Cisco Group Based Policy Platform and Capability Matrix Release 6.4

Transcription

1 Group d Policy Platform and Capability Matrix Release 6.4 (inclusive of TrustSec Software-Defined Segmentation) Group d Policy (also known as TrustSec Software-Defined Segmentation) uniquely builds upon your existing identity-aware infrastructure by enforcing segmentation and access control policies in a scalable manner using the capabilities detailed below. This document summarizes the platforms and that are validated in the Group d Policy testing. It is in current with the validation program for Release 6.4. Table 1 provides cross-platform group-based policy exchange interoperability testing results. Application Centric Infrastructure (ACI) and Group d Policy integration enables customers to apply consistent security policy across the enterprise- leveraging user roles and device type together with application context. The validated Open Source Open Daylight SDN use case included Nexus 7k SXPv3, ASA SXPv3, and OpenDaylight SXPv4 (Nitrogen and earlier releases) working together in the Data Center. Table 1. TrustSec Group-d Policy (GBP) Interoperability Platform Solution-Level Group Information Exchange Interoperability Platform & Propagation method Nexus 9000 Switches Application Policy Infrastructure Data Center Open Daylight SDN controller 9000 : Spine & Leaf APIC-DC ODL SDN NX-OS 11.3(2f) APIC-DC 2.3 Data Plane APIC-DC 1.3(1g) Policy plane; Lithium, Beryllium, Carbon EndPoint Group Mappings via TrustSec-ACI policy and data plane exchange via SXP v4 ISE 2.1, 2.2- ACI API ISE 2.1- SXP v4 Nexus SXP v3 ASA SXP v3 Open Daylight SDN controller ODL SDN Nitrogen IPv4, IPv6 SXP Peering ISE 2.4 ASR 1001-X IOS XE b CSR 1000v IOS XE Cat 6500 IOS 15.4(1)SY2 Cat 3850 IOS 3.6.8E In Tables 2 and 3, Platform Support Matrix, Dynamic classification includes IEEE 802.1X, MAC Authentication Bypass (MAB), Web Authentication (Web Auth), and Easy Connect. IP to, VLAN to, subnet to, port profile to, L2IF to, and L3IF to use the static classification method. DNA Premier is a simple and economical solution for deploying branch and campus switches and wireless access points. It offers an uncompromised user experience in a highly secure and feature-rich access infrastructure and simplify the licensing requirements for Group d Policy deployment. DNA Advantage Network Advantage hardware licenses and/or its affiliates. All rights reserved. This document is Public Information. Page 1 of 11

2 Solution-level validated versions listed in the tables below may not always represent the latest available platform version and feature set. Releases may encounter issues in other subsystems and be deferred. For latest platform firmware version and feature set, refer to product release notes. As an aid to deployment, products are grouped into Tier I, II, and III with regard to feedback on design and deployment. Tier I products have full Group d Policy functionality with few caveats, and they are common components in successful deployments. Tier II products have full Group d Policy functionality but there are some caveats involved in their deployment. Tier III do not have full Group d Policy functionality and and SXP based Propagation only. These products tend to be older with a less rich feature set and more caveats to consider when deploying. Security products are not listed in a tier. End of Sale Products are listed in Table 3. is ed on several platforms but not all are listed in the matrix pending review of solution test verification. Table 2. Group d Policy Platform Support Matrix Plus LAN K9 - IOS, VLAN to, Subnet to C LAN K9 - IOS, VLAN to, Subnet to CX LAN K9 - IOS 15.2(3)E, VLAN to, Subnet to X LAN K9 IOS 15.2(2)E IOS, VLAN to, Subnet to XR IP Lite K9 IOS 15.2(2)E IOS, VLAN to, Subnet to and 3850 ONE IOS XE 3.7.4E 3.6.8E 3.6.6E IOS XE 3.6.4E (v4,v6), VLAN to, Port to, Subnet to, L3IF to, over ; over MACsec ( ) (3.6.6E) Netflow 3650 and 3850 ONE & above IOS XE Denali IOS XE Denali (v4,v6), VLAN to, Port to, Subnet to, L3IF to, over ; over MACsec; over, XS ONE IOS XE IOS XE 3.7.4, VLAN to, Port to, Subnet to, L3IF to, over te5 ; over MACsec 2018 and/or its affiliates. All rights reserved. This document is Public Information. Page 2 of 11

3 CX IOS 15.2(3)E IOS 15.2(4)E (v4, v6), VLAN to, Subnet to, te C/CG IOS 15.0(1)SE2 IOS 15.2(2)E, VLAN to, Subnet to, E- Engine 8-E and 8L-E ONE IOS XE 3.7.1E IOS XE 3.6.0E 3.8.0E- (v4, v6), VLAN to, Port to, Subnet to (Src & Dst), L3IF to te12, over ; over MACsec (See note 2 for ed line cards) Netflow X ONE IOS XE 3.6.3E IOS XE 3.5.1E 3.8.0Elogging (v4,v6), VLAN to, Port to, Subnet to (Src & Dst), L3IF to te12, over ; over MACsec E- Engine 7-E and 7L-E ONE IOS XE 3.7.1E IOS XE 3.5.1E, VLAN to, Subnet to, L3IF to, Port to te12, over ; over MACsec (See note 2 for ed line cards) [3.8.0E] Netflow 4500 E- Engine 6-E and 6L-E; IOS 15.1(1)SG IOS 15.1(1)SG te12, Engine 2T & 6T 6807-XL 2T: IP K9 6T: IP K9 IOS 15.4(1)SY2 15.2(1)SY (1)SY0a Sup 6T IOS 15.4(1)SY1 IOS 15.2(1)SY0a Sup 6T IOS 15.4(1)SY1 (v4, v6), VLAN to, Port to, Subnet to (v4,v6), L3IF-to- (v4,v6), over & over MACsec ed on: WS-X69xx modules, C P10G/G- XL, C P10G/G- XL, C6800-8P10G/G-XL; over (IPv4, IPv6),, Caching Netflow 6880-X, 6840-X (incl 6816-X-LE), and 6800ia ONE IOS 15.2(2)SY2, 15.2(1)SY0a, 15.2(3a)E IOS 15.2(1)SY0a (v4, v6), VLAN to, Port to, Subnet to (v4,v6), L3IF-to- (v4,v6), over ; over MACsec (IPv4, IPv6),, Caching Netflow 6500 Engine 32 and 720 IOS 12.2(33)SXJ2 IOS 15.1(2)SY1, 2018 and/or its affiliates. All rights reserved. This document is Public Information. Page 3 of 11

4 Network Advantage IOS XE Everest SMU IOS XE Everest SMU (te 10) Dynamic, IP to, VLAN to, Port to, Subnet to, L3IF to, over over, _ Netflow Engine-1 & -1XL Network Advantage IOS XE , IOS XE Everest SMU (te 10) , VLAN to, Port to, Subnet to, L3IF to, over over, _ Caching Netflow Network Advantage IOS XE Everest SMU IOS XE Everest SMU (te 10), VLAN to, Port to, Subnet to, L3IF to, over over te13 _ Caching Netflow Connected Grid CGR IOS 15.5(2)T IOS 15.4(1)T Dynamic, IP to, VLAN to, over over IPsec VPN CGS 2500 Connected Grid Switch - IOS 15.2(3)EA IOS 15.0(2)EK1, VLAN to, Port to, Subnet to, Industrial Switches IE 2000 & 2000U IE 3000 LAN IOS 15.2(3)EA IE2000U: IOS 15.2(3)E3 IOS 15.2(1)EY IE2000U: IOS 15.2(3)E3, VLAN to, Subnet to, IE 4000 LAN ; IP for oe & IOS 15.2(4)EA, 15.2(5)E IOS 15.2(5)E, VLAN to, Subnet to te11 over te16 IE 5000 LAN ; IP for oe & IOS 15.2(2)EB1, 15.2(5)E IOS 15.2(5)E1, VLAN to, Subnet to te11 over on1g & 10G interfaces only te16 Access Points 1700, 2700, 3700, AP (Wave 1) - AireOS AireOS Dynamic, te6 over te6 1815, 1830, 1850, 2800, 3800 AP (Wave 2) - AireOS AireOS Dynamic, te6 over te and/or its affiliates. All rights reserved. This document is Public Information. Page 4 of 11

5 AireOS AireOS Dynamic v2 over AireOS AireOS Dynamic v2 over 3504 vwlc - AireOS - AireOS AireOS AireOS Dynamic v2 over (Centralized mode) Supports AP in Centralized and Flex Connect mode) Dynamic v2 Supports APs in Flex mode only 5500 (5508,5520) 2500 (2504) - AireOS , 30.0 AireOS 30.0 Dynamic V (8540,8510) - AireOS (pre 8.4) AireOS 8.1 Dynamic V2 Nexus 7000 Nexus 7000 with M3- modules License NX-OS 6.1 and NX-OS 8.1(2), 8.1(1), 8.0(1) (0)D1(1) [logging, monitor mode], 7.2(0)D1(1) NX-OS 8.0(1) IP to 1, Port Profile to, VLAN to 2, Port to 2 Subnet to 5 te14, over 5 ; over MACsec; over 5 : F3 interoperability M3 no propagatesgt l2 control command & logging Nexus 7000 with M2- modules License NX-OS 6.1 and NX-OS 8.1(1), 8.0(1) 7.3(0)D1(1) [ & limited logging], 7.2(0)D1(1) NX-OS 8.0(1) IP to 1, Port Profile to, VLAN to 2, Port to 2 Subnet to 5 te14 1 :FabricPath 6.2(10) or, over 5 ; over MACsec 5 : M2 cannot link to F3 module. & limited logging 2 VPC/VPC+ 7.2(0)D1(1) or 5 Subnet to 7.3(0)D1(1) or 2018 and/or its affiliates. All rights reserved. This document is Public Information. Page 5 of 11

6 Platform License Solution-Level Nexus 7000 Nexus 7700 F- te4 modules F3 modules do not tagging with other products unless these products the tagging exemption feature for Layer 2 protocols. M3 series this by enabling no propagate-sgt l2-control command. License NX-OS 6.1 and NX-OS 8.1(1), 8.0(1) 7.3(0)D1(1), 7.2(0)D1(1) NX-OS 8.0(1) IP to 1, Port Profile to, VLAN to 2, Port to 2 Subnet to 5 te14 1 :FabricPath 6.2(10) or 2 VPC/VPC+ 7.2(0)D1(1) or 5 Subnet to 7.3(0)D1(1) or, over 35 ; over MACsec 4 3 : F3 interfaces (L2 or L3) require 802.1Q or FabricPath 4 : F2e (Copper) all ports; F2e (SFP) & F3 (10G)- last 8 ports; All others- no 5 : t ed between F3 and either M2 or F2e Nexus 5000, 6000 Nexus 6000/5600 Nexus 5548P, 5548UP, and 5596UP - NX-OS 7.1(0)N1(1a) - NX-OS 7.0(5)N1(1) NX-OS 7.0(1)N1(1) NX-OS 6.0(2)N2(6) Port to Port to V1 V1 1 1 : FabricPath over over te16 te16 Nexus 1000 Nexus 1000V for VMware vsphere Advanced license for oe/ NX-OS 5.2(1)S(3.1) [] 5.2(1)S(1.3) NX-OS Dynamic (802.1x) 5.2(1)S (1.1) te15, IP to, Port Profile to, v4 v1 (prior to 5.2(1)S(3.1) over te9 Nexus 1000VE Virtual Edge Advanced license for NX-OS 5.2(1)SV5(1.1) NX-OS Port Profile to 5.2(1)SV5(1.1), IP to, v4 Integrated (ISR) 4000 ISR 4431, 4451-X, 4321, 4331, 4351 IP /K9 propagate, ; for SG FW enforcement IOS XE Denali , Everest IOS XE Denali IP to, Subnet to, L3IF to, over, over, or IPsec VPN & based Caching based ISRv IP /K9 propagate, IOS XE Denali IOS XE Denali IP to, Subnet to, L3IF to, over, over IPsec VPN, & 890, 1900, 2900, 3900 IP /K9 for SG FW enforcement 890: IOS 15.4(1)T1 IOS 15.4(3)M 1900/2900/390 0: IOS 15.5(1)20T IOS 15.4(3)M 890: IOS 15.4(3)M 1900/2900/39 00: IOS 15.6(1)T IP to, Subnet to, L3IF to, over (no on ISR G2-800 ), over, or IPsec VPN (890: services) based Caching based 2018 and/or its affiliates. All rights reserved. This document is Public Information. Page 6 of 11

7 Integrated (ISR) 4000 (ISR 4451-X validated) IP /K9 for SG FW enforcement IOS XE S IOS XE S IP to, Subnet to, L3IF to, over, over, or IPsec VPN based Caching based Netflow SM-X Layer 2/3 EtherSwitch Module IP /K9 IOS T IOS 15.2(2)E, VLAN to, over ; over MACsec Cloud CSR 1000V IP /K9 propagate, ; IOS XE Denali , Everest IOS XE Denali IP to, Subnet to, L3IF to, over, over IPsec VPN, & Cloud 1000V (CSR) IP /K9 for enforcement IOS XE S IOS XE S IP to, Subnet to, L3IF to, over, over IPsec VPN, based Caching Netflow Aggregation (ASR) ASR 1004, 1006, 1013, 1001-X, X,1002-HX, 1006-X, and 1009-X IP /K9 propagate, ; for SGFW enforcement IOS XE b Denali , Everest IOS XE Denali IP to, Subnet to, L3IF to, over, over, or IPsec VPN & based Caching based ASR 1000 Processor 1 or 2 (RP1, RP2); ASR 1001, 1002,1004, 1006 and 1013 with ESP (10,20, 40, 100, 200) and SIP (10/40) IP /K9 for enforcement IOS XE S IOS S IP to, Subnet to, L3IF to, over, over IPsec VPN, or based (1000 RP2) based Caching Netflow ASR X and 1002-X IP /K9 for enforcement IOS XE S IOS XE S IP to, Subnet to, L3IF to, over, over IPsec VPN, based based Caching Netflow Identity Engine ISE 3515, 3595, 3415, and 3495 Appliance & VMware Plus for pxgrid ISE 2.4, 2.3P1, 2.2, 2.1, 2.0, 1.4 ISE 2.2, Subnet to, pxgrid 2018 and/or its affiliates. All rights reserved. This document is Public Information. Page 7 of 11

8 Adaptive Security Appliance ASA ASA 9.0.1, ASDM ASA 9.0.1, ASDM 7.1.6, v2 ASA 5506-X, 5506H-X, 5506W-X, 5508-X, X - ASA ASA, over based ASA 5525-X, 5545-X, 5555-X with FirePower - ASA ASA, over based ASAv - ASA ADSM ASA ASDM, over based NGFW 2100 Threat Defense pxgrid over (src s only) based FP 4100 FP FXOS ASA FXOS ASA 9.6.1, over based Threat Threat Defense Defense 4100 & pxgrid over (src s only) based FTDv Threat & Apps (TA) pxgrid over (src s only) based Industrial Security Appliance ISA ASA ASA 9.6.1, over based 2018 and/or its affiliates. All rights reserved. This document is Public Information. Page 8 of 11

9 Table 3. End of Sale Group d Policy Platform Support Matrix ( ) EOS LAN S and 2960-SF K9 IOS 15.0(2)SE te1 15.2(2)E IOS, VLAN to, Subnet to te E and 3750-E IOS 15.0(2)SE5 IOS 15.0(2)SE5 Dynamic, IP to, VLAN to, V X and 3750-X IOS IOS 15.2(2)E1 (prefix must be 32), VLAN to, Port to (only on switch to switch links) over ; over MACsec (with C3KX-SM- 10G uplink); over te16 (maximum of 8 VLANs on a VLAN-trunk link) IOS 15.1(1)SG IOS 15.1(1)SG, Nexus 7000 Nexus 7000 F2- *** modules License NX-OS 6.1 and NX-OS 7.3(0)D1(1), 7.2(0)D1(1) NX-OS 7.3(0)D1(1) IP to 1, Port Profile to, VLAN to 2, Port to 2 Subnet to 5 1 :FabricPath 6.2(10) or, over ; over MACsec 4 4 : M & F2e (Copper-) all ports; F2e (SFP) - last 8 ports; All others- no 2 VPC/VPC+ 7.2(0)D1(1) or 5 Subnet to 7.3(0)D1(1) or 5760 IOS XE 3.7.1E IOS XE 3.3.1SE, VLAN to, Port to, Subnet to, over Module 2 (WiSM2) - AireOS , 30.0 AireOS 30.0 Dynamic V2 Flex AireOS , 30.0 AireOS 8.3 Dynamic V and/or its affiliates. All rights reserved. This document is Public Information. Page 9 of 11

10 EoS Aggregation (ASR) ASR 1001, 1002 IP /K9 for enforcement IOS XE S IOS S IP to, Subnet to, L3IF to, over, over IPsec VPN, or based (1000 RP2) based Caching Netflow Identity Engine ISE 3315, 3355, 3395, Appliance ISE 1.0, 1.1, 1.2 Adaptive Security Appliance ASA 5510, 5520, 5540, ASA 9.0.1, ASDM ASA 9.0.1, ASDM 7.1.6, v2 ASA 5505 te3, 5512, 5515, 5525, 5545, 5555, ASA 9.3.1, ASDM 7.3.1, CSM 4.8 ASA 9.3.1, ASDM 7.3.1, CSM 4.8, V2 over based ASA X, 5515-X, 5585-X with FirePower - ASA ASA, over based Fire POWER FirePOWER 7000 and 8000 Threat & Apps (TA) FireSIGHT , , , 6.2 FireSIGHT , , over - tes 1: 2960 S/SF Product management recommends 15.0(2)SE which s SXP v2. 2: Product part numbers of ed line cards for over and over MACsec on the 4500 Engine 7-E, 7L-E, 8-E, and 8L-E include the following: WS-X4712-SFP+E, WS-X4712- SFP-E, WS-X4748-UPOE+E, WS-X4748-RJ45V+E, WS-X4748-RJ45- E, WS-X4724-SFP-E, WS-X4748-SFP-E, and WS-X X48U+E. 3: ASA 5505 does not releases after : Nexus 7000 F1- modules do not TrustSec. 5: Use of inline tagging with LACP future IOS XE Denali or IOS 3.7 release (CSCva22545) 6: For SXP, AP must run in FlexConnect Mode 7: With IPv6, DGT can be IPv4. 8: Prior versions of this document listed 3750-X validated version, IOS 12.2(3)E1, and WLC AireOS 8.1. These releases have been deferred. 9: When inline tagging (oe) is enabled with the VIC 12xx and VIC 13xx, packet processing is handled at the processor level which will attribute to lower network I/O performance. An alternative solution is to use Intel adaptors. 10: IOS XE Everest SMU is required for ISE BYOD, Guest, and Posture. See ISE Compatibility Matrix: 11: The IE 4000 and IE 5000 platforms perform similarly to the 3560-X and 3750-X platforms in the reliance on IP Address, MAC Address, and physical port/vlan of the device, learned via dot1x or MAB or IP Device Tracking (IPDT). These devices cannot use information learned via SXP for either enforcement or tag propagation as the device is not directly attached. SXP v4 is ed in mode only and/or its affiliates. All rights reserved. This document is Public Information. Page 10 of 11

11 12: 4500 Release 3.9 and, with the introduction of VRF, an SVI is needed for L3 lookup to derive for switched traffic, and a SVI is also needed on the VLAN for the derivation of source group for L2 traffic. 13: C9500 as a border node does not currently transferring the tag from the header to the CMD field for inline tagging. C9500 outside the fabric s inline tagging 14: The N7K must have an SVI on the VLAN if the mappings reside in the VRF. If N7K is L2 only, create an SVI without IP to be able to utilize the mappings from the VRF. SVI is not required if entered into the VLAN. 15: Dynamic classification with IEEE 802.1x on Nexus 1000V 5.2(1)S(4.1). This is validated with VMware Horizon 7 VDI. 16: Port based platforms cannot do enforcement of policy for remote IP addresses, ie. they can only classify or enforce for IP addresses present in the IPDT table (hosts that are L2 adjacent). Printed in USA C v6.4c 1/ and/or its affiliates. All rights reserved. This document is Public Information. Page 11 of 11