admin (SGT 6) For
SGT=7 SGT Enforcement
Servers
IT Portal (SGT 4)
Users,
Endpoints SXP 10.1.100.10
LWA VLAN100
Campus Network
Active
802.1X, MAB, LWA Catalyst® 3750-X Catalyst 6K Nexus® 7000 Catalyst® 4948 ISE 1.1 Directory
Core Distribution
MAB
Agent-less Device
Dynamic Public Portal (SGT 8)

10.1.200.10
Internal Portal (SGT 9)
10.1.200.200
SGT Assignment
Untagged Frame Tagged Frame
For
Patient Record DB (SGT 10) VLAN200
Endpoint 10.1.200.100
VLAN to SGT Mapping
VLAN to SGT mapping uses IP
Device Tracking mechanism to ip device tracking
!
cts role-based sgt-map vlan-list 10 sgt 10
dynamically create IP to SGT cts role-based sgt-map vlan-list 20 sgt 20
cts role-based sgt-map vlan-list 30 sgt 30
bindings per VLAN cts role-based sgt-map
cts role-based sgt-map
vlan-list
vlan-list
40 sgt 40
200 sgt 200
Once bindings are created IP device

SJC01#show cts role-based sgt-map summary
tracking uses periodic ARP Probe IP-SGT Active Bindings Summary
messages to keep IP to SGT ============================================
Total number of VLAN bindings = 1012
Total number of CLI bindings = 1
bindings active Total number of active bindings = 1013
VLAN 10
IP Subnet to SGT Mapping
Layer 3 interface mapping to SGT (L3IF) is supported on the
following L3 logical or physical interfaces:
SGT-MAP CLI Example
Routed port cts role-based sgt-map 192.168.10.0/24 sgt 10
cts role-based sgt-map 192.168.20.0/24 sgt 20
SVI (VLAN interface) cts role-based sgt-map 192.168.30.0/24 sgt 30
L3 subinterface of L2 port
Tunnel interface
• Dynamically adds Destination Group Tag (DGT) to the FIB entries matching the SGT-MAP
configured prefixes
SJC01#show platform hardware cef 192.168.10.10 detail
Codes: M - mask entry, V - value entry, A - adjacency index, NR- no_route bit
LS - load sharing count, RI - router_ip bit, DF: default bit
CP - copy_to_cpu bit, AS: dest_AS_number, DGTv - dgt_valid bit
DGT: dgt/others value
Format:IPV4 (valid class vpn prefix)

M(682 ): 1 F 3FFF 255.255.255.255
V(682 ): 1 0 0 192.168.10.10
(A:147497, LS:0, NR:0, RI:0, DF:0 CP:0 DGTv:1, DGT:10)
SJC01#
Sup2T SGT L3 Transport
Configure L3 Transport on the interface
Router(config)# interface TenGigabitEthernet 6/1
Router(config-if)# cts layer3 ipv4 trustsec forwarding
 Configure policy with explicit list of addresses in
CTS domain to determine which packets need
L3 CTS processing
 Packets sent with “transport mode” ESP to carry Policy for allowed traffic
SGT without encryption or data authentication ip access-list extended l3-cts-policy
 Simple H/W operations: encap/decap of ESP permit ip any 171.72.0.0/16
with NULL transform permit ip any 171.73.0.0/16
!
cts policy layer3 ipv4 traffic l3-cts-policy
Orig IP Policy for exception traffic

ESP CMD Original Payload ESP TL
Header ip access-list extended l3-cts-exception
!
cts policy layer3 ipv4 exception l3-cts-policy
Monitoring SGT Mapping
SJC01#show cts role-based sgt-map all
Active IP-SGT Bindings Information

============================================
192.168.10.0/24 10 CLI
192.168.20.0/24 20 CLI
192.168.30.0/24 30 CLI
192.168.40.0/24 40 CLI
192.168.200.0/24 200 CLI
SJC01#show cts role-based sgt-map all
IP-SGT Active Bindings Summary Active IP-SGT Bindings Information
============================================
Total number of CLI bindings = 5 IP Address SGT Source
Total number of active bindings = 5 ============================================
192.168.10.2 10 VLAN
SJC01# 192.168.10.3 10 VLAN
192.168.10.4 10 VLAN
192.168.10.5 10 VLAN
192.168.10.6 10 VLAN
192.168.10.7 10 VLAN
192.168.10.8 10 VLAN
192.168.10.9 10 VLAN
192.168.10.10 10 VLAN
192.168.10.11 10 VLAN
……
Monitoring SGACL Packet Drops with CLI
SJC01#show cts role-based permissions
IPv4 Role-based permissions from group 10 to group 200 (configured):
rbac1
rbac1
rbac1
rbac1
SJC01#
SJC01#show ip access-lists rbac1

Role-based IP access list rbac1
10 deny tcp dst eq www (104366 matches)
20 deny tcp dst eq ftp (36402 matches)
30 deny tcp dst eq ftp-data (232 matches)
SJC01#
Monitoring SGACL Packet Drops with
Flexible Netflow
flow record cts-v4 Interface vlan 10
match ipv4 protocol ip flow monitor cts-mon input
match ipv4 source address ip flow monitor cts-mon output
match ipv4 destination address
match transport source-port
match transport destination-port
Interface vlan 20
match flow direction ip flow monitor cts-mon input
match flow cts source group-tag ip flow monitor cts-mon output
match flow cts destination group-tag
collect counter bytes Interface vlan 30
collect counter packets ip flow monitor cts-mon input
ip flow monitor cts-mon output
flow exporter EXP1
destination 10.2.44.15
Interface vlan 40
source GigabitEthernet3/1
ip flow monitor cts-mon input
flow monitor cts-mon ip flow monitor cts-mon output
record cts-v4
exporter EXP1
cts role-based ip flow mon cts-mon dropped
*Optional – will create flows for only Role-based ACL drops
Monitoring SGACL Packet Drops with
Flexible Netflow SJC01#show flow mon cts-mon cache
Cache type:
Cache size:
Normal
4096
Current entries: 1438
High Watermark: 1632
Flows added: 33831
Flows aged: 32393
- Active timeout ( 1800 secs) 0
- Inactive timeout ( 15 secs) 32393
- Event aged 0
- Watermark aged 0
- Emergency aged 0
IPV4 SOURCE ADDRESS: 192.168.30.209

IPV4 DESTINATION ADDRESS: 192.168.200.156
TRNS SOURCE PORT: 60952
TRNS DESTINATION PORT: 80
FLOW DIRECTION: Output
FLOW CTS SOURCE GROUP TAG: 30
FLOW CTS DESTINATION GROUP TAG: 200
IP PROTOCOL: 6
counter bytes: 56
counter packets: 1
IPV4 SOURCE ADDRESS: 192.168.20.140

IPV4 DESTINATION ADDRESS: 192.168.200.104
TRNS SOURCE PORT: 8233
TRNS DESTINATION PORT: 80
FLOW DIRECTION: Output
FLOW CTS SOURCE GROUP TAG: 20
FLOW CTS DESTINATION GROUP TAG: 200
IP PROTOCOL: 6
counter bytes: 56
counter packets: 1
Monitoring SGT Traffic with Netflow
Plixer collector displays SGT information
http://www.plixer.com/blog/netflow/cisco-trustsec-netflow-support/
How To Create SGA Policy
Destination
SGT
Source Public Portal Internal Portal IT Portal Patient Record DB

SGT (SGT 8) (SGT 9) (SGT 4) (SGT 10)
Web
Web Web No Access
File Share
Doctor (SGT 7)
IT Maintenance ACL
Webpermit tcp dstWebeq 443 SSH
SSHpermit tcp dstSSH
eq 80
Full Access
permit tcp dst eq 22 RDP
RDPpermit tcp dstRDPeq 3389
IT Admin (SGT 6) permit tcp dst eq 135 File Share
File Share
deny ip File Share
Configuring Security Group ACLs on ISE
Security Group based Access Control
How Enforcement Works
Access-3K#show cts role-based permissions
IPv4 Role-based permissions default:
Permit IP-00 CTS7K-DC# show cts role-based counters sgt 5
IPv4 Role-based permissions from group 11:CTS_Devices to group
11:CTS_Devices: RBACL policy counters enabled
Permit_IP-30 Counters last cleared: 04/20/2010 at 11:20:58 PM
IPv4 Role-based permissions from group 2:MS_Users to group
3:SB_Users: sgt:5 dgt:4 [1555]
deny_ip rbacl:Permit IP
SGT=7103 (configured):
IPv4 Role-based permissions from group 10 to group permit ip [1555]
permit_web
IT Portal (SGT 4)
Users, Access-3K# sgt:5 dgt:8 [1483] 10.1.100.10
Endpoints rbacl:Permit IP
permit ip [1483] VLAN100
Campus Network
sgt:5 dgt:9 [1541]
rbacl:Permit IP
permit ip [1541] Active
802.1X
Access-3K#show Catalyst® 3750-X
cts environment-data Catalyst 6K Nexus® 7000 ACS v5.1 Directory
CTS Environment Data Core Distribution
sgt:5 dgt:10 [1804]
====================
<snip> Web
rbacl:IT_Maintenance_ACL
permit tcp dst eq 20 log [0]
Security Group Name Table:
0001-30 :
0-7f:Unknown Public Portal (SGT 8) Internal Portal (SGT 9)
2-7f:MS_Users 10.1.200.10 10.1.200.200
3-7f:SB_Users
Untagged Frame Tagged Frame permit tcp dst eq 136 log [0]
4-7f:IT_Portal
5-7f:MS_Servers
6-7f:IT_Admin
permit tcp dst eq 138 log
permit Record
Patient tcp dst eqDB139 log10)
(SGT
[0]
[0]
VLAN200
7-7f:Guest
permit tcp dst eq 3389 log
10.1.200.100 [251]
9-7f:Internal_Portal
permit icmp log [1547]
11-7f:CTS_Devices 73
BRKCRS-2662 © 2013 Cisco and/or its affiliates. All rights reserved.
denyCisco
ip [0]Public
Key Takeaways
Key Takeaways
 SGA provides easy way to manage and enforce policy in your

networks
 Various mapping features enable SGA to be enabled without
802.1X
 Monitor Mode can be used with SGA for easy SGA
deployment with Identity
 SGA can be deployed end-to-end today in Campus Networks
References
Cisco TrustSec
http://www.cisco.com/go/trustsec
Cisco Catalyst 6500 Series Switches
http://www.cisco.com/go/6500
Cisco Catalyst 4500 Series Switches
http://www.cisco.com/go/4500
Cisco Catalyst 3750X Series Switches
http://www.cisco.com/go/3750x
Cisco TechWise TV – Fundamentals of TrustSec
http://youtu.be/78-GV7Pz18I
Q&A
Complete Your Online Session
Evaluation
Give us your feedback and receive
a Cisco Live 2013 Polo Shirt!
Complete your Overall Event Survey and 5
Session Evaluations.
 Directly from your mobile device on the
Cisco Live Mobile App
 By visiting the Cisco Live Mobile Site
www.ciscoliveaustralia.com/mobile
 Visit any Cisco Live Internet Station located
Don’t forget to activate your
throughout the venue
Cisco Live 365 account for
Polo Shirts can be collected in the World of access to all session material,
Solutions on Friday 8 March 12:00pm-2:00pm communities, and on-demand and live activities throughout
the year. Log into your Cisco Live portal and click the
"Enter Cisco Live 365" button.
www.ciscoliveaustralia.com/portal/login.ww
BRKCRS-2662 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

BRKCRS-2662 (2013)

Uploaded by

Copyright:

Available Formats

BRKCRS-2662 (2013)

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BRKCRS-2662 (2013)

Uploaded by

Copyright:

Available Formats

Deploying Campus Security Group Tags

 BYOD, IPv6 and Internet of Things require

TrustSec is ready to be deployed in campus networks today.

At the end of the session, the participants should be able to:

 Basic IEEE 802.1X concepts

IT Finance Doctor WLC

permit tcp any 150.1.1.1 eq https • Topology-based

Context-Aware Protect Network

Cisco Catalyst Switch

Tablets IP Phones Network Guests

802.1X MAB WebAuth

Identify Devices and set Device-based policies with Device Sensor

Device 1 Corp PC Doctor

Security Group Access IDENTITY

Distribution Data Centre • Network wide enforcement

Switch3 Switch2 Switch1

SGT SGT SGT SGT SGT

Everything is sent in clear therefore you can see everything on wire

SGT SGT SGT SGT SGT

Can Forward Existing

Device- Identity- Security

1 Corp PC Doctor Doctor

1 Personal PC Doctor Doctor

• via 802.1X Authentication

Data Centre/ Servers

• via Manual IP-to-SGT binding on TrustSec device

SRC \ DST Server A (20)

802.1X User A (6) SGACL-A

SRC \ DST Server A (20)

8 octets 6 octets 6 octets 4 octets

Cisco Meta Data (SGT)

MACsec only (gcm- MAC Payload 42-

MACsec with Cisco Meta MAC Payload 42-

 802.1X based SGT Assignment Nexus 7010

Campus users accessing resources in Data Centre Cat3750/X

Requirement Cat6500 Cat6500

 User A should be able to access File

 User B should be denied access to Data Centre

File Server Nexus 7010

File Server WEB Server SQL Server ISE 1.1

Campus users accessing resources in Data Centre Cat3750/X

Downloaded or Statically Defined ACL Nexus 7010

How is it done with SGA Campus Access 10 20

SGT Assignment via 802.1X, MAB,

Campus users accessing resources in Data Centre Cat3750/X

 User traffic SGTagged at access via 802.1X, MAB,

 Server SGT assigned via static mapping

SRC \ DST File Server (111) Web Server (222) N5K

User B (20) Deny all SGACL-C

File Server WEB Server SQL Server ISE 1.1

111 222 SGACL Enforcement

SGT Assignment via 802.1X, MAB,

 User traffic SGTagged at access via 802.1X, Access Layer Tagging

SRC \ DST User A (10) User B (20) Guest (30)

File Server WEB Server SQL Server ISE 1.1

 Network device authentication

 Partial support of TrustSec features in network devices

Users, Catalyst® Catalyst® Catalyst®

Unknown (0) Permit all Permit all

1. User connects to network