BRKCRS-2824 (2020)


Intuitive Zero-Trust Design, Migration and Innovation When Securing the SD-Access Workplace

Fay-Ann Lee, Technical Marketing Engineer

BRKCRS-2824
BRKCRS-2824 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
Cisco can help you secure the workplace in a dynamic software-defined world
• Introduction
  • What is meant by software-defined
  • What is meant by 'secure' and why it matters
  • What is Zero-Trust
• Zero-Trust: Eliminate network trust using SD-Access
• Zero-Trust: Segment Network Access
  • SD-Access Policy Evolution
  • Security Policy Across Domains
• Zero-Trust: Gain Network Visibility and Analytics
  • Group-Based Policy Analytics
• Use case examples, Best Practices and Conclusions

Introduction
What is Meant by Software-Defined
Management, administration and orchestration abstraction across domains:
• SD-Access (Cisco DNA Center, Cisco ISE): campus, branch, IoT
• ACI (Cisco APIC): data center, ACI Anywhere
• SD-WAN: dynamic, app-aware routing
Benefits: faster policy changes, policy governance, simplified compliance.

What is Meant by Secure
• Before: segmentation / policy
• During: threat detection
• After: rapid threat containment

What is Meant by Secure: Security Ecosystem
• Authenticate and authorize users and endpoints (eliminate network trust)
• Macro and micro segmentation
• Security ecosystem integration
Figure: Cisco DNA Center (Automation, Analytics, Policy) with ISE at the centre; border nodes (B) connect to ASA and 3rd-party firewalls, FTD, Stealthwatch, Cognitive Threat Analytics, WSA and AMP Cloud for threat and vulnerability handling. Endpoints Lighting and Cameras sit in the IoT VN, Employee, Developer, Contractor and Supplier in the Corporate VN, each class carrying its own SGT.

Why it Matters
Threats in scope: ransomware, advanced persistent threats, supply chain attacks, unpatched software, spyware/malware, data/IP theft, malvertising, wiper attacks, rogue software, drive-by downloads, man in the middle, botnets, cryptomining, DDoS, credential compromise, phishing.

What is Cisco Zero-Trust
A zero-trust approach to securing all access across your applications and environment, from any user, device and location.
• Duo for Workforce: establish the trust level for users and their devices accessing applications and resources
• Tetration/ACI for Workload: restrict access to workloads based on risk, contextual policy and verified business need
• SD-Access for Workplace: establish least privilege access control for all users and devices, including IoT, accessing your networks

The Original Three Tenets of a Zero Trust Network
• Eliminate network trust: assume all traffic, regardless of location (internal or external), is threat traffic until it is verified that it is authorised, inspected, and secured.
• Segment network access: adopt a least privilege strategy and strictly enforce access control only to the resources users need to perform their job.
• Gain network visibility and analytics: continuously inspect and log all traffic, internally as well as externally, for malicious activity with real-time protection capabilities.

Zero-Trust: Eliminate Network Trust Using SD-Access
Cisco Software-Defined Access (SD-Access)
Intent-Based Networking at the Speed of Software
Cisco DNA Center (Policy, Automation, Analytics) together with ISE provides:
• Identity-based policy and segmentation: security policy definition decoupled from VLAN and IP address
• Automated network fabric: a single fabric for wired and wireless with workflow-based automation
• Insights and telemetry: analytics and insights into user and application experience
• User mobility: policy stays with the user
• SD-Access Extension: IoT network and employee network on the same fabric
Simplified operations to deliver a consistent experience.

ISE Integration
• Manage all campus and branch segmentation functions in Cisco DNA Center
• Leverage the ISE distributed architecture for geo-resilience, HA and policy distribution
ISE provides authentication, authorization, segmentation policy (SGACL) and RADIUS accounting to the fabric, and shares context over SXP/pxGrid with ASA, FTD, WSA and AMP Cloud.

Authenticate and Authorize Using ISE
Identity sources around the enterprise network (SD-Access): SAML IdPs (single sign-on), native supplicants / Cisco AnyConnect (certificate-based auth, 802.1X), certificate authorities (SCEP / CRL, built-in CA), external identity stores (Active Directory, LDAP servers, SQL Server via LDAP / SQL), passwords / tokens, APIs.

Authentication methods:
• Passive identity: MAC Authentication Bypass, Easy Connect
• Active identity: IEEE 802.1X, Web Authentication (Central WebAuth, Local WebAuth)

Authorization options:
• Downloadable / Named ACL
• Airespace ACL
• VLAN assignment
• Scalable Group Tags
• URL redirection

Zero-Trust: Segment Network Access
Why: Simplifying Security Policy
Figure: dozens of separate "ip access-list" entries scattered across the devices of a network.

Why: Simplifying Security Policy
Figure: the same network seen as groups: IoT Devices, IoT Servers, Internal Services, Employees, Guests.

Can You See the Business Intent here?

Can You Spot the Business Intent here?

DMZ-Pod1#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 4:Employees to group 12:Development_Servers:
        Deny IP-00
IPv4 Role-based permissions from group 8:Developers to group 12:Development_Servers:
        Permit IP-00

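To make that business intent machine-checkable, here is an added example (not from the session and not Cisco code) that parses the show output above into a source-SGT by destination-SGT matrix and evaluates a flow the way the egress node does: a specific cell wins, otherwise the default policy applies. It assumes the output format shown on the slide, treats the trailing "-00" as the SGACL generation ID, and only interprets the built-in "Permit IP" / "Deny IP" SGACL names; any other SGACL name is reported as-is because its contents are not in this output.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the "show cts role-based permissions" output from the slide above.
SHOW_OUTPUT = """\
DMZ-Pod1#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 4:Employees to group 12:Development_Servers:
        Deny IP-00
IPv4 Role-based permissions from group 8:Developers to group 12:Development_Servers:
        Permit IP-00
"""

CELL_RE = re.compile(
    r"^IPv4 Role-based permissions from group (\d+):(\S+) to group (\d+):(\S+):$"
)
DEFAULT_RE = re.compile(r"^IPv4 Role-based permissions default:$")
# "Permit IP-00" is the SGACL named "Permit IP" at generation ID 00 (assumption).
ACL_RE = re.compile(r"^(?P<name>.+)-(?P<gen>[0-9A-Fa-f]{2})$")


class SgaclMatrix:
    """Source SGT x destination SGT -> ordered SGACL names, plus the default policy."""

    def __init__(self) -> None:
        self.default: List[str] = []
        self.cells: Dict[Tuple[int, int], List[str]] = {}
        self.names: Dict[int, str] = {}

    @classmethod
    def from_show_output(cls, text: str) -> "SgaclMatrix":
        matrix = cls()
        current: Optional[List[str]] = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.endswith("#show cts role-based permissions"):
                continue  # prompt line or padding
            if DEFAULT_RE.match(line):
                current = matrix.default
                continue
            cell = CELL_RE.match(line)
            if cell:
                src, src_name, dst, dst_name = cell.groups()
                matrix.names[int(src)] = src_name
                matrix.names[int(dst)] = dst_name
                current = matrix.cells.setdefault((int(src), int(dst)), [])
                continue
            acl = ACL_RE.match(line)
            if current is None or not acl:
                raise ValueError(f"unexpected line in show output: {line!r}")
            current.append(acl.group("name"))
        return matrix

    def sgacls_for(self, src_sgt: int, dst_sgt: int) -> List[str]:
        """Egress lookup: a populated cell wins, otherwise the default policy applies."""
        return self.cells.get((src_sgt, dst_sgt)) or self.default

    def decision(self, src_sgt: int, dst_sgt: int) -> str:
        """'permit' / 'deny' for the built-in SGACLs, the custom SGACL name otherwise."""
        acls = self.sgacls_for(src_sgt, dst_sgt)
        if not acls:
            return "no-policy"
        first = acls[0]
        if first == "Permit IP":
            return "permit"
        if first == "Deny IP":
            return "deny"
        return first  # custom SGACL: contents must be read elsewhere

    def business_intent(self) -> List[str]:
        """Human-readable statement of what the matrix enforces."""
        lines = [
            f"{self.names[src]} -> {self.names[dst]}: {', '.join(acls)}"
            for (src, dst), acls in sorted(self.cells.items())
        ]
        lines.append(f"everything else: {', '.join(self.default) or 'no policy'}")
        return lines


if __name__ == "__main__":
    matrix = SgaclMatrix.from_show_output(SHOW_OUTPUT)
    print("\n".join(matrix.business_intent()))
    print("Employees -> Development_Servers:", matrix.decision(4, 12))
```

Running it prints the three-line intent (Employees are denied, Developers are permitted, everything else falls through to Permit IP), which is exactly the statement a reviewer would struggle to extract from an equivalent IP access list.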
SD-Access Virtual Network (=VRF)
A Virtual Network maintains a separate routing & switching instance for the devices within it.
• The control plane uses an Instance ID to maintain separate VRF topologies
• Nodes add the VNID to the fabric encapsulation
• Endpoint ID prefixes (host pools) are advertised within Virtual Networks
• Uses standard "vrf definition" configuration, along with RD & RT for remote advertisement (Border)
• Known as 'Macro-Segmentation'
Figure: control plane node (C) and border nodes (B) between known and unknown networks, with Virtual Networks "A", "B" and "C".

SD-Access Scalable Group (SGT)
A Scalable Group is a logical ID object to "group" users and/or devices.
• "Scalable Groups" are used to identify endpoints and assign them a unique Scalable Group Tag (SGT)
• Nodes add the SGT to the fabric encapsulation
• SGTs are used to manage address-independent "Group-Based Policies"
• Edge or Border Nodes use the SGT to enforce local Scalable Group ACLs (SGACLs)
• Known as 'Micro-Segmentation'
Figure: control plane node (C) and border nodes (B) between known and unknown networks; endpoints tagged with SGTs 3, 4, 6, 7, 8, 11, 12, 19, 23 and 25.

Segmentation Operation in SD-Access Fabric
• Classification: dynamic, by ISE (authentication / authorization)
• Propagation: SGT carried in the VXLAN header
• Enforcement: egress fabric edge, using the policy downloaded from ISE (Cisco DNA Center pushes the policy to ISE)

Egress policy (source \ destination):
Source       Employee     Contractor
Employee     Permit All   Deny All
PLC          Permit All   Deny All
Contractor   Deny All     Permit All

Example: Employee SGT (5) at 10.1.100.1 sending to Contractor SGT (10) at 10.2.200.6 is denied at the egress edge.

Static Classifications Automated
• Assigning an IP pool in a VN provisions a VLAN:SGT classification
• Fabric port assignment provisions a Port:SGT classification

Static Classification Details / Use-Cases
If an SGT is chosen when assigning an IP pool in a VN, Cisco DNA Center provisions a VLAN:SGT classification on the SD-Access fabric:
cts role-based sgt-map vlan-list <VLAN> sgt x

If an SGT is chosen when assigning a fabric port, it provisions a Port:SGT classification:
cts manual
 policy static sgt x
 no propagate sgt

Figure: a trunk from the fabric edge to a workstation switch carrying VLAN-A, VLAN-B, VLAN-C and VLAN-D.
Use-case example: Extended Node

Enforce on the Fabric Border or Propagate Outside
• Use-case: inter-VN enforcement. Traffic between VN1 and VN2 leaves the fabric at the border nodes (B); ISE shares IP:SGT mappings with ASA over SXP and with FMC/FTD over pxGrid or SXP, and the border can carry the SGT to ACI or a firewall with inline tagging (CMD).
• Use-case: groups/mappings learned from ACI, enforced on the border.
Example endpoint: Employee SGT (5) at 10.1.100.1.

VLAN/VN and SGT Assignment Workflow
1. Add the SGT (placed in the default VN by default); option: assign the SGT to specific VN(s)
2. Assign the pool/VLAN to the VN
3. The SGT is provisioned into ISE; drop-downs are provided in the ISE authorization profile

Zero-Trust: Segment Network Access: SD-Access Policy Evolution

New Policy Views
• New policy visualizations to represent extensive sets of policies
• More granular security policy definition: avoids the need to use ISE for advanced policy capabilities
• Policies and contracts can be edited directly from the policy views

Policy Migration / Sync with ISE
Screenshots: Start Migration; migration in progress; migration successful.

Manage Policy in Cisco DNA Center or ISE
Once migrated, the ISE segmentation UIs (Security Groups, SGACLs, Policy) become read-only views; policy is managed in Cisco DNA Center.

Cisco DNA Center Supporting VN-Agnostic SGTs
Cisco DNA Center supports VN-agnostic SGTs from release 1.3.1 (groups can now officially reside in different VNs).
Use-case: different Industrial Control Systems segregated at the macro/VN level but with the same SGT/policy at the micro level. VN:IACS (Industrial Automation and Control Systems) and VN:PLC (Programmable Logic Controller) both use SGT IOT with the same policy, while traffic between the two VNs stays blocked.

Policy Extended Node
Provisioned similarly to an 'Extended Node', but with inline tagging enabled on the uplink and policy now handled by the Policy Extended Node itself.
Initially the IE3400 and IE3400H supported inline tagging.
Figure: border nodes (B) and fabric edges FE1 and FE2 (VXLAN between them) at a site; the Policy Extended Node below FE2 attaches Host 2 (SGT 4, Employees) and PLC-1 (SGT 19, PLC).

HTTPS Download (capability being improved)
ISE 2.7: TLS 1.2 server with a REST/JSON API, used for Env-Data & SGACL download.
IOS-XE 17.1.1 (16.12.2): TLS 1.2 client for ISE connectivity, used for Env-Data & SGACL JSON parsing.

Existing version (RADIUS):
• Policy download occurs over RADIUS
• Unreliable UDP transport
• Bulk changes fragmented over multiple packets
• Uses the PAC process with TLS 1.0

New version (HTTPS):
• Reliable transport, avoids PAC mechanisms being needed
• Scales to large numbers of responses from devices
• Future versions will provide additional assurance capabilities

Exchange: the device sends an Env-Data/SGACL request (RADIUS today, TLS/REST/JSON in the new version) and ISE returns the Env-Data/SGACL download over the same channel; CoA remains RADIUS in both versions.

HTTPS Download (capability being improved): Initial Release Caveats
• The first release will not operate with ISE server load balancing: devices send requests to a single PSN (but IOS-XE will provide a randomization option)
• The first release will not support an external CA
• The first release will not provide the IPv6 server list over HTTPS

HTTPS servers (for policy download) as listed to the device:
Server Name   IP (IPv4)
ISE-PSN1      192.168.5.10
ISE-PSN2      192.168.5.20
ISE-PSN3      192.168.5.30
Figure: ISE-PSN1, ISE-PSN2 and ISE-PSN3 behind a load balancer, with the ISE-PAN.

3rd Party AAA
• Authentication and authorization requests are directed to the 3rd-party RADIUS server
• SGT and VN assignments must be coordinated between the 3rd-party AAA server and Cisco DNA Center

Flow:
1. 802.1X/MAB authentication against the 3rd-party RADIUS server; the Access-Accept carries the Cisco AV pair cts:security-group-tag=0001-01 plus the VLAN ID
2. The edge node requests the policy from ISE
3. Policy download; traffic from SRC 10.1.10.220 to DST 10.1.100.52 is enforced with the SGT

Sample configuration: https://community.cisco.com/t5/networking-documents/how-to-use-group-based-policies-with-3rd-party-radius-using/ta-p/3930041

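Added example (not Cisco's code and not taken from the linked document) of what step 1 looks like on the wire: a third-party RADIUS server builds an Access-Accept carrying the cisco-avpair cts:security-group-tag=<sgt>-<generation> and the RFC 2868 tunnel attributes for the VLAN, and the edge node parses it back only after checking the Response Authenticator against the shared secret, which is the RFC 2865 check that stops a forged reply from handing a session an SGT. The shared secret and Request Authenticator are constructed values; the generation ID 01 is the value shown on the slide.

```python
import hashlib
import hmac
import struct

# RADIUS attribute numbers (RFC 2865 / RFC 2868) and the Cisco vendor-specific values.
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
VENDOR_CISCO = 9
CISCO_AVPAIR = 1            # vendor-type of the "cisco-avpair" VSA
CODE_ACCESS_ACCEPT = 2
SGT_PREFIX = "cts:security-group-tag="


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of a single RADIUS attribute."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def sgt_avpair(sgt: int, generation: int = 1) -> bytes:
    """cisco-avpair 'cts:security-group-tag=<sgt>-<gen>', both fields in hex (e.g. 0001-01)."""
    if not 0 <= sgt <= 0xFFFF or not 0 <= generation <= 0xFF:
        raise ValueError("SGT is 16 bits, generation ID is 8 bits")
    text = f"{SGT_PREFIX}{sgt:04x}-{generation:02x}".encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + vsa)


def _tagged_int(attr_type: int, value: int, tag: int) -> bytes:
    """RFC 2868 tunnel integers: one tag byte followed by a 3-byte big-endian value."""
    return _attr(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def vlan_attrs(vlan: str, tag: int = 1) -> bytes:
    """The three tunnel attributes a switch needs to place the session in a VLAN."""
    return (_tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + _tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode()))


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes,
                        sgt: int, vlan: str) -> bytes:
    """Access-Accept with SGT + VLAN and the Response Authenticator the NAS will verify."""
    attrs = sgt_avpair(sgt) + vlan_attrs(vlan)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 Response Authenticator check: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_authorization(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """What the edge node extracts, after confirming the reply came from its RADIUS server."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    if not is_authentic(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    result = {"code": code, "identifier": identifier, "sgt": None, "generation": None, "vlan": None}
    attrs, pos = packet[20:], 0
    while pos < len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            vendor_type, vendor_len = value[4], value[5]
            text = value[6:4 + vendor_len].decode("ascii", errors="replace")
            if vendor_type == CISCO_AVPAIR and text.startswith(SGT_PREFIX):
                sgt_hex, gen_hex = text[len(SGT_PREFIX):].split("-", 1)
                result["sgt"], result["generation"] = int(sgt_hex, 16), int(gen_hex, 16)
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte in 0x00..0x1F is a tag; anything else is part of the string (RFC 2868 3.6).
            body = value[1:] if value and value[0] <= 0x1F else value
            result["vlan"] = body.decode("ascii", errors="replace")
    return result


if __name__ == "__main__":
    req_auth, secret = bytes(range(16)), b"constructed-shared-secret"   # constructed values
    pkt = build_access_accept(7, req_auth, secret, 0x0001, "10")
    print(parse_authorization(pkt, req_auth, secret))
```

The SGT the edge node installs for the session is whatever this reply says, so the trust boundary is the shared secret between the switch and the third-party server: treat that secret with the same care as the ISE one, and keep the SGT numbers and VLAN names the server hands out in step with the ones Cisco DNA Center provisions, as the slide requires.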
3rd Party NAC
1. The 3rd-party NAC shares active session information with ISE over a pxGrid connection; ISE runs in passive monitoring
2. The 3rd-party NAC shares its endpoint classification
3. ISE applies the SGT & VLAN policy to the session via RADIUS CoA
4. Policy download to the fabric; context is shared over SXP/pxGrid with ASA, FTD and WSA

Zero-Trust: Segment Network Access: Security Policy Across Domains

NGFW FMC/FTD 6.5 Enhancements
• Learns IP/SGT via pxGrid; expanded use-cases; insert FTD anywhere in designs
• Up to 2000 unique SGTs, 64K total user identity entries per FMC
• Flow processing:
  • If the packet is tagged, the tag is honored
  • If the packet is not tagged, pxGrid information is looked up to derive the tag
  • If the packet is not tagged and there is no pxGrid information, no rules with a tag match
* Release 6.5 supports destination SGT and static IP:SGT mappings

NGFW FMC/FTD Expanded Use-Case
• Most SDA deployments require an inter-VN firewall: policy enforcement, AVC, IPS, compliance logging
• Many enterprise customers have to retrofit security later
• Full SGT support enables FTD/ASA for SDA insertion
• Acceptable: source SGT plus destination IP policies
• Optimal: source SGT plus destination SGT policies
• No support for IP space overlap between VNs in SDA today
Figure: the border (B) connects VN1 (VRF1 zone) and VN2 (VRF2 zone) to FMC/FTD with the SGT carried in Ethernet CMD; ISE supplies mappings over pxGrid. ASA is also supported, with CMD + SXP.

Intuitive Networks Built in a Completely Different Way
Maintain that segmentation across multiple domains? Users and devices on the SD-Access campus/branch, across SD-WAN and the cloud edge, to the data center, public cloud, SaaS and the Internet: a consistent experience for any user, any thing.

Multi-site with Native SD-Access Transit
Control plane: LISP end to end across Fabric Site 1, the SDA Transit and Fabric Site 2, with Cisco DNA Center (Automation, Analytics, Policy) and ISE; control plane nodes (C) and border nodes (B) at each site and in the transit.
Data + policy plane: VXLAN-GPO end to end. The VXLAN header carries the SGT (16 bits) and the VNID (24 bits) unchanged across the transit, so both macro and micro segmentation survive between sites.

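Added example (not part of the session material) that serves both the "Segmentation Operation in SD-Access Fabric" slide and the transit slide above: it packs and unpacks the VXLAN-GPO header that carries the VNID (macro segmentation) and the SGT (micro segmentation), then shows the egress lookup an edge node performs with the source SGT from the header and the destination SGT from its local binding. The bit layout follows the VXLAN Group Policy Option draft (draft-smith-vxlan-group-policy); the destination bindings and the policy cells are constructed from the Employee/Contractor matrix on the slide.

```python
import struct

# First 16 bits of the VXLAN-GPO header (draft-smith-vxlan-group-policy):
# |G|R|R|R|I|R|R|R|R|D|R|R|A|R|R|R|   Group Policy ID (16 bits)   |
# |        VXLAN Network Identifier (24 bits)       |  Reserved   |
G_FLAG = 0x8000          # Group Policy ID field is valid (it carries the SGT)
I_FLAG = 0x0800          # VNI field is valid (the plain VXLAN "I" bit)
D_FLAG = 0x0040          # Don't Learn
A_FLAG = 0x0008          # policy Applied: an earlier hop already enforced it
HEADER_LEN = 8
VXLAN_UDP_PORT = 4789


def pack_vxlan_gpo(vnid: int, sgt: int, applied: bool = False) -> bytes:
    """Build the 8-byte header an ingress fabric node prepends after classification."""
    if not 0 <= vnid < (1 << 24):
        raise ValueError("VNID is a 24-bit field")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT is a 16-bit field")
    flags = G_FLAG | I_FLAG | (A_FLAG if applied else 0)
    return struct.pack("!HHI", flags, sgt, vnid << 8)   # low 8 bits of the last word are reserved


def unpack_vxlan_gpo(header: bytes) -> dict:
    """Decode the header; without the G flag the 16-bit field is reserved, not an SGT."""
    if len(header) < HEADER_LEN:
        raise ValueError("short VXLAN header")
    flags, group_policy_id, vni_field = struct.unpack("!HHI", header[:HEADER_LEN])
    if not flags & I_FLAG:
        raise ValueError("I flag clear: VNI field is not valid")
    return {
        "vnid": vni_field >> 8,
        "sgt": group_policy_id if flags & G_FLAG else None,
        "applied": bool(flags & A_FLAG),
    }


# Constructed egress-side state: destination IP -> SGT bindings (as ISE would supply them)
# and the egress cells from the slide's matrix (Employee = 5, Contractor = 10).
DEST_SGT_BINDINGS = {"10.1.100.1": 5, "10.2.200.6": 10}
EGRESS_POLICY = {(5, 5): "permit", (5, 10): "deny", (10, 5): "deny", (10, 10): "permit"}


def egress_enforce(header: bytes, dst_ip: str, policy=EGRESS_POLICY,
                   bindings=DEST_SGT_BINDINGS, default: str = "permit") -> str:
    """Decision at the egress fabric edge: source SGT from the packet, destination SGT from the binding."""
    decoded = unpack_vxlan_gpo(header)
    if decoded["applied"]:
        return "permit"          # policy already applied upstream; do not evaluate twice
    if decoded["sgt"] is None:
        return default           # untagged traffic is treated as unknown SGT
    dst_sgt = bindings.get(dst_ip)
    if dst_sgt is None:
        return default           # no binding for the destination: unknown SGT
    return policy.get((decoded["sgt"], dst_sgt), default)


if __name__ == "__main__":
    hdr = pack_vxlan_gpo(vnid=4099, sgt=5)          # Employee in VN instance 4099
    print(hdr.hex(), unpack_vxlan_gpo(hdr))
    print("Employee -> Contractor:", egress_enforce(hdr, "10.2.200.6"))
```

Two details matter operationally. The SGT only exists for the receiver if the G bit is set, which is why the transit slides distinguish VXLAN-GPO end to end from an IP transit that strips the header; and a header with the A bit set is trusted not to be re-evaluated, so that bit must only be set by devices you trust to have enforced the policy.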
Multi-site with IP-Based WAN Transit
Control plane: LISP within each fabric site, MP-BGP / other across the IP transit (traditional WAN); Cisco DNA Center (Automation, Analytics, Policy) and ISE.
Caveats: SXP from ISE is not orchestrated today; CMD is supported on Cat9k physical interfaces only today.
Data + policy plane: VXLAN-GPO (SGT 16 bits, VNID 24 bits) inside each site. At the border, VRF-Lite over 802.1Q (VLAN ID, 12 bits) hands off to MP-BGP/other (e.g. MPLS labels) across the WAN and back to 802.1Q and VXLAN-GPO at the remote site. The VNID survives by mapping it to a VRF and VLAN at each hop; the 802.1Q/MPLS path carries no SGT, so the SGT is shared between the border nodes over SXP (or CMD inline tagging where supported).

SDA-SDWAN Integration (Future)
Control plane: LISP within each fabric site, OMP across the SD-WAN transit; Cisco DNA Center for management & policy together with vManage.
Border: 1-box border (fabric border and SD-WAN edge on the same device). N.B. There is no current migration from a 2-box to a 1-box border.
Data + policy plane: VXLAN-GPO (SGT 16 bits, VNID 24 bits) in each site; across SD-WAN, IPsec with a CMD header (SGT 16 bits) and MPLS labels / VPN (VNID 24 bits), so both macro and micro segmentation are carried.

SD-Access SGTs Provisioned in ACI
ISE dynamically provisions SGTs and IP mappings (SXP service) into APIC-DC. Scalable Groups from the SD-Access domain appear in ACI as External (outside fabric) EPGs, e.g. EXT-EPG1 and EXT-EPG3.

Details: SDA Scalable Groups Used in ACI Policies
• SDA policy domain: ISE exchanges SGT name "Auditor" with its SGT binding 10.1.10.220.
• ACI policy domain: a contract in ACI references the SGT from ISE (as an EEPG) and programs the ACI border leaf (N9K).
Figure: Auditor (10.1.10.220) reaches PCI (10.1.100.52) through the ACI border leaves and spine (N9K).

ACI EPGs Automatically Propagated into SD-Access
ISE dynamically learns EPGs and VM bindings (e.g. VM1, VM25) from the ACI fabric and shares them to SXP. Internal (inside fabric) EPGs appear as Scalable Groups from APIC in the SD-Access domain.

Detail: ACI Groups Used in the SDA Domain
• ISE retrieves EPG name "PCI EPG" with endpoint 10.1.100.52 from the ACI policy domain.
• Propagated with SXP/pxGrid: Auditor = 10.1.10.220, PCI EPG = 10.1.100.52.
• Policy in the fusion firewall references the EPG from ACI (as an SGT).
Figure: Auditor (10.1.10.220) passes through the fusion firewall to the ACI border leaves and spine (N9K) to reach PCI (10.1.100.52).

Zero Trust: Gain Network Visibility and Analytics
SD-Access Assurance and Analytics

Monitoring as Enforcement is Enabled
• Group-Based Policies reduce SecOps effort, but work differently: ops understanding is needed
• Dynamic security functions are audited differently, but more easily and more accurately
• Some new functions should be monitored: SXP connection traps and syslogs, and possibly group membership logging
• SGACL syslogs, NetFlow events and ASA logging are all useful

Stealthwatch: Network Visibility & Anomaly Detection

Best Practice: Use NetFlow for Visibility
NetFlow provides:
• A trace of every conversation in your network
• The ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurement
• The ability to find north-south as well as east-west communication
• Lightweight visibility compared to SPAN-based traffic analysis
• Indications of Compromise (IOC)

Example flow record for 10.1.8.3 reaching 172.168.134.2 on the Internet, exported to Stealthwatch, which enriches it with ISE context over pxGrid:
SOURCE ADDRESS              10.1.8.3
DESTINATION ADDRESS         172.168.134.2
SOURCE PORT                 47321
DESTINATION PORT            443
INTERFACE                   Gi0/0/0
IP TOS                      0x00
IP PROTOCOL                 6
NEXT HOP                    172.168.25.1
TCP FLAGS                   0x1A
CTS SOURCE GROUP TAG        100
CTS DESTINATION GROUP TAG   50
APPLICATION NAME            NBAR SECURE-HTTP

Policy Traffic Monitoring in Stealthwatch
Who, what, where and when for every flow, plus more context: the Security Group.
• Highly scalable (enterprise class) collection
• High compression => long-term storage
• Months of data retention

Model Policy in Stealthwatch
Generate a security event when a flow condition based on the SGT value is seen.

Use Case: Rapid Threat Containment
Stealthwatch detects a flow anomaly from Mary's device (Finance SGT, Corporate VN) towards the business app / data storage and the Internet, and ISE responds:
• Assign an SGT for quarantine or additional inspection, using behaviour modelling
• Invoke different segmentation, firewall and IPS policies
Mary is moved to the Quarantine SGT; Joe (Employee SGT) on the same Corporate VN is unaffected.

Zero Trust: Gain Network Visibility and Analytics: Group-Based Policy Analytics

Group-Based Policy Analytics: Discovery (EFT)
Pipeline: Policy Discovery -> Policy Modeling -> Policy Enforcement.
Discovery inputs: endpoint activity, ISE profiles, identity & SGTs, Stealthwatch host groups, MAC/IP addresses.
Output: a group-to-group view of observed services, e.g. Cameras talking to Employees over streaming, SSH and web, and Employees talking to Guests, with unrecognised services flagged with "?" and alerts raised.

Group-Based Policy Analytics: Modeling (Future)
Policy modeling with traffic patterns:
• Unearth critical access that must be allowed / denied (e.g. Cameras: RTP, Syslog, WWW, Any)
• Observe and fine-tune for days/weeks
• No policy on the network, yet

Group-Based Policy Analytics: Authoring (Future)
Group-based policies for segmentation: the modeled policy (e.g. Cameras: RTP, Syslog, WWW, Any) is activated and made available for download to the enforcement points. Until it is activated there is still no policy on the network.

Use-Case Examples and Best Practices
Typical Policy Starting Points / Use-Cases
Start small: select one use-case, prove value & provide operational understanding.

Use-case example                           Value or operational understanding
Reducing IP access list complexity         Reduce errors & human resource impact
Reducing and simplifying firewall rules    Reduce errors & human resource impact
Segregating user groups                    Reduce lateral movement
Segregating IoT devices                    Protecting vulnerable systems
Reducing compliance scope                  PCI, HIPAA
Control access to crown jewels             IP protection, export controls, Prod / Dev segregation, etc.

Approaching a Segmentation Design
1. Discuss the assets to protect (e.g. cardholder data, medical records, intellectual property). Knowing the assets helps to determine the classification methods, and how and where to classify.
2. Classification mechanisms (e.g. dynamic, IP-SGT, VLAN-SGT, SUBNET-SGT).
3. Policy enforcement points (e.g. DC virtual/physical switches or firewalls; user-to-DC access control; user-to-user access or distribution). Your environment and goals determine the enforcement options and locations for the use case.
4. Propagation methods (inline tagging, VXLAN, SXP, DM-VPN, GET-VPN, IPsec, OTP, etc.). Knowledge of the classification and enforcement device options leads to the propagation methods to use.

Segmentation Deployment Workflow
1) Discover and classify assets: profile with ISE, discover flows with NetFlow/Stealthwatch
2) Understand behavior: applications, services, network protocols, time of day, etc.
3) Deploy and model policy: based on Scalable Group classification and propagation, in monitor mode
4) Enforce policy: create SGT-based policies; enable timely enforcement in switches, WLAN, firewalls, routers, web security appliances, etc.
5) Active monitoring: monitor SGT policy violations and events with Stealthwatch, SIEM tools, etc.

Design Best Practices
• Start with the desired goals in mind (protect critical assets, reduce malware propagation, ...)
• Solving problems where OpEx is high can give the maximum ROI (measure OpEx etc. first)
• Many use-cases can be localized (prove value & give operational understanding)
• Define the asset groups needed to meet the policy
• Unlike traditional segmentation/access control, adding groups later should be easy
• Keep groups as simple as possible whilst still meeting policy requirements
• It should not be necessary to transfer complexity, e.g. extensive AD groups, into Security/Scalable Groups
• Consider whether all roles need a tag assigned
• Some new monitoring functions may be needed (e.g. SXP outside the fabric), but the effort for moves, adds and changes is dramatically reduced

Typical Deployment Approach
• Authc monitor mode (open auth) allows SGT assignment & traffic regardless of the authentication result:
  interface xx
   source template DefaultWiredDot1xOpenAuth
• Classified traffic traverses the network, allowing monitoring and validation
• Initially use SGACLs with permit and logging, then move to deny with logging enabled (remove log later if not required). SGACL Monitor Mode is also available
• Enforcement may be enabled gradually per matrix 'cell'
• Keep the default policy as permit and allow traffic with 'unknown SGT' during deployment

Example matrix (PCI Server, HR Records and Development Server behind the border; PCI User in authc monitor mode):
SRC \ DST         PCI User (10)                  Dev Server (222)
Dev User (8)      permit ip                      permit ip
PCI User (10)     permit ip log, later deny ip   permit ip
Guests (100)      permit ip log, later deny ip   permit ip

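Added example (not from the session) serving both the "Model Policy in Stealthwatch" slide and this deployment approach. It takes NetFlow-style records carrying the CTS source and destination group tags, evaluates each against the intended matrix above with every cell marked as either monitor ("permit ip log" installed, traffic still flows) or enforce, raises a security event for flows that contradict the intent or carry an unknown SGT, and reports per monitored cell how many observed flows would break before that cell is flipped to enforcement. The flow records, the cell modes and the group names are constructed from the slide's matrix.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

UNKNOWN_SGT = 0   # unclassified / untagged traffic carries SGT 0


@dataclass(frozen=True)
class Cell:
    action: str   # what the SGACL does once enforced: "permit" or "deny"
    mode: str     # "monitor": installed as 'permit ip log' only; "enforce": really applied


# Intended matrix from the deployment slide (source SGT -> destination SGT).
# Constructed names: Dev User 8, PCI User 10, Guests 100, Dev Server 222.
POLICY: Dict[Tuple[int, int], Cell] = {
    (8, 10): Cell("permit", "enforce"),
    (8, 222): Cell("permit", "enforce"),
    (10, 10): Cell("deny", "monitor"),    # permit ip log today, deny ip later
    (10, 222): Cell("permit", "enforce"),
    (100, 10): Cell("deny", "monitor"),   # permit ip log today, deny ip later
    (100, 222): Cell("permit", "enforce"),
}
DEFAULT = Cell("permit", "enforce")       # default policy stays permit during deployment


@dataclass(frozen=True)
class FlowRecord:
    src_ip: str
    dst_ip: str
    src_sgt: int    # CTS SOURCE GROUP TAG
    dst_sgt: int    # CTS DESTINATION GROUP TAG
    protocol: int
    dst_port: int
    octets: int


# Constructed NetFlow-style records, one per line as an exporter would send them.
SAMPLE_FLOWS = [
    FlowRecord("10.1.8.3", "10.1.100.52", 8, 222, 6, 22, 5120),     # Dev User -> Dev Server
    FlowRecord("10.1.9.7", "10.1.100.52", 10, 222, 6, 443, 900),    # PCI User -> Dev Server
    FlowRecord("10.1.9.7", "10.1.9.8", 10, 10, 6, 445, 70000),      # PCI User -> PCI User
    FlowRecord("10.1.50.2", "10.1.9.8", 100, 10, 6, 3389, 1200),    # Guest -> PCI User
    FlowRecord("10.1.60.9", "10.1.9.8", 0, 10, 17, 53, 80),         # unknown SGT -> PCI User
]


def evaluate(flow: FlowRecord, policy=POLICY, default: Cell = DEFAULT) -> str:
    """Outcome of one flow under the policy as currently installed."""
    if UNKNOWN_SGT in (flow.src_sgt, flow.dst_sgt):
        return "unknown-sgt"                 # permitted today, but it escapes the matrix entirely
    cell = policy.get((flow.src_sgt, flow.dst_sgt), default)
    if cell.action == "deny":
        return "dropped" if cell.mode == "enforce" else "would-drop"
    return "permitted"


def security_events(flows: Iterable[FlowRecord], policy=POLICY, default: Cell = DEFAULT) -> List[dict]:
    """Stealthwatch-style custom events: flows that contradict the intended matrix or are unclassified."""
    events = []
    for flow in flows:
        outcome = evaluate(flow, policy, default)
        if outcome != "permitted":
            events.append({"src": flow.src_ip, "dst": flow.dst_ip, "cell": (flow.src_sgt, flow.dst_sgt),
                           "dst_port": flow.dst_port, "outcome": outcome})
    return events


def enforcement_readiness(flows: Iterable[FlowRecord], policy=POLICY) -> Dict[Tuple[int, int], int]:
    """Per cell still in monitor mode: how many observed flows will break when it is flipped to enforce."""
    pending = {cell: 0 for cell, spec in policy.items() if spec.mode == "monitor"}
    for flow in flows:
        key = (flow.src_sgt, flow.dst_sgt)
        if key in pending and evaluate(flow, policy) == "would-drop":
            pending[key] += 1
    return pending


def enable_enforcement(policy: Dict[Tuple[int, int], Cell], cell: Tuple[int, int]) -> Dict[Tuple[int, int], Cell]:
    """Flip one matrix cell from 'permit ip log' to enforced, leaving every other cell untouched."""
    updated = dict(policy)
    updated[cell] = Cell(policy[cell].action, "enforce")
    return updated


if __name__ == "__main__":
    for event in security_events(SAMPLE_FLOWS):
        print(event)
    print("flows that break per monitored cell:", enforcement_readiness(SAMPLE_FLOWS))
    after = enable_enforcement(POLICY, (10, 10))
    print("after enforcing (10,10):", enforcement_readiness(SAMPLE_FLOWS, after))
```

The readiness count is the number a change ticket should carry: a monitored cell whose count stays at zero for the observation window is safe to flip, and a non-zero count lists exactly the flows (here a PCI-to-PCI SMB session and a guest RDP attempt) that must be re-classified or accepted as casualties before "deny ip" replaces "permit ip log". The unknown-SGT event is the reminder that the permissive default is a deployment-time allowance, not the end state.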
Conclusions
Cisco can help you secure the workplace in a dynamic software-defined world.
• Achieved by embracing zero-trust methodologies:
  o Eliminating network trust by deploying the SD-Access solution, offering automation, dynamic security policy and assurance
  o Embedding software-defined network segmentation: macro and micro segmentation
  o Providing network visibility and analytics: Cisco DNA Center Assurance, Group-Based Policy Analytics and Stealthwatch

Additional Resources
Group-Based Access Control in Cisco DNA Center 1.3.1: https://salesconnect.cisco.com/open.html?c=cbf45a8f-aac7-4f01-b3a7-7d134f0b339e
How to use Group-Based Policies with a 3rd-party RADIUS server and Cisco DNA Center 1.3.1: https://community.cisco.com/t5/networking-documents/how-to-use-group-based-policies-with-3rd-party-radius-using/ta-p/3930041
SD-Access: http://cs.co/sda-resources, http://cs.co/sda-community, http://cs.co/sda-youtube
ISE (Identity Services Engine): http://cs.co/ise-resources, http://cs.co/ise-community, http://cs.co/ise-videos
Cisco DNA Center: http://cs.co/dnac-resources, http://cs.co/dnac-youtube, http://cs.co/dnac-community

Cisco Live sessions are available for viewing on demand after the event at ciscolive.com (Cisco Live EMEA 2020, ciscolive.com/emea).

Thank you