Deploying TrustSec - Security Group Tags in the Data Center
BRKSEC-3691
Shaun White - @trustsecshaun
Technical Solutions Architect
© 2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-3691 Cisco Public
Agenda
• Security Group Tag (SGT) Review
• Use Case Review
• DC Design Consideration and Implementation
  – Design Considerations
  – Configuration
  – Monitoring
  – DC Orchestration
• Summary
Policy: Who, What, Where, When, and How?
SGT Review

Network Access Workflow (figure): an endpoint connects at HQ at 2:38 p.m. and Cisco ISE (Unified Access Management) walks it through six steps:
1. IEEE 802.1X EAP user authentication
2. Profiling to identify the device (identity profiling sources: DHCP, RADIUS, SNMP, NetFlow, HTTP, DNS; Wireless LAN Controller)
3. Posture of the device
4. Policy decision
5. Enforce policy in the network
6. Full or partial access granted: a company asset gets corporate resources, a personal asset gets Internet only
Policy-governed unified access.
Data Center Segmentation with TrustSec
SGT Review

(figure) Campus/branch access layer with Voice, PCI and Non-PCI endpoints; enterprise core; Data Center firewall; Data Center with servers tagged PCI, NonPCI, LOB1 and LOB2.

• Current designs require a separate topology for each zone/classification
• Regardless of topology or location, policy (SGT) stays with users, devices, and servers
• TrustSec simplifies policy management for intra/inter-VLAN traffic

Egress policy matrix (source SGT down, destination DGT across):

  SGT/DGT*   PCI      NonPCI   LOB1     LOB2
  PCI        Permit   DENY     Permit   DENY
  NonPCI     DENY     Permit   DENY     Permit
  LOB1       Permit   DENY     Permit   DENY
  LOB2       DENY     Permit   DENY     Permit

* SGT is sometimes referred to as “Source Group Tag” as well
* DGT stands for “Destination Group Tag”
“State” – Traditional Role Based Access vs. Desired End State
SGT Review

(figure) Two views of the “Complexity Cube”, whose axes are operator, network management and physical network: the first shows traditional role-based access, the second the desired end state.
High OPEX Security Policy Maintenance
SGT Review

Traditional ACL/FW rule: source and destination are IP objects.
  Sources: NY, SF, LA, … SJC
  Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI) (production servers)
  Subnets in the figure: 10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24

ACL for 3 source objects & 3 destination objects:
  permit NY to SRV1 for HTTPS
  deny NY to SAP2 for SQL
  deny NY to SCM2 for SSH
  permit SF to SRV1 for HTTPS
  deny SF to SAP1 for SQL
  deny SF to SCM2 for SSH
  permit LA to SRV1 for HTTPS
  deny LA to SAP1 for SQL
  deny LA to SAP for SSH

Adding a source object (SJC) and a destination object (VDI) adds another block of rules:
  permit SJC to SRV1 for HTTPS
  deny SJC to SAP1 for SQL
  deny SJC to SCM2 for SSH
  permit NY to VDI for RDP
  deny SF to VDI for RDP
  deny LA to VDI for RDP
  deny SJC to VDI for RDP

• A global bank currently dedicates 24 global resources to managing firewall rules
• Complex task, and the high OPEX continues
Reduced OPEX in Policy Maintenance
SGT Review

Security group filtering: the same sites (NY, SF, LA, SJC) and servers (DC-MTV SRV1/SAP1, DC-RTP SCM2/VDI) expressed as groups.
  Source SGTs: Employee (10), BYOD (200)
  Destination SGTs: Production_Servers (50), VDI (201)

  Permit Employee to Production_Servers eq HTTPS
  Permit Employee to Production_Servers eq SQL
  Permit Employee to Production_Servers eq SSH
  Permit Employee to VDI eq RDP
  Deny BYOD to Production_Servers
  Deny BYOD to VDI eq RDP

• Policy stays with users / servers regardless of location or topology
• Simpler auditing process (low OPEX cost)
• Simpler security operation (resource optimization); e.g. the bank now estimates 6 global resources
• Clear ROI in OPEX
SGT Architecture Components
SGT Review

Policy management: Identity Services Engine (ISE)

Classification (WLAN, LAN, Remote Access (roadmap)):
  Catalyst 2K, Catalyst 3K, Catalyst 4K, Catalyst 6K, Nexus 7000, Nexus 6000, Nexus 5500, Nexus 1000v, WLC (7.4), 5760

Propagation:
  N7K (SXP/Inline)
  N6K (SXP Speaker/Inline)
  N5K (SXP Speaker/Inline)
  N1Kv (SXP Speaker/Inline (beta))
  ASR1K (SXP/Inline)
  ISR G2 (SXP/Inline)
  ASA (SXP/Inline (beta))
  Cat 2K-S (SXP)
  Cat 3K (SXP)
  Cat 3K-X (SXP/Inline)
  Cat 4K Sup7 (SXP/Inline)
  Cat 6K Sup720 (SXP)
  Cat 6K Sup2T (SXP/Inline)

Enforcement:
  N7K / N6K / N5K / N1KV (SGACL)
  Cat6K / 4K (SGACL)
  Cat3K-X / 3850 (SGACL)
  ASA (SGFW)
  ASR1K / ISRG2 (SGFW)
TrustSec Classification Functions
SGT Review

(figure) Where SGTs are assigned, by domain:
• User/Device/Location (Cisco access layer, ISE): 802.1X, MAB, Web Auth, Profiling → SGT
• Data Center / Virtualization (NX-OS, orchestration, hypervisors): VLAN-SGT, IP-SGT, Port Profile, Port-SGT
• IOS/Routing (campus and VPN access, non-Cisco and legacy environments, business partner and supplier access controls): IPv4 Prefix Learning, IPv6 Prefix Learning, IPv6 Prefix-SGT, IPv4 Subnet-SGT, Addr.Pool-SGT (VPN), VLAN-SGT
SGT Classification
SGT Review

Classification is the process of mapping an SGT to an IP address.

Dynamic classification (common classification for mobile devices):
• 802.1X/VPN Authentication
• MAC Auth Bypass
• Web Authentication

Static classification (common classification for servers, topology-based policy, etc.):
• IP Address
• VLANs
• Subnets
• L2 Interface
• L3 Interface
• Virtual Port Profile
• Layer 2 Port Lookup
• Prefix learned via routing on port
SGT Propagation Mechanism
SGT Review

(figure) Wired/wireless access → campus core → enterprise backbone → DC core → DC firewall → DC distribution → DC physical/virtual access (physical servers, VM servers, a PCI VM server). A host 10.1.100.98 classified as SGT 50 sends an L2 Ethernet frame; SGT-capable ASICs carry SGT=50 inline (optionally encrypted) hop by hop, while a non-SGT-capable device in the path learns the binding over SXP.

  SXP IP-SGT binding table
  IP Address     SGT   SRC
  10.1.100.98    50    Local   (on the classifying switch)
  10.1.100.98    50    SXP     (on the SXP listener)

• Inline tagging (data plane): if the device supports SGT in its ASIC
• SXP (control plane): shared between devices that do not have SGT-capable hardware
• Tag when you can! SXP when you have to!
SGT Exchange Protocol
SGT Review
• Control plane protocol that conveys the IP-SGT map of users/hosts to the enforcement point
• SXP uses TCP as the transport layer
• Eases and accelerates deployment of TrustSec
• Supports single-hop SXP and multi-hop SXP (aggregation)
• Two roles: Speaker (initiator) and Listener (receiver)
(figure) Access switches (speakers) → aggregating switch → router (listener), each hop an SXP session.
SXP Versions
SGT Review
• Version 1: the initial SXP version; supports IPv4 binding propagation (N7K, N6K, N5K, N1KV – as of June 2014)
  • This limits the NX-OS platforms to sharing unidirectionally, i.e. from access to aggregation/firewalls
  • Design impact shown later
• Version 2: adds support for IPv6 binding propagation and version negotiation (older switch and router IOS, ASA, WLC – prior to March 2013)
• Version 3: adds support for Subnet/SGT binding propagation and expansion (6K only). When speaking to a lower-version listener, the speaker expands the subnet into host bindings
• Version 4: loop detection and prevention, capability exchange, built-in keepalive mechanism (newer switch and router IOS – after March 2013)
  • Allows for bidirectional IP/SGT sharing
  • Allows for more flexible designs
SXP Informational Draft
SGT Review
• SXP is now published as an Informational Draft to the IETF, based on customer requests
• The draft is called ‘Source-Group Tag eXchange Protocol’ because of likely uses beyond security
• Specifies SXP v4 functionality with backwards compatibility to SXP v2 and v3
• http://www.ietf.org/id/draft-smith-kandula-sxp-00.txt
Inline Security Group Tagging
SGT Review
• Fastest and most scalable way to propagate SGT within the LAN or Data Center
• SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame
• Capable switches understand and process the SGT at line rate
• Protected by enabling MACsec (IEEE 802.1AE) – optional for capable hardware
• No impact to QoS or IP MTU/fragmentation
• L2 frame impact: ~20 bytes
• 16-bit field gives ~64,000 tag space
• A non-capable device might drop the frame: L3 processing will result in an improper offset lookup for the IP header; L2-only forwarding may work

Frame layouts (figure):
  Ethernet frame: Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC
  CMD (EtherType 0x8909): CMD EtherType | Version | Length | SGT Option Type | SGT Value | Other CMD Option
  MACsec frame: Destination MAC | Source MAC | 802.1AE Header (EtherType 0x88E5) | 802.1Q | CMD | ETHTYPE | PAYLOAD | 802.1AE trailer | CRC, with AES-GCM 128-bit encryption covering everything after the 802.1AE header
SGT Link Authentication and Authorization
SGT Review

  Mode                           MACsec   MACsec PMK   MACsec PTK   Encryption cipher selection (no-encap, null, GCM, GMAC)   Trust/propagation policy for tags
  cts dot1x                      Y        Dynamic      Dynamic      Negotiated                                                Dynamic from ISE / configured
  cts manual – with encryption   Y        Static       Dynamic      Static                                                    Static
  cts manual – no encryption     N        N/A          N/A          N/A                                                       Static

(PMK = MACsec Pairwise Master Key, PTK = MACsec Pairwise Transient Key)

• CTS manual is the strongly recommended configuration for SGT propagation
• “cts dot1x” takes the link down when AAA is down: tight coupling of link state and AAA state
• Some platforms (ISRG2, ASR1K, N6K, N5K, N1KV, ASA) only support cts manual / no encryption
SAP – The Key Derivation
SGT Review
(figure only)
Enforcement - Ease of Data Center Provisioning
SGT Review

Manual: a new workload is provisioned, and the firewalls must be manually updated with the new IP address and permissions.
Automated: the workload is provisioned with a security group attribute; TrustSec policies are applied to switches and firewalls, and the firewall applies the correct security policy based on security group membership.
End to End SGT/SGACL Enforcement
SGT Review

(figure) Cat3750X and WLC5508 at the access edge, enterprise backbone, N2248 FEX, Cat6500/Sup2T, Nexus 7000 and N5600 in the DC with CRM and PCI servers.

1. The end user at 10.1.10.220 is authenticated and classified as Employee (5)
2. Destination classification: CRM = SGT 20, PCI = SGT 30
3. The frame carries SRC 10.1.10.220 / SGT 5 toward DST 10.1.100.52 (CRM, SGT 20) or DST 10.1.200.100 (PCI, SGT 30)
4. At the egress switch a FIB lookup on the destination MAC/port yields the DGT (20), and the SGACL in the (5, 20) cell is applied

  SRC \ DST       CRM (20)   PCI (30)
  Employee (5)    SGACL-A    Deny
  BYOD (7)        Deny       Deny
Egress Policy Enforcement – TCAM scaling
SGT Review

(figure) Sources with SGT=3, SGT=4 and SGT=5 cross the enterprise backbone to a Web_Server (SGT=7) and a Time_Stamp_Server (SGT=10), each behind a switch performing SGACL enforcement.

Network devices download policies
• “only” when they have a device connected
• “only” for connected systems
• Egress filtering and dynamic download scale the TCAM of switches
Common SGT Use Cases
Use Cases
(figure) Resource access control, Secure Wi-Fi, and Data Center server segmentation (SGT10/SGT20/SGT30/SGT40 across networks NW1 to NW5, wired and wireless users, VMs and physical servers). This session focuses on Data Center server segmentation.
PCI Compliance: Use Case applicable to most compliance requirements
Use Cases
(figure) Register workstation in the branch → WAN → Data Center network → PCI server; non-PCI servers share the same DC. Key: segmentation across the company, PCI scope, segmentation enforcement.
PCI Compliance
Use Cases
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/trustsec_pci_validation.pdf
Security Group Firewall (SGFW) – ASA Data Center
Use Cases

(figure) Campus/branch network → Data Center. Security group tags are assigned based on attributes (user, location, posture, access type, device type); the binding 10.1.10.1 = Marketing (10) reaches the ASA via SXP. Enforcement on a firewall uses SGFW with ASDM/CSM policies; enforcement on a switch uses SGACL with ISE policies. SGT names are downloaded to the ASA (e.g. SGT 10 = PCI_User, SGT 100 = PCI_Svr).

• Design considerations
  • Consistent classification/enforcement between FW and switching
  • SGT names sync’d between ISE and CSM/ASDM
  • Rich logging requirements will be fulfilled on the SGFW – URL logging, etc.
  • Switch logging is best effort via syslog (N7K/N5K) or NetFlow (Cat6K Sup2T)
  • Lower OpEx – automation of firewall rules for users “and” servers
Financial
Use Cases
• Multiple phases and use-cases
• Currently enforcement on Catalyst switches
• User devices classified by 802.1X or MAB
• Servers defined by IP address or Nexus 1KV port profile
• Use-cases
  • Controlled access to DC applications – for compliance
  • User – User control
  • DC segmentation
Manufacturer
Use Cases
Large Manufacturing Company deploying Secure Wi-Fi
• ACL needs to scale beyond the 64-line ACL limit on the WLC (>1,500 lines)
• SGT solution within the C6K chassis: WiSM2 aggregates AP traffic, policy enforcement on the Sup2T based on SGT
• Destination SGT values defined by IP and subnet
• Reduced IOS static ACL management using the egress matrix – e.g. about 500 lines of ACL allowing HTTPS is now a single line of SGACL:
    permit tcp dst eq 443

(figure) Large campus wireless deployment: branch office access points → CAPWAP tunnel → Cat6500 VSS system (Sup2T + WiSM2) → Data Center / Internet; SXP between the Campus C and Campus D VSS pairs; ISE.
  Source classification: non-compliant mobile device = SGT 2 (Limited Access); compliant corporate asset = SGT 3 (Full Access)
  Destination classification: 10.y.y.0/24 = SGT 6; 10.x.x.0/24 = SGT 7; 192.168.32.0/24 = SGT 10; 10.z.z.0/24 = SGT 22; corporate network 10.0.0.0/8 = SGT 100
ASA VPN TrustSec Use Case: SGT Classification for VPN Remote Access Session
Use Cases
ASA (v9.2.1) and ISE 1.2 (Patch 5) required
Why TrustSec?
• Policy based on the remote access user’s connection context
• Enables consolidated policy for wired, wireless, and VPN RAS
• Simplifies VPN RAS design and helps to scale as the business grows
• Simplifies VPN contractor (or employee) to DC access policy
• Provides relatively simple deployment with security-focused products
• Provides local (ASA RAS) or distributed enforcement (ASA in DC, DC switches, campus switches or routers)
Remote Access Today
Use Cases
(figure) Wired and wireless users sit in Policy Domain 1 (ISE, AD, LDAP); SSL-VPN users terminating on the ASA sit in Policy Domain 2. Access policies are separated, and policies are mapped to topology: Partner A / B / C land in Pool A (192.168.1.0/24), Pool B (192.168.2.0/24) and Pool C (192.168.3.0/24) on RAS1/RAS2, and ingress filtering is applied everywhere (DC1, DC2, NW1, NW2).
VPN User to DC Access
Use Cases
(figure) RAS-US and RAS-EMEA SSL-VPN head-ends on the Internet edge assign Employee, PCI-User and Supplier-B tags to users from Pool-A / Pool-B; campus core → Data Center firewall → Data Center with Employee apps, Supplier apps and PCI apps.
• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers
• TrustSec simplifies VPN address / filtering management

  Source                  Destination             Service   Action
  IP    Sec Group         IP    Sec Group
  Any   Employee          Any   Supplier          HTTP      Allow
  Any   PCI-User          Any   PCI Apps          HTTPS     Allow
  Any   Supplier-B        Any   PCI Apps          TCP       Deny
  Any   Any               Any   Any               Any       Deny
Multi-Tenant Data Center – Inside out classification
Use Cases
(figure) “Yellow” BU and “Blue” BU branch offices and their 3rd-party suppliers reach the Data Center over the BU WANs and a core (transit) network. The DC hosts shared apps and BU-specific apps.
• DC has both shared apps and BU-specific apps
• DC router: tag “Yellow” apps with “Yellow”, tag “Shared” apps with “Purple”
• “Blue” BU classification: allow “Blue” & “Purple”
• “Yellow” BU classification: allow “Yellow” & “Purple”
• BU routers accept their own SGT and the shared application SGT values
Multi-Tenant Data Center – Inside out classification (BU-level classifications)
Use Cases
(figure, same topology as the previous slide)
• DC router: tag “Yellow” apps with “Yellow”, tag “Shared” apps with “Purple”
• “Yellow” BU router: allow “Yellow” & “Purple”
• “Blue” BU router: allow “Blue” & “Purple”
• Shared and BU-specific apps flow properly; standard SGACLs simplify the base policy
TrustSec Platform Support
Use Cases

Classification:
  Catalyst 2960-S/-C/-Plus/-X/-XR
  Catalyst 3560-E/-C/-X
  Catalyst 3750-E/-X
  Catalyst 4500E (Sup6E/7L-E)
  Catalyst 4500E (Sup8E)
  Catalyst 6500E (Sup720/2T), 6880X
  Catalyst 3850, 3650
  WLC 5760
  Wireless LAN Controller 2500/5500/WiSM2
  Nexus 7000
  Nexus 5500
  Nexus 1000v (Port Profile)
  ISR G2 Router, CGR2000
  ASA5500X, ASAv (VPN RAS)

Propagation (SXP, plus inline SGT where the platform supports it; see the SGT Architecture Components slide for per-platform modes):
  Catalyst 2960-S/-C/-Plus/-X/-XR
  Catalyst 3560-E/-C, 3750-E
  Catalyst 3560-X, 3750-X
  Catalyst 3650, 3850
  Catalyst 4500E (Sup6E)
  Catalyst 4500E (Sup 7E)***, 4500X
  Catalyst 4500 (Sup8E)***
  Catalyst 6500E (Sup720)
  Catalyst 6500E (Sup 2T)**** / 6880X
  WLC 2500, 5500, WiSM2**
  WLC 5760
  Nexus 1000v (inline SGT beta)
  Nexus 5500/22xx FEX**
  Nexus 7000/22xx FEX
  ISRG2, CGR2000 (GETVPN, IPsec)
  ASR1000 (GETVPN, IPsec)
  ASA5500(X) Firewall, ASASM (inline SGT beta)
  IE2000/3000, CGS2000
  • All ISRG2 inline SGT (except C800): today
  • ISRG2/ASR1K: DMVPN, FlexVPN: Q3CY14

Enforcement:
  SGACL: Catalyst 3560-X, 3750-X; Catalyst 4500E (Sup7E), 4500E (Sup8E); Catalyst 6500E (Sup2T) / 6880X; Catalyst 3850, 3650; WLC 5760; Nexus 7000; Nexus 5500/5600; Nexus 1000v; Nexus 6000 (Q3CY14)
  SGFW: ISR G2 Router, CGR2000; ASR 1000 Router; ASA 5500/5500X Firewall; ASAv (beta)

** WLC 2500, 5500, WiSM2 and Nexus 5K only support the SXP Speaker role
*** 4500E (Sup7E/8E) requires 47XX line cards for inline SGT
**** 6500 (Sup2T) requires 69xx line cards for inline SGT
Design Consideration
SGT Transport 2014 (figure): reference topology in which every block is SGT-capable.
• Campus Access Block: Cat4500 (x3), Cat3750-X, Cat3850, Cat3560-X (x2), 5508 WLCs and APs, 5760 WLC; the 5508 WLCs speak SXPv2
• Core Block: Cat6500/Sup2T pairs, ISE 1.2
• Internet Edge Block: ASA RA-VPN (SSL-VPN RAS), ASR1K, ASA+IPS+CX, ASAv, CSR1KV, DMZ switch, outside switch, Web Security Appliance, Internet
• DC Block: N7K (x2), N5K (x2), N2248/N2K, Nexus 6000, N1KV, UCS VDI infrastructure, ASA pair, ASR1K
• Branch Block: ISR G2 routers and C800 (CVO), reaching the core over IPsec, DM-VPN and GET-VPN
Legend: normal link, in-line SGT tagging, SXP.
Design Consideration
SGT Enforcement Q3 2014 (figure): the same topology (Campus Access, Core, Internet Edge, DC and Branch blocks; the DC block now shows an N6K beside the N5K) marked with where enforcement lands: SGACL on the Catalyst and Nexus switches and the WLCs, ZBSGFW (zone-based security group firewall) on the IOS routers (ISR G2, ASR1K), SGFW on the ASAs.
Legend: normal link, in-line SGT tagging.
Customer End State in the Data Center
Design Considerations
(figure) PCI users and LOB2 users in the branch/campus, plus PCI_RAS users and LOB2 business partners at the business partner/VPN edge, reach the core network; ISE distributes policy; SXP carries bindings into the DC, which is split into Risk Level 1 and Risk Level 2 zones with servers grouped as PCI_Web, PCI_App, PCI_DB and LOB2_DB.
Hardware Forwarding SGT/SGACL Today
Design Considerations
• Two groupings of hardware forwarding for SGACL
  – Port/VLAN based: Catalyst 3K-X, Nexus 5500
  – IP/SGT based: Nexus 7000 (M series and F series), Nexus 6000/5600, Cat 6K/Sup2T, Cat 4K/Sup7E/Sup8E, Cat 3850/5760, ASR1K
• Each type of hardware has different scaling limits
  – There are limits on the number of SGT/DGT cells as well as on Access Control Entries (ACEs) in TCAM
  – All hardware shares ACE entries when possible amongst SGT/DGT cells
• Each type of hardware has different logging and monitoring capabilities
  – Counters
  – ACE logging
  – NetFlow with SGT/DGT
Nexus 5500 SGT and DGT Derivation
Design Considerations
• Ingress path (SGT derivation): the SGT comes from the VLAN table, from the packet (inline tag), or from static config. Ingress tagging is done only if CTS is enforced on the VLAN.
• Egress path (DGT derivation and SGACL): the FIB egress lookup yields the port; each port has one DGT associated with it (which is also used as the SGT on ingress); the SGT/DGT cell selects the SGACL.
N7K M series SGT and DGT Derivation
Design Considerations
• Ingress path (SGT derivation): L3/FIB table lookup on the source, from the packet (inline tag), or ingress-port-based static config.
• Egress path (DGT derivation and SGACL): L3/FIB table lookup on the destination prefix; each prefix has an associated DGT; the SGT/DGT cell selects the SGACL.
• A number of SGT (DGT) assignment sources, e.g. SXP, VLAN-SGT, are evaluated by the TrustSec software against a priority list; the winning result is programmed into the L3/FIB table (priority control between sources).
N7K F series SGT and DGT Derivation
Design Considerations
• Ingress path (SGT derivation): IP/SGT CAM table lookup on the source, from the packet (inline tag), or ingress-port-based static config.
• Egress path (DGT derivation and SGACL): IP/SGT CAM table lookup on the destination prefix; each prefix has an associated DGT; the SGT/DGT cell selects the SGACL.
• A number of SGT (DGT) assignment sources, e.g. SXP, VLAN-SGT, are evaluated by the TrustSec software against a priority list; the winning result is programmed into the IP/SGT CAM table (priority control between sources).
Implications of Hardware Forwarding Capabilities
Design Considerations
• Port/VLAN-based hardware
  • Limited SXP applicability, because the SGT is derived from MAC/port
  • Limited number of SGTs per port (one per VLAN/port)
• IP/SGT-based hardware
  • Allows for bidirectional SXP. “However”, the NX-OS SXP code is v1, so it can’t support this in software until it is upgraded to SXPv4 (roadmap item)
  • Allows for multi-hop SXP coming into the switch, because of the FIB lookup for IP/SGT
  • Tagging/enforcement for incoming packets, because of the FIB lookup for IP/SGT
  • Scale varies per platform. Think hundreds of groups with simple, reused permissions (ACEs)
• N5K is limited since it can’t learn SGTs via SXP
  • No N5K SXP listener, even for L2-adjacent hosts
  • N5K can’t be a listener for an N1KV
• N6K ASIC is capable of acting as an SXP listener, but this is not supported in current code
• N1KV is software forwarding, “but” it relies on NX-OS platform-independent code from the N7K, so it can only be a speaker in current code
Business Partner and VPN Edge – Design Considerations
Design Considerations
• Is this really Data Center related? In Cisco’s experience these connections “typically” are a block on the edge of the DC
• It is also the most common place Cisco is asked for the ability to classify based on the routes or the interface of a business partner/contractor/joint venture, etc.
• This has driven the need to be able to classify on routing aggregators and VPN devices
Layer 3 Interface to SGT – L3IF
Design Considerations
• Route prefix monitoring on a specific Layer 3 port, with the learned prefixes mapped to the associated SGT
• Can be applied to Layer 3 interfaces regardless of the underlying physical interface:
  – Routed port, SVI (VLAN interface), Layer 3 subinterface of a Layer 2 port, tunnel interface
  – Makes the prefixes available for export in SXP
• ISR/ASR1K/Cat6K

(figure) ASR1K at the DC edge facing Business Partners (route updates for 17.1.1.0/24, interface mapped to SGT 8) and Joint Ventures (route updates for 43.1.1.0/24 and 49.1.1.0/24, interface mapped to SGT 9); DC access, hypervisor switch and EOR behind it.

  ASR1K#show cts role-based sgt-map all
  Active IP-SGT Bindings Information

  IP Address        SGT   Source
  ========================================
  11.1.1.2          2     INTERNAL
  12.1.1.2          2     INTERNAL
  13.1.1.2          2     INTERNAL
  17.1.1.0/24       8     L3IF
  43.1.1.0/24       9     L3IF
  49.1.1.0/24       9     L3IF
Layer 3 Interface to SGT – Port/SGT mapping
Design Considerations
• Port-to-SGT mapping does not learn IP prefixes via route learning
• All traffic coming into the interface is tagged with the SGT on the interface
• Will not make the learned prefixes available in SXP

(figure) Same ASR1K topology; the Business Partner interface (local address 14.1.1.1) is mapped to SGT 8 regardless of the route updates (17.1.1.0/24, 43.1.1.0/24, 49.1.1.0/24) it receives.

  ASR1K#show cts role-based sgt-map all
  Active IP-SGT Bindings Information

  IP Address        SGT   Source
  ========================================
  11.1.1.2          2     INTERNAL
  12.1.1.2          2     INTERNAL
  13.1.1.2          2     INTERNAL
  14.1.1.1/24       2     INTERNAL
  14.1.1.0/24       8     L3IF
RAS VPN – Considerations
Design Considerations
• ASA supports SGT classification for RAS VPN – mix and match classifications in the same subnet/DHCP pool if you’d like
• “Most” concentrators allow users/groups to be mapped to specific DHCP pools or VLANs
• Older ASA and 3rd-party VPN concentrators are supported via Subnet/SGT or L3IF on the upstream router

(figure) RAS VPN ASA with dynamic classification and a 3rd-party VPN with static classification at the external cloud edge; bindings reach the DC ASA over SXP through the core; ISE; DC resources PCI_Web and LOB1_Web.
External Classification to Data Center Traffic Flow
Design Considerations
• How do I handle an ASA that only supports SXP fronting DC resources?
• How do I handle 3rd-party services sitting in front of the DC?
  – IPS
  – SLB
  – Firewall
• Two options
  – Build SXP from the access layer to the DC
  – Use inline tagging transport to the DC services layer and use SGT caching
SGT Caching Overview
Design Considerations
• As tagged packets arrive, the SGT is removed and cached. Untagged packets are sent to the DPI services. Upon receipt back from DPI at the egress, packets are retagged with the appropriate SGT
Services with SGT Caching
Design Considerations
(figure) DC access layer with SGACL-enabled devices and physical servers. SGT caching on the C6500/N7K caches IP-SGT mappings from the data plane (e.g. 10.65.1.9 = 8 (Employee_Full), learned from a tagged frame SRC 10.65.1.9 / DST 10.1.100.52 / SGT 8) and sends the IP-SGT mappings to the ASA in SXP. Traffic passes untagged through the service chain (possible 3rd-party devices for server load balancing (SLB), intrusion prevention (IPS), etc.) and is retagged at egress.
• Security group firewalling: firewall rule automation using ASA SG-Firewall functions
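The inline tagging slide and the two SGT caching slides describe the CMD header and the strip/cache/re-tag behaviour only in prose. The Python below is an added example (not Cisco code, and not a dissector of the exact wire format): it builds a frame with the slide's CMD field order, parses it the way an SGT-capable switch would, shows the wrong L3 offset a non-capable L3 device would compute, and models SGT caching (tag stripped on ingress, IP-to-SGT learned for export over SXP, tag re-inserted at egress by source IP). EtherType 0x8909 and the 10.65.1.9 / SGT 8 flow come from the slides; the CMD field widths, the meaning of the Length field, the MAC addresses and the sample IPv4 packet are assumptions or constructed data.

```python
"""Inline SGT in a Cisco Meta Data (CMD) header, as an added example: build a
tagged frame, parse it as an SGT-capable device would, show what a non-capable
L3 device sees, and model SGT caching (strip, cache IP->SGT, re-tag at egress).
Field widths inside CMD are assumptions based on the slide's field list."""
import struct
from ipaddress import ip_address

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_CMD = 0x8909       # CMD EtherType, from the slide
ETHERTYPE_IPV4 = 0x0800
CMD_VERSION = 1              # assumed: 1-byte Version field
CMD_OPT_SGT = 0x0001         # assumed: 2-byte Option Type, 1 = SGT option


def build_cmd(sgt):
    """CMD in the slide's field order: EtherType, Version, Length, SGT Option
    Type, SGT Value (2+1+1+2+2 = 8 bytes). Length is taken to count 4-byte
    option words, so a lone SGT option has Length 1 (assumption)."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit field")
    return struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION, 1, CMD_OPT_SGT, sgt)


def build_frame(dst_mac, src_mac, payload, sgt=None, vlan=None):
    """Ethernet frame: DST | SRC | [802.1Q] | [CMD] | EtherType 0x0800 | payload."""
    frame = dst_mac + src_mac
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    if sgt is not None:
        frame += build_cmd(sgt)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame, sgt_capable=True):
    """Walk the tag stack after the MACs and return (sgt, vlan, ethertype,
    offset), offset being where the parser believes the L3 header starts.
    With sgt_capable=False the parser stops at 0x8909 like a device that does
    not know CMD: the EtherType is unknown and the IP offset it would use is
    wrong, which is the slide's 'improper offset lookup' failure."""
    off, sgt, vlan = 12, None, None
    while True:
        etype = struct.unpack_from("!H", frame, off)[0]
        off += 2
        if etype == ETHERTYPE_VLAN:
            vlan = struct.unpack_from("!H", frame, off)[0] & 0x0FFF
            off += 2
        elif etype == ETHERTYPE_CMD and sgt_capable:
            _ver, length, opt, val = struct.unpack_from("!BBHH", frame, off)
            if opt == CMD_OPT_SGT:
                sgt = val
            off += 2 + 4 * length        # Version/Length plus every option word
        else:
            return sgt, vlan, etype, off


def _l2_header_len(frame):
    return 12 + (4 if parse_frame(frame)[1] is not None else 0)


def strip_cmd(frame):
    """Remove the CMD header so a non-capable service (IPS, SLB, firewall) sees
    a plain frame. Returns (untagged_frame, sgt)."""
    sgt, _vlan, _etype, off = parse_frame(frame)
    if sgt is None:
        return frame, None
    return frame[:_l2_header_len(frame)] + frame[off - 2:], sgt   # off-2 = L3 EtherType


def ipv4_src(frame):
    off = parse_frame(frame)[3]
    return str(ip_address(frame[off + 12:off + 16]))


class SgtCache:
    """SGT caching as on the C6500/N7K slide: on ingress, learn source IP -> SGT
    from the tag and forward untagged through the service chain; on egress,
    re-tag by source IP. bindings() is what would be exported to the ASA in SXP."""
    def __init__(self):
        self.ip_sgt = {}

    def ingress(self, frame):
        untagged, sgt = strip_cmd(frame)
        if sgt is not None:
            self.ip_sgt[ipv4_src(untagged)] = sgt
        return untagged

    def egress(self, untagged):
        sgt = self.ip_sgt.get(ipv4_src(untagged))
        if sgt is None:
            return untagged            # unknown source: forward without a tag
        head = _l2_header_len(untagged)
        return untagged[:head] + build_cmd(sgt) + untagged[head:]

    def bindings(self):
        return dict(self.ip_sgt)


def ipv4_header(src, dst):
    """Minimal 20-byte IPv4 header (constructed sample payload, no L4)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ip_address(src).packed, ip_address(dst).packed)


# Constructed sample: the SGT caching slide's flow, SRC 10.65.1.9 / DST 10.1.100.52 / SGT 8
DST_MAC = bytes.fromhex("005056aabbcc")
SRC_MAC = bytes.fromhex("001122334455")
SAMPLE_FRAME = build_frame(DST_MAC, SRC_MAC, ipv4_header("10.65.1.9", "10.1.100.52"),
                           sgt=8, vlan=200)
```

Two things worth taking from the model: a non-capable parser returns EtherType 0x8909 and an offset that points into the CMD header rather than at the IP header, which is why an L3 device in the path either drops the frame or misparses it; and the cache keys on source IP, so the re-tagged egress frame is only as trustworthy as the IP-to-SGT binding learned on ingress.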
Nexus 5500 TrustSec Capabilities
Design Considerations
• No SXP listener – SXP speaker only
• Port/SGT only – no port profile supported in current code
• 128 SGACL TCAM entries available per bank of 8 ports; 4 are default entries, so effectively only 124 are available for feature use
• The sum of the SGACL entries per 8-port bank cannot contain more than 124 permissions in total (3 + 9 in this example)
• SGACLs can be reused extensively
• 2000+ SGT/DGT combinations on a N5500 reusing 124 lines of permissions

  WEB-ACL:
    permit tcp dst eq 443
    permit tcp dst eq 80
    deny ip

  HR-DB-ACL:
    permit tcp dst eq 443
    permit tcp dst eq 80
    permit tcp dst eq 22
    permit tcp dst eq 135
    permit tcp dst eq 136
    permit tcp dst eq 137
    permit tcp dst eq 138
    permit tcp dst eq 139
    deny ip
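To make concrete what the egress matrix buys (the Reduced OPEX slide) and what the 124-ACE bank budget on the N5500 means (this slide), here is an added Python example, not code from Cisco or from the deck. It parses SGACLs in the deck's syntax, evaluates a flow against the (SGT, DGT) cell the way an egress enforcement point does, counts the ACEs a bank actually programs when SGACLs are reused across cells, and compares that with the rows an IP-object firewall would need for the same policy. WEB-ACL and HR-DB-ACL are the two SGACLs on this slide and the SGT numbers are from the Reduced OPEX slide; the cell contents, the RDP-ACL, the member lists, permit-by-default for unlisted cells and deny-on-no-match are constructed assumptions.

```python
"""Group-based (SGT/DGT) policy evaluation and SGACL TCAM budgeting, as an
added example. SGACLs WEB-ACL and HR-DB-ACL are copied from the deck's Nexus
5500 slide; the matrix cells and member lists are constructed."""
from collections import namedtuple

Ace = namedtuple("Ace", "action proto dport")   # dport None means any port


def parse_sgacl(text):
    """Parse SGACL lines in the deck's syntax: 'permit tcp dst eq 443',
    'permit ip', 'deny ip'. Anything else is rejected rather than guessed."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        action, proto = tok[0], tok[1]
        if action not in ("permit", "deny"):
            raise ValueError("bad action: " + line)
        if len(tok) == 2:
            aces.append(Ace(action, proto, None))
        elif len(tok) == 5 and tok[2:4] == ["dst", "eq"]:
            aces.append(Ace(action, proto, int(tok[4])))
        else:
            raise ValueError("unsupported ACE: " + line)
    return aces


SGACLS = {
    "WEB-ACL": parse_sgacl("permit tcp dst eq 443\npermit tcp dst eq 80\ndeny ip"),
    "HR-DB-ACL": parse_sgacl(
        "permit tcp dst eq 443\npermit tcp dst eq 80\npermit tcp dst eq 22\n"
        "permit tcp dst eq 135\npermit tcp dst eq 136\npermit tcp dst eq 137\n"
        "permit tcp dst eq 138\npermit tcp dst eq 139\ndeny ip"),
    "RDP-ACL": parse_sgacl("permit tcp dst eq 3389\ndeny ip"),   # hypothetical
    "Permit All": [Ace("permit", "ip", None)],
    "Deny All": [Ace("deny", "ip", None)],
}

# SGT numbers from the Reduced OPEX slide; which SGACL sits in each cell is constructed.
EMPLOYEE, BYOD, PROD_SERVERS, VDI = 10, 200, 50, 201
MATRIX = {
    (EMPLOYEE, PROD_SERVERS): "HR-DB-ACL",
    (EMPLOYEE, VDI): "RDP-ACL",
    (BYOD, PROD_SERVERS): "Deny All",
    (BYOD, VDI): "Deny All",
}
# Assumption: an unlisted cell permits, as the platform default does. A strict
# DC design flips this to "Deny All" and lists every allowed pair explicitly.
DEFAULT_CELL = "Permit All"

# Hypothetical group membership, sized like slide 9 (4 sites, 3 servers, 1 VDI)
MEMBERS = {
    EMPLOYEE: ["NY", "SF", "LA", "SJC"],
    BYOD: ["NY", "SF", "LA", "SJC"],
    PROD_SERVERS: ["SRV1", "SAP1", "SCM2"],
    VDI: ["VDI"],
}


def evaluate(src_sgt, dst_sgt, proto, dport):
    """Egress enforcement: pick the SGACL for the (SGT, DGT) cell and return
    (action, sgacl_name, ace_index) for the first matching ACE. A packet that
    matches no ACE is treated as denied (assumption; every SGACL on the slide
    ends in an explicit 'deny ip' anyway, so the branch is never hit here)."""
    name = MATRIX.get((src_sgt, dst_sgt), DEFAULT_CELL)
    for i, ace in enumerate(SGACLS[name]):
        if ace.proto in ("ip", proto) and ace.dport in (None, dport):
            return ace.action, name, i
    return "deny", name, None


def ace_budget(matrix, budget=124):
    """Nexus 5500 model from the slide: 128 ACEs per 8-port bank, 4 reserved,
    and an SGACL is programmed once however many cells reference it."""
    used = sum(len(SGACLS[name]) for name in set(matrix.values()))
    return {"aces_used": used, "fits": used <= budget}


def classic_rule_count(matrix, members):
    """Rows an IP-object firewall needs for the same policy: one per
    (source host, destination host, ACE), which is what slide 9 is counting."""
    return sum(len(members[s]) * len(members[d]) * len(SGACLS[name])
               for (s, d), name in matrix.items())
```

With the two slide SGACLs reused across 2000 cells, ace_budget reports 12 ACEs, which is the slide's "2000+ SGT/DGT combinations reusing 124 lines" point; the same four cells expressed per host already need 132 firewall rows, and every new site or server multiplies that count rather than adding one line.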
Nexus 6000 TrustSec Capabilities
Design Considerations
• Current shipping code is similar to the N5500 platform
• 128 ACEs for configuration
• No SXP listener; SXP speaker only
• Port/SGT definition only
• Logs are like the Nexus 7000 platform
• The ASIC is an L3 ASIC, which allows for future IP/SGT capabilities
Nexus 7000 TrustSec Capabilities
Design Considerations
• SGT/SGACL supported on M series, F1, F2 and F2E cards as of 6.2(6a)
• SGT/SGACL support on F3 as of 6.2(10) ~ Q3CY14
• N7K does all enforcement via IP/SGT programming in the ASICs. This creates an interesting design case:
  • Where the N7K is performing intra-VLAN policy (within the same VLAN), the N7K MUST have an SVI on the VLAN
  • If the N7K is L2 only, create an SVI without an IP address so that it can snoop ARP/DHCP to discover the IP
  • This allows the IP/SGT to be programmed properly for intra-VLAN filtering

(figure) L2-only N7K with LOB1, LOB2 and PCI_DB servers in the same VLAN.
  N7K-DST1# sho run int vlan 3207
  interface Vlan3207
    no shutdown
NX-OS Large Scale SGACL
Design Considerations
• Large numbers of SGT/DGT cells and SGACLs on N7K/N6K/N5K require new handling of SGACLs
• Large policies can also exceed a single RADIUS packet, so the releases below introduce RADIUS SGACL fragmentation to spread the SGACL policies across multiple packets
  – N7000 – 6.2(6) onwards
  – N5600/6000 – 7.0
  – N5500 – 6.0(2)N2 onwards
• N7000 and N5500 require a batch programming command to scale SGACLs:
  N7K-DST1(config-vlan)# cts role-based policy batched-programming enable
VLAN Designating Risk Levels / Security Zones
Design Considerations
(figure) Campus network → N7K distribution with VLAN 100 (Risk Level 1: PCI_Web, PCI_App) and VLAN 200 (Risk Level 1: LOB_App, LOB_App); ISE.
• Often a VLAN is equal to a risk level / security zone
• In many cases ingress/egress ACLs are used to control flows between VLANs
• VLAN/SGT can be used on the Nexus 7000 to reduce TCAM usage substantially
• ACL conversion has shown 60% to 88% TCAM reduction
• Distribution-layer enforcement allows compute to be placed anywhere; it does assume that traffic within a VLAN is permissible
• Flows to other risk levels / security zones are still enforced on the firewall
• N7K – 6.2 release

  N7K-DST1(config)# vlan 100
  N7K-DST1(config-vlan)# cts role-based sgt 100

  N7K-DST1# sho cts role-based sgt-map
  IP ADDRESS      SGT                       VRF/VLAN   SGT CONFIGURATION
  10.1.200.10     2000(PCI_Servers)         vlan:200   Learnt through VLAN SGT configuration
  10.1.200.77     2000(PCI_Servers)         vlan:200   Learnt through VLAN SGT configuration
  10.1.100.26     2000(PCI_Servers)         vrf:1      CLI Configured
  10.1.200.77     1000(Production_Servers)  vrf:1      CLI Configured
DC Traffic Segmentation with SGT
Configuration
Figure: data center with VMs/bare-metal servers LOB2 DB (333), LOB1 DB (222), PCI DB (111) and a Security Server (444), ISE as the policy source; SGACLs PCI-LOB1-ACL and PCI-LOB2-ACL are enforced on the Nexus 7000s and Nexus 55XXs toward the core network
• Servers are assigned SGTs via a static port profile, port or IP-SGT map
• Servers attempt to communicate east-west
• Traffic hits the egress enforcement point
• Only the permitted traffic path (source SGT to destination SGT) is allowed
• Traffic enforcement is distributed across 5K, 6K and 7K
• PCI-DB to LOB1-DB hits SGACL PCI-LOB1-ACL on the 5K
• PCI-DB to LOB1-DB hits SGACL PCI-LOB1-ACL on the 7K
SRC \ DST              PCI DB (111)   LOB1 DB (222)   LOB2 DB (333)   Security Server (444)
PCI DB (111)           Permit All     PCI-LOB1-ACL    PCI-LOB2-ACL    Deny All
LOB1 DB (222)          PCI-LOB1-ACL   Permit All      Deny All        Deny All
LOB2 DB (333)          PCI-LOB2-ACL   Deny All        Permit All      Deny All
Security Server (444)  Deny All       Deny All        Deny All        Deny All
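Worked example, added here and not part of the deck: a small model of the egress enforcement lookup for the matrix above. The SGT values and SGACL names are the slide's; the ACE bodies of PCI-LOB1-ACL and PCI-LOB2-ACL are constructed (the slide only names them), written in the ACE syntax the deck's `show cts role-based policy` output uses. The default cell for an unmapped (src, dst) pair and the treatment of a cell whose SGACL has no terminal `permit ip`/`deny ip` are assumptions made for the example; the deck's own best practice is to put that terminal ACE explicitly in the SGACL because NX-OS applies a single SGACL per cell.

```python
"""Model of egress SGACL enforcement: find the (source SGT, destination SGT)
cell, then walk that cell's SGACL first-match.  Added example, not NX-OS or
ISE code.  Matrix and SGACL names follow the slide; the ACE bodies of the
two PCI-LOBx ACLs are constructed for illustration."""
import re
from typing import Dict, List, Optional, Tuple

PCI_DB, LOB1_DB, LOB2_DB, SEC_SRV = 111, 222, 333, 444

# SRC \ DST matrix from the slide: {(src_sgt, dst_sgt): sgacl name}
MATRIX: Dict[Tuple[int, int], str] = {
    (PCI_DB, PCI_DB): "Permit IP",     (PCI_DB, LOB1_DB): "PCI-LOB1-ACL",
    (PCI_DB, LOB2_DB): "PCI-LOB2-ACL", (PCI_DB, SEC_SRV): "Deny IP",
    (LOB1_DB, PCI_DB): "PCI-LOB1-ACL", (LOB1_DB, LOB1_DB): "Permit IP",
    (LOB1_DB, LOB2_DB): "Deny IP",     (LOB1_DB, SEC_SRV): "Deny IP",
    (LOB2_DB, PCI_DB): "PCI-LOB2-ACL", (LOB2_DB, LOB1_DB): "Deny IP",
    (LOB2_DB, LOB2_DB): "Permit IP",   (LOB2_DB, SEC_SRV): "Deny IP",
    (SEC_SRV, PCI_DB): "Deny IP",      (SEC_SRV, LOB1_DB): "Deny IP",
    (SEC_SRV, LOB2_DB): "Deny IP",     (SEC_SRV, SEC_SRV): "Deny IP",
}

# SGACL bodies.  'Permit IP' / 'Deny IP' are the ISE defaults the deck shows;
# the PCI-LOBx bodies are constructed.  PCI-LOB2-ACL deliberately lacks a
# terminal 'deny ip' so the audit below has something to flag.
SGACLS: Dict[str, List[str]] = {
    "Permit IP": ["permit ip"],
    "Deny IP": ["deny ip"],
    "PCI-LOB1-ACL": ["permit tcp dst eq 1433", "deny ip log"],
    "PCI-LOB2-ACL": ["permit tcp dst eq 443"],
}

# ACE syntax as printed by 'show cts role-based policy' on NX-OS
ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>ip|all|icmp|tcp|udp)"
    r"(?:\s+dst\s+eq\s+(?P<port>\d+))?(?P<log>\s+log)?$"
)


def parse_ace(line: str) -> dict:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    return {
        "action": m["action"],
        "proto": "ip" if m["proto"] == "all" else m["proto"],  # 'all' == 'ip'
        "port": int(m["port"]) if m["port"] else None,
        "log": bool(m["log"]),
    }


def lookup_cell(src_sgt: int, dst_sgt: int, default: str = "Deny IP") -> str:
    """Cell lookup.  An unmapped pair (e.g. sgt:unknown = 0) falls to the
    default cell; 'Deny IP' is an assumption here, choose yours deliberately."""
    return MATRIX.get((src_sgt, dst_sgt), default)


def evaluate(src_sgt: int, dst_sgt: int, proto: str,
             dport: Optional[int] = None) -> Tuple[str, str, bool]:
    """Return (sgacl name, 'permit' | 'deny' | 'no-match', logged?)."""
    name = lookup_cell(src_sgt, dst_sgt)
    for raw in SGACLS[name]:
        ace = parse_ace(raw)
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return name, ace["action"], ace["log"]
    # Fell off the end: the cell gives no verdict of its own.  The deck's
    # best practice is to end every SGACL with an explicit permit/deny ip.
    return name, "no-match", False


def sgacls_without_terminal_ace() -> List[str]:
    """Names of SGACLs whose last ACE is not a catch-all permit/deny ip."""
    bad = []
    for name, aces in SGACLS.items():
        last = parse_ace(aces[-1])
        if last["proto"] != "ip" or last["port"] is not None:
            bad.append(name)
    return sorted(bad)


if __name__ == "__main__":
    print(evaluate(PCI_DB, LOB1_DB, "tcp", 1433))   # permitted SQL
    print(evaluate(PCI_DB, LOB1_DB, "tcp", 22))     # logged deny
    print(sgacls_without_terminal_ace())
```

Reading the results: PCI DB to LOB1 DB on tcp/1433 returns a permit from PCI-LOB1-ACL; the same pair on tcp/22 falls through to the logged deny; a source the switch could not classify (SGT 0, shown as `sgt:unknown` in the deck's counter output) lands in the default cell; and PCI-LOB2-ACL is reported by the audit because it has no terminal ACE.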
Simplified Data Center Topology - walkthrough
Configuration
SXP – SGT Exchange Protocol
SGT over Ethernet (SGToEthernet)
Figure: ASA, N7K (with SGT caching), N5K, N6K and N1KV; PCI DB (111), LOB1 DB (222) and LOB2 DB (333) servers; SXP and Ethernet (inline tagging) paths marked
• User/Server
– VPN to Data Center – enforcement will occur on the ASA
  SGT learned via SXP from the VPN ASA
  DGT learned via SXP from the N7K
– Business Partner to Data Center – enforcement will occur on the ASA
  SGT from the frame (inline tag)
  DGT learned via SXP from the N7K
Simplified Data Center Topology - walkthrough
Configuration
SXP – SGT Exchange Protocol
SGT over Ethernet (SGToEthernet)
Figure: same topology as the previous slide
• Server/Server traffic enforced via SGACL
– PCI DB <-> LOB1 DB enforced on the N5K
– N5K -> N1KV enforced on the N1KV
  SGT from the frame; IP/SGT from the port profile
– N1KV -> N5K enforced on the N5K
  SGT from the frame; SGT from the port definition
– N1KV -> N6K enforced on the N6K
  Same as N1KV -> N5K
• Risk Level 1 -> Risk Level 2 enforced on the ASA
– Assumption is that the N7K is doing SGT caching to send SXP to the ASA
Business Partner Router – Port Classification Options
Configuration
• For our topology we are tagging inline from the router to the data center, so we use the first configuration below (Port/SGT – tag-only transport)
• If we had to put IP/SGT bindings into SXP instead, we would use the second configuration (Prefix learning – SXP subnet/SGT)
Port/SGT – Tag only transport:
interface GigabitEthernet0/0/0
 ip address 10.1.47.2 255.255.255.0
 cts manual
  policy static sgt 2 trusted
interface GigabitEthernet0/0/2
 ip address 8.8.8.1 255.255.255.0
 cts manual
  policy static sgt 50
  no propagate-sgt
 cdp enable
ASR1K-2#sho cts role-based sgt-map all
Active IP-SGT Bindings Information
IP Address       SGT  Source
============================================
8.8.8.0/24       50   L3IF
8.8.8.1          2    INTERNAL
Prefix Learning – SXP subnet/SGT:
interface GigabitEthernet0/0/2
 ip address 8.8.8.1 255.255.255.0
 cts role-based sgt-map sgt 50
ASR1K-2#sho cts role-based sgt-map all
Active IP-SGT Bindings Information
IP Address       SGT  Source
============================================
8.8.8.0/24       50   L3IF
8.8.8.1          2    INTERNAL
10.1.3.0/24      50   L3IF
10.1.47.2        2    INTERNAL
10.254.100.0/24  50   L3IF
ASA RAS VPN Configuration:
Configuration
• The RAS VPN ASA assigns a tag to the end user based on the authorization policy matched in ISE when the user logs into the tunnel group
• The VPN ASA then communicates the IP/SGT binding via SXP to the DC ASA
• The DC ASA uses that SGT as the source group in its SGFW rules
aaa-server cts-mlist protocol radius
 dynamic-authorization
aaa-server cts-mlist (inside) host 10.1.100.3
 timeout 5
 key trustsec
 authentication-port 1812
 accounting-port 1813
 radius-common-pw trustsec
cts server-group cts-mlist
cts sxp enable
cts sxp default password trustsec
cts sxp default source-ip 10.1.100.20
cts sxp connection peer 10.3.99.2 source 10.1.100.20 password default mode local speaker
group-policy GroupPolicy_cts-local internal
group-policy GroupPolicy_cts-local attributes
 wins-server none
 dns-server value 10.1.100.100
 vpn-tunnel-protocol ssl-client
 default-domain value cts.local
tunnel-group cts-local general-attributes
 address-pool test
 authentication-server-group cts-mlist
 accounting-server-group cts-mlist
 default-group-policy GroupPolicy_cts-local
tunnel-group cts-local webvpn-attributes
 group-alias cts-local enable
N7K – SGT Caching Config
Configuration
N7K-DST1(config)# cts role-based sgt-caching ?
  <CR>
  with-enforcement  SGT caching with RBACL enforcement
N7K-DST1(config)# cts role-based sgt-caching with-enforcement
SGT caching with enforcement will implicitly display syslogs for all the ACEs in RBACLs. Continue(yes/no) [no] yes
N7K-DST1# sho cts role-based sgt-caching
-------------------------------- --------
Caching Modes                    Status
-------------------------------- --------
SGT caching                      Disabled
SGT caching with enforcement     Enabled
N7K-DST2# sho cts role-based sgt-map cached
IP ADDRESS    SGT                      VRF/VLAN  SGT CONFIGURATION
10.1.50.1     1000(Production_Servers) vrf:1     Cached
10.1.51.2     2(Device_SGT)            vrf:1     Cached
10.1.56.2     2(Device_SGT)            vrf:1     Cached
10.1.100.1    1000(Production_Servers) vrf:1     Cached
10.1.100.82   1000(Production_Servers) vrf:1     Cached
N7K – SGT Caching Notes
Configuration
• SGT caching can be enabled with or without enforcement
– Without enforcement it is just converting the tag from the data plane (inline SGT) to the control plane (SXP) at a mid point in the network
– Typically deployed at an aggregation layer where there is no enforcement:
  • Service chains to 3rd-party devices that do not support SGT
  • Converting from native tagging to SXP for pre-9.3(1) ASA
– With enforcement is for when the N7K is itself the enforcement point and also needs to convert from the data plane to the control plane
  • Typically when the N7K is acting as an aggregated routing/service layer in the DC
• The N7K asks ISE for the relevant policies of all its SGTs when it receives an IP/SGT update
– Every time it receives an update
– Yes, that is a lot of information filling the ISE logs
SGT Caching Configuration – Catalyst 6500 (Global CLI Commands)
Configuration
• Enabling CTS SGT caching globally in independent mode
– cts role-based sgt-caching
• Enabling CTS SGT caching on VLANs in independent mode
– cts role-based sgt-caching vlan-list <[all | vlan_id]>
• Enabling CTS SGT caching globally in dependent mode
– cts role-based sgt-caching with-enforcement
• Enabling RBACL enforcement globally
– cts role-based enforcement
• Enabling RBACL enforcement on VLANs
– cts role-based enforcement vlan-list <[all | vlan_id]>
SGT Caching Show Commands – Catalyst 6500
Configuration
• To display the SGT-IPv4 bindings
– show cts role-based sgt-map all ipv4
– show cts role-based sgt-map vrf <vrf_name> all ipv4
• To display the SGT-IPv6 bindings
– show cts role-based sgt-map all ipv6
– show cts role-based sgt-map vrf <vrf_name> all ipv6
• To display the RBACL entries programmed in the ACL TCAM
– show platform hardware acl entry rbacl all
• To display the ACL result of RBACL entries programmed in the ACL TCAM
– show platform hardware acl tcam result <acl_entry_result>
SGT Caching Debug Commands – Catalyst 6500
• [no] debug fm rbacl caching events
Detailed debugs:
• [no] debug rbm bindings
• [no] debug rbm api
• [no] debug fm rbacl caching packets
• [no] debug fm rbacl all
Note: “no logging console” is recommended before enabling these detailed debugging commands as they could potentially flood the console
Configuration
Configure ISE for Nexus Switch Configuration
Administration->Network Resources->Network Devices->+Add
N55KAa# show cts environment-data
CTS Environment Data
==============================
Current State           : CTS_ENV_DNLD_ST_ENV_DOWNLOAD_DONE
Last Status             : CTS_ENV_SUCCESS
Local Device SGT        : 0x0002
Transport Type          : CTS_ENV_TRANSPORT_DIRECT
Data loaded from cache  : FALSE
Env Data Lifetime       : 86400 seconds after last update
Last Update Time        : Thu May 23 17:22:18 2013
Server List             : CTSServerList1
  AID:a6f054a3856a15221714bba63e968867 IP:10.39.1.120 Port:1812
Configure Nexus 7K: (Bootstrap) Configuration
Step 1: Configure communications between the Nexus and ISE
N7K-DST1(config)# feature cts
N7K-DST1(config)# feature dot1x
N7K-DST1(config)# cts device-id N7K-DST1 password trustsec
N7K-DST1(config)# radius-server host 10.39.1.120 key trustsec pac
N7K-DST1(config)# aaa group server radius ISE
N7K-DST1(config-radius)# server 10.39.1.120
N7K-DST1(config)# aaa authentication dot1x default group ISE
N7K-DST1(config)# aaa authorization cts default group ISE
N7K-DST1(config)# aaa accounting dot1x default group ISE
Step 2: Verify the PAC is downloaded
N7K-DST1# show cts pacs
PAC Info :
==============================
PAC Type : TrustSec
AID : a6f054a3856a15221714bba63e968867
I-ID : N7K-DST1
AID Info : ise
Credential Lifetime : Sun Aug 3 16:56:29 2014
PAC Opaque :
000200a80003000100040010a6f054a3856a15221714bba63e9688670006008c000301005f22d715cffe37591f629bae3bcc3c9e0000001353641
81a00093a80bf65b034bb89456288e2863a540d797ab17d1593b354e4aa3b74835df48ed45fad79c744083420c96ceef74ea3e51490566967d9c8
dcfb191d2e8448a4de98b5578f83b526fb4d586ecc2510eefe1d90dee1746998fb1b77291aac4848ac2d4d5d3694e9d0e5fadbdaae5a7f
Step 3: Enable role-based counters and enforcement
N7K-DST1(config)# cts role-based counters enable
N7K-DST1(config)# cts role-based enforcement
Configure Nexus 5K/6K: (Bootstrap) Configuration
Step 1: Configure communications between the Nexus and ISE
N55KA(config)# feature cts
N55KA(config)# feature dot1x
N55KA(config)# cts device-id N55KA password trustsec
N55KA(config)# radius-server host 10.39.1.120 key trustsec pac
N55KA(config)# aaa group server radius ISE
N55KA(config-radius)# server 10.39.1.120
N55KA(config-radius)# use-vrf management
N55KA(config)# aaa authentication dot1x default group ISE
N55KA(config)# aaa authorization cts default group ISE
N55KA(config)# aaa accounting dot1x default group ISE
Step 2: Verify the PAC is downloaded
N55KA# show cts pacs
PAC Info :
==============================
PAC Type : TrustSec
AID : a6f054a3856a15221714bba63e968867
I-ID : N55KA
AID Info : ise
Credential Lifetime : Fri Jul 11 04:25:45 2014
PAC Opaque : 000200b00003000100040010a6f054a3856a15221714bba63e96886700060094000301000c629fc10ec7608000296933
d0b283e1000000135348689a00093a809914bbf46a3d8d8c81eab9e4819bde120047a2f28ca7181760c9b65015c3a851f5a9c99b6541d40b8d991114
9d045c1f7262b3a72e3b99b661733f92f71dcad42673a67549a5608611af2b1c0b18438a514178e98c7ed72f088d7b8db9cdbfba76b11c209f401ba8
c522f5fe5900e264a8ab02fd
Step 3: Enable role-based counters and enforcement (on the 5K/6K enforcement is enabled per VLAN)
N55KA(config)# cts role-based counters enable
N55KA(config)# vlan 118
N55KA(config-vlan)# cts role-based enforcement
Nexus for Native t
agging Up/DownStream:
Configuration
N7K-DST1(config)# int e1/30
N7K-DST1(config-if)# cts manual
N7K-DST1(config-if-cts-manual)# policy static sgt 0x0002 trusted
N7K-DST1(config-if)# shutdown
N7K-DST1(config-if)# no shutdown
• We MUST configure the physical ports to "trust" the neighboring device to send native tagged packets
• When TrustSec is enabled on a switch, the default behavior is to drop packets that arrive with a native tag
• This is similar to QoS, where we trust DSCP on trunk links
• BEST PRACTICE: on all platforms, manually shut/no shut the port after applying the cts manual commands
• This guarantees that the control plane has fully programmed the port-level PHY/ASIC
Configure ISE SGACL Policy Matrix
Configuration
Best Practice: NX-OS applies only one SGACL per SGT/DGT cell, so put the terminal deny/permit explicitly in that SGACL rather than relying on a second, catch-all SGACL in the cell.
Configure Nexus to Statically assign Tags: Configuration
• Static IP-SGT (there is also an option to manage this in ISE via IP/SGT or DNS/SGT mappings)
N7K-DST1(config)# cts role-based sgt-map 10.39.1.223 17
• Static SGT on the physical port facing the server
N7K-DST1(config)# int e1/30
N7K-DST1(config-if)# cts manual
N7K-DST1(config-if-cts-manual)# policy static sgt 0x3
N7K-DST1(config-if-cts-manual)# no propagate-sgt
• Port-Profile. NOTE: port-profile on the N7K only works on non-FEX ports; 5K/6K do not have support yet; N1KV is supported
N7K-DST1(config)# port-profile type ethernet PCI-DB
N7K-DST1(config-port-prof)# cts manual
N7K-DST1(config-port-prof)# policy static sgt 0x17
N7K-DST1(config-port-prof)# no propagate-sgt
N7K-DST1(config-port-prof)# switchport
N7K-DST1(config-port-prof)# switchport access vlan 100
• VLAN to SGT
N7K-DST1(config)# vlan 100
N7K-DST1(config-vlan)# cts role-based sgt 17
NOTE: If you forget this command your server will not be able to access the network!!
NOTE: policy static sgt takes the SGT in hex on NX-OS (0x17 is 23 decimal, not 17), whereas cts role-based sgt-map and cts role-based sgt take decimal; keep the two consistent (SGT 17 is 0x11) or the port-profile servers end up in a different cell of the matrix than the IP- and VLAN-mapped ones.
Verify Configuration
Configuration
• Verify environment data (show cts environment-data)
• Verify the SGACLs downloaded and look at the counters:
N7K-DST1# show cts role-based access-list
rbacl:Deny IP
deny ip
rbacl:Permit IP
permit ip
rbacl:PCI_Web_Server
rbacl:shaun_deny
N7K-DST1# show cts role-based counters
RBACL policy counters enabled
Counters last cleared: 04/16/2014 at 06:28:11 PM
sgt:unknown dgt:19 [41677]
rbacl:Deny IP
deny ip [41677]
sgt:unknown dgt:24 [13269]
rbacl:Deny IP
deny ip [13269]
sgt:4 dgt:3 [0]
rbacl:Deny IP
deny ip [0]
sgt:6 dgt:12 [0]
rbacl:Deny IP
deny ip [0]
sgt:7 dgt:3 [53769]
rbacl:Deny IP
deny ip [53769]
• The sgt:unknown rows are traffic from sources the switch could not classify (no IP-SGT binding); large counts there usually point at a missing mapping rather than at the policy
Nexus 5500 East-West Segmentation Configuration: Post Boot Strap
Configuration
N55KA(config)# cts role-based counters enable                ! turn on SGACL counters
N55KA(config)# vlan 118
N55KA(config-vlan)# cts role-based enforcement               ! enable role-based enforcement on VLAN 118
N55KA(config)# int e 1/1
N55KA(config-if)# switchport mode trunk
N55KA(config-if)# switchport trunk native vlan 2
N55KA(config-if)# cts manual                                 ! enter CTS manual mode for the port (other interface CLI clipped for screen real estate)
N55KA(config-if-cts-manual)# policy static sgt 0x2 trusted   ! set the device SGT and trust the trunk to N7K-DST1
Nexus 5500 East-West Segmentation Configuration
Configuration
N55KA(config)# int e102/1/1
N55KA(config-if)# switchport
N55KA(config-if)# switchport access vlan 118
N55KA(config-if)# cts manual                           ! enter CTS manual mode for the port
N55KA(config-if-cts-manual)# policy static sgt 0x111   ! set the static SGT on FEX port e102/1/1 (intended SGT 111; see NOTE below)
N55KA(config-if-cts-manual)# no propagate-sgt          ! "Don't send the SGT to the server." This would be bad.
N55KA(config-if-cts-manual)# no shut
N55KA(config)# int e102/1/2
N55KA(config-if)# switchport
N55KA(config-if)# switchport access vlan 118
N55KA(config-if)# cts manual                           ! enter CTS manual mode for the port
N55KA(config-if-cts-manual)# policy static sgt 0x222   ! set the static SGT on FEX port e102/1/2 (intended SGT 222; see NOTE below)
N55KA(config-if-cts-manual)# no propagate-sgt          ! "Don't send the SGT to the server." This would be bad.
N55KA(config-if-cts-manual)# no shut
N55KA(config)# cts sxp enable                          ! enable SXP for peering relationships
N55KA(config)# cts sxp connection peer 10.49.1.2 source 10.49.1.10 password none mode listener   ! peer with 7KA
N55KA(config)# cts sxp connection peer 10.49.1.3 source 10.49.1.10 password none mode listener   ! peer with 7KB
NOTE: policy static sgt takes the value in hex on NX-OS, so 0x111 is SGT 273 and 0x222 is SGT 546, not 111 and 222; for the matrix SGTs use 0x6f (111) and 0xde (222). Check with show cts role-based sgt-map, which prints the SGT in decimal.
Nexus 7000 East-West Configuration
Configuration
feature cts
feature dot1x
cts device-id N7K-DST1 password 7 wnyxlszh123
cts role-based counters enable
cts role-based sgt-map 10.39.1.30 17
…….
cts role-based sgt-map 10.87.109.72 3
cts role-based enforcement
vlan 87
cts role-based enforcement
vlan 118
cts role-based enforcement
interface Ethernet1/25
description N5K connection
cts manual
policy static sgt 0x0002 trusted
switchport
switchport mode trunk
switchport trunk allowed vlan 90,118-120,124
spanning-tree port type normal
channel-group 10 mode active
no shutdown
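Added example (not Cisco tooling, not from the deck): a small audit of an NX-OS running-config against the port rules the last three slides apply, which is the check to run before trusting that east-west enforcement is actually in place. It parses interface and vlan stanzas the way they appear in `show running-config` on slides 78 and 79. The sample config is constructed from those excerpts, with the server SGTs written as 0x6f and 0xde (111 and 222 in hex) and one deliberately misconfigured port, Ethernet102/1/3, that is `trusted`, propagates its tag to the server, and sits in a VLAN without `cts role-based enforcement`.

```python
"""Audit an NX-OS running-config against the TrustSec port rules from the
preceding slides: a server-facing access port carries a static SGT, does not
propagate it to the host ('no propagate-sgt') and is not 'trusted'; a trunk
to another TrustSec switch is 'trusted' and propagates; every access VLAN
has 'cts role-based enforcement'.  Added example, not Cisco tooling.  The
sample config is constructed from the slide-78/79 excerpts plus one
deliberately wrong port, Ethernet102/1/3."""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
feature cts
cts role-based enforcement
vlan 118
  cts role-based enforcement
vlan 119
interface Ethernet1/25
  description N5K connection
  cts manual
    policy static sgt 0x0002 trusted
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 90,118-120,124
  no shutdown
interface Ethernet102/1/1
  switchport
  switchport access vlan 118
  cts manual
    policy static sgt 0x6f
    no propagate-sgt
  no shutdown
interface Ethernet102/1/3
  switchport
  switchport access vlan 119
  cts manual
    policy static sgt 0xde trusted
  no shutdown
"""

SGT_RE = re.compile(r"^policy static sgt (\S+)( trusted)?$")


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """{top-level line: [its indented child lines, stripped]}, in order."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def audit(config: str) -> List[str]:
    blocks = parse_blocks(config)
    enforced_vlans = {
        name.split()[1] for name, kids in blocks.items()
        if name.startswith("vlan ") and "cts role-based enforcement" in kids
    }
    findings: List[str] = []
    for name, kids in blocks.items():
        if not name.startswith("interface ") or "cts manual" not in kids:
            continue
        intf = name.split(None, 1)[1]
        sgt = next((m for m in map(SGT_RE.match, kids) if m), None)
        if sgt is None:
            findings.append(f"{intf}: 'cts manual' without 'policy static sgt'")
            continue
        trusted = sgt.group(2) is not None
        propagates = "no propagate-sgt" not in kids
        access = next((k.split()[-1] for k in kids
                       if k.startswith("switchport access vlan ")), None)
        trunk = any(k.startswith("switchport mode trunk") or
                    k.startswith("switchport trunk") for k in kids)
        if access is not None:                       # server-facing port
            if propagates:
                findings.append(f"{intf}: server port propagates the SGT to "
                                "the host (add 'no propagate-sgt')")
            if trusted:
                findings.append(f"{intf}: server port is 'trusted'; a tag "
                                "inserted by the host would be honoured")
            if access not in enforced_vlans:
                findings.append(f"{intf}: access VLAN {access} has no "
                                "'cts role-based enforcement'")
        elif trunk:                                  # switch-to-switch link
            if not trusted:
                findings.append(f"{intf}: uplink not 'trusted'; the "
                                "neighbour's tag is overridden by the static SGT")
            if not propagates:
                findings.append(f"{intf}: uplink has 'no propagate-sgt'; the "
                                "downstream switch never sees the tag")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports three findings, all on Ethernet102/1/3, and nothing on the trunk to the N7K or on the correctly configured FEX port; feed it the output of `show running-config` from each 5K/6K/7K after the bootstrap and the audit is a one-line pre-flight check.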
SGT Assignment on Nexus 1000v Use Case: Current Code
Configuration
Figure: two hypervisor hosts each running a Nexus 1000V VEM with the VMs of a Finance application; the Nexus 1000V VSM obtains its PAC from ISE and peers with the top-of-rack switch over SXP
• N1KV assigns the SGT based on static port-profile assignments (SGT = "Finance", "Employee", "Employee-VDI")
• SXP comes from the VSM, not the VEM
• The TOR switch filters traffic based on SGACLs
Nexus 1000v – Configuration – current code
Configuration
CTS-N1K(config)# feature cts
CTS-N1K(config)# port-profile type vethernet LOB2-VDI
CTS-N1K(config-port-prof)# vmware port-group
CTS-N1K(config-port-prof)# switchport mode access
CTS-N1K(config-port-prof)# switchport access vlan 118
CTS-N1K(config-port-prof)# cts sgt 16
CTS-N1K(config-port-prof)# no shutdown
CTS-N1K(config-port-prof)# state enabled
SXP:
CTS-N1K(config)# cts device tracking
CTS-N1K(config)# cts sxp enable
CTS-N1K(config)# cts sxp connection peer 10.39.1.2 source 10.87.109.191 password none mode listener vrf management
CTS-N1K(config)# cts sxp connection peer 10.39.1.3 source 10.87.109.191 password none mode listener vrf management
Existing code: the July port-profile commands will change! (see the following slides)
Nexus 1000v - Verification
Configuration
CTS-N1K(config)# show cts sxp connection
PEER_IP_ADDR  VRF         PEER_SXP_MODE  SELF_SXP_MODE  CONNECTION STATE
10.39.1.2     management  listener       speaker        connected
10.39.1.3     management  listener       speaker        connected
CTS-N1K(config)# show cts role-based sgt-map
Interface       SGT     IP ADDRESS        VRF         Learnt
--------------  ------  ----------------  ----------  ---------------
Vethernet1      14      10.39.1.92        -           Device Tracking
Vethernet2      16
Vethernet3      16      10.39.1.94        -           Device Tracking
CTS-N1K(config)#
SGACL on Nexus 1000v Use Case: (BETA)
Configuration
Figure: two hypervisor hosts each running a Nexus 1000V VEM with the VMs of a Finance application; the Nexus 1000V VSM obtains its PAC from ISE
• N1KV assigns the SGT based on static port-profile assignments (SGT = "PCI", "Employee", "PCIVDI")
• The TOR switch filters traffic based on SGACLs
• The VEM also filters traffic based on SGACLs
Nexus 1000v – SGACL Configuration (Beta)
Configuration
CTS-N1K(config)# feature cts
CTS-N1K(config)# cts device-id cts-n1k password 0 trustsec
CTS-N1K(config)# radius-server host 10.39.1.120 key 0 trustsec pac authentication accounting
CTS-N1K(config)# aaa group server radius cts-ise
CTS-N1K(config-radius)# server 10.39.1.120
CTS-N1K(config-radius)# use-vrf management
CTS-N1K(config-radius)# source-interface mgmt0
CTS-N1K(config)# aaa authentication cts default group cts-ise
CTS-N1K(config)# aaa authorization cts default group cts-ise
CTS-N1K(config)# cts role-based counters
Nexus 1000V – Port Profile Setup (Beta)
Configuration
Create UPLINK port-profile:
CTS-N1K(config)# port-profile type ethernet uplink-vem
CTS-N1K(config-port-prof)# switchport mode trunk
CTS-N1K(config-port-prof)# switchport trunk allowed vlan 1-4000
CTS-N1K(config-port-prof)# cts manual
CTS-N1K(config-port-prof)# policy static sgt 0x2 trusted   -> set the tag to the device SGT (2) and trust the neighbor
CTS-N1K(config-port-prof)# propagate-sgt                   -> propagate the SGT to the neighbor
CTS-N1K(config-port-prof)# no shutdown
CTS-N1K(config-port-prof)# state enabled
CTS-N1K(config-port-prof)# vmware port-group
Create PCI-Server port-profile:
CTS-N1K(config)# port-profile type vethernet PCI_Servers
CTS-N1K(config-port-prof)# switchport mode access
CTS-N1K(config-port-prof)# switchport access vlan 200
CTS-N1K(config-port-prof)# cts manual
CTS-N1K(config-port-prof)# policy static sgt 0x7d0         -> set the tag to PCI-Servers (hex 0x7d0 = 1000 decimal)
CTS-N1K(config-port-prof)# role-based enforcement          -> enable role-based enforcement
CTS-N1K(config-port-prof)# no shutdown
CTS-N1K(config-port-prof)# state enabled
CTS-N1K(config-port-prof)# vmware port-group
Nexus 1000v – SGACL Verification (beta) Configuration
CTS-N1K# show cts role-based counters
RBACL policy counters enabled
Counters last cleared: 05/02/2014 at 04:41:47 AM
Counters last updated on 05/08/2014 at 06:30:03 PM:
rbacl:Permit IP
permit ip [129105]
rbacl:deny_log
deny icmp log [522997]
rbacl:permit_log
permit ip log [119029]
sampg-n1kv-vsm-1# show cts role-based access-list
rbacl:Permit IP
permit ip
rbacl:deny_log
deny icmp log
rbacl:permit_log
permit ip log
CTS-N1K#
Configuration for ASA SGFW to Work
Configuration
First the DC switches must be configured to speak SXP to the SXP-listening ASA so that it receives the IP-to-tag mappings.
N7K-DST1(config)# cts sxp enable
N7K-DST1(config)# cts sxp connection peer 192.168.1.2 source 10.39.1.2 password required trustsec123 mode listener
N7K-DST1(config)# cts sxp connection peer 192.168.1.2 source 10.39.1.3 password required trustsec123 mode listener
N7K-DST1# sho cts sxp connection
PEER_IP_ADDR  VRF      PEER_SXP_MODE  SELF_SXP_MODE  CONNECTION STATE
172.16.1.20   default  speaker        listener       connected
NOTE: on NX-OS the mode keyword of cts sxp connection describes the peer's role, so "mode listener" above makes the N7K the speaker toward the ASA (compare the N1KV verification output, where "mode listener" peers show PEER_SXP_MODE listener / SELF_SXP_MODE speaker). Read PEER_SXP_MODE and SELF_SXP_MODE in the show output rather than the keyword.
Configuration for ASA SGFW to Work – Cont.
Configuration
• Second, configure the ASA for SXP (ASDM screenshot)
Configuration for ASA SGFW to Work – Cont. (2)
Configuration
• Finally, configure your SGFW ACE entries: add the CTS security groups from the left-hand list to the selected side (ASDM screenshot)
ASA SGFW Verification
Configuration
• Check SXP peering on the DC switch side (screenshot)
ASA SGFW Verification: Cont.
Configuration
• Check SXP peering on the ASA side and verify the IP-SGT bindings (screenshot): the connection to the DC 7Ks is UP and IP-SGT bindings are being received from the DC switches
ASA Native Tagging Configuration:
DC Design
• Native tag configuration is needed only on the OUTSIDE interface. Firewall rules are written to permit traffic from the outside to the inside (SGT -> DGT); to get the destination tags (DGT) to the firewall we must still use SXP.
ASA5515X-A(config)# int g0/0
ASA5515X-A(config-if)# nameif outside
ASA5515X-A(config-if)# cts manual
ASA5515X-A(config-if)# policy static sgt 2 trusted
ASA5515X-A(config-if)# ip address 10.3.99.2 255.255.255.0
Logging from Nexus 7000
Monitoring
pghlab-N7K-DST1-n7k-shaun# show cts role-based policy
sgt:8
dgt:6 rbacl:PERMIT_MAIL
  deny icmp log
  permit tcp dst eq 110
  permit tcp dst eq 143
  permit tcp dst eq 25
  permit tcp dst eq 465
  permit tcp dst eq 585
  permit tcp dst eq 993
  permit tcp dst eq 995
  deny all log
Recommended log levels:
pghlab-N7K-DST1-n7k-shaun(config)# logging level acllog 6
pghlab-N7K-DST1-n7k-shaun(config)# logging level cts 5
pghlab-N7K-DST1-n7k-shaun(config)# logging ip access-list include sgt
pghlab-N7K-DST1-n7k-shaun# show logging ip access-list cache detail
SGT  Source IP     Destination IP  S-Port  D-Port  Interface     Protocol  Hits
-------------------------------------------------------------------------------
8    10.10.11.100  10.1.100.84     0       0       Ethernet2/15  (1)ICMP   8
-------------------------------------------------------------------------------
Logging from Nexus 5500
Monitoring
pghlab-55ka# show cts role-based policy
sgt:8
dgt:6 rbacl:PERMIT_MAIL
  deny icmp log
  permit tcp dst eq 110
  permit tcp dst eq 143
  permit tcp dst eq 25
  permit tcp dst eq 465
  permit tcp dst eq 585
  permit tcp dst eq 993
  permit tcp dst eq 995
  deny all log
Log levels to make this work:
pghlab-55ka(config)# logging level acllog 6
pghlab-55ka(config)# logging level cts 7
pghlab-55ka# show logging logfile duration 0:30:00
2013 Jun 6 12:27:06 pghlab-55ka last message repeated 6 times
2013 Jun 6 12:27:06 pghlab-55ka %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE deny ip log, Threshold exceeded: Hit count in 10s period = 11
2013 Jun 6 12:27:16 pghlab-55ka %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE deny ip log, Threshold exceeded: Hit count in 10s period = 10
2013 Jun 6 12:27:56 pghlab-55ka last message repeated 4 times
"Threshold exceeded" is not an alarm: the ACE hits are reported as a count per polling period rather than as one syslog per packet, so that logging cannot overwhelm the CPU of the switch.
N5500 - Monitoring SGACL drops
Monitoring
N55KA# show platform fwm info lif eth100/1/45 | grep good
Eth100/1/45 pd: rx frames: good 2755 drop 3; tx frames: good 2689 drop 106
N55KA# sho cts role-based counters
RBACL policy counters enabled
Counters last cleared: 11/16/2011 at 05:55:24 PM
rbacl:ALLOW_SQL
  permit tcp dst eq 1433 [0]
  permit icmp [0]
  deny ip [0]
rbacl:Deny IP
  deny ip [6730]
rbacl:Deny_ICMP_Log
  deny icmp log [106]
rbacl:Permit IP
  permit ip [85730]
rbacl:test_deny
  deny icmp log [0]
Look at the egress interface on the N5K protecting the server; it should show drops (tx drop 106 here). Correlating that with the counter increments (deny icmp log [106]) shows which server and which SGACL is being hit.
ASA Firewall Logging
Monitoring
• Firewall logging will show the SGT/DGT in the logs if known by the firewall
Nexus 5500 SGACL Logging
• Logging can be enabled per ACE
• The log-enabled ACEs are polled periodically and a syslog of severity 6 is printed on the console if the ACE was hit in that period
• The current polling period is 10s
• Example:
switch(config)# cts role-based access-list test
switch(config-rbacl)# permit all log
• Sample syslog:
2011 Sep 27 18:35:34 swo2-273 %$ VDC-1 %$ %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE permit all log, Threshold exceeded: Hit count in 10s period = 4
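Added example (not Cisco code): a parser for the two outputs the monitoring slides rely on, `show cts role-based counters` (slide 76 format) and the `%CTS-6-CTS_RBACL_STAT_LOG` syslog above, so that the hit counts can be fed to a dashboard or an alert instead of being read off the console. The sample text is constructed from the deck's slide 76, 95 and 98 output (one cell given an ALLOW_SQL body). The `sgt:unknown` handling is the part worth taking away: drops in those cells are from a source the switch could not classify, which is a missing binding rather than a policy decision.

```python
"""Parse 'show cts role-based counters' (which (src SGT, dst SGT) cells are
dropping traffic, and whether the source is 'unknown', i.e. a host with no
IP-SGT binding) and the CTS_RBACL_STAT_LOG syslog (per-ACE hit counts per
10 s polling period).  Added example, not Cisco code.  Sample text is
constructed from the deck's slide 76/95/98 output."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_COUNTERS = """\
RBACL policy counters enabled
Counters last cleared: 04/16/2014 at 06:28:11 PM
sgt:unknown dgt:19 [41677]
rbacl:Deny IP
deny ip [41677]
sgt:unknown dgt:24 [13269]
rbacl:Deny IP
deny ip [13269]
sgt:4 dgt:3 [0]
rbacl:Deny IP
deny ip [0]
sgt:6 dgt:12 [0]
rbacl:ALLOW_SQL
permit tcp dst eq 1433 [0]
deny ip [0]
sgt:7 dgt:3 [53769]
rbacl:Deny IP
deny ip [53769]
"""

SAMPLE_SYSLOG = [
    "2013 Jun 6 12:27:06 pghlab-55ka %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE deny ip log, "
    "Threshold exceeded: Hit count in 10s period = 11",
    "2013 Jun 6 12:27:16 pghlab-55ka %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE deny ip log, "
    "Threshold exceeded: Hit count in 10s period = 10",
    "2011 Sep 27 18:35:34 swo2-273 %$ VDC-1 %$ %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE "
    "permit all log, Threshold exceeded: Hit count in 10s period = 4",
    "2013 Jun 6 12:27:56 pghlab-55ka last message repeated 4 times",   # no count of its own
]

CELL_RE = re.compile(r"^sgt:(\S+)\s+dgt:(\S+)\s+\[(\d+)\]$")
RBACL_RE = re.compile(r"^rbacl:(.+)$")
ACE_RE = re.compile(r"^(permit|deny)\s+(.+?)\s+\[(\d+)\]$")
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) .*?"
    r"%CTS-6-CTS_RBACL_STAT_LOG: CTS ACE (?P<ace>.+?), Threshold exceeded: "
    r"Hit count in (?P<period>\d+)s period = (?P<hits>\d+)$"
)


def parse_counters(text: str) -> List[dict]:
    """One dict per cell: src, dst, total hits, rbacl name, [(ace, hits)]."""
    cells: List[dict] = []
    cell = None
    for line in text.splitlines():
        line = line.strip()
        m = CELL_RE.match(line)
        if m:
            cell = {"src": m[1], "dst": m[2], "total": int(m[3]),
                    "rbacl": None, "aces": []}
            cells.append(cell)
            continue
        if cell is None:
            continue                      # header lines before the first cell
        r = RBACL_RE.match(line)
        if r:
            cell["rbacl"] = r[1]
            continue
        a = ACE_RE.match(line)
        if a:
            cell["aces"].append((f"{a[1]} {a[2]}", int(a[3])))
    return cells


def deny_hotspots(cells: List[dict], min_hits: int = 1) -> List[Tuple[str, str, str, int]]:
    """(src, dst, rbacl, denied hits) for cells actually dropping traffic, busiest first."""
    out = []
    for c in cells:
        denied = sum(h for ace, h in c["aces"] if ace.startswith("deny"))
        if denied >= min_hits:
            out.append((c["src"], c["dst"], c["rbacl"], denied))
    return sorted(out, key=lambda t: -t[3])


def unclassified_sources(cells: List[dict]) -> List[Tuple[str, int]]:
    """Cells whose source is sgt:unknown.  Every hit here is a host the switch
    could not classify (no IP-SGT binding, VLAN-SGT forgotten, SXP peer down);
    fix the binding rather than the SGACL."""
    return [(c["dst"], c["total"]) for c in cells
            if c["src"] == "unknown" and c["total"] > 0]


def sum_syslog_hits(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Hits per (host, ACE) across STAT_LOG lines.  'last message repeated N
    times' lines are skipped: they carry no count of their own."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if m:
            totals[(m["host"], m["ace"])] += int(m["hits"])
    return dict(totals)


if __name__ == "__main__":
    parsed = parse_counters(SAMPLE_COUNTERS)
    print(deny_hotspots(parsed))
    print(unclassified_sources(parsed))
    print(sum_syslog_hits(SAMPLE_SYSLOG))
```

On the sample, the busiest deny cell is sgt:7 to dgt:3 on Deny IP, and the two `sgt:unknown` cells account for more than 50,000 dropped packets: on a real switch that is the list of destinations whose clients still lack an IP-SGT binding. The syslog totals are per host and ACE, which is the granularity the 10 s threshold messages give you.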
Monitoring
Data Center Server SGT Design Considerations
Orchestration
• Server SGTs can be assigned either statically or dynamically (less preferred)
– Statically: a manual IP-SGT binding must be entered on the data center switches
– Dynamically: servers would have to run 802.1X to authenticate to the network and be assigned an SGT via ISE. Server admins do not like to run dot1x on their server platforms, and not all platforms support dot1x
• When servers are decommissioned, their tags should be removed as part of the decom process; a binding left behind hands the old server's access to whatever is next assigned that IP address
"Typical" Process Before SGT Orchestration
Orchestration
• Server admin/LOB requests a new server
• The network team, the server team and the security team meet (sometimes multiple times) to plan VLAN, IP addressing, DNS, security profiles, etc.
– The server is turned up by the server team
– The network team must now go to the network devices and add the device's port to the VLAN, etc.
– The firewall team adds the destination IP address to the appropriate firewall rules or firewall groups
• All adds and deletes are a manual process!
Data Center Server SGT Orchestration
• Through the use of Data Center orchestration tools we can fully automate the provisioning of server IP-SGT/port profile bindings for VMs and bare-metal machines based on the selected service catalog in the automation provisioning portal
• We can also automate the removal of IP-SGT bindings when the server is decommissioned from the network
• In our use case example we will show how to use UCS Director (UCSD) orchestration suite to automate the server IP-SGT provisioning process
Orchestration
Benefits of SGT Orchestration
Orchestration
• Lower OPEX and time to provision: when deploying a server we reduce the number of people that need to touch the
– Network
– Server
– Security policies
• When a server is spun up from the provisioning portal, the IP-SGT binding is automatically provisioned to the network
• Once a server has its SGT, all SGACLs and SGFWs begin enforcing without anyone having to edit firewall rules every time a server comes on-line or goes offline
UCS Director Portal Screen
Orchestration
UCS Director Custom Task for Server SGT Deployment
Orchestration
• This assumes some knowledge of UCSD and workflow editing
• Create a workflow that
– Takes the IP address of the VM/bare-metal machine
– Logs into the DC switches
– Adds the IP-SGT mapping based on the service catalog (i.e. LOB1, LOB2, PCI)
How to Configure UCSD for Server SGT Deployment – Cont.
Orchestration
• Add this workflow to each service catalog for which we want an SGT deployed when the VM/bare-metal machine is ordered
SGT Automates the Firewall Rule Process!
Orchestration
A PCI DB server example:
• When the server is provisioned, the workflow runs
• It assigns the PCI DB SGT to the server's IP address on the DC switches
• The DC switches communicate the new IP-SGT binding via SXP to the firewall
• Immediately the firewall can enforce with no rule changes
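Added example (not UCS Director code, not from the deck): the command-generation step of the workflow the last three slides describe, written so that it reads the switch's existing `show cts role-based sgt-map` output first. That makes provisioning idempotent, lets decommissioning remove exactly the binding the orchestrator created, and gives a drift check between the catalog and the switch. The catalog-to-SGT table uses the deck's SGT values (PCI DB 111, LOB1 DB 222, LOB2 DB 333); the SGT bounds, the sample `sgt-map` output and the catalog item names are constructed for the example, and delivering the lines to the switch (SSH or NX-API) is left to the orchestrator.

```python
"""Generate the NX-OS IP-SGT binding commands an orchestration workflow pushes
when a server is ordered from a service catalog, and the reverse commands on
decommission, driven by what the switch already holds.  Added example, not
UCS Director or Cisco code: the catalog-to-SGT table uses the deck's values,
the SGT bounds are an assumption, and delivering the lines to the switches
(SSH, NX-API) is left to the orchestrator."""
import ipaddress
import re
from typing import Dict, List

CATALOG_SGT: Dict[str, int] = {"PCI-DB": 111, "LOB1-DB": 222, "LOB2-DB": 333}

# 'show cts role-based sgt-map' in the format the deck's slide 58 prints (constructed)
SAMPLE_SGT_MAP = """\
IP ADDRESS      SGT                      VRF/VLAN  SGT CONFIGURATION
10.1.200.10     2000(PCI_Servers)        vlan:200  Learnt through VLAN SGT configuration
10.1.100.26     2000(PCI_Servers)        vrf:1     CLI Configured
10.1.200.77     1000(Production_Servers)vrf:1     CLI Configured
"""

MAP_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<sgt>\d+)\(\S*\)\s*\S+\s+(?P<src>.+)$"
)


def parse_sgt_map(show_output: str) -> Dict[str, int]:
    """ip -> sgt for 'CLI Configured' bindings only.  VLAN-, SXP- or
    port-learnt rows are not owned by the orchestrator and are left alone."""
    owned: Dict[str, int] = {}
    for line in show_output.splitlines():
        m = MAP_RE.match(line.strip())
        if m and m["src"].strip() == "CLI Configured":
            owned[m["ip"]] = int(m["sgt"])
    return owned


def _checked(ip: str, sgt: int) -> str:
    addr = ipaddress.ip_address(ip)          # ValueError on anything odd
    if addr.version != 4:
        raise ValueError("this example handles IPv4 bindings only")
    if not 1 <= sgt <= 0xFFFE:               # assumed bounds: 0 = unknown, 0xFFFF reserved
        raise ValueError(f"SGT {sgt} out of range")
    return str(addr)


def provision_cmds(ip: str, catalog_item: str, current: Dict[str, int]) -> List[str]:
    """Commands to bind a new server to its catalog SGT.  Idempotent: nothing
    if the binding is already right; replaces a stale binding if different."""
    sgt = CATALOG_SGT[catalog_item]          # KeyError: item has no SGT, stop the workflow
    ip = _checked(ip, sgt)
    old = current.get(ip)
    if old == sgt:
        return []
    cmds = [] if old is None else [f"no cts role-based sgt-map {ip} {old}"]
    cmds.append(f"cts role-based sgt-map {ip} {sgt}")
    return cmds


def decommission_cmds(ip: str, current: Dict[str, int]) -> List[str]:
    """Remove the binding so the address cannot inherit the old server's
    access if it is reused; nothing if the switch holds no CLI binding."""
    ip = str(ipaddress.ip_address(ip))
    old = current.get(ip)
    return [] if old is None else [f"no cts role-based sgt-map {ip} {old}"]


def reconcile(desired: Dict[str, int], current: Dict[str, int]) -> List[str]:
    """Drift check between the catalog/CMDB view and the switch: fix wrong or
    missing bindings, drop bindings for servers no longer in the catalog."""
    cmds: List[str] = []
    for ip, sgt in sorted(desired.items()):
        old = current.get(ip)
        if old != sgt:
            if old is not None:
                cmds.append(f"no cts role-based sgt-map {ip} {old}")
            cmds.append(f"cts role-based sgt-map {ip} {sgt}")
    for ip, old in sorted(current.items()):
        if ip not in desired:
            cmds.append(f"no cts role-based sgt-map {ip} {old}")
    return cmds


if __name__ == "__main__":
    current = parse_sgt_map(SAMPLE_SGT_MAP)
    print(provision_cmds("10.1.200.80", "PCI-DB", current))
    print(decommission_cmds("10.1.200.77", current))
```

The workflow task runs `parse_sgt_map` on the switch output, then pushes whatever `provision_cmds` or `decommission_cmds` returns; `reconcile` run on a schedule against the catalog catches bindings that were added by hand or left behind after a failed decom, which is the failure mode the design-considerations slide warns about.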
ASA SGFW in Action
Orchestration
• The firewall dynamically learns the IP-SGT mapping via SXP from the core N7Ks (after the UCSD workflow inserts the IP-SGT mapping onto the switches automatically), and the new server then fits into the already existing SGFW rules
• Security admins no longer have to manually administer rules every time a server is spun up
ASA SGFW in Action (cont)
Orchestration
Summary
• SGTs build upon dynamic and static classification services to deliver software-defined network security
• SGTs provide a scalable role-based access control model for the enterprise data center and campus/branch topologies
• SGTs have migration strategies that allow customers to deploy with existing hardware
• SGT functions for the data center are deployable today
Cisco ISE & TrustSec Sessions: Building Blocks
• BRKSEC-2695 Building an Enterprise Access Control Architecture Using ISE and TrustSec (Mon 10:00am)
• BRKSEC-3697 Advanced ISE Services, Tips and Tricks (Tue 12:30pm)
• BRKSEC-3699 Designing ISE for Scale & High Availability (Wed 1:30pm)
• BRKSEC-3692 Deploying TrustSec SGTs in the Branch and Campus (Wed 4:00pm)
• BRKSEC-3691 Deploying TrustSec SGTs in the Data Center (Wed 8:00am)
• PSOSEC-2002 – Identity Services Engine (ISE 1.3 Update) (Mon 2:00pm)
Links
• Secure Access, TrustSec, and ISE on Cisco.com
– http://www.cisco.com/go/trustsec
– http://www.cisco.com/go/ise
– http://www.cisco.com/go/isepartner
• TrustSec and ISE Deployment Guides:
– http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
• YouTube: Fundamentals of TrustSec:
– http://www.youtube.com/ciscocin#p/c/0/MJJ93N-3Iew
Participate in the “My Favorite Speaker” Contest
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
– Your favorite speaker’s Twitter handle @trustsecshaun
– Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Promote Your Favorite Speaker and You Could be a Winner
Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
Inline Security Group Tagging
Frame layout (the slide's diagram, rendered as text):

DMAC | SMAC | 802.1AE Header (ETHTYPE: 0x88E5) | 802.1Q | CMD (CTS Meta Data, ETHTYPE: 0x8909) | PAYLOAD | ICV | CRC

CMD contents: Version | Length | SGT Opt Type | SGT Value (16 bit, 64K SGTs) | Other CMD Options

MACsec (optional, ETHTYPE: 0x88E5) encrypts the fields between the 802.1AE header and the ICV.

• The 802.1AE header, the CMD (ETHTYPE: 0x8909) and the ICV are the L2 802.1AE + TrustSec overhead
• The frame is always tagged at the ingress port of an SGT-capable device
• Tagging happens prior to other L2 services such as QoS
• No impact on IP MTU/fragmentation
• L2 frame MTU impact: ~40 bytes (~1600 bytes with 1552 bytes MTU)
• MACsec is optional for capable hardware
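To make the frame layout concrete, here is an added example (not Cisco code) that builds an Ethernet frame with an 802.1Q tag and an inline CMD carrying the SGT, then parses it back. The EtherTypes 0x8909 (CMD) and 0x88E5 (802.1AE) and the 16-bit SGT value come from the slide; the one-byte Version and Length fields, the SGT option-type value 0x0001 and the reading of Length as a count of 4-byte option words are assumptions made for the example. The parser refuses MACsec-protected frames, since the slide places the CMD inside the encrypted region, and reports truncated frames as errors rather than guessing.

```python
"""Build and parse Ethernet frames carrying an inline SGT in a Cisco MetaData (CMD) header.

Added illustration, not Cisco code. EtherTypes 0x8909 (CMD) and 0x88E5 (802.1AE) and the
16-bit SGT value are from the slide; the one-byte version and length fields, the option
type value 0x0001 and treating length as a count of 4-byte option words are assumptions.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETYPE_DOT1Q = 0x8100
ETYPE_MACSEC = 0x88E5   # 802.1AE SecTAG (from the slide); encrypted contents are not parsed
ETYPE_CMD = 0x8909      # Cisco MetaData (from the slide)
ETYPE_IPV4 = 0x0800
CMD_VERSION = 1         # assumed
CMD_OPT_SGT = 0x0001    # assumed option-type value for the SGT option


@dataclass
class ParsedFrame:
    dmac: bytes
    smac: bytes
    vlan: Optional[int]
    sgt: Optional[int]
    ethertype: int   # EtherType of the encapsulated payload (e.g. 0x0800)
    payload: bytes


def build_frame(dmac: bytes, smac: bytes, payload: bytes,
                ethertype: int = ETYPE_IPV4, vlan: Optional[int] = None,
                sgt: Optional[int] = None) -> bytes:
    """Assemble DMAC | SMAC | [802.1Q] | [CMD] | EtherType | payload (no FCS)."""
    frame = dmac + smac
    if vlan is not None:
        frame += struct.pack("!HH", ETYPE_DOT1Q, vlan & 0x0FFF)
    if sgt is not None:
        if not 0 <= sgt <= 0xFFFF:
            raise ValueError("SGT is a 16-bit value")
        # CMD: EtherType, version, length (1 = one 4-byte option), SGT option type, SGT value
        frame += struct.pack("!HBBHH", ETYPE_CMD, CMD_VERSION, 1, CMD_OPT_SGT, sgt)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk the L2 headers in order and pull the SGT out of the CMD if one is present."""
    try:
        dmac, smac = frame[:6], frame[6:12]
        off = 12
        vlan = sgt = None
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype == ETYPE_MACSEC:
            # The 802.1Q tag and CMD sit inside the MACsec-protected region of the frame
            raise ValueError("MACsec-protected frame: CMD is only visible after decryption")
        if etype == ETYPE_DOT1Q:
            (tci,) = struct.unpack_from("!H", frame, off)
            off += 2
            vlan = tci & 0x0FFF
            (etype,) = struct.unpack_from("!H", frame, off)
            off += 2
        if etype == ETYPE_CMD:
            _version, length = struct.unpack_from("!BB", frame, off)
            off += 2
            opt_end = off + 4 * length          # assumed: length counts 4-byte option words
            while off + 4 <= opt_end:
                opt_type, opt_value = struct.unpack_from("!HH", frame, off)
                off += 4
                if opt_type == CMD_OPT_SGT:
                    sgt = opt_value             # any other CMD option is skipped
            off = opt_end
            (etype,) = struct.unpack_from("!H", frame, off)
            off += 2
    except struct.error as exc:
        raise ValueError("truncated frame") from exc
    return ParsedFrame(dmac, smac, vlan, sgt, etype, frame[off:])


def sgt_overhead_demo():
    """Return (SGT, VLAN, bytes added by the CMD) for a constructed VLAN-tagged IPv4 frame."""
    dmac = bytes([0x00, 0x11, 0x22, 0x33, 0x44, 0x55])   # constructed
    smac = bytes([0x00, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE])   # constructed
    payload = b"\x45" + bytes(19)                        # constructed stub IPv4 header
    tagged = build_frame(dmac, smac, payload, vlan=100, sgt=12)
    plain = build_frame(dmac, smac, payload, vlan=100)
    parsed = parse_frame(tagged)
    return parsed.sgt, parsed.vlan, len(tagged) - len(plain)


if __name__ == "__main__":
    print(sgt_overhead_demo())
```

The 8 bytes reported for the CMD, plus the 802.1AE header and ICV, account for the ~40-byte L2 MTU impact the slide quotes; none of it touches the IP header, which is why the IP MTU is unaffected.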