Date post: 31-Jul-2018

Deploying TrustSec - Security Group Tags in the Data Center

BRKSEC-3691

Shaun White - @trustsecshaun

Technical Solutions Architect

© 2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-3691 Cisco Public

Agenda

• Security Group Tag (SGT) Review
• Use Case Review
• DC Design Consideration and Implementation
  – Design Considerations
  – Configuration
  – Monitoring
  – DC Orchestration
• Summary

Security Group Tag (SGT) Review

Policy: Who, What, Where, When, and How?

[Figure: Network Access Workflow. Cisco ISE performs identity profiling from the Wireless LAN Controller, DHCP, RADIUS, SNMP, NetFlow, HTTP and DNS (Unified Access Management). Steps: (1) IEEE 802.1X EAP user authentication; (2) profiling to identify the device as a personal asset or a company asset; (3) posture of the device; (4) policy decision; (5) enforce policy in the network; (6) full or partial access granted, either corporate resources or Internet only. Policy-governed unified access.]

Data Center Segmentation with TrustSec

[Figure: enterprise campus/branch access layer with Voice, PCI and Non-PCI endpoints, the enterprise core, and a data center behind a firewall holding servers with the PCI, NonPCI, LOB1 and LOB2 tags.]

• Current designs require a topology for each zone/classification

SGT/DGT*   PCI      NonPCI   LOB1     LOB2
PCI        Permit   DENY     Permit   DENY
NonPCI     DENY     Permit   DENY     Permit
LOB1       Permit   DENY     Permit   DENY
LOB2       DENY     Permit   DENY     Permit

• Regardless of topology or location, policy (SGT) stays with users, devices, and servers
• TrustSec simplifies policy management for intra/inter-VLAN traffic

* SGT is sometimes referred to as “Source Group Tag” as well
* DGT stands for “Destination Group Tag”

“State” – Traditional Role Based Access

[Figure: The “Complexity Cube” – operator, network management and physical network as the three axes of a traditional role-based access design.]

“State” – Desired End State

[Figure: The “Complexity Cube” – the same three axes (operator, network management, physical network) in the desired end state.]

High OPEX Security Policy Maintenance

Traditional ACL/FW rule – ACL for 3 source objects & 3 destination objects:

  permit NY to SRV1 for HTTPS
  deny NY to SAP2 for SQL
  deny NY to SCM2 for SSH
  permit SF to SRV1 for HTTPS
  deny SF to SAP1 for SQL
  deny SF to SCM2 for SSH
  permit LA to SRV1 for HTTPS
  deny LA to SAP1 for SQL
  deny LA to SAP for SSH

Adding a source object and a destination object (SJC and VDI in the slide) grows the list again:

  permit SJC to SRV1 for HTTPS
  deny SJC to SAP1 for SQL
  deny SJC to SCM2 for SSH
  permit NY to VDI for RDP
  deny SF to VDI for RDP
  deny LA to VDI for RDP
  deny SJC to VDI for RDP

[Figure: sources NY, SF, LA and SJC (subnets 10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24, …) against destinations DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) and DC-RTP (VDI) (subnets 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, …), the production servers.]

A global bank currently dedicates 24 global resources to managing firewall rules. The task stays complex and the high OPEX continues.

Reduced OPEX in Policy Maintenance

Security Group Filtering – source SGTs: Employee (10), BYOD (200); destination SGTs: Production_Servers (50), VDI (201)

  Permit Employee to Production_Servers eq HTTPS
  Permit Employee to Production_Servers eq SQL
  Permit Employee to Production_Servers eq SSH
  Permit Employee to VDI eq RDP
  Deny BYOD to Production_Servers
  Deny BYOD to VDI eq RDP

• Policy stays with users / servers regardless of location or topology
• Simpler auditing process (low OPEX cost)
• Simpler security operation (resource optimization) – e.g. the bank now estimates 6 global resources
• Clear ROI in OPEX

[Figure: the same sources (NY, SF, LA, SJC) and destinations (DC-MTV SRV1, DC-MTV SAP1, DC-RTP SCM2, DC-RTP VDI) now grouped as Employee, BYOD, Production Servers and VDI Servers.]

SGT Architecture Components

Policy Management: Identity Services Engine

Classification (WLAN, LAN, Remote Access (roadmap)): Catalyst 2K, Catalyst 3K, Catalyst 4K, Catalyst 6K, Nexus 7000, Nexus 6000, Nexus 5500, Nexus 1000v, WLC (7.4), 5760

Propagation: N7K (SXP/Inline), N6K (SXP Speaker/Inline), N5K (SXP Speaker/Inline), N1Kv (SXP Speaker/Inline (beta)), ASR1K (SXP/Inline), ISR G2 (SXP/Inline), ASA (SXP/Inline (beta)), Cat 2K-S (SXP), Cat 3K (SXP), Cat 3K-X (SXP/Inline), Cat 4K Sup7 (SXP/Inline), Cat 6K Sup720 (SXP), Cat 6K Sup2T (SXP/Inline)

Enforcement: N7K/N6K/N5K/N1KV (SGACL), Cat6K/4K (SGACL), Cat3K-X/3850 (SGACL), ASA (SGFW), ASR1K/ISRG2 (SGFW)

TrustSec Classification Functions

[Figure: classification methods and where they live. User/Device/Location (Cisco access layer, ISE): 802.1X, MAB, Web Auth and Profiling produce the SGT. Data Center/Virtualization (NX-OS, orchestration, hypervisors): VLAN-SGT, IP-SGT, Port Profile, Port-SGT. Campus & VPN access (IOS/routing): IPv4 prefix learning, IPv6 prefix learning, IPv6 Prefix-SGT, IPv4 Subnet-SGT, Addr.Pool-SGT, VLAN-SGT. Also shown: non-Cisco & legacy environments and business partner & supplier access controls.]

SGT Classification

Dynamic Classification (common classification for mobile devices):
• 802.1X/VPN Authentication
• MAC Auth Bypass
• Web Authentication

Static Classification (common classification for servers, topology-based policy, etc.):
• IP Address
• VLANs
• Subnets
• L2 Interface
• L3 Interface
• Virtual Port Profile
• Layer 2 Port Lookup
• Prefix learned via routing on port

Either way the result is an SGT and a process to map that SGT to an IP address.

SGT Propagation Mechanism

[Figure: wired and wireless access → campus core → enterprise backbone → DC core → DC distribution → DC physical and virtual access, with physical servers, a VM server and a PCI VM server (SGT 20, SGT 30) behind the DC firewall. A host 10.1.100.98 classified with SGT 50 (IP-SGT binding table entry: 10.1.100.98, SGT 50, source Local) is carried either inline (SGT=50 inside the L2 Ethernet frame, ASIC to ASIC, optionally encrypted) or over SXP to a non-SGT-capable device, whose binding table then shows 10.1.100.98, SGT 50, source SXP.]

• Inline Tagging (data plane): used if the device supports SGT in its ASIC
• SXP (control plane): shared between devices that do not have SGT-capable hardware

Tag when you can! SXP when you have to!

SGT Exchange Protocol

• Control plane protocol that conveys the IP-SGT map of users/hosts to the enforcement point
• SXP uses TCP as the transport layer
• Eases and accelerates deployment of TrustSec
• Supports single-hop SXP and multi-hop SXP (aggregation)
• Two roles: Speaker (initiator) and Listener (receiver)

[Figure: two access switches (speakers) → aggregation switch (SXP aggregation) → router (listener).]

SXP Versions

• Version 1: the initial SXP version; supports IPv4 binding propagation (N7K, N6K, N5K, N1KV – as of June 14)
  – This limits the NX-OS platforms to sharing unidirectionally, i.e. from access to aggregation/firewalls
  – Design impact shown later
• Version 2: adds support for IPv6 binding propagation and version negotiation (older switch and router IOS, ASA, WLC – prior to March 13)
• Version 3: adds support for Subnet/SGT binding propagation and expansion (6K only). If speaking to a lower-version listener it will expand the subnet
• Version 4: loop detection and prevention, capability exchange, built-in keepalive mechanism (newer switch and router IOS – after March 13)
  – Allows bidirectional IP/SGT sharing
  – Allows more flexible designs
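The version-dependent behaviour above, as an added Python example (it is not code from the deck or from Cisco): a speaker negotiates a version with its peer, sends Subnet/SGT bindings intact to a v3-or-later listener, expands them into host bindings for a v1/v2 listener, and drops IPv6 bindings when the peer is v1. The negotiation rule (lowest common version), the host-count guard and the sample bindings are assumptions made for the example; the subnets themselves are the ones shown later on the L3IF slide.

```python
"""Added example: SXP subnet expansion toward a lower-version listener.
Not code from BRKSEC-3691; field semantics follow the SXP Versions slide,
everything else (negotiation rule, guard, samples) is assumed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

SUPPORTS_IPV6 = 2     # v2 and later propagate IPv6 bindings
SUPPORTS_SUBNET = 3   # v3 and later propagate Subnet/SGT bindings unexpanded


@dataclass(frozen=True)
class Binding:
    prefix: str   # "10.1.100.98/32", "17.1.1.0/24", "2001:db8::1/128"
    sgt: int


def negotiate(speaker_version: int, listener_version: int) -> int:
    """Assumed rule: both sides run the highest version both support."""
    return min(speaker_version, listener_version)


def expand_subnet(binding: Binding, max_hosts: int = 1024) -> list[Binding]:
    """Turn one Subnet/SGT binding into one host binding per usable address.
    A /24 becomes 254 host bindings; max_hosts is a guard (assumption) so a
    mistakenly wide prefix does not flood the listener."""
    net = ipaddress.ip_network(binding.prefix, strict=False)
    hosts = list(net.hosts())
    if len(hosts) > max_hosts:
        raise ValueError(f"{binding.prefix} expands to {len(hosts)} hosts, over the {max_hosts} limit")
    return [Binding(f"{h}/{net.max_prefixlen}", binding.sgt) for h in hosts]


def bindings_to_send(bindings: list[Binding], speaker_version: int, listener_version: int) -> list[Binding]:
    """The binding list a speaker actually puts on the wire for a given peer."""
    version = negotiate(speaker_version, listener_version)
    out: list[Binding] = []
    for b in bindings:
        net = ipaddress.ip_network(b.prefix, strict=False)
        if net.version == 6 and version < SUPPORTS_IPV6:
            continue   # a v1 peer has no IPv6 binding support: cannot be sent
        if net.num_addresses > 1 and version < SUPPORTS_SUBNET:
            out.extend(expand_subnet(b))   # v3 subnet binding toward a v1/v2 peer
        else:
            out.append(b)
    return out


# Constructed sample: two partner subnets (SGT 8 and 9) and one host (SGT 50).
SAMPLE = [Binding("17.1.1.0/24", 8), Binding("43.1.1.0/24", 9), Binding("10.1.100.98/32", 50)]

if __name__ == "__main__":
    print(len(bindings_to_send(SAMPLE, 3, 2)), "bindings sent to a v2 listener")   # 254 + 254 + 1
    print(len(bindings_to_send(SAMPLE, 3, 3)), "bindings sent to a v3 listener")   # 3, unexpanded
```

The expansion is where the design impact lives: a v3 speaker with a handful of /24 bindings fans out to hundreds of host entries on every v2 listener, which is the binding-table and TCAM cost the later NX-OS slides talk about.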

SXP Informational Draft

• SXP is now published as an Informational Draft to the IETF, based on customer requests
• The draft is called ‘Source-Group Tag eXchange Protocol’ because of likely uses beyond security
• Specifies SXP v4 functionality with backwards compatibility to SXP v2 and v3
• http://www.ietf.org/id/draft-smith-kandula-sxp-00.txt

Inline Security Group Tagging

• Fastest and most scalable way to propagate SGT within a LAN or Data Center
• SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame
• Capable switches understand and process the SGT at line rate
• Protected by enabling MACsec (IEEE 802.1AE) – optional for capable hardware
• No impact to QoS, IP MTU/fragmentation
• L2 frame impact: ~20 bytes
• 16-bit field gives ~64,000 tag space
• A non-capable device might drop the frame: L3 processing will result in an improper offset lookup for IP, while L2-only forwarding may work

Ethernet frame with CMD: Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC
Cisco Meta Data: CMD EtherType (ETHTYPE 0x8909) | Version | Length | SGT Option Type | SGT Value | Other CMD Option
MACsec frame: Destination MAC | Source MAC | 802.1AE Header (ETHTYPE 0x88E5) | 802.1Q | CMD | ETHTYPE | PAYLOAD | 802.1AE | CRC, with AES-GCM 128-bit encryption

SGT Link Authentication and Authorization

Mode                          MACsec   MACsec Pairwise     MACsec Pairwise        Encryption cipher selection    Trust/propagation
                                       Master Key (PMK)    Transient Key (PTK)    (no-encap, null, GCM, GMAC)    policy for tags
cts dot1x                     Y        Dynamic             Dynamic                Negotiated                     Dynamic from ISE/configured
cts manual – with encryption  Y        Static              Dynamic                Static                         Static
cts manual – no encryption    N        N/A                 N/A                    N/A                            Static

• CTS manual is the strongly recommended configuration for SGT propagation
• “cts dot1x” takes the link down when AAA is down: tight coupling of link state and AAA state
• Some platforms (ISRG2, ASR1K, N6K, N5K, N1KV, ASA) only support cts manual/no encryption

SAP – The Key Derivation

[Figure: SAP key derivation diagram; no text was recovered from this slide.]

Enforcement – Ease of Data Center Provisioning

Manual: a new workload is provisioned, and firewalls must be manually updated with the new IP address & permissions.

Automated: the workload is provisioned with a security group attribute; with TrustSec policies applied to switches and firewalls, the firewall applies the correct security policy based on security group membership.

End to End SGT/SGACL Enforcement

[Figure: Cat3750X and WLC5508 at the access edge, enterprise backbone, Cat6500/Sup2T, Nexus 7000, N5600 and N2248 in the data center in front of the CRM and PCI servers.]

• End user authenticated and classified as Employee (5); packet SRC: 10.1.10.220, DST: 10.1.100.52, SGT: 5
• Destination classification: CRM = SGT 20, PCI = SGT 30 (DST: 10.1.100.52 → SGT 20; DST: 10.1.200.100 → SGT 30)
• FIB lookup at the egress switch returns the destination MAC/port and SGT 20; the SGACL for the (Employee, CRM) cell is applied

SRC\DST        CRM (20)   PCI (30)
Employee (5)   SGACL-A    Deny
BYOD (7)       Deny       Deny
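The egress decision on this slide, as an added Python example (not code from the deck or from Cisco): a binding lookup for the destination IP gives the DGT, the (source SGT, DGT) pair selects the matrix cell, and the cell's SGACL is evaluated first-match. The tags, addresses and matrix cells are the slide's; the contents of SGACL-A (permit HTTPS and SSH, then deny), the fallback to the Deny cell for an unclassified destination, and the extra CRM server added in the usage are assumptions.

```python
"""Added example: SGT/SGACL egress enforcement for the flows on the
'End to End SGT/SGACL Enforcement' slide. Not code from BRKSEC-3691."""
from __future__ import annotations
import ipaddress

# Destination classification held by the egress switch (IP-SGT bindings from the slide).
DST_BINDINGS = {
    "10.1.100.52": 20,    # CRM
    "10.1.200.100": 30,   # PCI
}

# SGACLs written as (action, protocol, destination port or None), i.e. the deck's
# 'permit tcp dst eq 443 ... deny ip' syntax. SGACL-A's contents are assumed.
SGACLS = {
    "SGACL-A": [("permit", "tcp", 443), ("permit", "tcp", 22), ("deny", "ip", None)],
    "Deny":    [("deny", "ip", None)],
}

# Egress policy matrix from the slide: (source SGT, destination SGT) -> SGACL name.
MATRIX = {
    (5, 20): "SGACL-A",   # Employee -> CRM
    (5, 30): "Deny",      # Employee -> PCI
    (7, 20): "Deny",      # BYOD -> CRM
    (7, 30): "Deny",      # BYOD -> PCI
}


def destination_sgt(dst_ip: str) -> int | None:
    """DGT derivation: the binding-table (FIB) lookup for the destination."""
    return DST_BINDINGS.get(str(ipaddress.ip_address(dst_ip)))


def evaluate_sgacl(acl: list, proto: str, dst_port: int | None) -> str:
    """First-match evaluation; 'ip' matches any protocol, a None port matches any port."""
    for action, acl_proto, acl_port in acl:
        if acl_proto != "ip" and acl_proto != proto:
            continue
        if acl_port is not None and acl_port != dst_port:
            continue
        return action
    return "deny"   # implicit deny at the end of an SGACL


def enforce(src_sgt: int, dst_ip: str, proto: str, dst_port: int | None, default_cell: str = "Deny") -> str:
    """Egress decision for one packet. An unclassified destination or an unknown
    (SGT, DGT) pair falls back to the default cell (assumption for the example)."""
    dgt = destination_sgt(dst_ip)
    cell = MATRIX.get((src_sgt, dgt), default_cell) if dgt is not None else default_cell
    return evaluate_sgacl(SGACLS[cell], proto, dst_port)


if __name__ == "__main__":
    print(enforce(5, "10.1.100.52", "tcp", 443))    # Employee -> CRM HTTPS: permit
    print(enforce(5, "10.1.100.52", "tcp", 3389))   # Employee -> CRM RDP: deny (falls to 'deny ip')
    print(enforce(5, "10.1.200.100", "tcp", 443))   # Employee -> PCI: deny cell
    print(enforce(7, "10.1.100.52", "tcp", 443))    # BYOD -> CRM: deny cell
    # Adding a second CRM server is a classification change only (constructed address);
    # the matrix and the SGACL do not grow, which is the OPEX point of the earlier slides.
    DST_BINDINGS["10.1.100.53"] = 20
    print(enforce(5, "10.1.100.53", "tcp", 22))     # permit, with no new rule written
```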

Egress Policy Enforcement – TCAM scaling

[Figure: sources with SGT=3, SGT=4 and SGT=5 cross the enterprise backbone toward Web_Server (SGT=7) and Time_Stamp_Server (SGT=10); SGACL enforcement happens on the switches at the server edge.]

Network devices download policies
• “only” when they have a device connected
• “only” for connected systems
• Egress filtering and dynamic download scales the TCAM of switches

Use Case Review

Common SGT Use Cases

[Figure: Resource Access Control (wired, SGT10 to SGT40 across networks NW1 to NW5), Data Center Server Segmentation (VMs and physical servers) and Secure Wi-Fi. A callout reads “This Session Focuses Here!”.]

PCI Compliance: Use Case applicable to most compliance requirements

[Figure: branch (register, workstation) across the WAN to the data center network and PCI server. Key: segmentation across company, PCI scope, segmentation enforcement.]

PCI Compliance

http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/trustsec_pci_validation.pdf

Security Group Firewall (SGFW) – ASA Data Center

[Figure: in the campus/branch network, security group tags are assigned based on attributes (user, location, posture, access type, device type) and the IP-SGT mappings are sent over SXP (e.g. 10.1.10.1 → Marketing (10)) to the data center. ISE holds the SGACL policies, ASDM/CSM holds the SGFW policies, and the SGT names are downloaded (SGT 10 = PCI_User, SGT 100 = PCI_Svr). Enforcement on a firewall (SGFW) or on a switch (SGACL).]

• Design considerations
  – Consistent classification/enforcement between FW and switching
  – SGT names synced between ISE and CSM/ASDM
  – Rich logging requirements will be fulfilled on the SGFW – URL logging, etc.
  – Switch logging is best effort via syslog (N7K/N5K) or NetFlow (Cat6K Sup2T)
  – Lower OpEx – automation of firewall rules for users “and” servers

Financial

• Multiple phases and use cases
• Currently enforcement on Catalyst switches
• User devices classified by 802.1X or MAB
• Servers defined by IP address or Nexus 1KV Port Profile
• Use cases
  – Controlled access to DC applications – for compliance
  – User – user control
  – DC segmentation

Manufacturer

Large manufacturing company deploying Secure Wi-Fi
• ACL needs to scale beyond 64 lines of ACL (>1,500) on the WLC
• SGT solution within the C6K chassis: WiSM2 aggregates AP traffic; policy enforcement on the Sup2T based on SGT
• Destination SGT values defined by IP & subnet
• Reduced IOS static ACL managing policy using the egress matrix – e.g. about 500 lines of ACL allowing HTTPS are now supported by a single line of SGACL:
  – permit tcp dst eq 443

[Figure: large campus wireless deployment – access points via CAPWAP tunnel to Cat6500 VSS systems (Sup2T + WiSM2 per chassis) in Campus C and Campus D, joined by SXP, with ISE, data center, branch office and Internet. Destination classifications: 10.y.y.0/24 = SGT 6, 10.x.x.0/24 = SGT 7, 192.168.32.0/24 = SGT 10, 10.z.z.0/24 = SGT 22, corporate network 10.0.0.0/8 = SGT 100. Source classifications: non-compliant mobile device = SGT 2 (Limited Access), compliant corporate asset = SGT 3 (Full Access).]

SGT Classification for VPN Remote Access Session

ASA VPN TrustSec Use Case: ASA (v9.2.1) and ISE 1.2 (Patch 5) required

Why TrustSec?
• Policy based on the remote access user’s connection context
• Enables consolidated policy for wired, wireless, and VPN RAS
• Simplifies VPN RAS design and helps to scale as the business grows
• Simplifies VPN contractor (or employee) to DC access policy
• Provides relatively simple deployment with security focused products
• Provides local (ASA RAS) or distributed enforcement (ASA in DC, DC switches, campus switches or routers)

Remote Access Today

[Figure: wireless/wired access (Policy Domain 1, with ISE and AD/LDAP) and Internet SSL-VPN on the ASA (Policy Domain 2) are separate: access policies are separated. Partners A, B and C are mapped to address pools (Pool A: 192.168.1.0/24, Pool B: 192.168.2.0/24, Pool C: 192.168.3.0/24), so policies are mapped to topology, with ingress filtering everywhere between RAS1/RAS2 and DC1/DC2, NW1/NW2.]

VPN User to DC Access

[Figure: RAS-US and RAS-EMEA SSL-VPN headends (Pool-A, Pool-B) classify PCI-User, Employee and Supplier-B sessions with their tags; traffic crosses the campus core to the data center firewall in front of the Employee, Supplier Apps and PCI Apps servers.]

• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers
• TrustSec simplifies VPN address / filtering management

Source               Destination          Service   Action
IP    Sec Group      IP    Sec Group
Any   Employee       Any   Supplier       HTTP      Allow
Any   PCI-User       Any   PCI Apps       HTTPS     Allow
Any   Supplier-B     Any   PCI Apps       TCP       Deny
Any   Any            Any   Any            Any       Deny

Multi-Tenant Data Center – Inside out classification

[Figure: “Yellow” BU and “Blue” BU branch offices and their 3rd-party suppliers reach the data center over the WAN through a core (transit) network; the data center hosts shared apps and BU apps.]

• DC has both shared apps and BU-specific apps
• DC router: tag “Yellow” apps with “Yellow”, tag “Shared” apps with “Purple”
• “Blue” BU classification: allow “Blue” & “Purple”; “Yellow” BU classification: allow “Yellow” & “Purple”
• BU routers accept their own SGT and the shared application SGT values

Multi-Tenant Data Center – Inside out classification (BU-level classifications)

• Shared and BU-specific apps flow properly; standard SGACLs simplify the base policy
• “Yellow” BU router: allow “Yellow” & “Purple”
• DC router: tag “Yellow” apps with “Yellow”, tag “Shared” apps with “Purple”
• “Blue” BU router: allow “Blue” & “Purple”

TrustSec Platform Support

Classification: Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C/-X; Catalyst 3750-E/-X; Catalyst 4500E (Sup6E/7L-E); Catalyst 4500E (Sup8E); Catalyst 6500E (Sup720/2T), 6880X; Catalyst 3850, 3650; WLC 5760; Wireless LAN Controller 2500/5500/WiSM2; Nexus 7000; Nexus 5500; Nexus 1000v (Port Profile); ISR G2 Router, CGR2000

Propagation (SXP and/or inline SGT per platform, some marked beta or Q3CY14 in the original table): Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C, 3750-E; Catalyst 3560-X, 3750-X; Catalyst 3650, 3850; Catalyst 4500E (Sup6E); Catalyst 4500E (Sup 7E)***, 4500X; Catalyst 4500 (Sup8E)***; Catalyst 6500E (Sup720); Catalyst 6500E (Sup 2T)**** / 6880X; WLC 2500, 5500, WiSM2**; WLC 5760; Nexus 1000v; Nexus 5500/22xx FEX**; Nexus 7000/22xx FEX; ISRG2, CGR2000; ASR1000; ASA5500(X) Firewall, ASASM; IE2000/3000, CGS2000; ASA5500X, ASAv (VPN RAS); GETVPN and IPsec transport on the routers
• All ISRG2 inline SGT (except C800): today
• ISRG2/ASR1K: DMVPN, FlexVPN: Q3CY14

Enforcement: Catalyst 3560-X; Catalyst 3750-X; Catalyst 4500E (Sup7E); Catalyst 4500E (Sup8E); Catalyst 6500E (Sup2T) / 6880X; Catalyst 3850, 3650; WLC 5760; Nexus 7000; Nexus 5500/5600; Nexus 1000v (SGACL on the switches); ISR G2 Router, CGR2000 (SGFW); ASA 5500/5500X Firewall, ASAv (SGFW; ASAv beta); ASR 1000 Router (SGFW); Nexus 6000: Q3CY14

** WLC 2500, 5500, WiSM2, Nexus 5K only support the SXP Speaker role
*** 4500E (Sup7E/8E) requires 47XX line cards for inline SGT
**** 6500 (Sup2T) requires 69xx line cards for inline SGT

DC Design Consideration and Implementation

DC Design Consideration

[Figure: SGT Transport 2014 – reference topology. Campus Access Block: Cat4500 ×3, Cat3750-X, Cat3850, Cat3560-X ×2, 5508 WLC, 5760 WLC, APs. Core Block: Cat6500/Sup2T ×2. Internet Edge Block: ASA RA-VPN (SSL-VPN RAS), ASA+IPS+CX, Web Security Appliance, DMZ switch, outside switch, Internet. DC Block: N7K ×2, N5K ×2, N2248, N2K, Nexus 6000, N1KV, UCS VDI Infra, ASA ×2, ASAv, CSR1KV, ASR1K. Branch Block: ISR G2 routers over IPsec, DM-VPN and GET-VPN, C800 (CVO), ISE 1.2. All devices are SGT-capable; links are marked as normal link, in-line SGT tagging, SXP or SXPv2.]

[Figure: SGT Enforcement Q3 2014 – the same topology (an N6K in place of the second N5K) with the enforcement function per block: SGACL on the campus access switches, the 5508 WLC, the Nexus 7000/6000 and the Cat6500/Sup2T; ZBSGFW on the IOS routers (ISR G2, ASR1K); SGFW on the ASA firewalls.]

Customer End State in the Data Center

[Figure: ISE provides the policy. PCI users and LOB2 users in the branch/campus reach the core network; the Business Partner/VPN edge carries PCI_RAS users and LOB2_Business Partner sessions, with SXP into the data center. The data center is split into Risk Level 1 and Risk Level 2 zones holding PCI_Web, PCI_App, PCI_DB and LOB2_DB.]

Hardware Forwarding SGT/SGACL Today

• Two groupings of hardware forwarding for SGACL
  – Port/VLAN based: Catalyst 3K-X, Nexus 5500
  – IP/SGT based: Nexus 7000 (M series and F series), Nexus 6000/5600, Cat 6K/Sup2T, Cat 4K/Sup7E/Sup8E, Cat 3850/5760, ASR1K
• Each type of hardware has different scaling limits
  – There are limits on the number of SGT/DGT as well as Access Control Entries (ACE) in TCAM
  – All hardware shares ACE entries when possible amongst SGT/DGT
• Each type of hardware has different logging and monitoring capabilities
  – Counters
  – ACE logging
  – NetFlow with SGT/DGT

Nexus 5500 SGT and DGT Derivation

[Figure: Ingress path (SGT derivation) – the SGT comes from the packet, from the VLAN table, or from static config; ingress tagging is done only if cts is enforced on the VLAN. Egress path (DGT derivation and SGACL) – port DGT: each port has one DGT (which is also used as the SGT in the ingress) associated with it. The SGACL is selected on DGT/SGT.]

N7K M series SGT and DGT Derivation

[Figure: Ingress path (SGT derivation) – the SGT comes from the packet, from the L3/FIB table, or from ingress-port-based static config. Egress path (DGT derivation and SGACL) – IP prefix DGT: in the L3/FIB table each prefix has an associated DGT. A number of SGT (DGT) assignment sources, e.g. SXP, VLAN-SGT, are evaluated by the TrustSec software against a priority list, and the winning result is programmed into the L3/FIB table (priority control between sources).]

N7K F series SGT and DGT Derivation

[Figure: Ingress path (SGT derivation) – the SGT comes from the packet, from the IP/SGT CAM table, or from ingress-port-based static config. Egress path (DGT derivation and SGACL) – IP prefix DGT: in the IP/SGT CAM table each prefix has an associated DGT. As on the M series, the SGT (DGT) assignment sources, e.g. SXP, VLAN-SGT, are evaluated against a priority list and the winning result is programmed into the L3/FIB table.]

Implications of Hardware Forwarding Capabilities

• Port/VLAN based hardware
  – Limited SXP applicability due to the SGT derivation on MAC/port
  – Limited number of SGTs per port (one per VLAN/port)
• IP/SGT based hardware
  – Allows bidirectional SXP – “however”, the NX-OS SXP code is v1, so it can’t support it in software until it is upgraded to SXPv4 (roadmap item)
  – Allows multi-hop SXP coming into the switch due to the FIB lookup for IP/SGT
  – Tagging/enforcement for incoming packets due to the FIB lookup for IP/SGT
  – Scale varies per platform. Think hundreds of groups with simple reused permissions (ACEs)
• N5K is limited since it can’t find the SGT via SXP
  – No N5K SXP listener – even for L2-adjacent hosts
  – N5K can’t be a listener for an N1KV
• The N6K ASIC is capable of the SXP listener role, but it is not supported in current code
• N1KV is software forwarding, “but” it is reliant on NX-OS platform-independent code from the N7K, so it can only be a speaker in current code

Business Partner and VPN Edge – Design Considerations

• Is this really Data Center related? In Cisco’s experience these connections “typically” are a block on the edge of the DC
• It is also the most common place Cisco is asked for the ability to classify based on the routes or the interface of a business partner/contractor/joint venture, etc.
• This has driven the need to be able to classify on routing aggregators and VPN devices

Layer 3 Interface to SGT – L3IF

• Route prefix monitoring on a specific Layer 3 port with mapping to the associated SGT
• Can be applied to Layer 3 interfaces regardless of the underlying physical interface:
  – Routed port, SVI (VLAN interface), Layer 3 subinterface of a Layer 2 port, tunnel interface
  – Makes the prefixes available for export in SXP
• ISR/ASR1K/Cat6K

[Figure: an ASR1K at the DC edge receives route updates for 17.1.1.0/24 on the Business Partners interface (SGT 8) and for 43.1.1.0/24 and 49.1.1.0/24 on the Joint Ventures interface (SGT 9); behind it the DC access is a hypervisor switch and an EOR switch.]

ASR1K#show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address        SGT   Source
========================================
11.1.1.2          2     INTERNAL
12.1.1.2          2     INTERNAL
13.1.1.2          2     INTERNAL
17.1.1.0/24       8     L3IF
43.1.1.0/24       9     L3IF
49.1.1.0/24       9     L3IF

Layer 3 Interface to SGT – Port/SGT mapping

• Port to interface mapping does not learn IP prefixes via route learning
• All traffic coming into the interface is tagged with the SGT on the interface
• Will not make the learned prefixes available in SXP

[Figure: the same ASR1K edge, but the Business Partners interface (local int 14.1.1.1) is mapped to SGT 8 as a whole; route updates for 17.1.1.0/24, 43.1.1.0/24 and 49.1.1.0/24 still arrive but create no bindings.]

ASR1K#show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address        SGT   Source
========================================
11.1.1.2          2     INTERNAL
12.1.1.2          2     INTERNAL
13.1.1.2          2     INTERNAL
14.1.1.1/24       2     INTERNAL
14.1.1.0/24       8     L3IF
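The binding table behind the two show outputs above and the N7K derivation slides, as an added Python example (not code from the deck or from Cisco): bindings from several assignment sources are installed with a priority rule for the same prefix, and the destination group tag is derived by longest-prefix match, which is what the FIB lookup does. The deck says the sources are evaluated against a priority list but does not give the order, so the order used here (INTERNAL > CLI > VLAN > SXP > L3IF) is an assumption; the sample entries are the ASR1K outputs above (the 14.1.1.1 interface address is taken as a /32 here, an assumption), and the extra host bindings in the usage are constructed.

```python
"""Added example: IP-SGT binding table with source priority and LPM lookup.
Not code from BRKSEC-3691; the priority order is assumed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Lower number wins when two sources claim the same prefix (assumed order).
SOURCE_PRIORITY = {"INTERNAL": 0, "CLI": 1, "VLAN": 2, "SXP": 3, "L3IF": 4}


@dataclass(frozen=True)
class Binding:
    prefix: ipaddress.IPv4Network
    sgt: int
    source: str


class BindingTable:
    def __init__(self) -> None:
        self._table: dict[ipaddress.IPv4Network, Binding] = {}

    def add(self, prefix: str, sgt: int, source: str) -> Binding:
        """Install a binding. A lower-priority source never overwrites a
        higher-priority one for the same prefix; whatever wins is what would
        be programmed into the FIB ('priority control between sources')."""
        net = ipaddress.ip_network(prefix, strict=False)
        current = self._table.get(net)
        if current is None or SOURCE_PRIORITY[source] <= SOURCE_PRIORITY[current.source]:
            self._table[net] = Binding(net, sgt, source)
        return self._table[net]

    def lookup(self, ip: str) -> Binding | None:
        """Longest-prefix match: the way the FIB lookup derives the DGT."""
        addr = ipaddress.ip_address(ip)
        best: Binding | None = None
        for net, binding in self._table.items():
            if addr in net and (best is None or net.prefixlen > best.prefix.prefixlen):
                best = binding
        return best

    def entries(self) -> list[Binding]:
        return sorted(self._table.values(), key=lambda b: (int(b.prefix.network_address), b.prefix.prefixlen))


def l3if_table() -> BindingTable:
    """The L3IF slide: prefixes learned on the partner and JV interfaces are bound."""
    t = BindingTable()
    for prefix, sgt, source in [("11.1.1.2/32", 2, "INTERNAL"), ("12.1.1.2/32", 2, "INTERNAL"),
                                ("13.1.1.2/32", 2, "INTERNAL"), ("17.1.1.0/24", 8, "L3IF"),
                                ("43.1.1.0/24", 9, "L3IF"), ("49.1.1.0/24", 9, "L3IF")]:
        t.add(prefix, sgt, source)
    return t


def port_sgt_table() -> BindingTable:
    """The Port/SGT slide: only the interface's own subnet is bound, so the
    learned partner prefixes are absent and cannot be exported over SXP."""
    t = BindingTable()
    for prefix, sgt, source in [("11.1.1.2/32", 2, "INTERNAL"), ("12.1.1.2/32", 2, "INTERNAL"),
                                ("13.1.1.2/32", 2, "INTERNAL"), ("14.1.1.1/32", 2, "INTERNAL"),
                                ("14.1.1.0/24", 8, "L3IF")]:
        t.add(prefix, sgt, source)
    return t


if __name__ == "__main__":
    t = l3if_table()
    print(t.lookup("17.1.1.25"))        # partner host -> SGT 8 via the /24 from L3IF
    t.add("17.1.1.50/32", 60, "SXP")    # constructed: a more specific host binding learnt by SXP
    print(t.lookup("17.1.1.50"))        # SGT 60: longer prefix wins over the /24
    t.add("17.1.1.50/32", 70, "CLI")    # constructed: CLI outranks SXP for the same /32
    t.add("17.1.1.50/32", 61, "SXP")    # SXP cannot overwrite the CLI binding
    print(t.lookup("17.1.1.50"))        # SGT 70
    print(port_sgt_table().lookup("17.1.1.25"))   # None: nothing for the partner prefix
```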

RAS VPN – Considerations

• ASA supports SGT classification for RAS VPN – mix and match classifications in the same subnet/DHCP pool if you’d like
• “Most” concentrators allow users/groups to be mapped to specific DHCP pools or VLANs
• Older ASA and 3rd party VPN concentrators are supported via Subnet/SGT or L3IF on the upstream router

[Figure: a RAS VPN ASA (dynamic classification) and a 3rd-party VPN (static classification) both feed SXP through the core to the DC ASA in front of PCI_Web and LOB1_Web; ISE and an external cloud complete the picture.]

External Classification to Data Center Traffic Flow

• How do I handle an ASA only supporting SXP fronting DC resources?
• How do I handle 3rd party services sitting in front of the DC?
  – IPS
  – SLB
  – Firewall
• Two options
  – Build SXP from the access layer to the DC
  – Use inline tagging transport to the DC services layer and use SGT caching

SGT Caching Overview

• As tagged packets arrive, the SGT is removed and cached. Untagged packets are sent to the DPI services. Upon receipt from DPI at the egress, packets are retagged with the appropriate SGT
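The inline frame format from the earlier Inline Security Group Tagging slide and the strip/cache/retag behaviour described here, as one added Python example (not code from the deck or from Cisco): a parser walks the EtherType chain (802.1Q, then CMD at EtherType 0x8909) to find the SGT, `naive_ethertype` shows what a CMD-unaware device reads at the usual EtherType offset, and `SgtCache` removes the CMD header on the way to the DPI service, caches source IP → SGT, and reinserts the header on the way back. The deck names the CMD fields and the EtherType; the field widths (version 1 byte, length 1 byte, option type 2 bytes, SGT 2 bytes), the cache keyed on source IP, the sample MACs and the minimal IPv4 header are assumptions made for the example.

```python
"""Added example: CMD (inline SGT) parsing, stripping and re-tagging with an
IP-to-SGT cache. Not code from BRKSEC-3691; header widths are assumed."""
from __future__ import annotations
import struct

ETHERTYPE_CMD = 0x8909      # Cisco Meta Data, from the slide
ETHERTYPE_DOT1Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
CMD_SGT_OPTION = 0x0001     # assumed option type value for the SGT option
CMD_LEN = 8                 # EtherType(2) + version(1) + length(1) + option type(2) + SGT(2), assumed

# Constructed sample addresses.
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
# Constructed minimal IPv4 header (20 bytes): src 10.65.1.9, dst 10.1.100.52, as on the services slide.
IPV4_HDR = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0, 10, 65, 1, 9, 10, 1, 100, 52])


def cmd_header(sgt: int) -> bytes:
    return struct.pack("!HBBHH", ETHERTYPE_CMD, 1, 1, CMD_SGT_OPTION, sgt)


def build_frame(dst_mac: bytes, src_mac: bytes, sgt: int | None, ip_payload: bytes) -> bytes:
    """Plain IPv4 frame when sgt is None, otherwise the CMD header sits between the MACs and 0x0800."""
    cmd = b"" if sgt is None else cmd_header(sgt)
    return dst_mac + src_mac + cmd + struct.pack("!H", ETHERTYPE_IPV4) + ip_payload


def parse_frame(frame: bytes) -> dict:
    """Follow 802.1Q and CMD headers until the payload EtherType is reached."""
    offset = 12
    info: dict = {"sgt": None, "vlan": None}
    while True:
        etype = struct.unpack_from("!H", frame, offset)[0]
        if etype == ETHERTYPE_DOT1Q:
            info["vlan"] = struct.unpack_from("!H", frame, offset + 2)[0] & 0x0FFF
            offset += 4
        elif etype == ETHERTYPE_CMD:
            version, _length, opt, sgt = struct.unpack_from("!BBHH", frame, offset + 2)
            if version != 1 or opt != CMD_SGT_OPTION:
                raise ValueError("unsupported CMD header")
            info["sgt"], info["cmd_offset"] = sgt, offset
            offset += CMD_LEN
        else:
            info["ethertype"], info["payload_offset"] = etype, offset + 2
            return info


def naive_ethertype(frame: bytes) -> int:
    """What a CMD-unaware device reads at the fixed EtherType offset: 0x8909 rather than
    0x0800, so its IP header lookup lands at the wrong offset (the 'improper offset' case)."""
    return struct.unpack_from("!H", frame, 12)[0]


def src_ip(frame: bytes, payload_offset: int) -> str:
    return ".".join(str(b) for b in frame[payload_offset + 12: payload_offset + 16])


class SgtCache:
    """Strip the tag toward a DPI service and restore it afterwards from a source-IP cache."""

    def __init__(self) -> None:
        self.ip_to_sgt: dict[str, int] = {}

    def ingress(self, frame: bytes) -> bytes:
        info = parse_frame(frame)
        if info["sgt"] is None:
            return frame
        self.ip_to_sgt[src_ip(frame, info["payload_offset"])] = info["sgt"]
        off = info["cmd_offset"]
        return frame[:off] + frame[off + CMD_LEN:]   # drop the 8-byte CMD header

    def egress(self, frame: bytes) -> bytes:
        info = parse_frame(frame)
        if info["sgt"] is not None:
            return frame
        sgt = self.ip_to_sgt.get(src_ip(frame, info["payload_offset"]))
        if sgt is None:
            return frame   # cache miss: forwarded untagged, so the next SGACL hop sees no SGT
        off = info["payload_offset"] - 2          # just before the payload EtherType
        return frame[:off] + cmd_header(sgt) + frame[off:]


if __name__ == "__main__":
    cache = SgtCache()
    tagged = build_frame(DST_MAC, SRC_MAC, 8, IPV4_HDR)
    print(hex(naive_ethertype(tagged)), parse_frame(tagged)["sgt"])   # 0x8909 8
    stripped = cache.ingress(tagged)
    print(hex(naive_ethertype(stripped)), cache.ip_to_sgt)             # 0x800 {'10.65.1.9': 8}
    print(cache.egress(stripped) == tagged)                           # True
```

A cache miss is the failure mode to watch: an untagged packet whose source was never seen tagged leaves the services layer untagged, so any SGACL or SGFW downstream classifies it as unknown rather than as its real group.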

Services with SGT Caching

[Figure: DC access layer with SGACL-enabled devices and physical servers. SGT caching on the C6500/N7K caches IP-SGT mappings from the data plane and sends the IP-SGT mappings to the ASA in SXP. Security Group Firewalling: firewall rule automation using ASA SG-Firewall functions on the SG Firewall-enabled device. Service chaining possible with 3rd party devices for Server Load Balancing (SLB), Intrusion Prevention Services (IPS), etc. Example flow: SRC 10.65.1.9, DST 10.1.100.52, SGT 8 arrives as SGT tagged traffic; the cache holds 10.65.1.9 → 8 (Employee_Full); the traffic through the services is untagged and carries SGT 8 again afterwards.]

Nexus 5500 TrustSec Capabilities

• No SXP listener – SXP speaker only
• Port/SGT only – no port profile supported in current code
• 128 SGACL TCAM entries available per bank of 8 ports; 4 are default entries, so effectively only 124 are available for feature use
• The sum of the SGACL entries per 8-port bank cannot contain more than 124 permissions in total (3 + 9 in this example)
• SGACLs can be reused extensively
• 2000+ SGT,DGT combinations on a N5500 reusing 124 lines of permissions

WEB-ACL:
  permit tcp dst eq 443
  permit tcp dst eq 80
  deny ip

HR-DB-ACL:
  permit tcp dst eq 443
  permit tcp dst eq 80
  permit tcp dst eq 22
  permit tcp dst eq 135
  permit tcp dst eq 136
  permit tcp dst eq 137
  permit tcp dst eq 138
  permit tcp dst eq 139
  deny ip
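The per-bank TCAM budget on this slide, as an added Python example (not code from the deck or from Cisco): the two SGACLs above are parsed from the deck's one-line ACE syntax, matrix cells are mapped to the 8-port bank of their egress port, and each bank's distinct SGACLs are summed against the 124 usable entries. Assumptions made for the example: ports 1-8 form bank 0, 9-16 bank 1, and so on; an SGACL's ACEs are counted once per bank however many SGT/DGT cells reference it (the reuse the slide describes); and the third, oversized SGACL and the cell list are constructed.

```python
"""Added example: Nexus 5500 SGACL TCAM budget check per 8-port bank.
Not code from BRKSEC-3691; bank mapping and cell list are assumed."""
from __future__ import annotations

TCAM_PER_BANK = 128
DEFAULT_ENTRIES = 4
USABLE = TCAM_PER_BANK - DEFAULT_ENTRIES   # 124 entries left for feature use

SGACLS = {
    "WEB-ACL": "permit tcp dst eq 443 permit tcp dst eq 80 deny ip",
    "HR-DB-ACL": ("permit tcp dst eq 443 permit tcp dst eq 80 permit tcp dst eq 22 "
                  "permit tcp dst eq 135 permit tcp dst eq 136 permit tcp dst eq 137 "
                  "permit tcp dst eq 138 permit tcp dst eq 139 deny ip"),
}
# Constructed: a 121-ACE SGACL that cannot share a bank with the other two.
SGACLS["BIG-ACL"] = " ".join(f"permit tcp dst eq {p}" for p in range(1000, 1120)) + " deny ip"


def parse_sgacl(text: str) -> list[str]:
    """Split a one-line SGACL, as printed on the slide, into its ACEs:
    every 'permit' or 'deny' keyword starts a new entry."""
    aces: list[list[str]] = []
    for tok in text.split():
        if tok in ("permit", "deny"):
            aces.append([tok])
        elif aces:
            aces[-1].append(tok)
        else:
            raise ValueError(f"SGACL text must start with permit/deny, got {tok!r}")
    return [" ".join(a) for a in aces]


def bank_of(port: int) -> int:
    """Assumed: consecutive groups of 8 front-panel ports share one TCAM bank."""
    return (port - 1) // 8


def tcam_usage(sgacls: dict[str, str], cells: list[tuple[int, int, str, int]]) -> dict[int, dict]:
    """cells are (src_sgt, dst_sgt, sgacl_name, egress_port) matrix entries.
    Per bank: the distinct SGACLs programmed, how many cells share them,
    the ACEs consumed, and whether that fits in the 124 usable entries."""
    usage: dict[int, dict] = {}
    for _src, _dst, name, port in cells:
        bank = usage.setdefault(bank_of(port), {"sgacls": set(), "cells": 0})
        bank["sgacls"].add(name)
        bank["cells"] += 1
    for bank in usage.values():
        bank["aces"] = sum(len(parse_sgacl(sgacls[n])) for n in sorted(bank["sgacls"]))
        bank["fits"] = bank["aces"] <= USABLE
    return usage


# Constructed cells: WEB-ACL and HR-DB-ACL reused by five SGT/DGT pairs on ports 1-8
# (bank 0), and BIG-ACL placed on port 9 alongside both on ports 9-10 (bank 1).
CELLS = [
    (5, 20, "WEB-ACL", 1), (7, 20, "WEB-ACL", 1), (9, 20, "WEB-ACL", 4),
    (5, 30, "HR-DB-ACL", 3), (9, 30, "HR-DB-ACL", 8),
    (5, 40, "BIG-ACL", 9), (5, 20, "WEB-ACL", 9), (5, 30, "HR-DB-ACL", 10),
]

if __name__ == "__main__":
    for bank, u in sorted(tcam_usage(SGACLS, CELLS).items()):
        print(f"bank {bank}: {u['cells']} cells, {len(u['sgacls'])} SGACLs, "
              f"{u['aces']} ACEs, fits={u['fits']}")
    # bank 0: 5 cells, 2 SGACLs, 12 ACEs (3 + 9), fits=True
    # bank 1: 3 cells, 3 SGACLs, 133 ACEs, fits=False
```

Bank 0 is the slide's case: five cells share twelve ACEs, so the matrix can keep growing without touching the TCAM as long as it reuses the same SGACLs. Bank 1 shows what to check before adding a long SGACL to a port group that already carries others.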

Nexus 6000 TrustSec Capabilities

• Current shipping code is similar to the N5500 platform
  – 128 ACEs for configuration
  – No SXP listener – only SXP speaker
  – Port/SGT definition only
• Logs are like the Nexus 7000 platform
• The ASIC is an L3 ASIC, which allows future IP/SGT capabilities

Nexus 7000 TrustSec Capabilities -

• SGT/SGACL supported on M series, F1, F2, F2E cards as of 6.2(6a)

• SGT/SGACL support on F3 as of 6.2(10) ~ Q3CY14

• N7K does all enforcement via IP/SGT programming in ASICs. This creates an interesting design case.

• In the case where the N7K is performing intra-VLAN policy (within the same VLAN)

• The N7K MUST have an SVI on the VLAN

• If N7K is L2 only then create an SVI w/o IP to be able to snoop ARP/DHCP to discover the IP

• This allows the IP/SGT to be programmed properly for intra vlan filtering

56

Design Considerations

Example: SVI without an IP address on an L2-only N7K (the figure shows LOB1, LOB2 and PCI_DB servers behind the N7K):

N7K-DST1# sho run int vlan 3207

interface Vlan3207
  no shutdown


NX-OS Large Scale SGACL

• Large numbers of SGT/DGT cells and SGACLs on N7K/N6K/N5K require new handling of SGACLs.

• Large policies can also exceed a single RADIUS packet, so the below releases introduce RADIUS SGACL fragmentation to spread the SGACL policies across multiple packets.

– N7000 – 6.2(6) onwards

– N5600/6000 – 7.0

– N5500 – 6.0(2)N2 onwards

• N7000 and N5500 require a batch programming command to scale SGACLs

N7K-DST1(config-vlan)# cts role-based policy batched-programming enable

Design Considerations

57


VLAN Designating Risk Levels / Security Zones

• Often a VLAN is equal to a Risk Level/Security Zone

• In many cases ingress/egress ACLs are used to control flows between VLANs

• VLAN/SGT can be used on the Nexus 7000 to reduce TCAM usage substantially

• ACL conversion has shown 60% to 88% TCAM reduction

• Distribution layer enforcement allows any compute; this does assume that traffic within a VLAN is permissible

• Flows to other risk levels/security zones are still enforced on the firewall

• N7K – 6.2 release

(Figure: campus network in front of ISE; VLAN 100 / Risk Level 1 holds PCI_Web and PCI_App, VLAN 200 / Risk Level 1 holds LOB_App servers)

N7K-DST1(config)# vlan 100
N7K-DST1(config-vlan)# cts role-based sgt 100

N7K-DST1# sho cts role-based sgt-map
IP ADDRESS      SGT                       VRF/VLAN   SGT CONFIGURATION
10.1.200.10     2000(PCI_Servers)         vlan:200   Learnt through VLAN SGT configuration
10.1.200.77     2000(PCI_Servers)         vlan:200   Learnt through VLAN SGT configuration
10.1.100.26     2000(PCI_Servers)         vrf:1      CLI Configured
10.1.200.77     1000(Production_Servers)  vrf:1      CLI Configured

Design Considerations

58

Data Center Configuration


DC Traffic Segmentation with SGT

Configuration

(Figure: Data Center with PCI DB (111), LOB1 DB (222), LOB2 DB (333) and Security Server (444) VMs/bare metal behind Nexus 55XXs and Nexus 7000s, ISE and the core network; SGACLs PCI-LOB1-ACL and PCI-LOB2-ACL are applied at the enforcement points)

• Servers are assigned SGTs via static port profile/port/IP-SGT map

• Servers attempt to communicate east-west

• Traffic hits the egress enforcement point

• Only the permitted traffic path (source SGT to destination SGT) is allowed

• Traffic enforcement is distributed across 5K, 6K and 7K

• PCI-DB to LOB1-DB hits SGACL PCI-LOB1-ACL on 5K

• PCI-DB to LOB1-DB hits SGACL PCI-LOB1-ACL on 7K

SRC \ DST              PCI DB (111)    LOB1 DB (222)   LOB2 DB (333)   Security Server (444)
PCI DB (111)           Permit All      PCI-LOB1-ACL    PCI-LOB2-ACL    Deny All
LOB1 DB (222)          PCI-LOB1-ACL    Permit All      Deny All        Deny All
LOB2 DB (333)          PCI-LOB2-ACL    Deny All        Permit All      Deny All
Security Server (444)  Deny All        Deny All        Deny All        Deny All

60
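The policy matrix on this slide and the Nexus 5500 TCAM rule from the earlier capabilities slide (128 entries per bank of 8 ports, 4 default, 124 usable, SGACLs reused across cells) modelled in Python, as an added example that is not code from the deck. The bodies of PCI-LOB1-ACL and PCI-LOB2-ACL are constructed, since the slides do not list them; the Deny All fallback for cells missing from the matrix is an assumption.

```python
"""Policy-matrix lookup and Nexus 5500 SGACL TCAM budgeting.

Added example; it is not code from the Cisco Live deck. It models the
SRC\\DST matrix on this slide and the per-bank TCAM rule from the Nexus
5500 capabilities slide: 128 entries per bank of 8 ports, 4 of them
default, so 124 usable, with each SGACL programmed once per bank and
reused by every cell that references it. The bodies of PCI-LOB1-ACL and
PCI-LOB2-ACL are constructed, as the slides omit them.
"""

TCAM_ENTRIES_PER_BANK = 128   # per bank of 8 ports
DEFAULT_ENTRIES = 4           # consumed by default entries
USABLE_ENTRIES = TCAM_ENTRIES_PER_BANK - DEFAULT_ENTRIES  # 124

# SGT numbers as on the slide
PCI_DB, LOB1_DB, LOB2_DB, SEC_SERVER = 111, 222, 333, 444

# SGACL bodies. WEB-ACL and HR-DB-ACL are the 3 + 9 ACE example from the
# Nexus 5500 slide; PCI-LOB1-ACL / PCI-LOB2-ACL are constructed (assumption).
SGACLS = {
    "Permit All": ["permit ip"],
    "Deny All": ["deny ip"],
    "WEB-ACL": ["permit tcp dst eq 443", "permit tcp dst eq 80", "deny ip"],
    "HR-DB-ACL": [
        "permit tcp dst eq 443", "permit tcp dst eq 80", "permit tcp dst eq 22",
        "permit tcp dst eq 135", "permit tcp dst eq 136", "permit tcp dst eq 137",
        "permit tcp dst eq 138", "permit tcp dst eq 139", "deny ip",
    ],
    "PCI-LOB1-ACL": ["permit tcp dst eq 1433", "deny icmp log", "deny ip"],
    "PCI-LOB2-ACL": ["permit tcp dst eq 1521", "deny icmp log", "deny ip"],
}

# (source SGT, destination SGT) -> SGACL name, transcribed from the matrix
MATRIX = {
    (PCI_DB, PCI_DB): "Permit All",    (PCI_DB, LOB1_DB): "PCI-LOB1-ACL",
    (PCI_DB, LOB2_DB): "PCI-LOB2-ACL", (PCI_DB, SEC_SERVER): "Deny All",
    (LOB1_DB, PCI_DB): "PCI-LOB1-ACL", (LOB1_DB, LOB1_DB): "Permit All",
    (LOB1_DB, LOB2_DB): "Deny All",    (LOB1_DB, SEC_SERVER): "Deny All",
    (LOB2_DB, PCI_DB): "PCI-LOB2-ACL", (LOB2_DB, LOB1_DB): "Deny All",
    (LOB2_DB, LOB2_DB): "Permit All",  (LOB2_DB, SEC_SERVER): "Deny All",
    (SEC_SERVER, PCI_DB): "Deny All",  (SEC_SERVER, LOB1_DB): "Deny All",
    (SEC_SERVER, LOB2_DB): "Deny All", (SEC_SERVER, SEC_SERVER): "Deny All",
}


def sgacl_for(src_sgt, dst_sgt):
    """SGACL applied at the egress enforcement point for src SGT -> dst SGT.
    Cells missing from the matrix fall back to Deny All (assumed default)."""
    return MATRIX.get((src_sgt, dst_sgt), "Deny All")


def evaluate(src_sgt, dst_sgt, proto, dst_port=None):
    """Walk the matching SGACL top-down; the first matching ACE wins.
    Only the ACE forms used on the slides are modelled:
    '<action> ip', '<action> icmp [log]', '<action> tcp dst eq <port>'."""
    for ace in SGACLS[sgacl_for(src_sgt, dst_sgt)]:
        parts = ace.split()
        action, ace_proto = parts[0], parts[1]
        if ace_proto == "ip":
            return action                      # catch-all line
        if ace_proto != proto:
            continue
        if ace_proto == "tcp" and "eq" in parts:
            if dst_port != int(parts[parts.index("eq") + 1]):
                continue
        return action
    return "deny"  # implicit deny when an SGACL has no catch-all line


def sgacls_for_cells(cells):
    """Distinct SGACL names referenced by a set of (src, dst) cells."""
    return {sgacl_for(*cell) for cell in cells}


def bank_tcam_usage(sgacl_names):
    """TCAM entries a bank of 8 ports needs to hold these SGACLs. Each SGACL
    is programmed once per bank, so 2000+ cells sharing a few SGACLs cost
    no more than the SGACLs themselves. Returns (total, per-SGACL dict)."""
    per_acl = {name: len(SGACLS[name]) for name in set(sgacl_names)}
    return sum(per_acl.values()), per_acl


def bank_fits(sgacl_names):
    """True when the bank stays within the 124 usable entries."""
    return bank_tcam_usage(sgacl_names)[0] <= USABLE_ENTRIES


if __name__ == "__main__":
    # The slide's own example: WEB-ACL (3) + HR-DB-ACL (9) = 12 lines per bank
    print("WEB-ACL + HR-DB-ACL:", bank_tcam_usage(["WEB-ACL", "HR-DB-ACL"]))
    # Whole matrix on one bank: only 4 distinct SGACLs, 8 lines in total
    print("matrix bank usage:", bank_tcam_usage(sgacls_for_cells(MATRIX)))
    print("PCI DB -> LOB1 DB tcp/1433:", evaluate(PCI_DB, LOB1_DB, "tcp", 1433))
    print("PCI DB -> LOB1 DB tcp/22:  ", evaluate(PCI_DB, LOB1_DB, "tcp", 22))
```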


Simplified Data Center Topology - walkthrough

Configuration

Legend: SXP – Security eXchange Protocol; SGT over Ethernet (SGToEthernet)

(Figure: User/Server reaching the data center through the ASA; N7K w/SGT Caching, N5K, N6K and N1KV in front of PCI DB (111), LOB1 DB (222) and LOB2 DB (333); SXP and Ethernet links marked)

• VPN to Data Center – enforcement will occur on ASA

– SGT from SXP from VPN ASA

– DGT from N7K SXP

• Business Partner to Data Center – enforcement will occur on ASA

– SGT from frame

– DGT from N7K SXP

61


Simplified Data Center Topology - walkthrough

Configuration

Legend: SXP – Security eXchange Protocol; SGT over Ethernet (SGToEthernet)

(Figure: same topology – ASA, N7K w/SGT Caching, N5K, N6K, N1KV, PCI DB (111), LOB1 DB (222), LOB2 DB (333))

• Server/Server traffic enforced via SGACL

– From PCI DB <-> LOB1 DB enforced on N5K

– From N5K -> N1KV enforced on N1KV: SGT from frame, IP/SGT from port profile

– N1KV -> N5K enforced on N5K: SGT from frame, SGT from port definition

– N1KV -> N6K enforced on N6K: same as N1KV -> N5K

• From Risk Level 1 -> Risk Level 2 enforced on ASA

– Assumption is N7K doing SGT caching to send SXP to ASA

62


Business Partner Router – Port Classification Options

Configuration

• For our topology we're tagging from the router to the data center. We will use the configuration on the left (Port/SGT – tag only transport)

• If we had to put IP/SGT into SXP we would use the configuration on the right (Prefix learning – SXP subnet/SGT)

Port/SGT – tag only transport:

interface GigabitEthernet0/0/0
 ip address 10.1.47.2 255.255.255.0
 cts manual
  policy static sgt 2 trusted

interface GigabitEthernet0/0/2
 ip address 8.8.8.1 255.255.255.0
 cts manual
  policy static sgt 50
  no propagate-sgt
 cdp enable

ASR1K-2#sho cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
============================================
8.8.8.0/24              50      L3IF
8.8.8.1                 2       INTERNAL

Prefix learning – SXP subnet/SGT:

interface GigabitEthernet0/0/2
 ip address 8.8.8.1 255.255.255.0
 cts role-based sgt-map sgt 50

ASR1K-2#sho cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
============================================
8.8.8.0/24              50      L3IF
8.8.8.1                 2       INTERNAL
10.1.3.0/24             50      L3IF
10.1.47.2               2       INTERNAL
10.254.100.0/24         50      L3IF

63


ASA RAS VPN Configuration:

Configuration

• RAS VPN will assign a tag to the end user based on the authz policy matched in ISE when the user logs into the group.

• We then communicate the tag via SXP to the DC ASA.

• DC ASA will then use the SGT

aaa-server cts-mlist protocol radius

dynamic-authorization

aaa-server cts-mlist (inside) host 10.1.100.3

timeout 5

key trustsec

authentication-port 1812

accounting-port 1813

radius-common-pw trustsec

cts server-group cts-mlist

cts sxp enable

cts sxp default password trustsec

cts sxp default source-ip 10.1.100.20

cts sxp connection peer 10.3.99.2 source 10.1.100.20 password default mode local speaker

group-policy GroupPolicy_cts-local internal

group-policy GroupPolicy_cts-local attributes

wins-server none

dns-server value 10.1.100.100

vpn-tunnel-protocol ssl-client

default-domain value cts.local

tunnel-group cts-local general-attributes

address-pool test

authentication-server-group cts-mlist

accounting-server-group cts-mlist

default-group-policy GroupPolicy_cts-local

tunnel-group cts-local webvpn-attributes

group-alias cts-local enable

64


N7K – SGT Caching Config

65

N7K-DST1(config)# cts role-based sgt-caching ?

<CR>

with-enforcement SGT caching with RBACL enforcement

N7K-DST1(config)# cts role-based sgt-caching with-enforcement

SGT caching with enforcement will implicitly display syslogs for all the ACEs in RBACLs. Continue(yes/no) [no] yes

N7K-DST1# sho cts role-based sgt-caching

-------------------------------- --------

Caching Modes Status

-------------------------------- --------

SGT caching Disabled

SGT caching with enforcement Enabled

N7K-DST2# sho cts role-based sgt-map cached

IP ADDRESS SGT VRF/VLAN SGT CONFIGURATION

10.1.50.1 1000(Production_Servers) vrf:1 Cached

10.1.51.2 2(Device_SGT) vrf:1 Cached

10.1.56.2 2(Device_SGT) vrf:1 Cached

10.1.100.1 1000(Production_Servers) vrf:1 Cached

10.1.100.82 1000(Production_Servers) vrf:1 Cached

Configuration


N7K – SGT Caching Notes

• SGT Caching can be enabled with and without enforcement

– Without enforcement it is just converting from data plane to control plane at a mid point in the network

– Typically deployed at an aggregation layer where there is no enforcement

• Service chains to 3rd party devices that do not support SGT

• Convert from native tagging to SXP for pre 9.3(1) ASA

– With enforcement is for when the N7K is the enforcement point and needs to convert from data plane to control plane

• Typically when the N7K is acting as an aggregated routing/service layer in the DC

• N7K will ask ISE for the relevant policies of all its SGTs when it receives an IP/SGT update

– Every time it receives an update

– Yes, that is a lot of information filling ISE logs

66

Configuration


SGT Caching Configuration – Catalyst 6500 (Global CLI Commands)

• Enabling CTS SGT Caching globally in independent mode

– cts role-based sgt-caching

• Enabling CTS SGT Caching on VLANs in independent mode

– cts role-based sgt-caching vlan-list <[all | vlan_id]>

• Enabling CTS SGT Caching globally in dependent mode

– cts role-based sgt-caching with-enforcement

• Enabling RBACL enforcement globally

– cts role-based enforcement

• Enabling RBACL enforcement on VLANs

– cts role-based enforcement vlan-list <[all | vlan_id]>

Configuration

67


SGT Caching Show Commands – Catalyst 6500

• To display the SGT-IPv4 bindings

– show cts role-based sgt-map all ipv4

– show cts role-based sgt-map vrf <vrf_name> all ipv4

• To display the SGT-IPv6 bindings

– show cts role-based sgt-map all ipv6

– show cts role-based sgt-map vrf <vrf_name> all ipv6

• To display RBACL entries programmed in ACL TCAM

– show platform hardware acl entry rbacl all

• To display the ACL result of RBACL entries programmed in ACL TCAM

– show platform hardware acl tcam result <acl_entry_result>

Configuration

68


SGT Caching Debug Commands – Catalyst 6500

• [no] debug fm rbacl caching events

Detailed debugs:

• [no] debug rbm bindings

• [no] debug rbm api

• [no] debug fm rbacl caching packets

• [no] debug fm rbacl all

Note: “no logging console” is recommended before enabling these detailed debugging commands as they could potentially flood the console

Configuration

69


Configure ISE for Nexus Switch Configuration

N55KAa# show cts environment-data

CTS Environment Data
==============================
Current State : CTS_ENV_DNLD_ST_ENV_DOWNLOAD_DONE
Last Status : CTS_ENV_SUCCESS
Local Device SGT : 0x0002
Transport Type : CTS_ENV_TRANSPORT_DIRECT
Data loaded from cache : FALSE
Env Data Lifetime : 86400 seconds after last update
Last Update Time : Thu May 23 17:22:18 2013
Server List : CTSServerList1
AID:a6f054a3856a15221714bba63e968867 IP:10.39.1.120 Port:1812

Administration->Network Resources->Network Devices->+Add

70


Configure Nexus 7K: (Bootstrap) Configuration

Step 1: Configure Communications between Nexus and ISE

N7K-DST1(config)# feature cts
N7K-DST1(config)# feature dot1x
N7K-DST1(config)# cts device-id N7K-DST1 password trustsec
N7K-DST1(config)# radius-server host 10.39.1.120 key trustsec pac
N7K-DST1(config)# aaa group server radius ISE
N7K-DST1(config-radius)# server 10.39.1.120
N7K-DST1(config)# aaa authentication dot1x default group ISE
N7K-DST1(config)# aaa authorization cts default group ISE
N7K-DST1(config)# aaa accounting dot1x default group ISE

Step 2: Verify PAC is downloaded (show cts pacs output below)

Step 3: Enable role-based counters and enforcement

N7K-DST1(config)# cts role-based counters enable
N7K-DST1(config)# cts role-based enforcement

N7K-DST1# show cts pacs

PAC Info :

==============================

PAC Type : TrustSec

AID : a6f054a3856a15221714bba63e968867

I-ID : N7K-DST1

AID Info : ise

Credential Lifetime : Sun Aug 3 16:56:29 2014

PAC Opaque :

000200a80003000100040010a6f054a3856a15221714bba63e9688670006008c000301005f22d715cffe37591f629bae3bcc3c9e0000001353641

81a00093a80bf65b034bb89456288e2863a540d797ab17d1593b354e4aa3b74835df48ed45fad79c744083420c96ceef74ea3e51490566967d9c8

dcfb191d2e8448a4de98b5578f83b526fb4d586ecc2510eefe1d90dee1746998fb1b77291aac4848ac2d4d5d3694e9d0e5fadbdaae5a7f

71


Configure Nexus 5K/6K: (Bootstrap) Configuration

Step 1: Configure Communications between Nexus and ISE

N55KA(config)# feature cts
N55KA(config)# feature dot1x
N55KA(config)# cts device-id N55KA password trustsec
N55KA(config)# radius-server host 10.39.1.120 key trustsec pac
N55KA(config)# aaa group server radius ISE
N55KA(config-radius)# server 10.39.1.120
N55KA(config-radius)# use-vrf management
N55KA(config)# aaa authentication dot1x default group ISE
N55KA(config)# aaa authorization cts default group ISE
N55KA(config)# aaa accounting dot1x default group ISE

Step 2: Verify PAC is downloaded (show cts pacs output below)

Step 3: Enable role-based counters and enforcement (enforcement is per VLAN on the 5K/6K)

N55KA(config)# cts role-based counters enable
N55KA(config)# vlan 118
N55KA(config-vlan)# cts role-based enforcement

N55KA# show cts pacs

PAC Info :

==============================

PAC Type : TrustSec

AID : a6f054a3856a15221714bba63e968867

I-ID : N55KA

AID Info : ise

Credential Lifetime : Fri Jul 11 04:25:45 2014

PAC Opaque : 000200b00003000100040010a6f054a3856a15221714bba63e96886700060094000301000c629fc10ec7608000296933

d0b283e1000000135348689a00093a809914bbf46a3d8d8c81eab9e4819bde120047a2f28ca7181760c9b65015c3a851f5a9c99b6541d40b8d991114

9d045c1f7262b3a72e3b99b661733f92f71dcad42673a67549a5608611af2b1c0b18438a514178e98c7ed72f088d7b8db9cdbfba76b11c209f401ba8

c522f5fe5900e264a8ab02fd

72


Nexus for Native tagging Up/DownStream:

Configuration

N7K-DST1(config)# int e1/30
N7K-DST1(config-if)# cts manual
N7K-DST1(config-if-cts-manual)# policy static sgt 0x0002 trusted
N7K-DST1(config-if)# shutdown
N7K-DST1(config-if)# no shutdown

• We MUST enable the physical ports to “trust” the neighboring device to send native tagged packets

• When enabling TrustSec on a switch the default behavior is to drop packets sent to it with a native tag.

• This is similar to QoS where we trust dscp on trunk links

• BEST PRACTICE: On All platforms it is best practice to manually shut/no shut the port after applying cts manual commands

• This guarantees that the control plane has fully programmed the port level PHY/ASIC

73


Configure ISE SGACL Policy Matrix

Configuration

Best Practice: NX-OS can only handle 1 SGACL; put the implicit deny/permit in the SGACL.

74


Configure Nexus to Statically assign Tags: Configuration

• Static IP-SGT – there is an option to manage this in ISE via IP/SGT or DNS/SGT mappings

N7K-DST1(config)# cts role-based sgt-map 10.39.1.223 17

• Static SGT on the physical port facing the server

N7K-DST1(config)# int e1/30
N7K-DST1(config-if)# cts manual
N7K-DST1(config-if-cts-manual)# policy static sgt 0x3
N7K-DST1(config-if-cts-manual)# no propagate-sgt

• Port-Profile: NOTE: Port-Profile on N7K will only work on NON-FEX ports. 5K/6K don't have support yet. N1KV supported

N7K-DST1(config)# port-profile type ethernet PCI-DB
N7K-DST1(config-port-prof)# cts manual
N7K-DST1(config-port-prof)# policy static sgt 0x17
N7K-DST1(config-port-prof)# no propagate-sgt
N7K-DST1(config-port-prof)# switchport
N7K-DST1(config-port-prof)# switchport access vlan 100

• VLAN to SGT

N7K-DST1(config)# vlan 100
N7K-DST1(config-vlan)# cts role-based sgt 17

NOTE: If you forget this command your server will not be able to access the network!!

75


Verify Configuration

Configuration

• Verify environmental data

• Verify SGACLs downloaded and look at counters:

N7K-DST1# show cts role-based access-list

rbacl:Deny IP

deny ip

rbacl:Permit IP

permit ip

rbacl:PCI_Web_Server

rbacl:shaun_deny

N7K-DST1# show cts role-based counters

RBACL policy counters enabled

Counters last cleared: 04/16/2014 at 06:28:11 PM

sgt:unknown dgt:19 [41677]

rbacl:Deny IP

deny ip [41677]

sgt:unknown dgt:24 [13269]

rbacl:Deny IP

deny ip [13269]

sgt:4 dgt:3 [0]

rbacl:Deny IP

deny ip [0]

sgt:6 dgt:12 [0]

rbacl:Deny IP

deny ip [0]

sgt:7 dgt:3 [53769]

rbacl:Deny IP

deny ip [53769]

76


Nexus 5500 East-West Segmentation Configuration: Post Boot Strap

Configuration

N55KA(config)# cts role-based counters enable               -> Turn on SGACL counters
N55KA(config)# vlan 118
N55KA(config-vlan)# cts role-based enforcement              -> Enable Role Based enforcement on VLAN 118
N55KA(config-vlan)# int e 1/1
N55KA(config-if)# switchport trunk
N55KA(config-if)# switchport trunk native vlan 2
N55KA(config-if)# cts manual                                -> Go into CTS manual mode for the port (other int CLI clipped for screen real estate)
N55KA(config-if-cts-manual)# policy static sgt 0x2 trusted  -> Set SGT and Trust for the trunk to N7K-DST1

77


Nexus 5500 East-West Segmentation Configuration

Configuration

N55KA(config)# int e102/1/1
N55KA(config-if)# switchport
N55KA(config-if)# switchport access vlan 118
N55KA(config-if)# cts manual                          -> Go into CTS manual mode for the port
N55KA(config-if-cts-manual)# policy static sgt 0x111  -> Set SGT on the FEX port e102/1/1 to SGT 111
N55KA(config-if-cts-manual)# no propagate-sgt         -> "Don't send the SGT to the server" – this would be bad
N55KA(config-if-cts-manual)# no shut

N55KA(config)# int e102/1/2
N55KA(config-if)# switchport
N55KA(config-if)# switchport access vlan 118
N55KA(config-if)# cts manual                          -> Go into CTS manual mode for the port
N55KA(config-if-cts-manual)# policy static sgt 0x222  -> Set SGT on the FEX port e102/1/2 to SGT 222
N55KA(config-if-cts-manual)# no propagate-sgt         -> "Don't send the SGT to the server" – this would be bad
N55KA(config-if-cts-manual)# no shut

N55KA(config)# cts sxp enable                                                                        -> Enable SXP protocol for peering relationships
N55KA(config)# cts sxp connection peer 10.49.1.2 source 10.49.1.10 password none mode listener       -> Peer with 7KA
N55KA(config)# cts sxp connection peer 10.49.1.3 source 10.49.1.10 password none mode listener       -> Peer with 7KB

78


Nexus 7000 East-West Configuration

Configuration

feature cts

feature dot1x

cts device-id N7K-DST1 password 7 wnyxlszh123

cts role-based counters enable

cts role-based sgt-map 10.39.1.30 17

…….

cts role-based sgt-map 10.87.109.72 3

cts role-based enforcement

vlan 87

cts role-based enforcement

vlan 118

cts role-based enforcement

interface Ethernet1/25

description N5K connection

cts manual

policy static sgt 0x0002 trusted

switchport

switchport mode trunk

switchport trunk allowed vlan 90,118-120,124

spanning-tree port type normal

channel-group 10 mode active

no shutdown

79


SGT Assignment on Nexus 1000v Use Case: Current Code

Configuration

(Figure: two hypervisor hosts, each running a Nexus 1000V VEM with four VMs; the Nexus 1000V VSM holds the PAC from ISE; a Finance Application VM is tagged SGT = "Finance", other VMs SGT = "Employee" and SGT = "Employee-VDI")

• N1KV assigns SGT based on static Port-profile assignments

• TOR filters traffic based on SG-ACLs

• SXP comes from the VSM, not the VEM

80


Nexus 1000v – Configuration – current code

Configuration

CTS-N1K(config)# feature cts

CTS-N1K(config)# port-profile type vethernet LOB2-VDI

CTS-N1K(config-port-prof)# vmware port-group

CTS-N1K(config-port-prof)# switch mode access

CTS-N1K(config-port-prof)# switch acc vlan 118

CTS-N1K(config-port-prof)# cts sgt 16

CTS-N1K(config-port-prof)# no shut

CTS-N1K(config-port-prof)# state enabled

SXP:

CTS-N1K(config)# cts device tracking

CTS-N1K(config)# cts sxp enable

CTS-N1K(config)# cts sxp connection peer 10.39.1.2 source 10.87.109.191 password none mode listener vrf management

CTS-N1K(config)# cts sxp connection peer 10.39.1.3 source 10.87.109.191 password none mode listener vrf management

Existing Code: July Port-Profile commands will change! (see following slides)

81


Nexus 1000v - Verification

Configuration

CTS-N1K(config)# show cts sxp connection

PEER_IP_ADDR   VRF          PEER_SXP_MODE   SELF_SXP_MODE   CONNECTION STATE

10.39.1.2 management listener speaker connected

10.39.1.3 management listener speaker connected

CTS-N1K(config)# show cts role-based sgt-map

Interface SGT IP ADDRESS VRF Learnt

-------------- ------ ---------------- ---------- ---------

Vethernet1 14 10.39.1.92 - Device Tracking

Vethernet2 16

Vethernet3 16 10.39.1.94 - Device Tracking

CTS-N1K(config)#

82


SGACL on Nexus 1000v Use Case: (BETA)

Configuration

(Figure: the same two-host Nexus 1000V topology, VSM with PAC from ISE; VMs tagged SGT = "PCI", SGT = "Employee" and SGT = "PCIVDI")

• N1KV assigns SGT based on static Port-profile assignments

• TOR filters traffic based on SG-ACLs

• VEM filters traffic based on SG-ACLs

83


Nexus 1000v – SGACL Configuration (Beta)

Configuration

CTS-N1K(config)# feature cts

CTS-N1K(config)# cts device-id cts-n1k password 0 trustsec

CTS-N1K(config)# radius-server host 10.39.1.120 key 0 trustsec pac authentication accounting

CTS-N1K(config)# aaa group server radius cts-ise

CTS-N1K(config)# server 10.39.1.120

CTS-N1K(config)# use-vrf management

CTS-N1K(config)# source-interface mgmt0

CTS-N1K(config)# aaa authentication cts default group cts-ise

CTS-N1K(config)# aaa authorization cts default group cts-ise

CTS-N1K(config)# cts role-based counters

84


Nexus 1000V – Port Profile Setup (Beta)

85

Create UPLINK port-profile:

CTS-N1K(config)# port-profile type ethernet uplink-vem

CTS-N1K(config-port-prof)# switchport mode trunk

CTS-N1K(config-port-prof)# switchport trunk allowed vlan 1-4000

CTS-N1K(config-port-prof)# cts manual

CTS-N1K(config-port-prof)# policy static sgt 0x2 trusted ->Set tag to device SGT (2) and trust

CTS-N1K(config-port-prof)# propagate-sgt ->Propagate the SGT to the neighbor

CTS-N1K(config-port-prof)# no shutdown

CTS-N1K(config-port-prof)# state enabled

CTS-N1K(config-port-prof)# vmware port-group

Create PCI-Server port-profile:

CTS-N1K(config)# port-profile type vethernet PCI_Servers

CTS-N1K(config-port-prof)# switchport mode access

CTS-N1K(config-port-prof)# switchport access vlan 200

CTS-N1K(config-port-prof)# cts manual

CTS-N1K(config-port-prof)# policy static sgt 0x7d0 ->Set the Tag to PCI-Servers

Hex 0x7d0 = 1000 Decimal

CTS-N1K(config-port-prof)# role-based enforcement ->Enable Role-based enforcement

CTS-N1K(config-port-prof)# no shutdown

CTS-N1K(config-port-prof)# state enabled

CTS-N1K(config-port-prof)# vmware port-group

Configuration


Nexus 1000v – SGACL Verification (beta)

Configuration

CTS-N1K# show cts role-based counters

RBACL policy counters enabled

Counters last cleared: 05/02/2014 at 04:41:47 AM

Counters last updated on 05/08/2014 at 06:30:03 PM:

rbacl:Permit IP

permit ip [129105]

rbacl:deny_log

deny icmp log [522997]

rbacl:permit_log

permit ip log [119029]

sampg-n1kv-vsm-1# show cts role-based access-list

rbacl:Permit IP

permit ip

rbacl:deny_log

deny icmp log

rbacl:permit_log

permit ip log

CTS-N1K#

86


Configuration for ASA SGFW to Work

Configuration

First the DC switches must be configured to speak SXP to the SXP listening ASA so it can receive IP to Tag mappings.

N7K-DST1(config)# cts sxp enable
N7K-DST1(config)# cts sxp connection peer 192.168.1.2 source 10.39.1.2 password required trustsec123 mode listener
N7K-DST1(config)# cts sxp connection peer 192.168.1.2 source 10.39.1.3 password required trustsec123 mode listener

N7K-DST1# sho cts sxp connection
PEER_IP_ADDR   VRF       PEER_SXP_MODE   SELF_SXP_MODE   CONNECTION STATE
172.16.1.20    default   speaker         listener        connected

87


Configuration for ASA SGFW to Work – Cont.

Configuration

• Second Configure the ASA for SXP:

88


Configuration for ASA SGFW to Work – Cont. (2)

Configuration

Finally configure your SGFW ACE entries

(Screenshot callout: add CTS groups from the left side to the selected side)

89


ASA SGFW Verification

Configuration

• Check SXP peering on the DC switch side:

90


ASA SGFW Verification: Cont.

Configuration

Check SXP peering on the ASA side and verify IP-SGT Bindings:

(Screenshot callouts: connection to the DC 7Ks is UP; IP-SGTs are being received from the DC switches)

91


ASA Native Tagging Configuration:

DC Design

• Native tag configuration is needed only on the OUTSIDE interface – firewall rules are written to permit traffic from the outside to the inside (SGT->DGT). To get tags to the firewall for the DGT we must still utilise SXP.

ASA5515X-A(config)# int g0/0

ASA5515X-A(config-if)# nameif outside

ASA5515X-A(config-if)# cts manual

ASA5515X-A(config-if)# policy static sgt 2 trusted

ASA5515X-A(config-if)# ip address 10.3.99.2 255.255.255.0

92

Data Center Monitoring


Logging from Nexus 7000

Monitoring

pghlab-N7K-DST1-n7k-shaun# show cts role-based policy

sgt:8

dgt:6 rbacl:PERMIT_MAIL

deny icmp log

permit tcp dst eq 110

permit tcp dst eq 143

permit tcp dst eq 25

permit tcp dst eq 465

permit tcp dst eq 585

permit tcp dst eq 993

permit tcp dst eq 995

deny all log

Recommended log levels:

pghlab-N7K-DST1-n7k-shaun(config)# log level acllog 6

pghlab-N7K-DST1-n7k-shaun(config)# log level cts 5

pghlab-N7K-DST1-n7k-shaun(config)# log ip access-list include sgt

pghlab-N7K-DST1-n7k-shaun# show logging ip access-list cache detail

SGT Source IP Destination IP S-Port D-Port Interface Protocol Hits

------------------------------------------------------------------------------------------------

8 10.10.11.100 10.1.100.84 0 0 Ethernet2/15 (1)ICMP 8

------------------------------------------------------------------------------------------------

94


pghlab-55ka# show cts role-based policy

sgt:8

dgt:6 rbacl:PERMIT_MAIL

deny icmp log

permit tcp dst eq 110

permit tcp dst eq 143

permit tcp dst eq 25

permit tcp dst eq 465

permit tcp dst eq 585

permit tcp dst eq 993

permit tcp dst eq 995

deny all log

Log levels to make this work:

pghlab-55ka(config)# log level acllog 6

pghlab-55ka(config)# log level cts 7

pghlab-55ka# show logging logfile duration 0:30:00

2013 Jun 6 12:27:06 pghlab-55ka last message repeated 6 times

2013 Jun 6 12:27:06 pghlab-55ka %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE deny ip log, Threshold exceeded:

Hit count in 10s period = 11

2013 Jun 6 12:27:16 pghlab-55ka %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE deny ip log, Threshold exceeded:

Hit count in 10s period = 10

2013 Jun 6 12:27:56 pghlab-55ka last message repeated 4 times

Logging from Nexus 5500

Monitoring

Threshold exceeded is a message about not overwhelming the CPU with log messages on the box.

95


N5500 - Monitoring SGACL drops

96

N55KA# show platform fwm info lif eth100/1/45 | grep good

Eth100/1/45 pd: rx frames: good 2755 drop 3; tx frames: good 2689 drop 106

N55KA# sho cts role-based counters
RBACL policy counters enabled
Counters last cleared: 11/16/2011 at 05:55:24 PM
rbacl:ALLOW_SQL
permit tcp dst eq 1433 [0]
permit icmp [0]
deny ip [0]
rbacl:Deny IP
deny ip [6730]
rbacl:Deny_ICMP_Log
deny icmp log [106]
rbacl:Permit IP
permit ip [85730]
rbacl:test_deny
deny icmp log [0]

Look at the egress interface on the N5K protecting the server; it should show drops (106 tx drops on Eth100/1/45 above).

Correlating those drops with the incrementing SGACL counters shows which server and which SGACL is being hit (the 106 tx drops line up with deny icmp log [106]).

Monitoring


ASA Firewall Logging

• Firewall logging will show the SGT/DGT in the logs if known by the firewall

97

Monitoring


Nexus 5500 SGACL Logging

• Logging can be enabled for ACEs

• The log enabled ACEs will be polled periodically and a syslog of severity 6 printed on the console if it is hit in that period

• Current polling period is set at 10s

• Example

switch(config)# cts role-based access-list test

switch(config-rbacl)# permit all log

• Sample syslog

• 2011 Sep 27 18:35:34 swo2-273 %$ VDC-1 %$ %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE permit all log, Threshold exceeded: Hit count in 10s period = 4

Monitoring

98
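A parser for the %CTS-6-CTS_RBACL_STAT_LOG syslogs shown on the two Nexus 5500 logging slides above, added here as an example that is not from the deck. It totals the 10s-period hit counts per ACE, expands "last message repeated N times" lines, and lists the deny ACEs worth correlating with the SGACL counters; the sample log is constructed in the deck's format, and the treatment of repeated messages as identical hit counts is an assumption.

```python
"""Parse Nexus 5500 SGACL logging syslogs (%CTS-6-CTS_RBACL_STAT_LOG).

Added example, not from the Cisco Live deck. Log-enabled ACEs are polled
every 10s and one severity-6 syslog per hit ACE reports the hit count for
that period; the syslog daemon collapses identical consecutive messages
into "last message repeated N times". SAMPLE_LOG is constructed in the
format the deck shows for pghlab-55ka; the N7K variant carries an extra
"%$ VDC-1 %$" prefix, which the regex also accepts.
"""
import re
from collections import defaultdict

_TS = r"(?P<ts>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
STAT_RE = re.compile(
    _TS + r"(?:%\$ VDC-\d+ %\$ )?"
    r"%CTS-6-CTS_RBACL_STAT_LOG: CTS ACE (?P<ace>.+?), Threshold exceeded: "
    r"Hit count in (?P<period>\d+)s period = (?P<hits>\d+)\s*$"
)
REPEAT_RE = re.compile(_TS + r"last message repeated (?P<n>\d+) times\s*$")

# Constructed sample in the deck's format (not a real capture)
SAMPLE_LOG = """\
2013 Jun 6 12:27:06 pghlab-55ka %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE deny ip log, Threshold exceeded: Hit count in 10s period = 11
2013 Jun 6 12:27:06 pghlab-55ka last message repeated 6 times
2013 Jun 6 12:27:16 pghlab-55ka %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE deny ip log, Threshold exceeded: Hit count in 10s period = 10
2013 Jun 6 12:27:26 pghlab-55ka %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE deny icmp log, Threshold exceeded: Hit count in 10s period = 4
2013 Jun 6 12:27:36 pghlab-55ka %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE permit all log, Threshold exceeded: Hit count in 10s period = 4
2013 Jun 6 12:27:56 pghlab-55ka last message repeated 4 times
2013 Jun 6 12:28:06 pghlab-55ka %ETHPORT-5-IF_UP: Interface Ethernet102/1/1 is up
"""


def parse_rbacl_stats(text):
    """Return a list of (timestamp, host, ace, hits) for every STAT_LOG event.
    A 'last message repeated N times' line is expanded into N more copies of
    the preceding STAT_LOG event (assumption: collapsed messages are
    byte-identical, so they carried the same hit count)."""
    events, last = [], None
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if m:
            last = (m["ts"], m["host"], m["ace"], int(m["hits"]))
            events.append(last)
            continue
        r = REPEAT_RE.match(line)
        if r and last is not None:
            events.extend([last] * int(r["n"]))
            continue
        last = None  # any other message ends the repeat chain
    return events


def hits_per_ace(events):
    """Total hits per ACE text across the parsed window."""
    totals = defaultdict(int)
    for _ts, _host, ace, hits in events:
        totals[ace] += hits
    return dict(totals)


def noisy_deny_aces(events, threshold):
    """Deny ACEs whose total hits exceed the threshold: the SGACL drops worth
    correlating with 'show cts role-based counters' and interface drops."""
    return sorted(ace for ace, total in hits_per_ace(events).items()
                  if ace.startswith("deny") and total > threshold)


if __name__ == "__main__":
    parsed = parse_rbacl_stats(SAMPLE_LOG)
    print(hits_per_ace(parsed))        # {'deny ip log': 87, 'deny icmp log': 4, 'permit all log': 20}
    print(noisy_deny_aces(parsed, 50))  # ['deny ip log']
```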

Data Center Server SGT Orchestration


Data Center Server SGT Design Considerations

• Server SGTs can be assigned either statically or dynamically (less preferred)

– Statically – Manual IP-SGT Binding must be entered onto the Data Center Switches

– Dynamically – Servers would have to run 802.1X to authenticate to the network and get assigned an SGT via ISE. Server admins do not like to run dot1x on their server platforms. Not all platforms support dot1x either

When Servers are decommissioned, Tags should be removed with the server during the decom process.

Orchestration

100


“Typical” Process Before SGT Orchestration

• Server Admin/LOB requests a new server.

• The network team, the server team and the security team meet (sometimes multiple times) to plan the VLAN, IP addressing, DNS, security profiles, etc.

– The server is turned up by the server team.

– Network Team must now go to the network devices add devices port to VLAN, etc.

– The firewall team adds the destination IP address to appropriate firewall rules or firewall groups.

• All adds and deletes are a manual process!

Orchestration

101


Data Center Server SGT Orchestration

• Through the use of Data Center orchestration tools we can fully automate the provisioning of server IP-SGT/port profile bindings for VMs and bare-metal machines based on the selected service catalog in the automation provisioning portal

• We can also automate the removal of IP-SGT bindings when the server is decommissioned from the network

• In our use case example we will show how to use UCS Director (UCSD) orchestration suite to automate the server IP-SGT provisioning process

Orchestration

102


Benefits of SGT Orchestration

• Lower OPEX and time to provision: when deploying a server we reduce the number of people that need to touch the

– Network

– Server

– Security policies

• When a server is spun up from the provisioning portal, the IP-SGT binding is automatically provisioned to the network.

• Once a server has its SGT all SGACLs and SGFWs will begin enforcing without having to manually edit firewall rules every time a server comes on-line or goes offline.


UCS Director Portal Screen


UCS Director Custom Task for Server SGT Deployment


• This assumes some knowledge of UCSD and workflow editing.

• Create a workflow that:

– Takes the IP address of the VM/bare-metal machine

– Logs into the DC switches

– Adds the IP-SGT mapping based on the service catalog (i.e. LOB1, LOB2, PCI)


How to Configure UCSD for Server SGT Deployment – Cont.

• Add this workflow to each service catalog for which we want an SGT deployed when ordering the VM/bare-metal machine.


SGT Automates the Firewall Rule Process!

A PCI DB server example:

• When the server is provisioned, the workflow runs and assigns the PCI DB SGT to the DC switches.

• The DC switches communicate the IP-SGT binding via SXP to the firewall.

• Immediately the firewall can enforce with no rule changes.


ASA SGFW in Action

• The firewall dynamically learns the IP-SGT mapping via SXP from the core N7Ks (after the UCSD workflow has inserted the IP-SGT mapping onto the switches automatically); the new mapping then fits into the already existing SGFW rules.

• Security admins no longer have to manually administer rules every time a server is spun up.
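The flow on these orchestration slides, modelled as an added example that is not Cisco or UCS Director code: the catalog-to-SGT numbers, the switch command form and the SGT/DGT matrix (taken from the deck's DC segmentation slide) are assumptions.

```python
"""Provisioning binds a server IP to its catalog's SGT on the DC switches, SXP
carries the binding to the firewall, and the SGFW's existing SGT/DGT matrix
enforces with no rule edits. Added example, not Cisco/UCSD code; catalog names,
SGT numbers and the matrix below are constructed for illustration."""
from ipaddress import ip_address

CATALOG_SGT = {"LOB1": 10, "LOB2": 20, "PCI": 30, "NonPCI": 40}  # assumed numbering
SGT_NAME = {v: k for k, v in CATALOG_SGT.items()}
UNKNOWN_SGT = 0  # traffic with no IP-SGT binding is classified as Unknown (SGT 0)

# SGFW matrix from the deck's DC segmentation slide: source -> permitted destinations.
PERMIT = {
    "PCI": {"PCI", "LOB1"}, "NonPCI": {"NonPCI", "LOB2"},
    "LOB1": {"PCI", "LOB1"}, "LOB2": {"NonPCI", "LOB2"},
}

class DCSwitch:
    """Holds the IP-SGT bindings the workflow pushes; sxp_export() is what the
    firewall learns as an SXP listener."""
    def __init__(self):
        self.bindings = {}

    def config_line(self, ip, sgt):
        # Assumed NX-OS-style static mapping command; check your platform's syntax.
        return f"cts role-based sgt-map {ip} {sgt}"

    def sxp_export(self):
        return dict(self.bindings)

def provision(switch, ip, catalog):
    """Workflow step: server ordered from a catalog -> IP-SGT binding on the switch."""
    ip = str(ip_address(ip))          # validate the address the portal handed over
    sgt = CATALOG_SGT[catalog]        # KeyError: catalog has no SGT assigned
    switch.bindings[ip] = sgt
    return switch.config_line(ip, sgt)

def decommission(switch, ip):
    """Decom step: remove the binding so the tag leaves with the server."""
    return switch.bindings.pop(str(ip_address(ip)), None)

def sgfw_permits(switch, src_ip, dst_ip):
    """Firewall decision from SXP-learned bindings and the static matrix only."""
    learned = switch.sxp_export()
    src, dst = learned.get(src_ip, UNKNOWN_SGT), learned.get(dst_ip, UNKNOWN_SGT)
    if UNKNOWN_SGT in (src, dst):
        return False                  # no binding -> no matrix row -> deny
    return SGT_NAME[dst] in PERMIT[SGT_NAME[src]]
```

Provisioning a PCI server and an LOB1 server makes LOB1 to PCI traffic pass the existing matrix; decommissioning the PCI server drops it back to Unknown and the same flow is denied, without any firewall rule edit.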


ASA SGFW in Action (cont)


Summary

• SGTs build upon dynamic and static classification services to deliver software defined network security.

• SGTs provide a scalable role based access control model for the enterprise Data Center and Campus/Branch topologies.

• SGTs have migration strategies that allow customers to deploy with existing hardware.

• SGT functions for the Data Center are deployable today.


Cisco ISE & TrustSec Sessions: Building Blocks


• BRKSEC-2695 Building an Enterprise Access Control Architecture Using ISE and TrustSec (Mon 10:00am)

• BRKSEC-3697 Advanced ISE Services, Tips and Tricks (Tue 12:30pm)

• BRKSEC-3699 Designing ISE for Scale & High Availability (Wed 1:30pm)

• BRKSEC-3692 Deploying TrustSec SGTs in the Branch and Campus (Wed 4:00pm)

• BRKSEC-3691 Deploying TrustSec SGTs in the Data Center (Wed 8:00am)

• PSOSEC-2002 – Identity Services Engine (ISE 1.3 Update) (Mon 2:00pm)


Links

• Secure Access, TrustSec, and ISE on Cisco.com

– http://www.cisco.com/go/trustsec

– http://www.cisco.com/go/ise

– http://www.cisco.com/go/isepartner

• TrustSec and ISE Deployment Guides:

– http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

• YouTube: Fundamentals of TrustSec:

– http://www.youtube.com/ciscocin#p/c/0/MJJ93N-3Iew


Participate in the “My Favorite Speaker” Contest

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)

• Send a tweet and include

– Your favorite speaker’s Twitter handle @trustsecshaun

– Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers

• Don’t forget to follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin

Promote Your Favorite Speaker and You Could be a Winner


Complete Your Online Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.

• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online


Continue Your Education

• Demos in the Cisco Campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings


Inline Security Group Tagging

[Figure: Ethernet frame with inline SGT. Frame fields, left to right: DMAC, SMAC, 802.1AE Header (ETHTYPE: 0x88E5), 802.1Q, CMD (ETHTYPE: 0x8909), ETYPE, PAYLOAD, ICV, CRC. The CMD (CTS Meta Data) carries: CMD EtherType, Version, Length, SGT Opt Type, SGT Value (16 bit, 64K SGTs), Other CMD Options. The figure marks the fields encrypted by MACsec (optional).]

• The 802.1AE Header, CMD and ICV are the L2 802.1AE + TrustSec overhead

• Frame is always tagged at the ingress port of an SGT capable device

• Tagging happens prior to other L2 services such as QoS

• No impact on IP MTU/fragmentation

• L2 Frame MTU Impact: ~ 40 bytes (~1600 bytes with 1552 bytes MTU)

• MACsec is optional for capable hardware
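A parser for the CMD field described above, as an added example (not Cisco code) for checking in a capture which SGT a switch placed on a frame. The CMD field widths are an assumption taken from the common 8-byte CMD encoding (Version 1 byte, Length 1 byte, SGT Opt Type 2 bytes, SGT Value 2 bytes), and the sample frames are constructed.

```python
"""Extract the inline SGT (CMD, EtherType 0x8909) from a raw Ethernet frame.
Added example, not Cisco code. CMD field widths are assumed (Version 1 byte,
Length 1 byte, SGT Opt Type 2 bytes, SGT Value 2 bytes); frames built here
by build_frame() are constructed test data."""
import struct

ETYPE_8021Q = 0x8100
ETYPE_MACSEC = 0x88E5   # 802.1AE header: the CMD sits inside the encrypted region
ETYPE_CMD = 0x8909
SGT_OPT_TYPE = 0x0001   # assumed option type value for the SGT option

def parse_inline_sgt(frame):
    """Return (sgt, inner_ethertype), or None when no readable CMD is present."""
    if len(frame) < 14:
        return None
    off = 12                                     # skip DMAC + SMAC
    etype = struct.unpack_from("!H", frame, off)[0]
    if etype == ETYPE_8021Q:                     # optional 802.1Q tag
        off += 4
        if len(frame) < off + 2:
            return None
        etype = struct.unpack_from("!H", frame, off)[0]
    if etype == ETYPE_MACSEC:
        return None       # MACsec on: CMD is encrypted, unreadable without the key
    if etype != ETYPE_CMD:
        return None       # frame carries no SGT
    off += 2
    if len(frame) < off + 8:
        return None       # truncated CMD (6 bytes) + inner EtherType (2 bytes)
    version, _length, opt_type, sgt = struct.unpack_from("!BBHH", frame, off)
    if version != 1 or opt_type != SGT_OPT_TYPE:
        return None
    inner_etype = struct.unpack_from("!H", frame, off + 6)[0]
    return sgt, inner_etype

def build_frame(dmac, smac, sgt, payload, vlan=None):
    """Construct a test frame: [802.1Q] + CMD carrying a 16-bit SGT + IPv4 payload."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit field (64K SGTs)")
    hdr = bytes.fromhex(dmac) + bytes.fromhex(smac)
    if vlan is not None:
        hdr += struct.pack("!HH", ETYPE_8021Q, vlan & 0x0FFF)
    cmd = struct.pack("!HBBHH", ETYPE_CMD, 1, 1, SGT_OPT_TYPE, sgt)
    return hdr + cmd + struct.pack("!H", 0x0800) + payload
```

A MACsec-protected frame returns None on purpose: with 802.1AE enabled the CMD is inside the encrypted region, so the SGT can only be read on the MACsec-capable hardware that holds the key.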



Recommended