Deploying TrustSec - Security Group Tags in the Data Center


2 Deploying TrustSec - Security Group Tags in the Data Center
  Shaun White, Technical Solutions Architect

3 Agenda
  Security Group Tag (SGT) Review
  Use Case Review
  DC Design Consideration and Implementation
    Design Considerations
    Configuration
    Monitoring
    DC Orchestration
  Summary

4 Security Group Tag (SGT) Review

5 Policy: Who, What, Where, When, and How? (SGT Review)
  Network Access Workflow: Policy-governed Unified Access (context: HQ, 2:38 p.m., company asset vs. personal asset)
  1 Identity: IEEE 802.1X / EAP user authentication
  2 Profiling to identify the device (Cisco ISE profiling via HTTP, NetFlow, SNMP, DNS, RADIUS, DHCP)
  3 Posture of the device
  4 Policy decision (e.g. corporate resources vs. Internet only)
  5 Enforce policy in the network (Wireless LAN Controller, Unified Access Management)
  6 Full or partial access granted

6 Data Center Segmentation with TrustSec (SGT Review)
  Current designs require a topology for each zone/classification.
  Regardless of topology or location, policy (SGT) stays with users, devices, and servers.
  TrustSec simplifies policy management for intra/inter-VLAN traffic.

  SGT/DGT*   PCI     NonPCI  LOB1    LOB2
  PCI        Permit  DENY    Permit  DENY
  NonPCI     DENY    Permit  DENY    Permit
  LOB1       Permit  DENY    Permit  DENY
  LOB2       DENY    Permit  DENY    Permit

  Figure: Enterprise Campus/Branch (Voice, PCI, Non-PCI) -> Access Layer -> Enterprise Core -> Data Center Firewall -> Data Center (PCI Tag, NonPCI Tag, LOB1 Tag, LOB2 Tag)
  * SGT is sometimes referred to as Source Group Tag as well
  * DGT stands for Destination Group Tag

7 Traditional Role Based Access (SGT Review): "The Complexity Cube" figure with axes state, operator, network management, physical network

8 Desired End State (SGT Review): "The Complexity Cube" figure with the same axes (state, operator, network management, physical network)

9 High OPEX Security Policy Maintenance (SGT Review)
  Sources: NY, SF, LA, SJC (/24 networks)
  Destinations (Production Servers): DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI)
  Traditional ACL/FW rules (Source -> Destination):
    permit NY to SRV1 for HTTPS
    deny NY to SAP2 for SQL
    deny NY to SCM2 for SSH
    permit SF to SRV1 for HTTPS
    deny SF to SAP1 for SQL
    deny SF to SCM2 for SSH
    permit LA to SRV1 for HTTPS
    deny LA to SAP1 for SQL
    deny LA to SAP for SSH
    permit SJC to SRV1 for HTTPS
    deny SJC to SAP1 for SQL
    deny SJC to SCM2 for SSH
    permit NY to VDI for RDP
    deny SF to VDI for RDP
    deny LA to VDI for RDP
    deny SJC to VDI for RDP
  ACL for 3 source objects & 3 destination objects; adding a source object or a destination object continues the growth: a complex task and high OPEX.
  A global bank dedicated 24 global resources to manage firewall rules currently.

10 Reduced OPEX in Policy Maintenance (SGT Review)
  Source SGTs: Employee (10), BYOD (200) at NY, SF, LA, SJC
  Destination SGTs: Production_Servers (50) [DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2)], VDI (201) [DC-RTP (VDI)]
  Security Group Filtering:
    Permit Employee to Production_Servers eq HTTPS
    Permit Employee to Production_Servers eq SQL
    Permit Employee to Production_Servers eq SSH
    Permit Employee to VDI eq RDP
    Deny BYOD to Production_Servers
    Deny BYOD to VDI eq RDP
  Policy stays with users/servers regardless of location or topology.
  Simpler auditing process (low OPEX cost).
  Simpler security operation (resource optimization), e.g. the bank now estimates 6 global resources.
  Clear ROI in OPEX.

11 SGT Architecture Components (SGT Review)
  Classification: Catalyst 2K, 3K, 4K, 6K; WLC (7.4), 5760; Nexus 7000, 6000, 5500, 1000v; ASR1K/ISRG2 (SGFW); ASA (SGFW)
  Policy Management: Identity Services Engine
  Propagation (WLAN, LAN, Remote Access (roadmap)): Cat 2K-S (SXP), Cat 3K (SXP), Cat 3K-X (SXP/Inline), Cat 4K Sup7 (SXP/Inline), Cat 6K Sup720 (SXP), Cat 6K Sup2T (SXP/Inline), N7K (SXP/Inline), N6K (SXP Speaker/Inline), N5K (SXP Speaker/Inline), N1Kv (SXP Speaker/Inline (beta)), ASR1K (SXP/Inline), ISR G2 (SXP/Inline), ASA (SXP/Inline (beta))
  Enforcement: N7K/N6K/N5K/N1KV (SGACL), Cat6K/4K (SGACL), Cat3K-X/3850 (SGACL), ASA (SGFW), ASR1K/ISRG2 (SGFW)

12 TrustSec Classification Functions (SGT Review)
  Campus & VPN Access (Cisco access layer, ISE; user/device/location): 802.1X, Profiling, Web Auth, MAB, VPN -> SGT
  Data Center / Virtualization (NX-OS, orchestration, hypervisors): IP-SGT, VLAN-SGT, Port-SGT, Port Profile -> SGT
  Business Partners & Supplier access controls (IOS/Routing; non-Cisco & legacy environments): VLAN-SGT, Addr.Pool-SGT, IPv4 Prefix Learning, IPv6 Prefix Learning, IPv4 Subnet-SGT, IPv6 Prefix-SGT -> SGT

13 SGT Classification (SGT Review): the process to map an SGT to an IP address
  Dynamic Classification (common classification for mobile devices): 802.1X/VPN Authentication, Web Authentication, MAC Auth Bypass
  Static Classification (common classification for servers, topology-based policy, etc.): IP Address, VLANs, Subnets, L2 Interface, L3 Interface, Virtual Port Profile, Layer 2 Port Lookup, Prefix learned via routing on port

14 SGT Propagation Mechanism (SGT Review)
  Tag when you can! SXP when you have to!
  Inline SGT Tagging (data plane): if the device supports SGT in its ASIC, the SGT (e.g. SRC SGT = 50) is carried in the L2 Ethernet frame, optionally encrypted.
  SXP (control plane): the IP-SGT binding table (IP Address -> SGT) is shared between devices that do not have SGT-capable hardware.
  Figure: Wired Access (local SXP, non-SGT capable) and Wireless Access -> Campus Core -> Enterprise Backbone -> DC Firewall -> DC Core -> DC Distribution -> DC Virtual Access (VM servers, PCI VM server, SGT 20) and DC Physical Access (physical servers, SGT 30)

15 SGT Exchange Protocol (SGT Review)
  Control plane protocol that conveys the IP-SGT map of users/hosts to the enforcement point.
  SXP uses TCP as the transport layer.
  Eases and accelerates deployment of TrustSec.
  Two roles: Speaker (initiator) and Listener (receiver).
  Supports single-hop SXP and multi-hop SXP (aggregation): SW -> SXP -> SW (aggregation) -> SXP -> RT.

16 SXP Versions (SGT Review)
  Version 1: the initial SXP version, supports IPv4 binding propagation. (N7K, N6K, N5K, N1KV as of June 14.) This limits the NX-OS platforms to sharing unidirectionally, i.e. from access to aggregation/firewalls. Design impact shown later.
  Version 2: includes support for IPv6 binding propagation and version negotiation. (Older switch and router IOS, ASA, WLC prior to March 13.)
  Version 3: adds support for Subnet/SGT binding propagation and expansion (6K only). If speaking to a lower-version listener it will expand the subnet.
  Version 4: loop detection and prevention, capability exchange, built-in keep-alive mechanism. (New switch and router IOS after March 13.) Allows for bidirectional IP/SGT sharing and for more flexible designs.

17 SXP Informational Draft (SGT Review)
  SXP is now published as an Informational Draft to the IETF, based on customer requests.
  The draft is called Source-Group Tag eXchange Protocol because of likely uses beyond security.
  Specifies SXP v4 functionality with backwards compatibility to SXP v2 and v3.

18 Inline Security Group Tagging (SGT Review)
  Faster, and the most scalable way to propagate SGT within a LAN or Data Center.
  SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame.
  Capable switches understand and process the SGT at line rate.
  Protected by enabling MACsec (IEEE 802.1AE, AES-GCM 128-bit encryption); optional for capable hardware.
  No impact to QoS, IP MTU/fragmentation.
  L2 frame impact: ~20 bytes. The 16-bit field gives ~64,000 tag space.
  A non-capable device might drop the frame; L3 processing will result in an improper offset lookup for IP. L2-only may work.

  Ethernet frame with CMD:
    Destination MAC | Source MAC | 802.1Q | CMD ETHTYPE (0x) | CMD | ETHTYPE | PAYLOAD | CRC
    CMD = Version | Length | SGT Option Type | SGT Value | Other CMD Option
  MACsec frame with CMD:
    Destination MAC | Source MAC | 802.1AE Header (ETHTYPE 0x88E5) | 802.1Q | CMD ETHTYPE | CMD | ETHTYPE | PAYLOAD | CRC
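The following is an added example, not part of the deck: it parses the CMD header described above to recover the SGT, and shows the wrong L3 offset a non-CMD-capable device computes. The CMD EtherType value 0x8909 and the field widths (1-byte version, 1-byte length in 4-byte words, 2-byte option type, 2-byte SGT) are taken from the publicly documented CMD encoding, not from the slide, and the frame bytes are constructed.

```python
# Added example (not from the slides): parse the Cisco MetaData (CMD) header that
# carries an inline SGT, and contrast it with what a non-CMD-capable device sees.
# Assumptions not stated on the slide: CMD EtherType 0x8909 and the 1-byte
# version / 1-byte length (in 4-byte words) / 2-byte option type / 2-byte SGT
# layout follow the publicly documented CMD encoding. All frame bytes here are
# constructed test data.
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_CMD = 0x8909   # assumption: documented Cisco MetaData EtherType
ETHERTYPE_IPV4 = 0x0800
CMD_VERSION = 1
CMD_OPTION_SGT = 0x0001


def build_tagged_frame(dst_mac, src_mac, sgt, vlan=None, payload=b""):
    """Construct an IPv4 frame with an optional 802.1Q tag and a CMD/SGT header."""
    frame = dst_mac + src_mac
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    # CMD: EtherType, version, length=1 (one 4-byte option), SGT option type, SGT value
    frame += struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION, 1, CMD_OPTION_SGT, sgt)
    frame += struct.pack("!H", ETHERTYPE_IPV4) + payload
    return frame


def parse_capable(frame):
    """SGT-capable view: walk the 802.1Q and CMD headers and return the VLAN, the SGT,
    the inner EtherType and the offset where the L3 header really starts."""
    off = 12  # past destination and source MAC
    info = {"vlan": None, "sgt": None}
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype == ETHERTYPE_8021Q:
            (tci,) = struct.unpack_from("!H", frame, off)
            info["vlan"] = tci & 0x0FFF
            off += 2
        elif etype == ETHERTYPE_CMD:
            version, length = struct.unpack_from("!BB", frame, off)
            if version != CMD_VERSION:
                raise ValueError("unsupported CMD version %d" % version)
            off += 2
            end = off + 4 * length
            while off < end:  # options are 4 bytes each; unknown options are skipped
                opt_type, value = struct.unpack_from("!HH", frame, off)
                off += 4
                if opt_type == CMD_OPTION_SGT:
                    info["sgt"] = value
        else:
            info["ethertype"] = etype
            info["l3_offset"] = off
            return info


def parse_legacy(frame):
    """Non-capable view: only 802.1Q is understood, so the CMD EtherType is taken as
    the payload type and an 'IP header' would be read at the wrong offset."""
    off = 12
    (etype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if etype == ETHERTYPE_8021Q:
        off += 2
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
    return {"ethertype": etype, "l3_offset": off, "is_ipv4": etype == ETHERTYPE_IPV4}


# Constructed sample: VLAN 100, SGT 50, followed by the start of an IPv4 header (0x45).
SAMPLE_FRAME = build_tagged_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                                  sgt=50, vlan=100, payload=bytes.fromhex("4500001c"))
```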

19 SGT Link Authentication and Authorization (SGT Review)
  Mode                        MACsec  PMK      PTK      Cipher selection (no-encap, null, GCM, GMAC)  Trust/Propagation policy for tags
  cts dot1x                   Y       Dynamic  Dynamic  Negotiated                                     Dynamic from ISE / configured
  cts manual with encryption  Y       Static   Dynamic  Static                                         Static
  cts manual no encryption    N       N/A      N/A      N/A                                            Static
  (PMK = MACsec Pairwise Master Key, PTK = MACsec Pairwise Transient Key)
  cts manual is the strongly recommended configuration for SGT propagation.
  cts dot1x takes the link down when AAA is down: tight coupling of link state and AAA state.
  Some platforms (ISRG2, ASR1K, N6K, N5K, N1KV, ASA) only support cts manual / no encryption.

20 SAP: The Key Derivation (SGT Review) - figure only

21 Enforcement - Ease of Data Center Provisioning (SGT Review)
  Manual: a new workload is provisioned; firewalls must be manually updated with the new IP address & permissions.
  Automated: the workload is provisioned with a security group attribute; TrustSec policies are applied to switches and firewalls; the firewall applies the correct security policy based on security group membership.

22 End to End SGT/SGACL Enforcement (SGT Review)
  End user authenticated (Cat3750X or WLC5508) and classified as Employee (5); the frame carries SRC SGT 5 across Cat6500/Sup2T and Nexus 7000 to the N5600 / N2248 access layer.
  Destination classification: CRM: SGT 20, PCI: SGT 30 (FIB lookup -> destination MAC/port -> DGT).
  Egress matrix:
    SRC \ DST     CRM (20)  PCI (30)
    Employee (5)  SGACL-A   Deny
    BYOD (7)      Deny      Deny

23 Egress Policy Enforcement - TCAM scaling (SGT Review)
  Sources SGT=3, SGT=4, SGT=5 across the Enterprise Backbone; destinations Web_Server (SGT=7) and Time_Stamp_Server (SGT=10) behind SGACL enforcement points.
  Network devices download policies only when they have a device connected, i.e. only for connected systems.
  Egress filtering and dynamic download scale the TCAM of switches.

24 Use Case Review

25 Common SGT Use Cases (Use Cases)
  Resource Access Control: Secure Wi-Fi and Wired (NW1-NW5 with SGT10, SGT20, SGT30, SGT40).
  Data Center Server Segmentation: physical servers and VMs. This session focuses here!

26 PCI Compliance (Use Cases): applicable to most compliance requirements
  Data Center: PCI servers and other servers; segmentation and enforcement of the PCI scope.
  Network: segmentation across the company WAN.
  Branch: register workstation.

27 PCI Compliance (Use Cases): validation.pdf

28 Security Group Firewall (SGFW) (Use Cases)
  Security group tags are assigned based on attributes (user, location, posture, access type, device type), e.g. Marketing (10) in the Campus/Branch.
  Consistent classification/enforcement between FW and switching; SGT names synced between ISE and CSM/ASDM (SGT Name Download, e.g. SGT 10 = PCI_User, SGT 100 = PCI_Svr).
  Enforcement on a firewall (SGFW, policies from ASDM/CSM) and on a switch (SGACL, policies from ISE); SXP carries IP Address -> SGT to the ASA in the Data Center.
  Rich logging requirements will be fulfilled on the SGFW (URL logging, etc.). Switch logging is best effort via syslog (N7K/N5K) or NetFlow (Cat6K Sup2T).
  Lower OpEx: automation of firewall rules for users and servers.

29 Financial (Use Cases)
  Multiple phases and use cases; currently enforcement on Catalyst switches.
  User devices classified by 802.1X or MAB; servers defined by IP address or Nexus 1KV Port Profile.
  Use cases: controlled access to DC applications for compliance; user-to-user control; DC segmentation.

30 Manufacturer (Use Cases)
  Large manufacturing company deploying Secure Wi-Fi: large campus wireless deployment (Campus C, Campus D, Branch Office, Corporate Network).
  ACL needs to scale to more than 64 lines of ACL (>1,500) on the WLC.
  SGT solution within the C6K chassis: WiSM2 aggregates AP traffic (CAPWAP tunnels) on a Cat6500 VSS system (two Sup2T, four WiSM2); Sup2T enforces policy based on SGT; SXP to ISE.
  Destination SGT values defined by IP & subnet: 10.x.x.0/24 = SGT 7, 10.y.y.0/24 = SGT 6, 10.z.z.0/24 = SGT 22, Data Center /24 = SGT 10, Corporate Network /8 = SGT 100.
  Source SGTs: SGT 2: Limited Access (non-compliant mobile device), SGT 3: Full Access (compliant corporate asset).
  Reduced IOS static ACL by managing policy using the Egress Matrix, e.g. about 500 lines of ACL allowing HTTPS are now supported by a single line of SGACL:
    permit tcp dst eq 443

31 ASA VPN TrustSec Use Case (Use Cases): SGT Classification for VPN Remote Access Session
  ASA (v9.2.1) and ISE 1.2 (Patch 5) required.
  Why TrustSec?
    Policy based on the Remote Access user's connection context.
    Enables consolidated policy for wired, wireless, and VPN RAS.
    Simplifies VPN RAS design and helps to scale as the business grows.
    Simplifies VPN contractor (or employee) to DC access policy.
    Provides relatively simple deployment with security-focused products.
    Provides local (ASA RAS) or distributed enforcement (ASA in DC, DC switches, campus switches or routers).

32 Remote Access Today (Use Cases)
  Partner A, B and C connect over SSL-VPN from the Internet to ASA RAS1 / RAS2 and land in Pool A /24, Pool B /24, Pool C /24; ISE wireless and wired policy with LDAP/AD; two policy domains (DC1, NW1 and DC2, NW2).
  Access policies are separated; policies are mapped to topology; ingress filtering everywhere.

33 VPN User to DC Access (Use Cases)
  Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers. TrustSec simplifies VPN address/filtering management.
  RAS-EMEA (Pool-B) and RAS-US (Pool-A) terminate SSL-VPN from the Internet; the Campus Core and the Data Center Firewall front the Data Center (Supplier Apps, PCI Apps). Tags: Employee, PCI-User, Supplier-B.
    Source (IP / Sec Group)   Destination (IP / Sec Group)   Service  Action
    Any / Employee            Any / Supplier                 HTTP     Allow
    Any / PCI-User            Any / PCI Apps                 HTTPS    Allow
    Any / Supplier-B          Any / PCI Apps                 TCP      Deny
    Any / Any                 Any / Any                      Any      Deny

34 Multi-Tenant Data Center - Inside out classification (Use Cases)
  The DC has both shared apps and BU-specific apps.
  DC Router: tag Yellow apps with the Yellow tag, shared apps with Purple.
  BU routers accept their own SGT and the shared application SGT values: Blue BU classification allows Blue & Purple; Yellow BU classification allows Yellow & Purple.
  Topology: Data Center (Shared Apps, BU Apps) -> Core Network (transit) -> Blue BU WAN / Yellow BU WAN -> Blue BU and Yellow BU branch offices and 3rd-party suppliers.

35 Multi-Tenant Data Center - Inside out classification, BU-level classifications (Use Cases)
  Shared and BU-specific apps flow properly; standard SGACLs simplify the base policy.
  DC Router: tag Yellow apps with the Yellow tag, shared apps with Purple.
  Blue BU Router: allow Blue & Purple. Yellow BU Router: allow Yellow & Purple.
  Topology: Data Center (Shared Apps, BU Apps) -> Core Network (transit) -> Blue BU WAN / Yellow BU WAN -> Blue BU and Yellow BU branch offices and 3rd-party suppliers.

36 TrustSec Platform Support (Use Cases)
  Classification: Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C/-X; Catalyst 3750-E/-X; Catalyst 3850, 3650; WLC 5760; Catalyst 4500E (Sup6E/7L-E); Catalyst 4500E (Sup8E); Catalyst 6500E (Sup720/2T), 6880X; Wireless LAN Controller 2500/5500/WiSM2; Nexus 7000; Nexus 5500; Nexus 1000v (Port Profile); ISR G2 Router, CGR2000; IE2000/3000, CGS2000; ASA5500X, ASAv (VPN RAS) Q3CY14
  Propagation (SXP and/or inline SGT): Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C, 3750-E; Catalyst 3560-X, 3750-X; Catalyst 3650, 3850; Catalyst 4500E (Sup6E); Catalyst 4500E (Sup 7E)***, 4500X; Catalyst 4500 (Sup8E)***; Catalyst 6500E (Sup720); Catalyst 6500E (Sup 2T)**** / 6880X; WLC 2500, 5500, WiSM2**; WLC 5760; Nexus 1000v (SGT beta); Nexus 5500/22xx FEX**; Nexus 7000/22xx FEX; ISRG2, CGR2000 (GETVPN, IPsec); ASR1000 (GETVPN, IPsec); ASA5500(X) Firewall, ASASM (SGT beta). All ISRG2 inline SGT (except C800): today. ISRG2/ASR1K DMVPN, FlexVPN: Q3CY14.
  Enforcement (SGACL / SGFW): Catalyst 3560-X; Catalyst 3750-X; Catalyst 3850, 3650; WLC 5760; Catalyst 4500E (Sup7E); Catalyst 4500E (Sup8E); Catalyst 6500E (Sup2T) / 6880X; Nexus 7000; Nexus 6000; Nexus 5500/5600; Nexus 1000v (beta); ISR G2 Router, CGR2000 (SGFW); ASR 1000 Router (SGFW); ASA 5500/5500X Firewall (SGFW); ASAv Q3CY14
  ** WLC 2500, 5500, WiSM2 and Nexus 5K only support the SXP Speaker role
  *** 4500E (Sup7E/8E) requires 47XX line cards for inline SGT
  **** 6500 (Sup2T) requires 69xx line cards for inline SGT

37 DC Design Consideration and Implementation

38 DC Design Consideration

39 SGT Transport 2014 (Design Consideration) - topology figure
  Legend: normal link; in-line SGT tagging; SXPv2.
  Campus Access Block: Cat3850, Cat3560-X, APs, Cat4500, Cat6500/Sup2T, Cat3750-X, WLC (SXPv).
  Branch Block (IPsec, DM-VPN, GET-VPN; all SGT-capable): ISR G2, Cat6500/Sup2T, ASR1K, ASA, N7K.
  Core Block: N7K, ASA, Cat6500/Sup2T.
  Internet Edge Block: ASA RA-VPN (SXP), ASA+IPS+CX, outside switch, DMZ switch, Web Security Appliance, SSL-VPN (RAS), ASR1K, C800 (CVO), ISR G2 / WLC (SXPv2).
  DC Block: N2248, ASAv, CSR1KV (SXP), N5K, N1KV, N2K, 5760 WLC, Nexus 6000, ISE 1.2, VDI infrastructure, UCS.

40 SGT Enforcement Q (Design Consideration) - topology figure with enforcement points
  Legend: normal link; in-line SGT tagging.
  Campus Access Block: SGACL on Cat3850, Cat3560-X, Cat3750-X and the 5508 WLC; Cat4500, Cat6500/Sup2T, APs.
  Branch Block (IPsec, DM-VPN, GET-VPN; all SGT-capable): ZBSGFW on ISR G2 and ASR1K; Cat6500/Sup2T, ASA, N7K.
  Core Block: N7K, ASA, Cat6500/Sup2T.
  Internet Edge Block: ASA RA-VPN, ASA+IPS+CX, outside switch, DMZ switch, Web Security Appliance, SGFW on the SSL-VPN (RAS) ASA, ZBSGFW on ASR1K, C800 (CVO), ISR G2 (SGACL) / WLC.
  DC Block: N2248, SGFW on ASAv, CSR1KV (SGACL), SGACL on N6K, N5K, N1KV, N2K and 5760 WLC; Nexus 6000, ISE 1.2, VDI infrastructure, UCS.

41 Customer End State in the Data Center (Design Considerations) - figure
  Branch/Campus: PCI Users, LOB2 Users. Business Partner/VPN Edge: PCI_RAS Users, LOB2_Business Partner.
  Core Network with SXP to ISE. Data Center: Risk Level 1 (PCI_Web, PCI_App, PCI_DB) and Risk Level 2 (LOB2_DB).

42 Hardware Forwarding SGT/SGACL Today (Design Considerations)
  Two groupings of hardware forwarding for SGACL:
    Port/VLAN based: Catalyst 3K-X, Nexus 5500
    IP/SGT based: Nexus 7000 M series and F series, Nexus 6000/5600, Cat 6K/Sup2T, Cat 4K/Sup7E/Sup8E, Cat 3850/5760, ASR1K
  Each type of hardware has different scaling limits: there are limits on the number of SGT/DGT as well as Access Control Entries (ACE) in TCAM. All hardware shares ACE entries when possible amongst SGT/DGT.
  Each type of hardware has different logging and monitoring capabilities: counters, ACE logging, NetFlow with SGT/DGT.

43 Nexus 5500 SGT and DGT Derivation (Design Considerations)
  Each port has one DGT (which is also used as the SGT on ingress) associated with it.
  Ingress path (SGT derivation): from the packet, or from the port DGT / VLAN table (static config). Ingress tagging is done only if cts is enforced on the VLAN.
  Egress path (DGT derivation and SGACL): FIB -> port -> DGT; egress table DGT/SGT -> SGACL.

44 N7K M series SGT and DGT Derivation (Design Considerations)
  Ingress path (SGT derivation): from the packet, from ingress port based static config, or from the L3/FIB table, with priority control between the sources.
  Egress path (DGT derivation and SGACL): FIB IP prefix -> DGT (in the L3/FIB table each prefix has an associated DGT); egress table DGT/SGT -> SGACL.
  A number of SGT (DGT) assignment sources, e.g. SXP, VLAN-SGT, ..., are evaluated by the TrustSec software against a priority list; the winning result is programmed into the L3/FIB table.

45 N7K F series SGT and DGT Derivation (Design Considerations)
  Ingress path (SGT derivation): from the packet, from ingress port based static config, or from the IP/SGT CAM table, with priority control between the sources.
  Egress path (DGT derivation and SGACL): FIB IP prefix -> DGT (in the IP/SGT CAM table each prefix has an associated DGT); egress table DGT/SGT -> SGACL.
  A number of SGT (DGT) assignment sources, e.g. SXP, VLAN-SGT, ..., are evaluated by the TrustSec software against a priority list; the winning result is programmed into the L3/FIB table.

46 Implications of Hardware Forwarding Capabilities (Design Considerations)
  Port/VLAN based hardware:
    Limited SXP applicability due to the SGT derivation on MAC/port.
    Limited number of SGTs per port (one per VLAN/port).
  IP/SGT based hardware:
    Allows for bidirectional SXP. However, the NX-OS SXP code is v1, so it can't support this in software until it is upgraded to SXPv4 (roadmap item).
    Allows for multi-hop SXP coming into the switch due to the FIB lookup for IP/SGT.
    Tagging/enforcement for incoming packets due to the FIB lookup for IP/SGT.
    Scale varies per platform. Think hundreds of groups with simple reused permissions (ACEs).
  N5K is limited since it can't find the SGT via SXP: no N5K SXP listener, even for L2-adjacent hosts; the N5K can't be a listener for an N1KV.
  The N6K ASIC is capable of acting as an SXP listener, but this is not supported in current code.
  The N1KV is software forwarding, but it relies on NX-OS platform-independent code from the N7K, so it can only be a speaker in current code.

47 Business Partner and VPN Edge Design Considerations (Design Considerations)
  Is this really Data Center related? In Cisco's experience these connections typically are a block on the edge of the DC.
  It is also the most common place Cisco is asked for the ability to classify based on the routes or the interface of a business partner/contractor/joint venture, etc.
  This has driven the need to be able to classify on routing aggregators and VPN devices.

48 Layer 3 Interface to SGT - L3IF (Design Considerations)
  Route prefix monitoring on a specific Layer 3 port with mapping to the associated SGT.
  Can be applied to Layer 3 interfaces regardless of the underlying physical interface: routed port, SVI (VLAN interface), Layer 3 subinterface of a Layer 2 port, tunnel interface.
  Makes the prefixes available for export in SXP. Platforms: ISR/ASR1K/Cat6K.
  Figure: Joint Ventures (route updates, /24, SGT 8) and Business Partners (route updates, /24 and /24, SGT 9) -> ASR1K -> EOR -> DC Access -> hypervisor switch.

    ASR1K#show cts role-based sgt-map all
    Active IP-SGT Bindings Information
    IP Address    SGT    Source
    ========================================
                         INTERNAL
                         INTERNAL
                         INTERNAL
    /24           8      L3IF
    /24           9      L3IF
    /24           9      L3IF

49 Layer 3 Interface to SGT - Port/SGT mapping (Design Considerations)
  Port to interface mapping does not learn IP prefixes via route learning.
  All traffic coming into the interface is tagged with the SGT on the interface.
  Will not make learned prefixes available in SXP.
  Figure: Joint Ventures (route updates, /24, SGT 8 on the local interface) and Business Partners (route updates, /24 and /24) -> ASR1K -> EOR -> DC Access -> hypervisor switch.

    ASR1K#show cts role-based sgt-map all
    Active IP-SGT Bindings Information
    IP Address    SGT    Source
    ========================================
                         INTERNAL
                         INTERNAL
                         INTERNAL
    /24           2      INTERNAL
    /24           8      L3IF

50 RAS VPN Considerations (Design Considerations)
  ASA supports SGT classification for RAS VPN (dynamic classification via ISE); mix and match classifications in the same subnet/DHCP pool if you'd like.
  Most concentrators allow users/groups to be mapped to specific DHCP pools or VLANs.
  Older ASA and 3rd-party VPN concentrators are supported via Subnet/SGT or L3IF on the upstream router (static classification).
  Figure: RAS VPN ASA and 3rd-party VPN (external cloud) -> Core -> SXP -> DC ASA -> PCI_Web, LOB1_Web.

51 External Classification to Data Center Traffic Flow (Design Considerations)
  How do I handle an ASA only supporting SXP fronting DC resources?
  How do I handle 3rd-party services sitting in front of the DC (IPS, SLB, firewall)?
  Two options:
    Build SXP from the access layer to the DC.
    Use inline tagging transport to the DC services layer and use SGT Caching.

52 SGT Caching Overview (Design Considerations)
  While tagged packets arrive, the SGT is removed and cached. Untagged packets are sent to the DPI services. Upon receipt from DPI at the egress, packets are retagged with the appropriate SGT.

53 Services with SGT Caching (Design Considerations)
  Service chaining possible to 3rd-party devices for Server Load Balancing (SLB), Intrusion Prevention Services (IPS), etc.
  Security Group Firewalling: firewall rule automation using ASA SG-Firewall functions.
  SGT Caching on C6500/N7K caches IP-SGT mappings from the data plane (e.g. IP Address -> SGT 8 (Employee_Full)) and sends the IP-SGT mappings to the ASA in SXP.
  Figure: SGT-tagged traffic (SRC, DST, SGT 8) enters the SGACL-enabled device; untagged traffic passes the SG-Firewall-enabled device to the DC access layer and physical servers; SXP from the caching device to the ASA.

54 Nexus 5500 TrustSec Capabilities (Design Considerations)
  No SXP listener; SXP speaker only.
  Port/SGT only; no port profile supported in current code.
  128 SGACL TCAM entries available per bank of 8 ports; 4 are default entries, so effectively only 124 are available for feature use.
  The sum of the SGACL entries per 8-port bank cannot contain more than 124 permissions in total (3 + 9 in this example).
  SGACLs can be reused extensively: SGT,DGT combinations on a N5500 reuse the 124 lines of permissions.

    WEB-ACL:
      permit tcp dst eq 443
      permit tcp dst eq 80
      deny ip
    HR-DB-ACL:
      permit tcp dst eq 443
      permit tcp dst eq 80
      permit tcp dst eq 22
      permit tcp dst eq 135
      permit tcp dst eq 136
      permit tcp dst eq 137
      permit tcp dst eq 138
      permit tcp dst eq 139
      deny ip

55 Nexus 6000 TrustSec Capabilities (Design Considerations)
  Current shipping code is similar to the N5500 platform: 128 ACEs for configuration; no SXP listener, only SXP speaker; Port/SGT definition only.
  Logs are like the Nexus 7000 platform.
  The ASIC is an L3 ASIC, which allows for future IP/SGT capabilities.

56 Nexus 7000 TrustSec Capabilities (Design Considerations)
  SGT/SGACL supported on M series, F1, F2, F2E cards as of 6.2(6a); SGT/SGACL support on F3 as of 6.2(10), ~Q3CY14.
  The N7K does all enforcement via IP/SGT programming in ASICs. This creates an interesting design case: where the N7K is performing intra-VLAN policy (within the same VLAN), the N7K MUST have an SVI on the VLAN. If the N7K is L2 only, create an SVI without an IP to be able to snoop ARP/DHCP to discover the IP. This allows the IP/SGT to be programmed properly for intra-VLAN filtering.
  L2-only N7K (LOB1, LOB2, PCI_DB on the VLAN):
    N7K-DST1# sho run int vlan 3207
    interface Vlan3207
      no shutdown

57 NX-OS Large Scale SGACL (Design Considerations)
  Large numbers of SGT/DGT cells and SGACLs on N7K/N6K/N5K require new handling of SGACLs. Large policies can also exceed a single RADIUS packet, so the releases below introduce RADIUS SGACL fragmentation to spread the SGACL policies across multiple packets: N (6) onwards; N5600/N (2)N2 onwards.
  N7000 and N5500 require a batch programming command to scale SGACLs:
    N7K-DST1(config-vlan)# cts role-based policy batched-programming enable

58 VLAN Designating Risk Levels / Security Zones (Design Considerations)
  Often a VLAN is equal to a Risk Level/Security Zone; in many cases ingress/egress ACLs are used to control flows between VLANs.
  VLAN/SGT can be used on the Nexus 7000 (6.2 release) to reduce TCAM usage substantially; ACL conversion has shown 60% to 88% TCAM reduction.
  Distribution layer enforcement allows any compute. It does assume that traffic within a VLAN is permissible; flows to other risk levels/security zones are still enforced on the firewall.
  Figure: Campus Network -> N7K -> VLAN 100 Risk Level 1 (PCI_Web, PCI_App) and VLAN 200 Risk Level 1 (LOB_App); ISE.
    N7K-DST1(config)# vlan 100
    N7K-DST1(config-vlan)# cts role-based sgt 100
    N7K-DST1# sho cts role-based sgt-map
    IP ADDRESS   SGT                   VRF/VLAN   SGT CONFIGURATION
                 (PCI_Servers)         vlan:200   Learnt through VLAN SGT configuration
                 (PCI_Servers)         vlan:200   Learnt through VLAN SGT configuration
                 (PCI_Servers)         vrf:1      CLI Configured
                 (Production_Servers)  vrf:1      CLI Configured

59 Data Center Configuration

60 DC Traffic Segmentation with SGT (Configuration)
  Servers are assigned SGTs via static port profile / port / IP-SGT map.
  Servers attempt to communicate east-west; traffic hits the egress enforcement point; only the permitted traffic path (source SGT to destination SGT) is allowed.
  Traffic enforcement is distributed across 5K, 6K and 7K: PCI-DB to LOB1-DB hits SGACL PCI-LOB1-ACL on the 5K; PCI-DB to LOB1-DB hits SGACL PCI-LOB1-ACL on the 7K.
  Topology: Core Network -> Data Center Nexus 7000s -> Nexus 55XXs -> VMs/bare metal (PCI DB (111), LOB1 DB (222), LOB2 DB (333), Security Server (444)); ISE.
  Egress matrix:
    SRC \ DST              PCI DB (111)   LOB1 DB (222)  LOB2 DB (333)  Security Server (444)
    PCI DB (111)           Permit All     PCI-LOB1-ACL   PCI-LOB2-ACL   Deny All
    LOB1 DB (222)          PCI-LOB1-ACL   Permit All     Deny All       Deny All
    LOB2 DB (333)          PCI-LOB2-ACL   Deny All       Permit All     Deny All
    Security Server (444)  Deny All       Deny All       Deny All       Deny All
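The following is an added example, not part of the deck: it evaluates flows against the egress matrix of slide 60 the way the egress enforcement point does (cell lookup by source/destination SGT, then top-down ACE match), and applies the Nexus 5500 TCAM budgeting rule of slide 54 (124 usable entries per 8-port bank, shared SGACLs counted once). SGT numbers, SGACL names and the WEB-ACL / HR-DB-ACL permissions come from the slides; the permission lines inside PCI-LOB1-ACL and PCI-LOB2-ACL and the deny default for unknown cells are assumptions.

```python
# Added example (not from the slides): evaluate a flow against the egress SGACL
# matrix of slide 60 and budget SGACL TCAM entries the way slide 54 describes for
# the Nexus 5500 (128 entries per 8-port bank, 4 reserved, 124 usable; a reused
# SGACL is programmed once). SGT numbers, SGACL names, WEB-ACL and HR-DB-ACL come
# from the slides; the permission lines of PCI-LOB1-ACL / PCI-LOB2-ACL are constructed.
from collections import namedtuple

Flow = namedtuple("Flow", "src_sgt dst_sgt proto dport")

PCI_DB, LOB1_DB, LOB2_DB, SEC_SRV = 111, 222, 333, 444   # slide 60

# SGACL name -> ordered ACEs (action, protocol, destination port or None); first match wins.
SGACLS = {
    "Permit All": [("permit", "ip", None)],
    "Deny All": [("deny", "ip", None)],
    "PCI-LOB1-ACL": [("permit", "tcp", 443), ("permit", "tcp", 1433), ("deny", "ip", None)],  # constructed
    "PCI-LOB2-ACL": [("permit", "tcp", 443), ("deny", "ip", None)],                           # constructed
    "WEB-ACL": [("permit", "tcp", 443), ("permit", "tcp", 80), ("deny", "ip", None)],        # slide 54
    "HR-DB-ACL": [("permit", "tcp", p) for p in (443, 80, 22, 135, 136, 137, 138, 139)]
                 + [("deny", "ip", None)],                                                    # slide 54
}

# (source SGT, destination SGT) -> SGACL: the egress matrix of slide 60.
MATRIX = {
    (PCI_DB, PCI_DB): "Permit All", (PCI_DB, LOB1_DB): "PCI-LOB1-ACL",
    (PCI_DB, LOB2_DB): "PCI-LOB2-ACL", (PCI_DB, SEC_SRV): "Deny All",
    (LOB1_DB, PCI_DB): "PCI-LOB1-ACL", (LOB1_DB, LOB1_DB): "Permit All",
    (LOB1_DB, LOB2_DB): "Deny All", (LOB1_DB, SEC_SRV): "Deny All",
    (LOB2_DB, PCI_DB): "PCI-LOB2-ACL", (LOB2_DB, LOB1_DB): "Deny All",
    (LOB2_DB, LOB2_DB): "Permit All", (LOB2_DB, SEC_SRV): "Deny All",
    (SEC_SRV, PCI_DB): "Deny All", (SEC_SRV, LOB1_DB): "Deny All",
    (SEC_SRV, LOB2_DB): "Deny All", (SEC_SRV, SEC_SRV): "Deny All",
}
DEFAULT_SGACL = "Deny All"   # assumption: a cell with no explicit policy denies


def lookup_sgacl(src_sgt, dst_sgt):
    """Egress cell lookup: source SGT from the frame/SXP, destination SGT from the FIB."""
    return MATRIX.get((src_sgt, dst_sgt), DEFAULT_SGACL)


def evaluate(flow):
    """Return (action, sgacl) for a flow by applying the cell's ACEs top-down."""
    name = lookup_sgacl(flow.src_sgt, flow.dst_sgt)
    for action, proto, dport in SGACLS[name]:
        if proto == "ip" or (proto == flow.proto and dport in (None, flow.dport)):
            return action, name
    return "deny", name   # implicit deny if no ACE matched


def ace_count(sgacl_names):
    """Permission lines a set of SGACLs consumes; a reused SGACL is counted once."""
    return sum(len(SGACLS[n]) for n in set(sgacl_names))


def n5500_bank_budget(cells, bank_entries=128, reserved=4):
    """TCAM budget for the SGT/DGT cells that must be programmed on one 8-port bank."""
    names = sorted({lookup_sgacl(s, d) for s, d in cells})
    used = ace_count(names)
    usable = bank_entries - reserved
    return {"sgacls": names, "aces": used, "usable": usable, "fits": used <= usable}
```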

61 Simplified Data Center Topology - walkthrough (Configuration)
  User/Server VPN to Data Center: enforcement will occur on the ASA; SGT from SXP from the VPN ASA; DGT from N7K SXP.
  Business Partner to Data Center: enforcement will occur on the ASA; SGT from the frame; DGT from N7K SXP.
  Topology: ASA <- SXP - N7K with SGT caching -> N5K / N6K -> N1KV (SXP); servers PCI DB (111), LOB1 DB (222), LOB2 DB (333). Legend: SXP (Security exchange Protocol); SGT over Ethernet (SGToEthernet); Ethernet.

62 Simplified Data Center Topology - walkthrough (Configuration)
  Server/Server traffic enforced via SGACL:
    PCI DB <-> LOB1 DB: enforced on N5K.
    N5K -> N1KV: enforced on N1KV; SGT from the frame; IP/SGT from the port profile.
    N1KV -> N5K: enforced on N5K; SGT from the frame; SGT from the port definition.
    N1KV -> N6K: enforced on N6K; same as N1KV -> N5K.
    Risk Level 1 -> Risk Level 2: enforced on the ASA; the assumption is that the N7K is doing SGT caching to send SXP to the ASA.
  Topology: ASA <- SXP - N7K with SGT caching -> N5K / N6K -> N1KV (SXP); servers PCI DB (111), LOB1 DB (222), LOB2 DB (333). Legend: SXP (Security exchange Protocol); SGT over Ethernet (SGToEthernet); Ethernet.

63 Business Partner Router Port Classification Options (Configuration)
  For our topology we're tagging from the router to the data center, so we will use the configuration on the left (Port/SGT, tag-only transport). If we had to put IP/SGT into SXP we would use the configuration on the right (prefix learning, SXP subnet/SGT).

  Port/SGT, tag-only transport:
    interface GigabitEthernet0/0/0
     ip address
     cts manual
      policy static sgt 2 trusted
    interface GigabitEthernet0/0/2
     ip address
     cts manual
      policy static sgt 50
      no propagate-sgt
     cdp enable

    ASR1K-2#sho cts role-based sgt-map all
    Active IP-SGT Bindings Information
    IP Address    SGT    Source
    ============================================
    /24           50     L3IF
                         INTERNAL

  Prefix learning, SXP subnet/SGT:
    interface GigabitEthernet0/0/2
     ip address
     cts role-based sgt-map sgt 50

    ASR1K-2#sho cts role-based sgt-map all
    Active IP-SGT Bindings Information
    IP Address    SGT    Source
    ============================================
    /24           50     L3IF
                         INTERNAL
    /24           50     L3IF
                         INTERNAL
    /24           50     L3IF

64 ASA RAS VPN Configuration (Configuration)
  The RAS VPN will assign a tag to the end user based on the authorization policy matched in ISE when the user logs into the group. We then communicate the tag via SXP to the DC ASA. The DC ASA will then use the SGT.

    aaa-server cts-mlist protocol radius
     dynamic-authorization
    aaa-server cts-mlist (inside) host
     timeout 5
     key trustsec
     authentication-port 1812
     accounting-port 1813
     radius-common-pw trustsec
    cts server-group cts-mlist
    cts sxp enable
    cts sxp default password trustsec
    cts sxp default source-ip
    cts sxp connection peer source password default mode local speaker
    group-policy GroupPolicy_cts-local internal
    group-policy GroupPolicy_cts-local attributes
     wins-server none
     dns-server value
     vpn-tunnel-protocol ssl-client
     default-domain value cts.local
    tunnel-group cts-local general-attributes
     address-pool test
     authentication-server-group cts-mlist
     accounting-server-group cts-mlist
     default-group-policy GroupPolicy_cts-local
    tunnel-group cts-local webvpn-attributes
     group-alias cts-local enable

65 N7K SGT Caching Config (Configuration)
    N7K-DST1(config)# cts role-based sgt-caching ?
      <CR>
      with-enforcement  SGT caching with RBACL enforcement
    N7K-DST1(config)# cts role-based sgt-caching with-enforcement
    SGT caching with enforcement will implicitly display syslogs for all the ACEs in RBACLs. Continue(yes/no) [no] yes

    N7K-DST1# sho cts role-based sgt-caching
    Caching Modes                  Status
    SGT caching                    Disabled
    SGT caching with enforcement   Enabled

    N7K-DST2# sho cts role-based sgt-map cached
    IP ADDRESS   SGT                   VRF/VLAN   SGT CONFIGURATION
                 (Production_Servers)  vrf:1      Cached
                 (Device_SGT)          vrf:1      Cached
                 (Device_SGT)          vrf:1      Cached
                 (Production_Servers)  vrf:1      Cached
                 (Production_Servers)  vrf:1      Cached

66 N7K SGT Caching Notes (Configuration)
  SGT caching can be enabled with and without enforcement.
  Without enforcement it's just converting from data plane to control plane at a mid point in the network. Typically deployed at an aggregation layer where there is no enforcement: service chains to 3rd-party devices that do not support SGT; converting from native tagging to SXP for pre-9.3(1) ASA.
  With enforcement is for when the N7K is the enforcement point and needs to convert from data plane to control plane. Typically when the N7K is acting as an aggregated routing/service layer in the DC.
  The N7K will ask ISE for the relevant policies of all its SGTs when it receives an IP/SGT update. Every time it receives an update... yes, that is a lot of information filling ISE logs.

67 SGT Caching Configuration Catalyst 6500 (Global CLI Commands): Configuration

Enabling CTS SGT caching globally in independent mode:
  cts role-based sgt-caching
Enabling CTS SGT caching on VLANs in independent mode:
  cts role-based sgt-caching vlan-list <[all | vlan_id]>
Enabling CTS SGT caching globally in dependent mode:
  cts role-based sgt-caching with-enforcement
Enabling RBACL enforcement globally:
  cts role-based enforcement
Enabling RBACL enforcement on VLANs:
  cts role-based enforcement vlan-list <[all | vlan_id]>

68 SGT Caching Show Commands Catalyst 6500: Configuration

To display the SGT-IPv4 bindings:
  show cts role-based sgt-map all ipv4
  show cts role-based sgt-map vrf <vrf_name> all ipv4
To display the SGT-IPv6 bindings:
  show cts role-based sgt-map all ipv6
  show cts role-based sgt-map vrf <vrf_name> all ipv6
To display RBACL entries programmed in ACL TCAM:
  show platform hardware acl entry rbacl all
To display the ACL result of RBACL entries programmed in ACL TCAM:
  show platform hardware acl tcam result <acl_entry_result>

69 SGT Caching Debug Commands Catalyst 6500: Configuration

  [no] debug fm rbacl caching events

Detailed debugs:
  [no] debug rbm bindings
  [no] debug rbm api
  [no] debug fm rbacl caching packets
  [no] debug fm rbacl all

Note: "no logging console" is recommended before enabling these detailed debugging commands as they could potentially flood the console.

70 Configure ISE for Nexus Switch: Configuration

Administration -> Network Resources -> Network Devices -> +Add

  N55KAa# show cts environment-data
  CTS Environment Data
  ==============================
  Current State          : TS_ENV_DNLD_ST_ENV_DOWNLOAD_DONE
  Last Status            : CTS_ENV_SUCCESS
  Local Device SGT       : 0x0002
  Transport Type         : CTS_ENV_TRANSPORT_DIRECT
  Data loaded from cache : FALSE
  Env Data Lifetime      : seconds after last update
  Last Update Time       : Thu May 23 17:22:
  Server List            : CTSServerList1
    AID:a6f054a3856a bba63e IP: Port:

71 Configure Nexus 7K (Bootstrap): Configuration

Step 1: Configure communications between Nexus and ISE
  N7K-DST1(config)# feature cts
  N7K-DST1(config)# feature dot1x
  N7K-DST1(config)# cts device-id N7K-DST1 password trustsec
  N7K-DST1(config)# radius-server key trustsec pac
  N7K-DST1(config)# aaa group server ISE
  N7K-DST1(config)# server
  N7K-DST1(config)# aaa authentication dot1x default group ISE
  N7K-DST1(config)# aaa authorization cts default group ISE
  N7K-DST1(config)# aaa accounting dot1x default group ISE

Step 2: Verify PAC is downloaded
  N7K-DST1# show cts pacs
  PAC Info :
  ==============================
  PAC Type            : TrustSec
  AID                 : a6f054a3856a bba63e
  I-ID                : N7K-DST1
  AID Info            : ise
  Credential Lifetime : Sun Aug 3 16:56:
  PAC Opaque          : a a6f054a3856a bba63e c f22d715cffe37591f629bae3bcc3c9e a00093a80bf65b034bb e2863a540d797ab17d1593b354e4aa3b74835df48ed45fad79c c96ceef74ea3e d9c8 dcfb191d2e8448a4de98b5578f83b526fb4d586ecc2510eefe1d90dee fb1b77291aac4848ac2d4d5d3694e9d0e5fadbdaae5a7f

Step 3: Enable role-based counters and enforcement
  N7K-DST1(config)# cts role-based counters enable
  N7K-DST1(config)# cts role-based enforcement

72 Configure Nexus 5K/6K (Bootstrap): Configuration

Step 1: Configure communications between Nexus and ISE
  N55KA(config)# feature cts
  N55KA(config)# feature dot1x
  N55KA(config)# cts device-id N55KA password trustsec
  N55KA(config)# radius-server key trustsec pac
  N55KA(config)# aaa group server ISE
  N55KA(config)# server
  N55KA(config)# use-vrf management
  N55KA(config)# aaa authentication dot1x default group ISE
  N55KA(config)# aaa authorization cts default group ISE
  N55KA(config)# aaa accounting dot1x default group ISE

Step 2: Verify PAC is downloaded
  N55KA# show cts pacs
  PAC Info :
  ==============================
  PAC Type            : TrustSec
  AID                 : a6f054a3856a bba63e
  I-ID                : N55KA
  AID Info            : ise
  Credential Lifetime : Fri Jul 11 04:25:
  PAC Opaque          : b a6f054a3856a bba63e c629fc10ec d0b283e a00093a809914bbf46a3d8d8c81eab9e4819bde120047a2f28ca c9b65015c3a851f5a9c99b6541d40b8d d045c1f7262b3a72e3b99b661733f92f71dcad42673a67549a af2b1c0b18438a514178e98c7ed72f088d7b8db9cdbfba76b11c209f401ba8 c522f5fe5900e264a8ab02fd

Step 3: Enable role-based counters and enforcement
  N55KA(config)# cts role-based counters enable
  N55KA(config)# vlan 118
  N55KA(config)# cts role-based enforcement

73 Configuring Nexus for Native Tagging Up/Downstream: Configuration

We MUST enable the physical ports to trust the neighboring device to send native tagged packets. When enabling TrustSec on a switch the default behavior is to drop packets sent to it with a native tag. This is similar to QoS where we trust DSCP on trunk links.

BEST PRACTICE: On all platforms it is best practice to manually shut/no shut the port after applying cts manual commands. This guarantees that the control plane has fully programmed the port-level PHY/ASIC.

  N7K-DST1(config)# int e1/30
  N7K-DST1(config)# cts manual
  N7K-DST1(config-if-cts-manual)# policy static sgt 0x0002 trusted
  N7K-DST1(config-if)# shutdown
  N7K-DST1(config-if)# no shutdown

74 Configure ISE SGACL Policy Matrix: Configuration

Best Practice: NX-OS can only handle 1 SGACL. Put the implicit deny/permit in the SGACL.

75 Configure Nexus to Statically Assign Tags: Configuration

Static IP-SGT. There is an option to manage this in ISE via IP/SGT or DNS/SGT mappings.
  N7K-DST1(config)# cts role-based sgt-map

Static SGT on the physical port facing the server. NOTE: If you forget this command your server will not be able to access the network!!
  N7K-DST1(config)# int e1/30
  N7K-DST1(config-if)# cts manual
  N7K-DST1(config-if-cts-manual)# policy static sgt 0X3
  N7K-DST1(config-if-cts-manual)# no propagate-sgt

Port-Profile. NOTE: Port-Profile on N7K will only work on NON-FEX ports. 5K/6K don't have support yet. N1KV supported.
  N7K-DST1(config)# port-profile type ethernet PCI-DB
  N7K-DST1(config)# cts manual
  N7K-DST1(config)# policy static sgt 0x17
  N7K-DST1(config)# no propagate-sgt
  N7K-DST1(config)# switchport
  N7K-DST1(config)# switchport access vlan 100

VLAN to SGT:
  N7K-DST1(config)# vlan 100
  N7K-DST1(config-vlan)# cts role-based sgt 17

2014 Cisco and/or its affiliates. All rights reserved.

76 Verify Configuration: Configuration

Verify environmental data. Verify SGACLs downloaded and look at counters:

  N7K-DST1# show cts role-based access-list
  rbacl:deny IP
    deny ip
  rbacl:permit IP
    permit ip
  rbacl:pci_web_server
  rbacl:shaun_deny

  N7K-DST1# show cts role-based counters
  RBACL policy counters enabled
  Counters last cleared: 04/16/2014 at 06:28:11 PM
  sgt:unknown dgt:19 [41677]
  rbacl:deny IP
    deny ip [41677]
  sgt:unknown dgt:24 [13269]
  rbacl:deny IP
    deny ip [13269]
  sgt:4 dgt:3 [0]
  rbacl:deny IP
    deny ip [0]
  sgt:6 dgt:12 [0]
  rbacl:deny IP
    deny ip [0]
  sgt:7 dgt:3 [53769]
  rbacl:deny IP
    deny ip [53769]
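The lookup that the policy-matrix best practice (slide 74) and the counter output above rely on can be modelled in a few lines of Python. This is an added example, not code from the deck or from Cisco: IP-SGT bindings resolve source and destination to a (SGT, DGT) cell, each cell holds exactly one RBACL, and that RBACL is evaluated first-match, so the final `permit ip` / `deny ip` ACE of the RBACL is what supplies the "implicit" result. The SGT numbers, bindings and cells are constructed (the 8 -> 6 cell copies the permit_mail RBACL from the Monitoring section), and `lint_policy` is a hypothetical helper that flags cells whose single RBACL has no catch-all ACE.

```python
"""Model of how an NX-OS SGACL lookup resolves.  Added example, not the
deck's code; SGT numbers, bindings and policy cells are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNKNOWN_SGT = 0  # NX-OS shows sources with no binding as "sgt:unknown"


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any), "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None   # None = any destination port
    log: bool = False

    def matches(self, proto: str, dst_port: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dst_port is None or self.dst_port == dst_port


# Constructed IP-SGT bindings (what `cts role-based sgt-map <ip> <sgt>` installs).
BINDINGS: Dict[ipaddress.IPv4Address, int] = {
    ipaddress.ip_address("10.8.0.10"): 8,   # constructed: a user host tagged 8
    ipaddress.ip_address("10.6.0.25"): 6,   # constructed: the mail server tagged 6
    ipaddress.ip_address("10.3.0.50"): 3,   # constructed: a PCI server tagged 3
}

# Constructed policy matrix: one RBACL per cell, with the explicit catch-all
# ACE last, as the deck recommends.  The (3, 6) cell is deliberately missing
# its catch-all so that lint_policy() has something to report.
POLICY: Dict[Tuple[int, int], Tuple[str, List[Ace]]] = {
    (8, 6): ("permit_mail", [
        Ace("deny", "icmp", log=True),
        Ace("permit", "tcp", 25), Ace("permit", "tcp", 110), Ace("permit", "tcp", 143),
        Ace("permit", "tcp", 465), Ace("permit", "tcp", 585), Ace("permit", "tcp", 993),
        Ace("permit", "tcp", 995),
        Ace("deny", "ip", log=True),
    ]),
    (8, 3): ("deny IP", [Ace("deny", "ip")]),
    (3, 6): ("no_catch_all", [Ace("permit", "tcp", 25)]),
}
# Matrix default applied to every cell that is not listed above.
DEFAULT_RBACL: Tuple[str, List[Ace]] = ("deny IP", [Ace("deny", "ip")])


def sgt_for(ip: str) -> int:
    """Binding lookup; an address with no binding is 'unknown' (SGT 0)."""
    return BINDINGS.get(ipaddress.ip_address(ip), UNKNOWN_SGT)


def evaluate(src_ip: str, dst_ip: str, proto: str,
             dst_port: Optional[int] = None) -> Tuple[str, str, int, int]:
    """Return (action, rbacl_name, sgt, dgt) for one flow, first-match."""
    sgt, dgt = sgt_for(src_ip), sgt_for(dst_ip)
    name, aces = POLICY.get((sgt, dgt), DEFAULT_RBACL)
    for ace in aces:
        if ace.matches(proto, dst_port):
            return ace.action, name, sgt, dgt
    # Reached only when an RBACL has no catch-all ACE, which is the situation
    # the best practice avoids.  Falling back to the matrix default here is a
    # modelling choice of this example, not a statement about NX-OS behaviour.
    return DEFAULT_RBACL[1][-1].action, DEFAULT_RBACL[0], sgt, dgt


def lint_policy() -> List[Tuple[int, int]]:
    """Cells whose RBACL does not end in a `permit ip` / `deny ip` catch-all."""
    bad = []
    for cell, (_, aces) in POLICY.items():
        last = aces[-1]
        if not (last.proto == "ip" and last.dst_port is None):
            bad.append(cell)
    return sorted(bad)
```

Running `lint_policy()` against a matrix exported from ISE is the cheap check to make before pushing it: a cell that relies on fall-through behaviour is exactly the case the slide warns about.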

77 Configuration Nexus 5500 East-West Segmentation: Configuration

Post bootstrap:
  N55KA(config)# cts role-based counters enable  ->Turn on SGACL counters
  N55KA(config)# vlan 118
  N55KA(config-vlan)# cts role-based enforcement  ->Enable role-based enforcement on VLAN 118
  N55KA(config-vlan)# int e 1/1
  N55KA(config-vlan)# switchport trunk  ->Trunk to N7K-DST1 (other int CLI clipped for screen real estate)
  N55KA(config-vlan)# switchport trunk native vlan 2
  N55KA(config-vlan)# cts manual  ->Go into CTS manual mode for the port
  N55KA(config-if-cts-manual)# policy static sgt 0x2 trusted  ->Set SGT and trust for the trunk to N7K-DST1

78 Configuration Nexus 5500 East-West Segmentation: Configuration

  N55KA(config-vlan)# int e102/1/1
  N55KA(config-vlan)# switchport
  N55KA(config-vlan)# switchport access vlan 118
  N55KA(config-vlan)# cts manual  ->Go into CTS manual mode for the port
  N55KA(config-if-cts-manual)# policy static sgt 0x111  ->Set SGT on the FEX port e102/1/1 to SGT 111
  N55KA(config-if-cts-manual)# no propagate-sgt  ->Don't send the SGT to the server. This would be bad.
  N55KA(config-if-cts-manual)# no shut

  N55KA(config-vlan)# int e102/1/2
  N55KA(config-vlan)# switchport
  N55KA(config-vlan)# switchport access vlan 118
  N55KA(config-vlan)# cts manual  ->Go into CTS manual mode for the port
  N55KA(config-if-cts-manual)# policy static sgt 0x222  ->Set SGT on the FEX port e102/1/2 to SGT 222
  N55KA(config-if-cts-manual)# no propagate-sgt  ->Don't send the SGT to the server. This would be bad.
  N55KA(config-if-cts-manual)# no shut

  N55KA(config)# cts sxp enable  ->Enable SXP protocol for peering relationships
  N55KA(config)# cts sxp connection peer source password none mode listener  ->Peer with 7KA
  N55KA(config)# cts sxp connection peer source password none mode listener  ->Peer with 7KB

79 Nexus 7000 East-West Configuration: Configuration

  feature cts
  feature dot1x
  cts device-id N7K-DST1 password 7 wnyxlszh123
  cts role-based counters enable
  cts role-based sgt-map
  cts role-based sgt-map
  cts role-based enforcement
  vlan 87
    cts role-based enforcement
  vlan 118
    cts role-based enforcement
  interface Ethernet1/25
    description N5K connection
    cts manual
      policy static sgt 0x0002 trusted
    switchport
    switchport mode trunk
    switchport trunk allowed vlan 90, ,124
    spanning-tree port type normal
    channel-group 10 mode active
    no shutdown

80 SGT Assignment on Nexus 1000v Use Case: Current Code: Configuration

(Diagram) N1KV assigns SGTs based on static port-profile assignments (SGT = Finance, SGT = Employee, SGT = Employee-VDI across VMs on two hypervisors running Nexus 1000V VEMs). SXP comes from the Nexus 1000V VSM, not the VEM. The TOR filters traffic based on SG-ACLs. ISE provides the PAC; the Finance Application servers sit behind the TOR.

81 Nexus 1000v Configuration (current code): Configuration

  CTS-N1K(config)# feature cts
  CTS-N1K(config)# port-profile type vethernet LOB2-VDI
  CTS-N1K(config-port-prof)# vmware port-group
  CTS-N1K(config-port-prof)# switch mode access
  CTS-N1K(config-port-prof)# switch acc vlan 118
  CTS-N1K(config-port-prof)# cts sgt 16
  CTS-N1K(config-port-prof)# no shut
  CTS-N1K(config-port-prof)# state enabled

Existing code (July): port-profile commands will change! (see following slides)

SXP:
  CTS-N1K(config)# cts device tracking
  CTS-N1K(config)# cts sxp enable
  CTS-N1K(config)# cts sxp connection peer source password none mode listener vrf management
  CTS-N1K(config)# cts sxp connection peer source password none mode listener vrf management

82 Nexus 1000v - Verification: Configuration

  CTS-N1K(config)# show cts sxp connection
  PEER_IP_ADDR   VRF          PEER_SXP_MODE   SELF_SXP_MODE   CONNECTION STATE
                 management   listener        speaker         connected
                 management   listener        speaker         connected

  CTS-N1K(config)# show cts role-based sgt-map
  Interface     SGT   IP ADDRESS   VRF   Learnt
  Vethernet                              Device Tracking
  Vethernet2    16
  Vethernet                              Device Tracking
  CTS-N1K(config)#

83 SGACL on Nexus 1000v Use Case (BETA): Configuration

(Diagram) N1KV assigns SGTs based on static port-profile assignments (SGT = PCI, SGT = Employee, SGT = PCIVDI across VMs on two hypervisors running Nexus 1000V VEMs). The VEM filters traffic based on SG-ACLs, and the TOR filters traffic based on SG-ACLs. The Nexus 1000V VSM holds the PAC from ISE; the Finance Application servers sit behind the TOR.

84 Nexus 1000v SGACL Configuration (Beta): Configuration

  CTS-N1K(config)# feature cts
  CTS-N1K(config)# cts device-id cts-n1k password 0 trustsec
  CTS-N1K(config)# radius-server host key 0 trustsec pac authentication accounting
  CTS-N1K(config)# aaa group server radius cts-ise
  CTS-N1K(config)# server
  CTS-N1K(config)# use-vrf management
  CTS-N1K(config)# source-interface mgmt0
  CTS-N1K(config)# aaa authentication cts default group cts-ise
  CTS-N1K(config)# aaa authorization cts default group cts-ise
  CTS-N1K(config)# cts role-based counters

85 Nexus 1000V Port Profile Setup (Beta): Configuration

Create UPLINK port-profile:
  CTS-N1K(config)# port-profile type ethernet uplink-vem
  CTS-N1K(config-port-prof)# switchport mode trunk
  CTS-N1K(config-port-prof)# switchport trunk allowed vlan
  CTS-N1K(config-port-prof)# cts manual
  CTS-N1K(config-port-prof)# policy static sgt 0x2 trusted  ->Set tag to device SGT (2) and trust
  CTS-N1K(config-port-prof)# propagate-sgt  ->Propagate the SGT to neighbor
  CTS-N1K(config-port-prof)# no shutdown
  CTS-N1K(config-port-prof)# state enabled
  CTS-N1K(config-port-prof)# vmware port-group

Create PCI-Server port-profile:
  CTS-N1K(config)# port-profile type vethernet PCI_Servers
  CTS-N1K(config-port-prof)# switchport mode access
  CTS-N1K(config-port-prof)# switchport access vlan 200
  CTS-N1K(config-port-prof)# cts manual
  CTS-N1K(config-port-prof)# policy static sgt 0x7d0  ->Set the tag to PCI-Servers (hex 0x7d0 = 1000 decimal)
  CTS-N1K(config-port-prof)# role-based enforcement  ->Enable role-based enforcement
  CTS-N1K(config-port-prof)# no shutdown
  CTS-N1K(config-port-prof)# state enabled
  CTS-N1K(config-port-prof)# vmware port-group

86 Nexus 1000v SGACL Verification (beta): Configuration

  CTS-N1K# show cts role-based counters
  RBACL policy counters enabled
  Counters last cleared: 05/02/2014 at 04:41:47 AM
  Counters last updated on 05/08/2014 at 06:30:03 PM:
  rbacl:permit IP
    permit ip [129105]
  rbacl:deny_log
    deny icmp log [522997]
  rbacl:permit_log
    permit ip log [119029]

  sampg-n1kv-vsm-1# show cts role-based access-list
  rbacl:permit IP
    permit ip
  rbacl:deny_log
    deny icmp log
  rbacl:permit_log
    permit ip log
  CTS-N1K#

87 Configuration for ASA SGFW to Work: Configuration

First, the DC switches must be configured to speak SXP to the SXP-listening ASA so it receives IP-to-tag mappings.

  N7K-DST1(config)# cts sxp enable
  N7K-DST1(config)# cts sxp connection peer source password required trustsec123 mode listener
  N7K-DST1(config)# cts sxp connection peer source password required trustsec123 mode listener

  N7K-DST1# sho cts sxp connection
  PEER_IP_ADDR   VRF       PEER_SXP_MODE   SELF_SXP_MODE   CONNECTION STATE
                 default   speaker         listener        connected

88 Configuration for ASA SGFW to Work (cont.): Configuration

Second, configure the ASA for SXP.

89 Configuration for ASA SGFW to Work (cont. 2): Configuration

Finally, configure your SGFW ACE entries: add CTS groups from the left side to the selected side.

90 ASA SGFW Verification: Configuration

Check SXP peering on the DC switch side.

91 ASA SGFW Verification (cont.): Configuration

Check SXP peering on the ASA side and verify IP-SGT bindings: the connection to the DC 7Ks is UP, and IP-SGTs are being received from the DC switches.

92 ASA Native Tagging Configuration: DC Design

Native tag configuration is needed only on the OUTSIDE interface. Firewall rules are written to permit traffic from the outside to the inside (SGT->DGT). To get tags to the firewall for the DGT we must still utilize SXP.

  ASA5515X-A(config)# int g0/0
  ASA5515X-A(config-if)# nameif outside
  ASA5515X-A(config-if)# cts manual
  ASA5515X-A(config-if)# policy static sgt 2 trusted
  ASA5515X-A(config-if)# ip address

93 Data Center Monitoring

94 Logging from Nexus 7000: Monitoring

  pghlab-n7k-dst1-n7k-shaun# show cts role-based policy
  sgt:8 dgt:6 rbacl:permit_mail
    deny icmp log
    permit tcp dst eq 110
    permit tcp dst eq 143
    permit tcp dst eq 25
    permit tcp dst eq 465
    permit tcp dst eq 585
    permit tcp dst eq 993
    permit tcp dst eq 995
    deny all log

Recommended log levels:
  pghlab-n7k-dst1-n7k-shaun(config)# log level acllog 6
  pghlab-n7k-dst1-n7k-shaun(config)# log level cts 5
  pghlab-n7k-dst1-n7k-shaun(config)# log ip access-list include sgt

  pghlab-n7k-dst1-n7k-shaun# show logging ip access-list cache detail
  SGT   Source IP   Destination IP   S-Port   D-Port   Interface      Protocol   Hits
                                                       Ethernet2/15   (1)ICMP

95 Logging from Nexus 5500: Monitoring

  pghlab-55ka# show cts role-based policy
  sgt:8 dgt:6 rbacl:permit_mail
    deny icmp log
    permit tcp dst eq 110
    permit tcp dst eq 143
    permit tcp dst eq 25
    permit tcp dst eq 465
    permit tcp dst eq 585
    permit tcp dst eq 993
    permit tcp dst eq 995
    deny all log

Log levels to make this work:
  pghlab-55ka(config)# log level acllog 6
  pghlab-55ka(config)# log level cts 7

  pghlab-55ka# show logging logfile duration 0:30:
  Jun 6 12:27:06 pghlab-55ka last message repeated 6 times
  2013 Jun 6 12:27:06 pghlab-55ka %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE deny ip log, Threshold exceeded: Hit count in 10s period =
  Jun 6 12:27:16 pghlab-55ka %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE deny ip log, Threshold exceeded: Hit count in 10s period =
  Jun 6 12:27:56 pghlab-55ka last message repeated 4 times

"Threshold exceeded" is a message about not overwhelming the CPU with log messages on the box.

96 Monitoring N5K SGACL Drops: Monitoring

  N55KA# show platform fwm info lif eth100/1/45 | grep good
  Eth100/1/45 pd: rx frames: good 2755 drop 3; tx frames: good 2689 drop 106

Looking at the egress interface on the N5K protecting the server, it should show drops. Correlated with counter increments, this shows which server and which SGACL is being hit.

  N55KA# sho cts role-based counters
  RBACL policy counters enabled
  Counters last cleared: 11/16/2011 at 05:55:24 PM
  rbacl:allow_sql
    permit tcp dst eq 1433 [0]
    permit icmp [0]
    deny ip [0]
  rbacl:deny IP
    deny ip [6730]
  rbacl:deny_icmp_log
    deny icmp log [106]
  rbacl:permit IP
    permit ip [85730]
  rbacl:test_deny
    deny icmp log [0]

97 ASA Firewall Logging: Monitoring

Firewall logging will show the SGT/DGT in the logs if known by the firewall.

98 Nexus 5500 SGACL Logging: Monitoring

- Logging can be enabled for ACEs
- The log-enabled ACEs will be polled periodically and a syslog of severity 6 printed on the console if an ACE is hit in that period
- Current polling period is set at 10s

Example:
  switch(config)# cts role-based access-list test
  switch(config-rbacl)# permit all log

Sample syslog:
  2011 Sep 27 18:35:34 swo2-273 %$ VDC-1 %$ %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE permit all log, Threshold exceeded: Hit count in 10s period = 4
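The two telemetry sources the Monitoring slides show (the `show cts role-based counters` snapshots on the N7K/N5K and the %CTS-6-CTS_RBACL_STAT_LOG syslog from the N5K) are what a SOC would actually watch, and both are easy to parse. The following is an added example, not code from the deck or from Cisco: it parses two counter snapshots into per-ACE hit counts and reports the deny ACEs whose counts grew between them (the cells where drops are happening right now), and it totals the syslog hit counts per ACE, honouring "last message repeated N times". The sample outputs are constructed to resemble the flattened output on the slides, with made-up counts.

```python
"""Parse SGACL counters and CTS_RBACL_STAT_LOG syslog lines.  Added example,
not the deck's code; all sample output below is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed counter snapshots, in the layout the slides' output is flattened from.
COUNTERS_BEFORE = """\
RBACL policy counters enabled
Counters last cleared: 04/16/2014 at 06:28:11 PM
sgt:unknown dgt:19      [41677]
rbacl:deny IP
  deny ip   [41677]
sgt:7 dgt:3     [53769]
rbacl:deny IP
  deny ip   [53769]
sgt:8 dgt:6     [129105]
rbacl:permit_mail
  deny icmp log   [12]
  permit tcp dst eq 25   [129093]
  deny all log   [0]
"""

COUNTERS_AFTER = """\
RBACL policy counters enabled
Counters last cleared: 04/16/2014 at 06:28:11 PM
sgt:unknown dgt:19      [41690]
rbacl:deny IP
  deny ip   [41690]
sgt:7 dgt:3     [53769]
rbacl:deny IP
  deny ip   [53769]
sgt:8 dgt:6     [129310]
rbacl:permit_mail
  deny icmp log   [12]
  permit tcp dst eq 25   [129200]
  deny all log   [98]
"""

CELL_RE = re.compile(r"^sgt:(\S+)\s+dgt:(\S+)\s+\[(\d+)\]")
RBACL_RE = re.compile(r"^rbacl:(.+?)\s*$")
ACE_RE = re.compile(r"^\s+((?:permit|deny)\s.*?)\s+\[(\d+)\]\s*$")

AceKey = Tuple[str, str, str, str]   # (sgt, dgt, rbacl, ace)


def parse_counters(text: str) -> Dict[AceKey, int]:
    """Map every (sgt, dgt, rbacl, ace) to its hit count."""
    hits: Dict[AceKey, int] = {}
    sgt = dgt = rbacl = None
    for line in text.splitlines():
        m = CELL_RE.match(line)
        if m:                                   # new (SGT, DGT) cell
            sgt, dgt, rbacl = m.group(1), m.group(2), None
            continue
        m = RBACL_RE.match(line)
        if m and sgt is not None:               # the cell's single RBACL
            rbacl = m.group(1)
            continue
        m = ACE_RE.match(line)
        if m and rbacl is not None:             # one ACE with its counter
            hits[(sgt, dgt, rbacl, m.group(1))] = int(m.group(2))
    return hits


def deny_growth(before: Dict[AceKey, int],
                after: Dict[AceKey, int]) -> List[Tuple[AceKey, int]]:
    """Deny ACEs whose counter rose between snapshots, largest growth first."""
    grown = []
    for key, count in after.items():
        delta = count - before.get(key, 0)
        if key[3].startswith("deny") and delta > 0:
            grown.append((key, delta))
    return sorted(grown, key=lambda kv: kv[1], reverse=True)


# Constructed N5K syslog excerpt in the format shown on the slides.
SYSLOG = """\
2013 Jun 6 12:27:06 pghlab-55ka %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE deny ip log, Threshold exceeded: Hit count in 10s period = 4
2013 Jun 6 12:27:16 pghlab-55ka %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE deny ip log, Threshold exceeded: Hit count in 10s period = 7
2013 Jun 6 12:27:56 pghlab-55ka last message repeated 4 times
2013 Jun 6 12:28:06 pghlab-55ka %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE deny icmp log, Threshold exceeded: Hit count in 10s period = 2
"""

STAT_RE = re.compile(r"%CTS-6-CTS_RBACL_STAT_LOG: CTS ACE (.+?), "
                     r"Threshold exceeded: Hit count in 10s period = (\d+)")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def sum_stat_log(text: str) -> Dict[str, int]:
    """Total logged hits per ACE; a 'repeated N times' line re-counts the
    previous message N more times, as syslog compression intends."""
    totals: Dict[str, int] = {}
    last = None
    for line in text.splitlines():
        m = STAT_RE.search(line)
        if m:
            last = (m.group(1), int(m.group(2)))
            totals[last[0]] = totals.get(last[0], 0) + last[1]
            continue
        m = REPEAT_RE.search(line)
        if m and last is not None:
            totals[last[0]] += last[1] * int(m.group(1))
    return totals
```

Feeding two snapshots taken a few seconds apart into `deny_growth` answers the question the N5K slide poses (which server and which SGACL are being hit) without reading the whole counter table by eye; the syslog totals are the same signal from the other end when the box is polled rather than scraped.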

99 Data Center Server SGT Orchestration

100 Data Center Server SGT Design Considerations: Orchestration

Server SGTs can be assigned either statically or dynamically (less preferred).
- Statically: a manual IP-SGT binding must be entered onto the Data Center switches.
- Dynamically: servers would have to run 802.1X to authenticate to the network and get assigned an SGT via ISE. Server admins do not like to run dot1x on their server platforms. Not all platforms support dot1x either.

When servers are decommissioned, tags should be removed with the server during the decom process.

101 Typical Process Before SGT Orchestration: Orchestration

- Server Admin/LOB requests a new server.
- The network team, the server team and the security team meet (sometimes multiple times) to plan VLAN, IP addressing, DNS, security profiles, etc.
- The server is turned up by the server team.
- The network team must now go to the network devices and add the device's port to the VLAN, etc.
- The firewall team adds the destination IP address to the appropriate firewall rules or firewall groups.

All adds and deletes are a manual process!

102 Data Center Server SGT Orchestration: Orchestration

Through the use of Data Center orchestration tools we can fully automate the provisioning of server IP-SGT/port-profile bindings for VMs and bare-metal machines based on the selected service catalog in the automation provisioning portal. We can also automate the removal of IP-SGT bindings when the server is decommissioned from the network.

In our use case example we will show how to use the UCS Director (UCSD) orchestration suite to automate the server IP-SGT provisioning process.

103 Benefits of SGT Orchestration: Orchestration

Lower OPEX and time to provision: when deploying a server we reduce the number of people that need to touch the network, server and security policies.

When a server is spun up from the provisioning portal, the IP-SGT binding is automatically provisioned to the network. Once a server has its SGT, all SGACLs and SGFWs will begin enforcing without having to manually edit firewall rules every time a server comes on-line or goes offline.

104 UCS Director Portal Screen: Orchestration

105 UCS Director Custom Task for Server SGT Deployment: Orchestration

This assumes some knowledge of UCSD and workflow editing. Create a workflow that:
- IP address of the VM/bare-metal machine
- Logs into the DC switches
- Adds the IP-SGT mapping based on the service catalog (i.e. LOB1, LOB2, PCI)

106 How to Configure UCSD for Server SGT Deployment (cont.): Orchestration

Add this workflow to each service catalog we want an SGT deployed for when ordering the VM/bare-metal machine.

107 SGT Automates the Firewall Rule Process!: Orchestration

A PCI DB server example:
- When the server is provisioned the workflow runs and assigns the PCI DB SGT to the DC switches.
- The DC switches communicate via SXP to the firewall.
- Immediately the firewall can now enforce with no rule changes.
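The workflow described on slides 105 to 107 (take the new server's IP, derive the SGT from the ordered catalog item, log into the DC switches, add the binding; on decommission, remove it) reduces to a small state machine that can be tested without any switch. What follows is an added example in stand-alone Python, not the UCS Director task, its API, or code from the deck: the catalog-to-SGT table, the switch names and the `RecordingTransport` dry-run sink are constructed, and the only NX-OS syntax it emits is the `cts role-based sgt-map <ip> <sgt>` command the deck itself uses. The inventory it keeps is what makes decommission safe: it withdraws exactly the binding that provisioning pushed, never a guessed one.

```python
"""Sketch of the provision/decommission orchestration step.  Added example,
not UCS Director's API or the deck's workflow; catalog, switch list and the
transport are constructed."""
import ipaddress
from typing import Dict, List, Protocol

# Constructed service catalog: catalog entry -> SGT (decimal).  The deck uses
# decimal and hex interchangeably (0x17 == 23), so store one representation.
CATALOG: Dict[str, int] = {"LOB1": 5, "LOB2": 6, "PCI": 3, "PCI-DB": 0x17}

# Constructed: both core N7Ks must hold the binding so SXP feeds the ASA from either.
DC_SWITCHES = ["N7K-DST1", "N7K-DST2"]


class Transport(Protocol):
    """Whatever actually delivers CLI to a switch (SSH, NX-API, ...)."""
    def send(self, switch: str, commands: List[str]) -> None: ...


class RecordingTransport:
    """Dry-run transport: records what would be sent, so the workflow can be
    reviewed or tested offline before it touches a real switch."""
    def __init__(self) -> None:
        self.sent: Dict[str, List[str]] = {}

    def send(self, switch: str, commands: List[str]) -> None:
        self.sent.setdefault(switch, []).extend(commands)


def binding_commands(ip: str, sgt: int, remove: bool = False) -> List[str]:
    """NX-OS lines for one static IP-SGT binding, validated first so a bad
    catalog value or a malformed address never reaches a switch."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on junk input
    if not 1 <= sgt <= 0xFFFF:               # constructed guard: 0 means unknown, field is 16-bit
        raise ValueError(f"SGT {sgt} out of range")
    cmd = f"cts role-based sgt-map {addr} {sgt}"
    return ["configure terminal", ("no " if remove else "") + cmd, "end"]


class SgtWorkflow:
    """Keeps an inventory so decommission removes exactly what provisioning added."""
    def __init__(self, transport: Transport, switches: List[str] = DC_SWITCHES) -> None:
        self.transport = transport
        self.switches = switches
        self.inventory: Dict[str, int] = {}  # ip -> sgt currently pushed

    def provision(self, catalog_entry: str, ip: str) -> int:
        sgt = CATALOG[catalog_entry]          # KeyError on an unknown entry: nothing is pushed
        cmds = binding_commands(ip, sgt)
        for sw in self.switches:
            self.transport.send(sw, cmds)
        self.inventory[ip] = sgt
        return sgt

    def decommission(self, ip: str) -> int:
        sgt = self.inventory.pop(ip)          # KeyError if never provisioned: no blind "no" commands
        cmds = binding_commands(ip, sgt, remove=True)
        for sw in self.switches:
            self.transport.send(sw, cmds)
        return sgt
```

Swapping `RecordingTransport` for a real SSH or NX-API sender is the only change needed to go live, and keeping the recorded command list as the change ticket's evidence is a cheap audit trail for the firewall team that no longer edits rules by hand.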

108 ASA SGFW in Action: Orchestration

The firewall dynamically learns the IP-SGT mapping via SXP from the core N7Ks (after the UCSD workflow inserts the IP-SGT mapping onto the switches automatically), which then fits into already existing SGFW rules. Security admins no longer have to manually administer rules every time a server is spun up.

109 ASA SGFW in Action (cont.): Orchestration

110 Summary: Summary

- SGTs build upon dynamic and static classification services to deliver software-defined network security.
- SGTs provide a scalable role-based access control model for the enterprise Data Center and Campus/Branch topologies.
- SGTs have migration strategies that allow customers to deploy with existing hardware.
- SGT functions for the Data Center are deployable today.

111 Cisco ISE & TrustSec Sessions: Building Blocks

- BRKSEC-3697 Advanced ISE Services, Tips and Tricks (Tue 12:30pm)
- BRKSEC-3699 Designing ISE for Scale & High Availability (Wed 1:30pm)
- BRKSEC-3692 Deploying TrustSec SGTs in the Branch and Campus (Wed 4:00pm)
- Deploying TrustSec SGTs in the Data Center (Wed 8:00am)
- BRKSEC-2695 Building an Enterprise Access Control Architecture Using ISE and TrustSec (Mon 10:00am)
- PSOSEC-2002 Identity Services Engine (ISE 1.3 Update) (Mon 2:00pm)

112 Links

- Secure Access, TrustSec, and ISE on Cisco.com
- TrustSec and ISE Deployment Guides: TrustSec.html
- YouTube: Fundamentals of TrustSec

113 Participate in the My Favorite Speaker Contest

Promote your favorite speaker and you could be a winner. Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress).

Send a tweet and include:
- Your favorite speaker's Twitter handle
- Two hashtags: #CLUS #MyFavoriteSpeaker

You can submit an entry for more than one of your favorite speakers. Don't forget to view the official rules at

114 Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily. Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.

Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

115 Continue Your Education

- Demos in the Cisco Campus
- Walk-in Self-Paced Labs
- Table Topics
- Meet the Engineer 1:1 meetings


Cisco Virtual Networking Solution for OpenStack Data Sheet Cisco Virtual Networking Solution for OpenStack Product Overview Extend enterprise-class networking features to OpenStack cloud environments. A reliable virtual network infrastructure that provides

More information

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table

More information

Advanced Security Group Tags (SGT)

Advanced Security Group Tags (SGT) Advanced Security Group Tags (SGT) The Detailed Walk Through Darrin Miller, DTME About Me Darrin Miller Security focused Technical Marketing Engineer Focused on Architecture, Policy, and Threat Author

More information

Cisco TrustSec How-To Guide: Monitor Mode

Cisco TrustSec How-To Guide: Monitor Mode Cisco TrustSec How-To Guide: Monitor Mode For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2 Introduction...

More information

Več kot SDN - SDA arhitektura v uporabniških omrežjih

Več kot SDN - SDA arhitektura v uporabniških omrežjih Več kot SDN - SDA arhitektura v uporabniških omrežjih Aleksander Kocelj SE Cisco Agenda - Introduction to Software Defined Access - Brief description on SDA - Cisco SDA Assurance - DEMO 2 New Requirements

More information

Cisco Systems Korea Cisco Systems, Inc. All rights reserved. 1

Cisco Systems Korea Cisco Systems, Inc. All rights reserved. 1 (taecho@cisco.com) Cisco Systems Korea 2008 Cisco Systems, Inc. All rights reserved. 1 (Cisco Integrated Security Features) - Port Security - DHCP Snooping - Dynamic ARP Inspection - IP Source Guard -

More information

ONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013

ONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013 ONE POLICY Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013 Agenda Secure Unified Access with ISE Role-Based Access Control Profiling TrustSec Demonstration How ISE is Used Today

More information

ISE Primer.

ISE Primer. ISE Primer www.ine.com Course Overview Designed to give CCIE Security candidates an intro to ISE and some of it s features. Not intended to be a complete ISE course. Some topics are not discussed. Provides

More information

Choice of Segmentation and Group Based Policies for Enterprise Networks

Choice of Segmentation and Group Based Policies for Enterprise Networks Choice of Segmentation and Group Based Policies for Enterprise Networks Hari Holla Technical Marketing Engineer, Cisco ISE BRKCRS-2893 hari_holla /in/hariholla Cisco Spark How Questions? Use Cisco Spark

More information

Cisco TrustSec Software-Defined Segmentation Platform and Capability Matrix

Cisco TrustSec Software-Defined Segmentation Platform and Capability Matrix Sales Tool TrustSec Software-Defined Segmentation Platform and Capability Matrix TrustSec uniquely builds upon your existing identity-aware infrastructure by enforcing segmentation and access control policies

More information

Virtual Security Gateway Overview

Virtual Security Gateway Overview This chapter contains the following sections: Information About the Cisco Virtual Security Gateway, page 1 Cisco Virtual Security Gateway Configuration for the Network, page 10 Feature History for Overview,

More information

About the Authors. About the Authors

About the Authors. About the Authors Cisco Secure Data Center for Enterprise Single Site Clustering with Cisco TrustSec Technology Implementation Guide Last Updated: March 19, 2014 About the Authors About the Authors Tom Hogue, Security Solutions

More information

Identity Based Network Access

Identity Based Network Access Identity Based Network Access Identity Based Network Access - Agenda What are my issues Cisco ISE Power training What have I achieved What do I want to do What are the issues? Guest Student Staff Contractor

More information

Cisco TrustSec How-To Guide: Phased Deployment Overview

Cisco TrustSec How-To Guide: Phased Deployment Overview Cisco TrustSec How-To Guide: Phased Deployment Overview For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2

More information

P ART 2. BYOD Design Overview

P ART 2. BYOD Design Overview P ART 2 BYOD Design Overview CHAPTER 2 Summary of Design Overview Revised: August 7, 2013 This part of the CVD describes design considerations to implement a successful BYOD solution and different deployment

More information

Configure Devices Using Converged Access Deployment Templates for Campus and Branch Networks

Configure Devices Using Converged Access Deployment Templates for Campus and Branch Networks Configure Devices Using Converged Access Deployment Templates for Campus and Branch Networks What Are Converged Access Workflows?, on page 1 Supported Cisco IOS-XE Platforms, on page 3 Prerequisites for

More information

Monitor Mode Deployment with Cisco Identity Services Engine. Secure Access How -To Guides Series

Monitor Mode Deployment with Cisco Identity Services Engine. Secure Access How -To Guides Series Monitor Mode Deployment with Cisco Identity Services Engine Secure Access How -To Guides Series Author: Adrianne Wang Date: December 2012 Table of Contents Monitor Mode... 3 Overview of Monitor Mode...

More information

Tech Update Oktober Rene Andersen / Ib Hansen

Tech Update Oktober Rene Andersen / Ib Hansen Tech Update 10 12 Oktober 2017 Rene Andersen / Ib Hansen DNA Solution Cisco Enterprise Portfolio DNA Center Simple Workflows DESIGN PROVISION POLICY ASSURANCE Identity Services Engine DNA Center APIC-EM

More information

Cisco Software Defined Access (SDA)

Cisco Software Defined Access (SDA) Cisco Software Defined Access (SDA) Transformational Approach to Network Design & Provisioning Sanjay Kumar Regional Manager- ASEAN, Cisco Systems What is network about? Source: google.de images Security

More information

This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices.

This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices. This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices. Finding Feature Information, page 1 NetFlow, page 2 Licensing Requirements for NetFlow, page 6 Prerequisites for NetFlow,

More information

Software-Defined Access 1.0

Software-Defined Access 1.0 Software-Defined Access 1.0 What is Cisco Software-Defined Access? The Cisco Software-Defined Access (SD-Access) solution uses Cisco DNA Center to provide intent-based policy, automation, and assurance

More information

Cisco Virtual Security Gateway Deployment Guide VSG 1.4

Cisco Virtual Security Gateway Deployment Guide VSG 1.4 Deployment Guide Cisco Virtual Security Gateway Deployment Guide VSG 1.4 Deployment Guide 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 33

More information

Cisco TrustSec How-To Guide: Central Web Authentication

Cisco TrustSec How-To Guide: Central Web Authentication Cisco TrustSec How-To Guide: Central Web Authentication For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 1

More information

Converged Access CT 5760 AVC Deployment Guide, Cisco IOS XE Release 3.3

Converged Access CT 5760 AVC Deployment Guide, Cisco IOS XE Release 3.3 Converged Access CT 5760 AVC Deployment Guide, Cisco IOS XE Release 3.3 Last Updated: November, 2013 Introduction This guide is designed to help you deploy and monitor new features introduced in the IOS

More information

Cisco Exam Questions & Answers

Cisco Exam Questions & Answers Cisco 648-375 Exam Questions & Answers Number: 648-375 Passing Score: 800 Time Limit: 120 min File Version: 22.1 http://www.gratisexam.com/ Cisco 648-375 Exam Questions & Answers Exam Name: Cisco Express

More information

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL Contents: UniNets CCNA Security LAB MANUAL Section 1 Securing Layer 2 Lab 1-1 Configuring Native VLAN on a Trunk Links Lab 1-2 Disabling

More information

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers Speaker: Mun Hossain Director of Product Management - Security Business Group Cisco Twitter: @CiscoDCSecurity 2 Any

More information

Data Center Security. Fuat KILIÇ Consulting Systems

Data Center Security. Fuat KILIÇ Consulting Systems Data Center Security Fuat KILIÇ Consulting Systems Engineer @Security Data Center Evolution WHERE ARE YOU NOW? WHERE DO YOU WANT TO BE? Traditional Data Center Virtualized Data Center (VDC) Virtualized

More information

Architecting Network for Branch Offices with Cisco Unified Wireless Karan Sheth Sr. Technical Marketing Engineer

Architecting Network for Branch Offices with Cisco Unified Wireless Karan Sheth Sr. Technical Marketing Engineer Architecting Network for Branch Offices with Cisco Unified Wireless Karan Sheth Sr. Technical Marketing Engineer BRKEWN-2016 Abstract This session focuses on the architecture concepts of the branch office

More information

Deployment of Cisco IP Mobility Solution on Enterprise Class Teleworker Network

Deployment of Cisco IP Mobility Solution on Enterprise Class Teleworker Network Deployment Guide Deployment of Cisco IP Mobility Solution on Enterprise Class Teleworker Network The Cisco Service Oriented Network Architecture (SONA) framework helps enterprise customers evolve their

More information

Implementing Cisco Edge Network Security Solutions ( )

Implementing Cisco Edge Network Security Solutions ( ) Implementing Cisco Edge Network Security Solutions (300-206) Exam Description: The Implementing Cisco Edge Network Security (SENSS) (300-206) exam tests the knowledge of a network security engineer to

More information

Configuring NetFlow. About NetFlow. This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices.

Configuring NetFlow. About NetFlow. This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices. This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices. About NetFlow, page 1 Licensing Requirements for NetFlow, page 4 Prerequisites for NetFlow, page 4 Guidelines and Limitations

More information

Intelligent WAN Multiple VRFs Deployment Guide

Intelligent WAN Multiple VRFs Deployment Guide Cisco Validated design Intelligent WAN Multiple VRFs Deployment Guide September 2017 Table of Contents Table of Contents Deploying the Cisco Intelligent WAN... 1 Deploying the Cisco IWAN Multiple VRFs...

More information

Configuring Web Cache Services By Using WCCP

Configuring Web Cache Services By Using WCCP CHAPTER 44 Configuring Web Cache Services By Using WCCP This chapter describes how to configure your Catalyst 3560 switch to redirect traffic to wide-area application engines (such as the Cisco Cache Engine

More information

Exam Questions Demo Cisco. Exam Questions

Exam Questions Demo   Cisco. Exam Questions Cisco Exam Questions 300-208 SISAS Implementing Cisco Secure Access Solutions (SISAS) Version:Demo 1. Which functionality does the Cisco ISE self-provisioning flow provide? A. It provides support for native

More information

Segmentation. Threat Defense. Visibility

Segmentation. Threat Defense. Visibility Segmentation Threat Defense Visibility Establish boundaries: network, compute, virtual Enforce policy by functions, devices, organizations, compliance Control and prevent unauthorized access to networks,

More information

Configuring Hybrid REAP

Configuring Hybrid REAP 13 CHAPTER This chapter describes hybrid REAP and explains how to configure this feature on controllers and access points. It contains the following sections: Information About Hybrid REAP, page 13-1,

More information

Cisco HyperFlex Systems

Cisco HyperFlex Systems White Paper Cisco HyperFlex Systems Converting to Cisco Nexus 1000V Distributed Switches for Cisco HyperFlex Virtual Machine Guest and VMware vmotion Networks Author: Hui Chen October 2016 2016 Cisco and/or

More information

Cisco Nexus 1000V for KVM Security Configuration Guide, Release 5.x

Cisco Nexus 1000V for KVM Security Configuration Guide, Release 5.x Cisco Nexus 1000V for KVM Security Configuration Guide, Release 5.x First Published: August 01, 2014 Last Modified: November 13, 2015 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San

More information

Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1

Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1 Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1 Last revised: February 1, 2008 Contents Overview section on page 1 Configuring Guest Access on the Cisco Wireless

More information

Securing Wireless LAN Controllers (WLCs)

Securing Wireless LAN Controllers (WLCs) Securing Wireless LAN Controllers (WLCs) Document ID: 109669 Contents Introduction Prerequisites Requirements Components Used Conventions Traffic Handling in WLCs Controlling Traffic Controlling Management

More information

Architecting Network for Branch Offices with Cisco Unified Wireless

Architecting Network for Branch Offices with Cisco Unified Wireless Architecting Network for Branch Offices with Cisco Unified Wireless Karan Sheth - Sr. Technical Marketing Engineer Objective Design & Deploy Branch Network That Increases Business Resiliency 2 Agenda Learn

More information

Configuring IPv6 First-Hop Security

Configuring IPv6 First-Hop Security This chapter describes the IPv6 First-Hop Security features. This chapter includes the following sections: Finding Feature Information, on page 1 Introduction to First-Hop Security, on page 1 RA Guard,

More information

Contents. Introduction. Prerequisites. Requirements. Components Used

Contents. Introduction. Prerequisites. Requirements. Components Used Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram ASA ISE Step 1. Configure Network Device Step 2. Configure Posture conditions and policies Step 3. Configure Client

More information

Features and Functionality

Features and Functionality Features and functionality introduced in previous versions may be superseded by new features and functionality in later versions. New or Changed Functionality in Version 6.2.2.x, page 1 Features Introduced

More information

Configure TrustSec Multiple Matrices on ISE 2.2

Configure TrustSec Multiple Matrices on ISE 2.2 Configure TrustSec Multiple Matrices on ISE 2.2 Contents Introduction Prerequisites Requirements Components Used Background Information Multiple Matrices DefCon Matrices Configure Network Diagram Configurations

More information

BYOD: Management and Control for the Use and Provisioning of Mobile Devices

BYOD: Management and Control for the Use and Provisioning of Mobile Devices BYOD: Management and Control for the Use and Provisioning of Mobile Devices Imran Bashir Technical Marketing Engineer BYOD: Management and Control for the Use and Provisioning of Mobile Devices -- 3:30

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 9 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the Catalyst 2960 switch. IEEE 802.1x authentication prevents

More information

Cisco Network Admission Control (NAC) Solution

Cisco Network Admission Control (NAC) Solution Data Sheet Cisco Network Admission Control (NAC) Solution New: Updated to include the Cisco Secure Network Server (SNS) Cisco Network Admission Control (NAC) solutions allow you to authenticate wired,

More information

Policing The Borderless Network: Integrating Web Security

Policing The Borderless Network: Integrating Web Security Policing The Borderless Network: Integrating Web Security Hrvoje Dogan Consulting Systems Engineer, Security March 16, 2012 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 About Cisco

More information

Cisco Nexus 1000V Switch for Microsoft Hyper-V

Cisco Nexus 1000V Switch for Microsoft Hyper-V Q&A Cisco Nexus 1000V Switch for Microsoft Hyper-V Overview Q. What are Cisco Nexus 1000V Switches? A. Cisco Nexus 1000V Switches provide a comprehensive and extensible architectural platform for virtual

More information

Virtuální firewall v ukázkách a příkladech

Virtuální firewall v ukázkách a příkladech Praha, hotel Clarion 10. 11. dubna 2013 Virtuální firewall v ukázkách a příkladech T-SEC3 / L2 Tomáš Michaeli Cisco 2013 2011 Cisco and/or its affiliates. All rights reserved. Cisco Connect 1 Agenda VXLAN

More information

SD-WAN Deployment Guide (CVD)

SD-WAN Deployment Guide (CVD) SD-WAN Deployment Guide (CVD) All Cisco Meraki security appliances are equipped with SD-WAN capabilities that enable administrators to maximize network resiliency and bandwidth efficiency. This guide introduces

More information

WiNG 5.x How-To Guide

WiNG 5.x How-To Guide WiNG 5.x How-To Guide Tunneling Remote Traffic using L2TPv3 Part No. TME-08-2012-01 Rev. A MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola

More information

Campus Fabric. How To Integrate With Your Existing Networks. Kedar Karmarkar - Technical Leader BRKCRS-2801

Campus Fabric. How To Integrate With Your Existing Networks. Kedar Karmarkar - Technical Leader BRKCRS-2801 Campus Fabric How To Integrate With Your Existing Networks Kedar Karmarkar - Technical Leader Campus Fabric Abstract Is your Campus network facing some, or all, of these challenges? Host Mobility (w/o

More information

Installing and Configuring VXLAN Gateway

Installing and Configuring VXLAN Gateway Installing and Configuring VXLAN Gateway This chapter contains the following sections: Information About the VXLAN Gateway Deployment, page 1 Guidelines and Limitations, page 2 Configuring VSMs, page 3

More information

Security and Virtualization in the Data Center. BRKSEC Cisco Systems, Inc. All rights reserved. Cisco Public

Security and Virtualization in the Data Center. BRKSEC Cisco Systems, Inc. All rights reserved. Cisco Public Security and Virtualization in the Data Center 1 What We ll Cover Areas of Interest Security for Data Center Layers Device Virtualization & Security Services Security Considerations for Server Virtualization

More information

CONFIGURING AND DEPLOYING THE AX411 WIRELESS ACCESS POINT

CONFIGURING AND DEPLOYING THE AX411 WIRELESS ACCESS POINT APPLICATION NOTE CONFIGURING AND DEPLOYING THE AX411 WIRELESS ACCESS POINT Copyright 2009, Juniper Networks, Inc. 1 Table of Contents Introduction......................................................................................................3

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 10 Configuring IEEE 802.1x Port-Based Authentication IEEE 802.1x port-based authentication prevents unauthorized devices (clients) from gaining access to the network. Unless otherwise noted, the

More information

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features BEST PRACTICE - NAC AUF ARUBA SWITCHES Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features Agenda 1 Overview 2 802.1X Authentication 3 MAC Authentication

More information

Configuring the Catena Solution

Configuring the Catena Solution This chapter describes how to configure Catena on a Cisco NX-OS device. This chapter includes the following sections: About the Catena Solution, page 1 Licensing Requirements for Catena, page 2 Guidelines

More information

Question No : 1 Which three items must be configured in the port profile client in Cisco UCS Manager? (Choose three.)

Question No : 1 Which three items must be configured in the port profile client in Cisco UCS Manager? (Choose three.) Volume: 123 Questions Question No : 1 Which three items must be configured in the port profile client in Cisco UCS Manager? (Choose three.) A. port profile B. DVS C. data center D. folder E. vcenter IP

More information

Cisco Exam Questions & Answers

Cisco Exam Questions & Answers Cisco 648-385 Exam Questions & Answers Number: 648-385 Passing Score: 800 Time Limit: 120 min File Version: 34.4 http://www.gratisexam.com/ Cisco 648-385 Exam Questions & Answers Exam Name: CXFF - Cisco

More information

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer Cisco Next Generation Firewall and IPS Dragan Novakovic Security Consulting Systems Engineer Cisco ASA with Firepower services Cisco TALOS - Collective Security Intelligence Enabled Clustering & High Availability

More information

Configuring TAP Aggregation and MPLS Stripping

Configuring TAP Aggregation and MPLS Stripping This chapter describes how to configure TAP aggregation and MPLS stripping on Cisco NX-OS devices. This chapter contains the following sections: About TAP Aggregation, page 1 About MPLS Stripping, page

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 8 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the switch. IEEE 802.1x authentication prevents unauthorized

More information

THE NETWORK. INTUITIVE. Powered by intent, informed by context. Rajinder Singh Product Sales Specialist - ASEAN August 2017

THE NETWORK. INTUITIVE. Powered by intent, informed by context. Rajinder Singh Product Sales Specialist - ASEAN August 2017 THE NETWORK. INTUITIVE. Powered by intent, informed by context. Rajinder Singh Product Sales Specialist - ASEAN August 2017 The Network. Intuitive. Constantly learning, adapting and protecting. L E A R

More information