Choice of Segmentation and Group Based Policies for Enterprise Networks
- Pierce Baker
- 6 years ago
2 Choice of Segmentation and Group Based Policies for Enterprise Networks. Hari Holla, Technical Marketing Engineer, Cisco ISE. Session BRKCRS-2893. hari_holla, /in/hariholla
3 Cisco Spark. Questions? Use Cisco Spark to chat with the speaker after the session: 1. Find this session in the Cisco Live Mobile App. 2. Click Join the Discussion. 3. Install Spark or go directly to the space. 4. Enter messages/questions in the space. Cisco Spark spaces will be available until July 3. cs.co/ciscolivebot#brkcrs. Cisco and/or its affiliates. All rights reserved. Cisco Public
4 Case study: a multi-national retailer's segmentation problem. The segmentation challenge is common to many other types of networks: universities, hospitals, manufacturing, etc. Customer concerns: need dynamic segmentation; reduce operational costs; keep it secure. Employees, PCI devices, vendors and guests in the branch need segmentation. Each segment today is a VLAN and/or an SSID. Provisioning and decommissioning vendors is a tedious task. Diagram: store segments (Guest, BYOD, Vendor-1, Vendor-2, Vendor-3 ... Vendor-N, Store PCI, Demo, Vendor-A, Vendor-B ... Vendor-N), each a VLAN on an ISR with zone-based firewall, carried as WAN VRFs to the data center (WLC, servers), with Internet access. Additional VLANs/VRFs for voice, print, APs, etc. are not shown in the picture.
5 VLANs for segmentation?
6 Segmenting with VLANs. (Figure: a long static access-list 102 made of dozens of permit/deny ACEs in front of the applications.) Limitations of traditional segmentation: the security policy is based on topology; high cost and complex maintenance. Each VLAN carries its own static ACL, routing, redundancy, DHCP scope and addressing. Classification: static / dynamic VLAN assignment (Quarantine VLAN, Voice VLAN, Data VLAN, Guest VLAN, BYOD VLAN). Propagation: carry the segment context over the network through VLAN tags / IP addresses / VRFs. Enforcement: IP-based policies (ACLs, firewall rules, VACLs). Diagram: enterprise backbone, aggregation layer and access layer with Non-Compliant, Voice, Employee, Supplier and BYOD endpoints.
7 The alternative: Software Defined Segmentation. Controller-driven policy definition and enforcement based on segment IDs. Segment IDs are topology independent (VLAN / IP agnostic), e.g. Employees, Phones, Servers, Quarantine.
8 Agenda: Segmenting using Security Group Tags (SGTs); End-Point Groups (EPGs); Virtual Networks (VNs); Closing thoughts.
9 Heads up. This is the ISE icon (Cisco Identity Services Engine). "For your reference" marks a hidden slide, or one to glance at quickly if it shows up.
10 Segmentation using Security Group Tags (SGT)
11 Cisco TrustSec. Egress policy (source -> destination):
  Employee -> App_Serv: Permit All; Employee -> Prod_Serv: Deny All
  App_Serv -> App_Serv: Permit All; App_Serv -> Prod_Serv: Deny All
  Prod_Serv -> App_Serv: Deny All; Prod_Serv -> Prod_Serv: Permit All
Diagram: users (remote access, wireless, wired network) are classified by Cisco ISE, backed by the directory, as Employees (SGT 5); the tag is propagated through switches and routers to the DC firewall and DC switch, where it is enforced in front of the Application Servers (SGT 7) and Production Servers (SGT 8). The three functions: classification, propagation, enforcement.
12 Consistent access governed by simplified policy. Regardless of topology or location, the policy (Security Group Tag) stays with users, devices and servers. TrustSec simplifies ACL management for intra/inter-VLAN traffic. The DC switch receives policy only for what is connected to it. Diagram: Employee, Supplier, Non-Compliant and Voice endpoints spread over VLAN Data-1 and VLAN Data-2, tagged Employee / Supplier / Non-Compliant; enterprise backbone, ISE, and a data center with Shared Services, Remediation and Application Servers behind the DC switch.
13 Same policy to control lateral access (for your reference). Segment traffic based on the classified group (SGT), not on topology (VLAN, IP subnet). Micro-segmentation / host isolation in LAN and DC with a single policy: devices are segmented even within the same VLAN or the same security group. Diagram as on the previous slide.
14 The three common deployment scenarios. User to Data Center Access Control: context-based access control; compliance requirements (PCI, HIPAA, export-controlled information); merger and acquisition integration, divestments. Data Center Segmentation: server zoning and micro-segmentation; production vs. development server segmentation; compliance requirements (PCI, HIPAA); firewall rule automation. Campus and Branch Segmentation: line of business segregation; PCI, HIPAA and other compliance regulations; malware propagation control / quarantine.
15 TrustSec Deep Dive
16 Doing TrustSec. TrustSec enablement: Cisco ISE configuration; network readiness assessment and TrustSec feature enablement. The 3 TrustSec functions: classification, propagation, enforcement. Egress policy (source -> destination): Employee -> App_Serv Permit All, Employee -> Prod_Serv Deny All; App_Serv -> App_Serv Permit All, App_Serv -> Prod_Serv Deny All; Prod_Serv -> App_Serv Deny All, Prod_Serv -> Prod_Serv Permit All. Diagram: remote access, wireless and wired users (Employees, SGT 5) classified by Cisco ISE with the directory; switches and routers propagate; the DC firewall and DC switch enforce in front of the Application Servers (SGT 7) and Production Servers (SGT 8).
17 ISE is the TrustSec controller
18 ISE is the TrustSec controller. NDAC (Network Device Admission Control) for a trusted domain of network devices. SGT: centrally define Security Group Tags (e.g. 3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers). SGACL / name table: the TrustSec policy matrix, pushed down to the enforcers via a secure channel. SGT assignment: ISE can dynamically (via authentications / SXP / pxGrid) or statically (via CLI) assign SGTs to assets. Diagram: sources and destinations, 802.1X dynamic SGT assignment, dynamic / static SGT assignments, rogue device(s) kept outside the trusted domain.
19 Network Device Admission Control
20 Network Device Admission Control (for your reference). The IOS switch authenticates with Cisco ISE over RADIUS to establish a secure EAP-FAST channel; over that channel ISE delivers environmental data and the TrustSec egress policy. Switch# cts credential id C password cisco. A Device SGT facilitates the communication between ISE and TrustSec devices.
21 Network Device Admission Control (for your reference). The admin can opt to use custom SGT numbers; the default is system generated. PAC settings are used for the secure channel between ISE and TrustSec devices.
22 Defining Security Group Tags (SGTs). Define SGTs under the Components section of the TrustSec Work Center (from ISE 2.0).
23 TrustSec egress policy. A user-friendly policy matrix based on Security Group Tags.
24 SGT assignment for endpoints. Work Centers > TrustSec > Authorization Policy.
25 The 3 TrustSec functions. Classification (assigning SGTs): static assignments, dynamic assignments. Propagation: inline methods, SXP, pxGrid. Enforcement: Security Group ACL, SG Firewall. Diagram: endpoints A and B tagged 5 Employee, 6 Voice, 7 Partner.
26 Classification: two ways to assign Security Group Tags. Dynamic classification: MAB (and other authentications) at campus access and on the WLC. Static classification: L3 interface (SVI) to SGT; L2 port to SGT; VLAN to SGT; subnet to SGT; VM (port profile) to SGT on the hypervisor switch. Diagram: campus access, distribution, core, enterprise backbone, DC core, DC access, firewall.
27 Classification: SGT assignment to a wired endpoint. Cisco ISE assigns the SGT to the session on the Catalyst switch (port G 0/1).
Switch# show authentication sessions int Gi 0/1 details
  Interface: GigabitEthernet1/0/23
  IIF-ID: 0x107AB
  MAC Address:
  IPv6 Address: 2001:DB8:100:0:3809:A879:5197:16DB
  IPv4 Address:
  User-Name: bob@trustsec.lab
  Status: Authorized
  Domain: DATA
  Oper host mode: multi-auth
  Oper control dir: both
  Session timeout: N/A
  Common Session ID: 0A FC50BEC5800
  Acct Session ID: 0x00000FBE
  Handle: 0xD
  Current Policy: POLICY_Gi1/0/23
  Server Policies: SGT Value: 10
  Method status list: Method mab, State Authc Success
28 Classification: assigning SGTs to wireless sessions. Cisco ISE assigns the SGT on the WLC. Works on AireOS and IOS wireless controllers.
29 Classification: VLANs can be mapped to SGTs (VLAN-100 = SGT-100) on the Catalyst switch (ports G 0/1, G 0/2).
Switch(config)# cts role-based sgt-map vlan-list 100 sgt 100
Switch# show cts role-based sgt-map all
  Active IPv4-SGT Bindings Information
  IP Address  SGT  Source
  (bindings with sources LOCAL, INTERNAL, VLAN, VLAN)
  IP-SGT Active Bindings Summary
  Total number of VLAN bindings = 2
  Total number of LOCAL bindings = 1
  Total number of active bindings = 4
30 Classification: routes learnt on an interface get the SGT. Can apply to Layer 3 interfaces regardless of the underlying physical interface: routed port, SVI (VLAN interface), tunnel interface, etc. Example: GigabitEthernet 3/0/1 (towards Joint Ventures) maps to SGT 8; GigabitEthernet 3/0/2 (towards Business Partners and the DC access hypervisor switch) maps to SGT 9. Route updates received on g3/0/1 and g3/0/2 create bindings:
  IP Address  SGT  Source
  (device addresses)  INTERNAL
  /24  8  L3IF
  /24  9  L3IF
  /24  9  L3IF
31 Classification: SGT binding source priority (for your reference). The current priority enforcement order, from lowest (1) to highest (7), is as follows:
  1. VLAN: bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured.
  2. CLI: address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.
  3. Layer 3 Interface (L3IF): bindings added due to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports.
  4. SXP: bindings learned from SXP peers.
  5. IP_ARP: bindings learned when tagged ARP packets are received on a CTS-capable link.
  6. LOCAL: bindings of authenticated hosts which are learned via ISE and device tracking. This type of binding also includes individual hosts that are learned via ARP snooping on L2 [I]PM configured ports.
  7. INTERNAL: bindings between locally configured IP addresses and the device's own SGT.
32 Classification: in Nexus 1000V, SGTs can be assigned to a port profile (for your reference). A port profile is a container of network properties applied to different interfaces. The server admin may assign port profiles to new VMs; VMs inherit the network properties of the port profile, including the SGT. The SGT stays with the VM even if it is moved.
33 The 3 TrustSec functions: classification (assigning SGTs: static and dynamic assignments), propagation (inline methods, SXP, pxGrid), enforcement (Security Group ACL, SG Firewall).
34 Propagation: two ways to propagate tags. Inline method: the SGT is carried inline in the data traffic (SW1 - R1 - SW2, each frame carrying IP plus SGT 5). Methods include SGT over Ethernet, MACsec, LISP/VXLAN, IPsec, DMVPN and GETVPN. Out-of-band method: the IP-to-SGT binding (e.g. 5/Employees, 7/WebServers) is shared over a control protocol; there is no SGT in the data plane. Methods include IP-to-SGT exchange over SXP and pxGrid.
35 Propagation: Ethernet inline tagging. Ethernet frame with Cisco Meta Data: Destination MAC | Source MAC | 802.1Q | CMD EtherType (0x8909) | CMD (Version, Length, SGT Option Type, SGT Value (16 bits), other CMD options) | ETHTYPE | Payload | CRC. MACsec frame: Destination MAC | Source MAC | 802.1AE header (EtherType 0x88E5) | 802.1Q | CMD | ETHTYPE | Payload | 802.1AE trailer | CRC, with AES-GCM 128-bit encryption. This is the fastest and most scalable way to propagate SGTs within a LAN or DC. The SGT is embedded within Cisco Meta Data (CMD) in the Layer 2 frame; capable switches understand and process the SGT at line rate. Optionally protect the CMD with MACsec (IEEE 802.1AE). No impact on QoS or IP MTU/fragmentation. L2 frame impact: ~20 bytes. The 16-bit field gives a ~64,000 tag space. A non-capable device drops the frame because of the unknown EtherType.
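As an added illustration of the CMD layout described above (example code, not from the session or from Cisco), the following Python builds an 802.1Q frame carrying a CMD header with an SGT, parses the SGT back out, and models the caveat that a device without CMD support drops the frame on the unknown EtherType 0x8909. The EtherType values are from the slide; the exact byte widths of the version and length fields and the SGT option-type code 0x0001 are assumptions made for this example.

```python
import struct

ETHERTYPE_DOT1Q = 0x8100
ETHERTYPE_CMD = 0x8909        # Cisco Meta Data EtherType (from the slide)
ETHERTYPE_IPV4 = 0x0800
CMD_VERSION = 1               # assumed value for this example
CMD_OPTION_SGT = 0x0001       # assumed option-type code for the SGT option


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_plain_frame(dst_mac, src_mac, payload, ethertype=ETHERTYPE_IPV4):
    """Untagged frame: dst | src | EtherType | payload (CRC omitted)."""
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ethertype) + payload


def build_cmd_frame(dst_mac, src_mac, vlan_id, sgt, payload,
                    ethertype=ETHERTYPE_IPV4):
    """Tagged frame: dst | src | 802.1Q | CMD(SGT) | inner EtherType | payload."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit field")
    if not 0 <= vlan_id <= 0xFFF:
        raise ValueError("VLAN ID is a 12-bit field")
    dot1q = struct.pack("!HH", ETHERTYPE_DOT1Q, vlan_id)  # PCP/DEI left at 0
    # CMD: EtherType, version, length (assumed: number of 4-byte option words),
    # then a single SGT option (type, 16-bit value).
    cmd = struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION, 1, CMD_OPTION_SGT, sgt)
    return (_mac(dst_mac) + _mac(src_mac) + dot1q + cmd
            + struct.pack("!H", ethertype) + payload)


def parse_frame(frame):
    """Walk the header chain; return vlan, sgt (None if no CMD), inner EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    off, vlan, sgt = 12, None, None
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if ethertype == ETHERTYPE_DOT1Q:
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlan, off = tci & 0x0FFF, off + 4
    if ethertype == ETHERTYPE_CMD:
        version, length = struct.unpack_from("!BB", frame, off)
        if version != CMD_VERSION:
            raise ValueError("unsupported CMD version %d" % version)
        off += 2
        end = off + 4 * length
        while off + 4 <= end:               # scan the options; keep the SGT one
            opt_type, opt_value = struct.unpack_from("!HH", frame, off)
            if opt_type == CMD_OPTION_SGT:
                sgt = opt_value
            off += 4
        (ethertype,) = struct.unpack_from("!H", frame, end)
        off = end + 2
    return {"vlan": vlan, "sgt": sgt, "ethertype": ethertype, "payload": frame[off:]}


def legacy_switch_decision(frame, known=(ETHERTYPE_IPV4, 0x86DD, 0x0806)):
    """A switch without CMD support understands 802.1Q and the listed EtherTypes
    only; 0x8909 is unknown to it, so the tagged frame is dropped (the caveat)."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_DOT1Q:
        (ethertype,) = struct.unpack_from("!H", frame, 16)
    return "forward" if ethertype in known else "drop"
```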
36 Propagation, L3 inline: crypto transport for SGT over IPsec, DMVPN and GETVPN (for your reference). SGT in IPsec: IP header (protocol type = ESP) | ESP header | IV | CMD: Next Header (IP), Len = 3, Version (0x1), Reserved, Len (0x0), Type (1 = SGT), SGT Number (16 bits), Len (0x1), Type (5 = PST), GETVPN pseudo timestamp | original IP header | original IP payload | Pad | Pad Length | Next Header | Authentication Tag. Cisco Meta Data (CMD) uses protocol 99 and is inserted at the beginning of the ESP/AH payload. Configuration: SGT over IPsec: crypto ikev2 cts sgt. SGT over DMVPN: cts sgt inline. SGT over GETVPN:
  crypto gdoi group GDOI
   identity number
   server local
    sa ipsec 1
     tag cts sgt
     match address ipv4 ACL_GETVPN_SGT
37 Propagation, L3 inline: non-crypto SGT propagation over IP (for your reference). EIGRP Over The Top (OTP): EIGRP on the control plane and Locator/ID Separation Protocol (LISP) encapsulation on the data plane to route traffic across the underlying WAN architecture (CE - PE - Internet / WAN - PE - CE). SGT in LISP (from IOS XE 3.15S): outer IP header (Ver, IHL, ToS, Total Length, Identification, Flags, Fragmentation Offset, Time to Live, Protocol (17), Header Checksum, Source Routing Locator, Destination Routing Locator) | UDP header (Source Port, Destination Port (4341), UDP Length, UDP Checksum) | LISP header (N, L, E and reserved flags, Locator Status Bits) with the SGT (16 bits) inserted in the Nonce field (24 bits), padded | inner IP header (Source Endpoint Identifier, Destination Endpoint Identifier). Overall IP MTU increase: 36 bytes.
  router eigrp my-wan
   address-family ipv4 unicast autonomous-system 100
    topology base
     cts propagate sgt
    exit-af-topology
   exit-address-family
Learn more:
38 Propagation: SGT Exchange Protocol (SXP), for out-of-band IP-SGT binding propagation. A propagation method for IP-SGT bindings from the classification point to the enforcement point (switches, routers acting as SXP aggregation, firewalls). Open protocol (IETF draft) with OpenDaylight (ODL) support. TCP port 64999. Roles: speaker (initiator) and listener (receiver). Uses MD5 for authentication and integrity checking. Supports single-hop SXP and multi-hop SXP (aggregation). Cisco ISE 2.0 and later can be an SXP speaker and listener.
39 Propagation: SXP example on AireOS. The wireless controller (e.g. 5520) is the SXP speaker; the switch / firewall is the SXP listener; Cisco ISE assigns the SGT. There is no SG-based enforcement locally on the controller; IP-SGT bindings are sent over SXP to the enforcers / aggregators. Supported on all wireless controllers except the 7500 and vWLC.
40 Propagation: SXP support in ISE. Cisco ISE as SXP speaker and listener, supported from ISE 2.0. Useful for classifying destination SGTs, and enables 3rd-party access devices for TrustSec. Example: ISE authorization policy: if AD_Group_Employee, then SGT 5/Employees (learned via 802.1X / RADIUS, shown with source LOCAL in the binding table). ISE IP-to-SGT binding table: IP address ... is SGT 9/WebServers, sent to the enforcer over SXP and shown there with source SXP.
41 Propagation: SXP devices.
42 Propagation: ISE and SXP. IOS switch configuration:
  cts sxp enable
  cts sxp default source-ip
  cts sxp default password cisco
  cts sxp connection peer password default mode peer
Switch# show cts sxp connections
  SXP : Enabled
  Highest Version Supported: 4
  Default Password : Set
  Default Source IP:
  <Output trimmed>
  Peer IP :
  Source IP :
  Conn status : On
  Conn version : 4
  Conn capability : IPv4-IPv6-Subnet
  Conn hold time : 120 seconds
  Local mode : SXP Listener
  <Output truncated>
Switch# show cts sxp sgt-map brief
  SXP Node ID(generated):0x0A050301( )
  IP-SGT Mappings as follows:
  IPv4,SGT: < /27, 120:Mail_Servers>
  IPv4,SGT: < /27, 110:Web_Servers>
  Total number of IP-SGT Mappings: 2
43 Propagation: SXP in action. Cisco ISE 2.0+ holds the TrustSec policy and classifies the employee as Employee = SGT-5 on the access switch; the web server binding (IP = SGT-10, Web_Server) is sent over SXP. The access switch binding table holds INTERNAL and LOCAL entries; across the WAN, the Nexus switch (N7K) binding table holds INTERNAL and SXP entries. The flow from the employee (SRC) to the web server (DST) is matched against the policy for SGT-5 to SGT-10.
44 Propagation: 3rd-party access and ISE SXP. The employee authenticates with 802.1X on a 3rd-party access switch; ISE classifies it as Employee = SGT-5 and sends the IP = SGT-5 binding over SXP on behalf of that switch, together with the web server binding IP = SGT-10. The Nexus switch binding table holds INTERNAL and SXP entries and applies the TrustSec policy (5 Employee to 10 Web_Server) to the flow across the WAN.
45 Propagation: SXP can be single- or multi-hop (for your reference). Single-hop SXP: an SXP-enabled switch/WLC (speaker) sends bindings across a non-TrustSec domain to a listener on SGT-capable hardware. Multi-hop SXP: SXP-enabled switches/WLCs speak to an SXP aggregation switch, which in turn speaks to the SGT-capable hardware.
46 Propagation: 4 SXP versions (for your reference).
  Version 1: the initial SXP version; supports IPv4 binding propagation.
  Version 2: adds IPv6 binding propagation and version negotiation (older switch and router IOS prior to March 2013, WLC).
  Version 3: adds subnet/SGT binding propagation and expansion; when speaking to a lower-version listener it expands the subnet.
  Version 4: loop detection and prevention, capability exchange, built-in keepalive mechanism (newer switch and router IOS after March 2013).
47 Propagation: SXP scalability (for your reference). Platform: max SXP connections / max IP-SGT bindings (figures lost in the transcription are marked as not captured).
  Cisco ISE: not captured / 250,000 per PSN
  Catalyst 6500 Sup2T: not captured
  Nexus: M series 200,000 bindings from v7.2 (earlier 50,000); F3 series 64,000 (recommended 50K); F2E series 32,000 (recommended 25K)
  Catalyst 4500 Sup7E: not captured
  Catalyst 4500X / 4500 Sup7LE: 1,000 / 64,000
  ASA 5585-X SSP 60: not captured
  ASA 5585-X SSP: not captured
  Catalyst 3850 / WLC: not captured
  CSR: (450 for bi-directional) / 135,000
  ISR: (900 for bi-directional) / 135,000
  ASR: (900 for bi-directional) / 750,000 (from XE 3.15), earlier 180,000
  ISR2900, ISR: (125 for bi-directional) / 180,000 for unidirectional SXP, 125,000 for bi-directional SXP
48 Propagation: pxGrid overview. XMPP / Jabber-based protocol for context exchange. Secure bi-directional connectivity; the grid is controlled by ISE. Grid members can publish and/or subscribe to specific topics. The TrustSecMetaData topic carries the Security Group table and the IP-SGT binding exchange. Example timeline: 10:30 AM the ISE SXP node learns "IP address ... is SGT 9/0009"; 10:30 AM Firepower Management Center receives it over pxGrid; 10:30 AM the APIC-EM controller receives it.
49 Propagation: sharing IP-to-SGT bindings over pxGrid. pxGrid clients can subscribe to the SGT table and bindings. IP-to-SGT bindings received over SXP (or learned by ISE via RADIUS) can be published via pxGrid. Data format: SXPBinding= {ipprefix= /32 tag=9 source= peersequence= }. Any pxGrid subscriber can consume them, e.g. Infoblox, FMC, WSA, APIC-EM.
50 Sharing context over pxGrid (for your reference). Access control policies based on ISE attributes (SGT, device type and endpoint location) on NGIPS / ASA + Firepower.
51 Propagation: SGT transport over WAN overview (for your reference). Diagram: enterprise LAN (switches, wireless, BYOD, Finance, HR) with CTS links and SXP, ISE pushing SGACLs; data center with Nexus 7000, Nexus 1000v and Catalyst 6500; WAN options IPsec, DMVPN over the Internet and GETVPN over enterprise MPLS. Multiple options exist for SGT transport over non-CTS Layer 3 networks: DMVPN for Internet-based VPNs; GETVPN and OTP for the private WAN. Learn more:
52 The 3 TrustSec functions: classification (assigning SGTs: static and dynamic assignments), propagation (inline SGT, SXP, WAN options), enforcement (Security Group ACL, SG Firewall).
53 Enforcement: TrustSec policy matrix in ISE.
54 Enforcement: deploy the policy at the click of a button. Push and deploy TrustSec policies consistently across the switching, wireless and routing infrastructure (Catalyst switches, Nexus switches, virtual switches, industrial switches, wireless access points, routing platforms); the devices enforce with cts role-based enforcement.
55 Enforcement: policy download only for known destinations. Segmentation defined in ISE for destinations Prod_Servers (7) and Dev_Servers (8) from sources SGT=3, SGT=4, SGT=5. TrustSec switches request policies for the assets they protect; policies are downloaded and applied dynamically. Result: software-defined segmentation; switches pull down only the policies they need. In the diagram, the switch with a Dev_Server (SGT=7) connected asks "I have SGT-7, is there a policy for it?" and reports "I pulled policies to protect SGT-7", while the switch with nothing to protect says "I know nothing is there to protect". SGACL enforcement on the server-facing port:
  interface ethernet 2/1
   cts manual
    policy static sgt 0x7
    no propagate-sgt
56 Enforcement: east-west segmentation. WannaCry: when executed, the malware first checks the "kill switch" domain name; if it is not found, the ransomware encrypts the computer's data, then attempts to exploit the SMB vulnerability to spread to random computers on the Internet and "laterally" to computers on the same network. Diagram: (1) a pwned PC scans peers for open ports / OS, (2) exploits the vulnerability on another PC in the wired or wireless segment; an SGACL policy between Employee-tagged devices (Employee tag on the AP, distribution switch and access switch) blocks this. The SGACL replaces private / isolated / community VLAN functionality with centrally provisioned policy; supports mobile devices (with DHCP addresses); static ACLs cannot support the same level of policy; no other vendor can support this type of use case. Sample Anti-Malware-ACL (sample ACEs to block PtH, Pass-the-Hash, i.e. SMB over TCP, used for privilege escalation):
  deny icmp
  deny udp src dst eq domain
  deny tcp src dst eq 3389
  deny tcp src dst eq 1433
  deny tcp src dst eq 1521
  deny tcp src dst eq 445
  deny tcp src dst eq 137
  deny tcp src dst eq 138
  deny tcp src dst eq 139
  deny udp src dst eq snmp
  deny tcp src dst eq telnet
  deny tcp src dst eq www
  deny tcp src dst eq 443
  deny tcp src dst eq 22
  deny tcp src dst eq pop3
  deny tcp src dst eq 123
Wireless support: AireOS 8.4, Wave-1 and Wave-2 APs, WLC 8540 and 5520.
57 Enforcement: zone-based firewall. The SGT is a source criterion only in the ISR firewall; source or destination in the ASR 1000.
  class-map type inspect match-any partner-services
   match protocol http
   match protocol icmp
   match protocol ssh
  class-map type inspect match-any partner-sgts
   match security-group source tag 2001
   match security-group source tag 2002
   match security-group source tag 2003
  class-map type inspect match-all partner-class
   match class-map partner-services
   match class-map partner-sgts
  class-map type inspect match-any guest-services
   match protocol http
  class-map type inspect match-any guest-sgts
   match security-group source tag 5555
  class-map type inspect match-all guest-class
   match class-map guest-services
   match class-map guest-sgts
  class-map type inspect match-any emp-services
   match protocol http
   match protocol ftp
   match protocol icmp
   match protocol ssh
  ...
58 Enforcement: firewall policy based on SGTs. SGTs defined in ISE or locally on the ASA. Use destination SGTs received from the switches connected to the destination. Use network objects (host, range, network (subnet) or FQDN). Trigger IPS/CX based on SGT.
59 Enforcement: SGT-based path selection. Policy-based routing based on SGT on a router / firewall, steering traffic from Network A across the enterprise WAN or through an inspection router; SGT-based VRF selection (e.g. VRF-GUEST).
  route-map SG_PBR
   match security-group source tag 100
   set ip next-hop
   match security-group destination tag 150
   set ip next-hop
Security examples: redirect traffic from malware-infected hosts; contain threats; pass traffic through centralized analysis and inspection functions; segment traffic into different VRFs based on context. Other example: map different user groups (User A suspicious, User B employee, User C guest) to different WAN services. Available today: Cisco IOS XE Release 3.16S (ASR 1000) as well as ASA 5500-X (9.5.1).
60 Enforcement: FirePOWER service redirect on tags (for your reference). Create a service policy to forward suspicious traffic to the FirePOWER services.
61 Enforcement: SGT-based path selection (for your reference). Different user groups can be offered different Quality of Service (QoS): Employee (10) traffic to CriticalServers (100) gets priority treatment; traffic to NonCritical (254) gets lower bandwidth (IOS XE 3.17S).
  class-map employee-non_critical
   match security-group source tag 10
   match security-group destination tag 254
  end
  !
  class-map employee-critical
   match security-group source tag 10
   match security-group destination tag 100
  end
  !
  policy-map sg_qos
   class employee-critical
    priority percent 50
   class employee-non_critical
    bandwidth percent 25
    set dscp ef
  end
62 TrustSec platform support, by function along the path user - switch - router - WAN (GETVPN, DMVPN, IPsec) - router - firewall - DC switch - vswitch - server, with ISE.
Classification: Catalyst 2960-S/-SF/-C/-CX/-Plus/-X/-XR; Catalyst 3560-E/-C/-X/-CX/-CG; Catalyst 3750-E/-X; Catalyst 3650, 3850, 3850-XS; Catalyst 4500E (Sup6-E, 6L-E); Catalyst 4500E (Sup 7-E, 7L-E, 8-E, 8L-E); Catalyst 4500-X; Catalyst 6500E (Sup720/2T); Catalyst 6800; WLC 2500/5500/WiSM2/Flex7500; WLC 5760; WLC 8510/8540; Nexus 7000; Nexus 6000/5600; Nexus 5500/2200; Nexus 1000v; ISRG2, ISR4000, ISRv; ASR1000, 1000-X; CSR 1000v; IE2000/2000U/3000/4000/5000; CGR 2010, CGS2500; ASA 5500, ASAv, FP4100/9300, ISA 3000; ISE.
Propagation: the same list as classification, plus FP 7000/8000.
Enforcement: Catalyst 3560-X/-CX; Catalyst 3750-E/-X; Catalyst 3650, 3850, 3850-XS; Catalyst 4500E (Sup 7-E, 7L-E, 8-E, 8L-E); Catalyst 4500-X; Catalyst 6500E (Sup 2T); Catalyst 6800; WLC 5760; Nexus 7000; Nexus 6000/5600; Nexus 5500/2200; Nexus 1000v; ISRG2, ISR4000, ISRv; ASR1000, 1000-X; CSR 1000v; IE4000/5000; CGR 2010; ASA 5500, ASAv, FP4100/9300, ISA 3000; Web Security Appliance.
For up-to-date information visit:
63 How about monitoring segmentation policies? Use NetFlow
64 TrustSec traffic monitoring with Stealthwatch
NetFlow records answer Who, What, Where and When; exporting the Security Group adds more context (who, by role) to each flow.
Highly scalable (enterprise class) collection; high compression, long term storage; months of data retention.
flow record my-flow-record
 ...
 match flow cts source group-tag
 match flow cts destination group-tag
 ...
65 Real-time segmentation policy validation
Custom event triggers on a traffic condition, keyed on SGT and DGT. Trigger on traffic in both directions, successful or unsuccessful.
More on StealthWatch: BRKSEC-3014: Security Monitoring with StealthWatch
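The check the slide describes, written out as an added example (not Cisco or Stealthwatch code): each exported flow record carrying the TrustSec source and destination group tags is looked up in a small SGT/DGT matrix, and any record that lands on a DENY cell, in either direction, is reported as a policy violation, because traffic an SGACL should have dropped was seen on the wire. The tag numbers, group names, matrix cells and flow records are all constructed for the example.

```python
"""Check NetFlow records carrying SGT/DGT against a segmentation policy.

Added example, not Cisco or Stealthwatch code.  A flow that matches a DENY
cell of the SGT/DGT matrix proves that enforcement did not happen where it
was expected.  Tag numbers, names and flow records are constructed.
"""
from dataclasses import dataclass

# Constructed Security Group names (the numbers are not from the deck).
SGT_NAMES = {10: "Employees", 20: "Contractors", 100: "PCI_Servers", 254: "NonCritical"}

# Policy matrix cells, (source SGT, destination SGT) -> action.  Absent cells
# fall back to DEFAULT_ACTION, like the default policy of a TrustSec matrix.
POLICY = {
    (10, 100): "deny",   # Employees -> PCI_Servers
    (20, 100): "deny",   # Contractors -> PCI_Servers
    (20, 10): "deny",    # Contractors -> Employees
}
DEFAULT_ACTION = "permit"


@dataclass(frozen=True)
class Flow:
    """One exported flow record with the two group-tag fields."""
    src_ip: str
    dst_ip: str
    proto: int
    dst_port: int
    sgt: int        # source group tag
    dgt: int        # destination group tag
    packets: int


def expected_action(sgt, dgt):
    """What the SGACL matrix says should happen to this SGT/DGT pair."""
    return POLICY.get((sgt, dgt), DEFAULT_ACTION)


def find_violations(flows, both_directions=True):
    """Return the flows whose SGT/DGT pair is denied by the matrix.

    With both_directions=True a record is also flagged when the reverse
    pairing is denied: a reply seen from PCI_Servers to Contractors proves
    the denied Contractors -> PCI_Servers request got through somewhere.
    """
    violations = []
    for flow in flows:
        pairs = [(flow.sgt, flow.dgt)]
        if both_directions:
            pairs.append((flow.dgt, flow.sgt))
        if any(expected_action(s, d) == "deny" for s, d in pairs):
            violations.append(flow)
    return violations


def describe(flow):
    """Human-readable alert line for an analyst."""
    src = SGT_NAMES.get(flow.sgt, str(flow.sgt))
    dst = SGT_NAMES.get(flow.dgt, str(flow.dgt))
    return (f"POLICY VIOLATION {src}({flow.sgt}) -> {dst}({flow.dgt}): "
            f"{flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}/{flow.proto}, "
            f"{flow.packets} packets")


# Constructed flow records, as a collector would see them after export.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "10.9.9.10", 6, 443, 10, 100, 12),    # Employees -> PCI: denied cell
    Flow("10.1.1.5", "10.5.5.7", 6, 80, 10, 254, 40),      # Employees -> NonCritical: permitted
    Flow("10.9.9.10", "10.2.2.8", 6, 50123, 100, 20, 3),   # PCI -> Contractors: reverse of a denied cell
    Flow("10.2.2.8", "10.2.2.9", 17, 53, 20, 20, 5),       # Contractors -> Contractors: permitted
]

if __name__ == "__main__":
    for flow in find_violations(SAMPLE_FLOWS):
        print(describe(flow))
```

Run stand-alone it prints two alerts: the direct Employees -> PCI_Servers flow and the PCI_Servers -> Contractors reply whose reverse pairing is denied; with both_directions=False only the first is reported, which is why the slide's "both directions" trigger matters for catching a missing enforcement point.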
66 Real-time policy check (for your reference)
Diagram: a Contractor registers on the Enterprise Network and its network activity is monitored.
- Detect suspicious and malicious activity: Network Behaviour and Anomaly Detection
- Policy violations: monitor policy configuration and misconfiguration
- Monitor for business continuity
67 TrustSec reduces operational costs for segmentation
Based on the results of the PCI validation and PCI Internal Network Penetration and Segmentation Test, it is Verizon's opinion that Cisco TrustSec can successfully perform network segmentation, for the purpose of PCI scope reduction.
Cisco has made great strides in integrating support for the TrustSec framework across its product lines
- Flexibility to Segregate Resources Without Physical Segmentation or Managing VLANs
- Reduction in ACL Maintenance, Complexity and Overhead
Cisco TrustSec enabled the organizations interviewed to reduce operational costs by avoiding additional IT headcount, deploy new environments faster, and implement consistent and effective network segmentation resulting in lower downtime.
68 Segmentation using Endpoint Groups (EPG)
69 TrustSec ACI comparison
                    TRUSTSEC                                    ACI
Segment Identifier  16-bit Security Group Tags (SGT)            16-bit Endpoint Groups (EPG)
Classification      Static or Dynamic                           Static or Dynamic
Transport           SGT-over-Ethernet, SXP, LISP and IPSec      VxLAN
Policy              SG-ACL, SG-Firewall, SG-based-PBR, SG-QoS   Contracts: ACL, QoS, Redirect (Service-chaining)
Scope               End-to-end (User to DC)                     Data Center only
Controller          Cisco ISE                                   Cisco APIC-DC
APIC: Application Policy Infrastructure Controller
70 Application Centric Infrastructure (ACI)
Cisco ACI is a comprehensive SDN architecture for Data Center networks:
- Spine-leaf architecture with Nexus 9000 switches
- Network controlled by the APIC-DC controller
- Routed mesh topology, ECMP load balancing; a non-blocking, penalty-free overlay
- VXLAN for the overlay: the ACI fabric carries a normalized overlay (VXLAN) over 40 Gbps uplinks, while each leaf keeps the localized encapsulation of its clients (for example 802.1Q VLAN 50 for the WEB VMs, NVGRE VSID = 7456 for the APP VMs, VXLAN VNID = 78 for DB)
- ACI policy: EPGs and Contracts for policy
71 Manage the fabric instead of individual switches
72 Virtual Extensible LAN (VXLAN)
Extend VLAN capabilities with flexibility:
- 24 bit VNID (VXLAN Network Identifier): 16 million segments, 4 times more than VLANs
- Members need not be co-located as in a VLAN; IP mobility is supported
- VXLAN tunnels a Layer 2 network over a Layer 3 network, so there is no need for Spanning Tree Protocol
- VXLAN tunnel endpoint (VTEP) devices map end devices to VXLAN segments: the ingress VTEP encapsulates, the egress VTEP decapsulates
- VLANs can be mapped to VNIDs (for example VNID 1100)
73 VXLAN Encapsulation
Outer MAC DA | Outer MAC SA | Outer IEEE 802.1Q | Outer IP DA (VTEP) | Outer IP SA (VTEP) | Outer UDP | VXLAN Header | Original Ethernet Frame (Inner MAC DA | Inner MAC SA | Optional Inner IEEE 802.1Q | Original Ethernet Payload) | CRC
MAC in UDP encapsulation; UDP destination Port # 8472.
The ACI implementation of VXLAN is similar to LISP (Locator/ID Separation Protocol):
- LISP header: Flags (8b) ...
- VXLAN Header: Flags (8b) | Source Group (16b) = Source Endpoint Group (EPG) | VXLAN Instance ID (24b) = VXLAN Network Identifier (VNID) | Metrics (8b)
74 VXLAN / ACI packet walk
VTEPs use multicast or a host tracking method to learn remote hosts. The spine holds the host database (Host, VNID -> VTEP); each VTEP keeps a cache of the same bindings and learns local hosts from ARP (Host-A, VNID 10).
1. Host-A sends a frame to Host-B (SMAC: Host-A, DMAC: Host-B).
2. VTEP-1 looks up Host-B in its cache (Host *, VNID 10, VTEP *) and the host database, then encapsulates the frame (SMAC: VTEP-1, DMAC: Spine-1, VNID: 10).
3. Spine-1 forwards the encapsulated packet to VTEP-2 (SMAC: Spine-1, DMAC: VTEP-2, VNID: 10).
4. VTEP-2 decapsulates and delivers the original frame (SMAC: Host-A, DMAC: Host-B) to Host-B.
75 Endpoint Groups (EPG)
An EPG is a logical group of objects that require similar policy, for example Web Servers, Application Servers and Database Servers become the WEB EPG, APP EPG and DB EPG. The EPG is 16 bits. Like SGTs, EPGs are topology independent.
EPGs are assigned on ingress ports only, and can be assigned to: physical port, virtual port, VLAN ID, VXLAN (VNID), NVGRE (VSID), IP address, IP subnet, Layer 4 ports*, *.domain.name*, VM attributes* (* - future)
76 Example: Assigning EPG to IP address pool
Firewall = WEB EPG; Eth 1/1 = APP EPG; VLAN-20 = DB EPG (VNID 1103). Other classification options for EPG are also available.
77 Contracts
EPGs can't talk to each other without a contract. Contracts connect EPGs over a Provider (P) and Consumer (C) relationship.
Example: USER EPG (IP subnet /15, VNID 1101) --C-- CONTRACT-U2W (HTTP, HTTPS) --P-- WEB EPG (VNID 1102) --C-- CONTRACT-W2A (Firewall service chaining) --P-- APP EPG (Eth 1/1, VNID 1103)
Contract definitions (CONTRACT-U2W, CONTRACT-W2A) are built from IN/EG PERMIT, QOS, IN/EG DENY and REDIRECT actions (IN: Ingress, EG: Egress).
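The rule on this slide, modelled as an added example (not Cisco or APIC code): EPGs cannot talk without a contract, a contract joins a Consumer to a Provider, and each contract carries filters (protocol and destination port). A request is allowed from consumer to provider when a filter matches, and the provider's reply back to the consumer is allowed when the same filter matches with the ports reversed. The contract names CONTRACT-U2W / CONTRACT-W2A and the HTTP/HTTPS filter come from the slide; the subnets (the slide shows only "/15" for USER), the port used for WEB -> APP and the IP-subnet classification are constructed assumptions.

```python
"""Contract-gated reachability between EPGs.

Added example, not Cisco or APIC code.  Unclassified endpoints and EPG
pairs without a contract are dropped; members of one EPG may talk freely.
Subnets and the WEB -> APP port are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Filter:
    proto: str                 # "tcp", "udp" or "any"
    dst_port: Optional[int]    # None matches any port

    def matches(self, proto, port):
        return self.proto in ("any", proto) and self.dst_port in (None, port)


@dataclass
class Contract:
    name: str
    filters: list
    providers: set = field(default_factory=set)
    consumers: set = field(default_factory=set)


class Fabric:
    def __init__(self):
        self.contracts = {}
        self.subnets = []   # (ip_network, epg): IP-subnet based EPG classification

    def add_contract(self, contract):
        self.contracts[contract.name] = contract

    def provide(self, epg, contract_name):
        self.contracts[contract_name].providers.add(epg)

    def consume(self, epg, contract_name):
        self.contracts[contract_name].consumers.add(epg)

    def classify(self, cidr, epg):
        self.subnets.append((ipaddress.ip_network(cidr), epg))

    def epg_of(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((epg for net, epg in self.subnets if addr in net), None)

    def allowed(self, src_ip, dst_ip, proto, src_port, dst_port):
        """Decide one packet: no contract between the two EPGs means drop."""
        src, dst = self.epg_of(src_ip), self.epg_of(dst_ip)
        if src is None or dst is None:
            return False
        if src == dst:
            return True
        for c in self.contracts.values():
            # consumer -> provider request: match on the destination port
            if src in c.consumers and dst in c.providers:
                if any(f.matches(proto, dst_port) for f in c.filters):
                    return True
            # provider -> consumer reply: the same filter, ports reversed
            if src in c.providers and dst in c.consumers:
                if any(f.matches(proto, src_port) for f in c.filters):
                    return True
        return False


def build_example_fabric():
    """USER -> WEB -> APP as drawn on the slide; subnets are constructed."""
    fab = Fabric()
    fab.classify("10.0.0.0/15", "USER")    # the slide's /15 pool, prefix assumed
    fab.classify("10.2.0.0/24", "WEB")
    fab.classify("10.3.0.0/24", "APP")
    fab.add_contract(Contract("CONTRACT-U2W", [Filter("tcp", 80), Filter("tcp", 443)]))
    fab.add_contract(Contract("CONTRACT-W2A", [Filter("tcp", 8080)]))   # port assumed
    fab.consume("USER", "CONTRACT-U2W")
    fab.provide("WEB", "CONTRACT-U2W")
    fab.consume("WEB", "CONTRACT-W2A")
    fab.provide("APP", "CONTRACT-W2A")
    return fab


if __name__ == "__main__":
    fab = build_example_fabric()
    print("USER -> WEB https:", fab.allowed("10.0.0.5", "10.2.0.10", "tcp", 51000, 443))
    print("USER -> APP 8080: ", fab.allowed("10.0.0.5", "10.3.0.10", "tcp", 51000, 8080))
```

The point the model makes visible: USER reaches WEB only on the HTTP/HTTPS filters, USER never reaches APP because no contract joins those two EPGs, and APP cannot initiate toward WEB because it is only a provider there, which is the default-deny behaviour the slide describes.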
78 Contracts ACL
79 Contracts Service Graph
80 EPGs and Contracts summary: EPG + Contracts = Application Network Profile
81 ACI policy hierarchy
ACI management: Tenant
ACI networking: Context (Layer 3 / VRF) -> Bridge Domain (Layer 2 boundary) -> Subnets (IP spaces), for example one bridge domain with Subnet A, B, one with Subnet B, C and one with Subnet D
ACI policy: EPGs (USER, WEB, APP, DB) connected by Contracts (C); an Application Network Profile is a set of EPGs and Contracts
82 Seeing it on APIC: ACI Policy (Contracts), ACI Networking, EPGs
83 TrustSec ACI Integration
84 Why integrate TrustSec and ACI?
ACI policy is expressed in Endpoint Groups (USERS, WEB, APP, DB) and Contracts, but the fabric alone cannot answer questions about who is behind the USERS group:
- What users? (Employee / Contractors / Guests)
- What device-type? (Corporate / BYOD / IOT)
- Posture compliant? (Compliant / Non-compliant)
- Threats / Vulnerabilities? (Safe / Compromised hosts)
- Location? (Corporate / Public / Home)
ISE: "I can help!"
85 ISE and APIC-DC exchange context for interoperability
TrustSec Policy Domain (Security Groups, Cisco ISE 2.1) <-> ACI Policy Domain (End Point Groups, Cisco APIC-DC):
- ISE creates matching Security Groups and Endpoint Groups
- ISE exchanges IP-SGT / EPG Name bindings with APIC-DC
- On the TrustSec side, IP-Security Group bindings are exchanged with the network (SGT over Ethernet from user to switch; IPSec / DMVPN / GETVPN / SXP across the routers, WAN and firewall); on the ACI side, IP-ClassId and VNI bindings are used by the Nexus 9000 spine / leaf fabric and its servers
APIC: Application Policy Infrastructure Controller; ACI: Application Centric Infrastructure
86 ISE and APIC integration settings (for your reference)
Work Centers > TrustSec > Settings > ACI Settings: APIC-DC IP address; ACI tenant where EPGs must be created; suffixes to identify groups created by the integration
87 SGT EPG exchange
Cisco ISE 2.1 (Security Groups and IP bindings) <-> Cisco APIC-DC (End Point Groups (EPG) and IP bindings)
More on ACI Security: BRKSEC Demystifying ACI Security
APIC: Application Policy Infrastructure Controller; ACI: Application Centric Infrastructure
88 Scaling TrustSec-ACI integration: SGT-EPG translation in the data plane
Cisco ISE 2.2 with APIC 2.3. Policy plane (APIC REST API): SG/EPG names and info for the translation table. Routing plane: MP-BGP EVPN and OpFlex. Data plane: iVXLAN with inline groups. A border device between TrustSec (IP-SGT) and ACI (IP-EPG) performs the translation.
ASR1K#show cts sg-epg translations
Total Entries: 2
Last update time: 05:07:17 UTC Jun
Next refresh time: 05:07:17 UTC Jun
* Represents truncated names
Status Codes: A - Active
Security-Group    Endpoint-Group    VRF    Status
:WebServers_APIC  BLUE (2)  A
05:Employees      BLUE (2)  A
* This feature is applicable for a single ACI tenant with multiple VRFs.
89 Segmentation using Virtual Networks (VNs)
90 Software Defined Access
Software Defined Access (SDA) is the next-generation network technology to automate and assure network services securely with simplified administration. Cisco DNA Center (DNA-C workflows) drives ISE, APIC-EM and NDP.
Some key benefits of SDA are:
- Network automation: transform business intent into network configuration at the click of a button
- End-to-end segmentation: role based segmentation of the network with Virtual Networks and Scalable Groups, for example GROUP-1 and GROUP-2 inside an EMPLOYEE virtual network and again inside an IOT virtual network, over secure campus fabric(s)
- Network assurance: based on collected data, provide contextual insights into users and network activities
APIC-EM: Application Policy Infrastructure Controller, Enterprise Module; NDP: Network Data Platform
91 Best of both worlds: Campus Fabric
TrustSec: Security Group Tags (SGT); dynamic SGT assignments to endpoints with ISE; policy automation; robust platform support; leverage the ISE ecosystem for a secure enterprise
ACI: normalized overlay; contracts and service chaining; hierarchical policies; IP mobility; reusable policies and constructs
92 DNA Center 4 step workflow (for your reference)
1. Design: sites / locations, global settings, wired / wireless profiles
2. Policy: access control policies, segmentation, QoS policies
3. Provision: create Campus Fabric, provision WLCs and APs
4. Assurance*: network health, client status, troubleshooting (* FCS +1)
93 Overlay for Campus Fabric: similar format, different payload
LISP (IP based): outer IPv4 header (Ver, IHL, ToS, Total Length, Identification, Flags, Fragmentation Offset, Time to Live, Protocol (17), Header Checksum) | Source Routing Locator | Destination Routing Locator | UDP (Source Port, Destination Port (4341), UDP Length, UDP Checksum) | LISP header: N L E V I flags, Reserved, Security Group Tag, Instance ID / Locator Status Bits | inner IPv4 header with Source Endpoint Identifier and Destination Endpoint Identifier | original payload. The SGT (16 bit) is inserted in the Nonce field (24 bit).
VXLAN (Ethernet based): outer IPv4 header (Protocol (17)) | Source Routing Locator | Destination Routing Locator | UDP (Destination Port (8472)) | VXLAN header: Reserved, Endpoint Group, VxLAN Network Identifier (VN ID), Reserved | inner Ethernet: Inner Destination MAC Address, Inner Source MAC Address, Ethertype = C-Tag (802.1Q), Inner VLAN Tag Information, Ethertype, Original Ethernet Payload | New FCS for Outer Ethernet Frame.
Overall IP MTU increase: 36 bytes of overlay header.
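The two shims from slide 73 and this slide, packed and parsed side by side as an added example (not Cisco code). Both encapsulations are IP + UDP + an 8-byte shim in front of the original packet, which is where the 36-byte IP MTU increase comes from (20 + 8 + 8), and both carry the group identifier in the shim. The reserved byte in the VXLAN-style shim follows the VXLAN group-policy layout (the slide lists only 56 bits), placing the SGT in the low 16 bits of the 24-bit LISP nonce is an assumption, and the flag values are assumed as well.

```python
"""Pack and unpack the two campus overlay shims (slides 73 and 93).

Added example, not Cisco code.  Layouts used here:
  VXLAN-style shim, UDP dst port 8472:
    flags (8) | reserved (8) | source group / EPG (16) | VNID (24) | reserved (8)
  LISP-style shim, UDP dst port 4341:
    flags (8) | nonce (24) = reserved (8) + SGT (16) | instance ID (24) | LSB (8)
The SGT position inside the nonce and the flag values are assumptions.
"""
import struct

VXLAN_UDP_PORT = 8472
LISP_UDP_PORT = 4341
IPV4_HEADER = 20
UDP_HEADER = 8
SHIM_HEADER = 8

VXLAN_FLAG_I = 0x08   # VNID valid (RFC 7348)
VXLAN_FLAG_G = 0x80   # group field valid (VXLAN group policy layout)
LISP_FLAG_I = 0x08    # instance ID present (the I bit of RFC 6830)


def ip_mtu_increase():
    """Bytes the overlay adds to the IP MTU: outer IP + UDP + 8-byte shim."""
    return IPV4_HEADER + UDP_HEADER + SHIM_HEADER


def pack_vxlan(group, vnid, flags=VXLAN_FLAG_I | VXLAN_FLAG_G):
    if not (0 <= group < 1 << 16 and 0 <= vnid < 1 << 24):
        raise ValueError("group is 16 bits, VNID is 24 bits")
    # VNID sits in the top 24 bits of the last word, low byte reserved
    return struct.pack("!BBHI", flags, 0, group, vnid << 8)


def unpack_vxlan(shim):
    flags, _reserved, group, word = struct.unpack("!BBHI", shim[:8])
    return {"flags": flags, "group": group, "vnid": word >> 8, "reserved": word & 0xFF}


def pack_lisp(sgt, instance_id, flags=LISP_FLAG_I, lsb=0x01):
    if not (0 <= sgt < 1 << 16 and 0 <= instance_id < 1 << 24):
        raise ValueError("SGT is 16 bits, instance ID is 24 bits")
    first = (flags << 24) | sgt            # SGT in the low 16 bits of the nonce (assumed)
    second = (instance_id << 8) | lsb      # instance ID (the VN) + locator status bits
    return struct.pack("!II", first, second)


def unpack_lisp(shim):
    first, second = struct.unpack("!II", shim[:8])
    return {"flags": first >> 24, "sgt": first & 0xFFFF,
            "instance_id": second >> 8, "lsb": second & 0xFF}


def dissect(udp_dst_port, payload):
    """Choose the shim parser by UDP destination port; returns (kind, fields)."""
    if len(payload) < SHIM_HEADER:
        raise ValueError("UDP payload shorter than the overlay shim")
    if udp_dst_port == VXLAN_UDP_PORT:
        return "vxlan", unpack_vxlan(payload)
    if udp_dst_port == LISP_UDP_PORT:
        return "lisp", unpack_lisp(payload)
    return None, {}


if __name__ == "__main__":
    print("IP MTU increase:", ip_mtu_increase())
    print(dissect(VXLAN_UDP_PORT, pack_vxlan(1102, 10)))   # WEB EPG from slide 77, VNID 10
    print(dissect(LISP_UDP_PORT, pack_lisp(10, 4099)))     # constructed SGT 10, instance 4099
```

Reading the group out of the shim is what lets a fabric node enforce an SGACL or contract on the first packet of a flow, without an IP-to-group lookup at the egress; that is the "inline groups" property the deck attributes to both encapsulations.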
94 Campus fabric in a nutshell
1. LISP based control plane
2. VXLAN-like data plane
3. Integrated Cisco TrustSec: VRF (Virtual Routing & Forwarding) + SGT (Security Group Tags)
Packet format: ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD
95 Simplifying TrustSec with Campus Fabric
TrustSec today: multiple encapsulations / transport options between source and destination (SXP, SGT-over-VPN, SGT-over-Ethernet).
TrustSec tomorrow: normalized transport and encapsulation for SGTs between source and destination.
96 Campus Fabric network constructs
- Fabric Control-Plane Node (C; LISP Map Server / Resolver): has the host tracking database that provides reachability information
- Fabric Border Node (B; LISP proxy tunnel router): connects the fabric to the outside world
- Fabric Edge Node (E; LISP tunnel router): connects users and devices to the fabric; anycast L3 gateway; registers endpoint IDs with the control-plane node
- Fabric network: IS-IS for the underlay, VXLAN (LISP) for the overlay
- Host pool: based on IP subnet + VLAN-ID, with the edge node as anycast gateway; assigned by AAA / static configuration
AAA: Authentication, Authorization and Accounting
97 Campus Fabric policy constructs
- Virtual Networks (VN-A, VN-B, VN-C): a virtual neighborhood based on Virtual Routing & Forwarding (VRF); maintains a separate routing & switching instance for each virtual neighborhood
- TrustSec policy: Security Group Tags; sources and destinations receive SGT assignments and the policy is downloaded to the fabric
Note: at FCS, all SG based policies must be contained within one VN
98 SDA Fabric work flow (DNA-C UI, APIC-EM)
1. Create Fabric (SJC-19-Fabric)
2. Add nodes to the fabric
3. Select the Control Plane Node (C)
4. Select the Border Node (B), which connects SJC-19-FABRIC to Internet & Intranet
Fabric: Layer-3 underlay (ECMP), VxLAN overlay; devices and hosts
99 SDA policy and on-boarding (DNA-C UI, APIC-EM, Cisco ISE)
1. Create Fabric (SJC-19-Fabric)
2. Add nodes to the fabric
3. Select Control Plane Node
4. Select Border Node
5. Add Virtual Network(s) and select the authentication type for their hosts, for example: VN IOT (SGT, IP-POOL A, STATIC); VN EMPL (SGT, IP-POOL B, 802.1X); VN GUEST (SGT 30, IP-POOL C, STATIC / EASY-C)
100 SDA policy deployment
Cisco DNA Center fabric policies: source Employees, destination PCI_Servers, contract DENY. Groups available include Employees, Contractors, PCI_Servers and POS_Systems. DNA Center sends the policy to Cisco ISE over its API; ISE downloads the policy to the fabric nodes.
At SDA release 1, all SG policies must be contained within one Virtual Network.
101 SDA group-based policy administration
102 ISE programming over APIs from DNA-C
103 Campus Fabric summary (for your reference)
Management domain: Virtual Networks (VN), each a virtual neighborhood at Layer 3 / VRF
Networking: host pools (VLAN-X / Subnet A, VLAN-Y / Subnet B, VLAN-Z / Subnet C), each a Layer 2 and L3 access boundary
Policy: SGT + SGACL per host pool; the enterprise policy is the set of SGTs and policy
104 Closing thoughts
105 Integrating Security into the Network
A continuous cycle: Discover and Classify Assets, Active Monitoring, Network Segmentation, Understand Behavior, Enforce Policy, Design and Model Policy
106 ISE is critical for Software defined segmentation
Cisco ISE at the center:
- On-prem cross policy integrations with orchestration tools: Security Group definitions, new group members and policy definition (SGACLs) over REST APIs
- Sec Groups, SGACLs and membership info to Open Daylight, SDA and ACI over SXP, REST, pxGrid and RADIUS
- Group policy connections to other vendors: Sec Group / membership info over REST APIs
- Security Group based policies / analysis: ASA, NGFW, WSA, Stealthwatch
- Software-Defined Segmentation (SGT classifications, Sec Group & policy download, SGT-EPG translation): Catalyst switches, Nexus switches, Industrial Ethernet switches, Integrated Service Routers, Wireless LAN, Connected Grid Routers & Switches
107 Solution to the segmentation challenge (case study)
TrustSec solution: TrustSec segmentation, lower operational costs.
- Cisco ISE authorizes each endpoint with an SGT and pushes SGACLs to the branch CA* switch (*Converged Access)
- One network for all vendors, but each vendor is segmented with TrustSec
- Fewer VLANs & SSIDs to manage; provisioning / retiring vendors is now easy
Store: Guest, BYOD, Vendors; Store PCI: Demo, Vendors (all authenticated and authorized by ISE). Branch ISR w/ ZBFW and VRFs -> WAN -> Data Center: Cisco ISE (Vendor & Guest accounts), AD (Employee accounts), servers; the whole path is secure.
* Additional VLAN/VRFs for Voice, Print, AP, etc. not shown in the picture
108 What should be the choice? For segmentation and group-based policies for enterprise networks:
- Open and programmable
- Controller driven (ISE, APIC, ...)
- Reusable group based policies (TrustSec policies, Contracts, ...)
- Topology independent segment identifiers (SGTs, EPGs, ...)
109 Other ISE Break Out Sessions
- BRKSEC-2695 Building an Enterprise Access Control Architecture using ISE and TrustSec, Imran Bashir: Tue 08:00-10:00 AM, Level 3, South Seas F; Wed 1:30-03:30 PM, Level 2, Mandalay Bay E
- BRKSEC-3699 Designing ISE for Scale & High Availability, Craig Hyps: Tue 1:30-03:30 PM, Level 2, Mandalay Bay J
- BRKSEC-2059 Deploying ISE in a Dynamic Environment, Clark Gambrel: Tue 04:00-05:30 PM, Level 3, South Seas E
- BRKSEC-3697 Advanced ISE Services, Tips and Tricks, Aaron Woland: Tue 08:00-10:00 AM, L-2, Mandalay Bay G; Wed 1:30-03:30 PM, L-2, Mandalay Bay H
- BRKSEC-2039 Cisco Medical Device NAC, Mark Bernard and Tim Lovelace: Mon 04:00-05:30 PM, Level 3, South Seas D
- BRKCOC-2018 Inside Cisco IT: How Cisco Deployed ISE and TrustSec, David Iacobacci, Bassem Khalife: Thu 08:30-10:00 AM, Level 3, South Seas E
110 Other TrustSec Break Out Sessions
- BRKSEC-2203 Enabling Software-Defined Segmentation with TrustSec, Fay Lee: Tue 4:00-5:30 PM, Level 2, Mandalay Bay G
- BRKCRS-2893 Choice of Segmentation and Group based Policies for Enterprise Networks, Hariprasad Holla: Thu 10:30-12:00 PM, Level 2, Breakers IJ
- BRKCRS-2810 Cisco SD-Access - A Look Under the Hood, Shawn Wargo: Mon 1:30-03:30 PM, L-2, Lagoon I; Tue 08:00-10:00 AM, L-3, South Seas D
- BRKSEC-2205 Security and Virtualization in the Data Center, Justin Poole: Mon 08:00-10:00 AM, Level 2, Reef F
- BRKSEC-3014 Security Monitoring with StealthWatch: The detailed walkthrough, Matthew Robertson: Mon 1:30-3:30 PM, Level 2, Breakers IJ
- BRKSEC-2026 Building Network Security Policy Through Data Intelligence, Darrin Miller, Matthew Robertson: Wed 4:00-5:30 PM, Level 3, South Seas G
111 ISE / TrustSec Labs
- LTRSEC-2002 ISE integration with Firepower using pxGrid protocol, Vibhor Amrodia, Aditya Ganjoo: Wed 8:00-12:00 PM, MGM Grand, Level 1, Room 104
- LTRCRS-2006 Visibility Driven Secure Segmentation, Hariprasad Holla, Aaron Rohyans: Wed 01:00-05:00 PM, MGM Grand, Level 1, Room 115
- LTRCRS-2810 Cisco SD-Access Hands-on Lab, Derek Huckaby, Larissa Overbey: Wed 01:00 PM, MGM L-1, 116; Thu 08:00 PM, MGM L-1, 101
112 Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card. Complete your session surveys through the Cisco Live mobile app or on the Cisco Live website.
Don't forget: Cisco Live sessions will be available for viewing on demand after the event.
More informationEvolution of Data Center Security Automated Security for Today s Dynamic Data Centers
Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers Speaker: Mun Hossain Director of Product Management - Security Business Group Cisco Twitter: @CiscoDCSecurity 2 Any
More informationHPE FlexFabric 5940 Switch Series
HPE FlexFabric 5940 Switch Series EVPN Configuration Guide Part number: 5200-2002b Software version: Release 25xx Document version: 6W102-20170830 Copyright 2017 Hewlett Packard Enterprise Development
More informationDNA SA Border Node Support
Digital Network Architecture (DNA) Security Access (SA) is an Enterprise architecture that brings together multiple building blocks needed for a programmable, secure, and highly automated fabric. Secure
More informationCisco Exam Questions & Answers
Cisco 648-375 Exam Questions & Answers Number: 648-375 Passing Score: 800 Time Limit: 120 min File Version: 22.1 http://www.gratisexam.com/ Cisco 648-375 Exam Questions & Answers Exam Name: Cisco Express
More informationMP-BGP VxLAN, ACI & Demo. Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017
MP-BGP VxLAN, ACI & Demo Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017 Datacenter solutions Programmable Fabric Classic Ethernet VxLAN-BGP EVPN standard-based Cisco DCNM Automation Modern
More informationCisco TrustSec Software-Defined Segmentation Platform and Capability Matrix
Sales Tool TrustSec Software-Defined Segmentation Platform and Capability Matrix TrustSec uniquely builds upon your existing identity-aware infrastructure by enforcing segmentation and access control policies
More informationSoftware-Defined Access Wireless
Introduction to, page 1 Configuring SD-Access Wireless (CLI), page 7 Enabling SD-Access Wireless (GUI), page 8 Configuring SD-Access Wireless VNID (GUI), page 9 Configuring SD-Access Wireless WLAN (GUI),
More informationRouting Underlay and NFV Automation with DNA Center
BRKRST-1888 Routing Underlay and NFV Automation with DNA Center Prakash Rajamani, Director, Product Management Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session
More informationCisco SD-Access Building the Routed Underlay
Cisco SD-Access Building the Routed Underlay Rahul Kachalia Sr. Technical Leader Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the
More informationDNA Campus Fabric. How to Migrate The Existing Network. Kedar Karmarkar - Technical Leader BRKCRS-2801
DNA Campus Fabric How to Migrate The Existing Network Kedar Karmarkar - Technical Leader Campus Fabric Abstract Is your Campus network facing some, or all, of these challenges? Host Mobility (w/o stretching
More informationExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you
ExamTorrent http://www.examtorrent.com Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you Exam : 400-251 Title : CCIE Security Written Exam (v5.0) Vendor : Cisco Version
More informationCisco Software-Defined Access
Migration Guide Cisco Software-Defined Access 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 31 Contents Cisco SD-Access... 3 Evolution of Networking
More informationWorking with Contracts
Contracts, page 1 Filters, page 9 Taboo Contracts, page 12 Inter-Tenant Contracts, page 15 Contracts Contracts provide a way for the Cisco Application Centric Infrastructure (ACI) administrator to control
More informationCisco Application Centric Infrastructure (ACI) - Endpoint Groups (EPG) Usage and Design
White Paper Cisco Application Centric Infrastructure (ACI) - Endpoint Groups (EPG) Usage and Design Emerging IT technologies have brought about a shift from IT as a cost center to IT as a business driver.
More informationContents. EVPN overview 1
Contents EVPN overview 1 EVPN network model 1 MP-BGP extension for EVPN 2 Configuration automation 3 Assignment of traffic to VXLANs 3 Traffic from the local site to a remote site 3 Traffic from a remote
More informationIntroduction to External Connectivity
Before you begin Ensure you know about Programmable Fabric. Conceptual information is covered in the Introduction to Cisco Programmable Fabric and Introducing Cisco Programmable Fabric (VXLAN/EVPN) chapters.
More informationCisco Network Admission Control (NAC) Solution
Data Sheet Cisco Network Admission Control (NAC) Solution New: Updated to include the Cisco Secure Network Server (SNS) Cisco Network Admission Control (NAC) solutions allow you to authenticate wired,
More informationSoftware-Defined Access Design Guide
Cisco Validated design Software-Defined Access Design Guide December 2017 Solution 1.1 Table of Contents Table of Contents Cisco Digital Network Architecture and Software-Defined Access Introduction...
More informationCisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13
Q&A Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13 Q. What is the Cisco Cloud Services Router 1000V? A. The Cisco Cloud Services Router 1000V (CSR 1000V) is a router in virtual
More informationContents. Introduction. Prerequisites. Configure. Requirements. Components Used. Network Diagram
Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram Traffic Flow Configurations Switch 3850-1 Switch 3850-2 ISE Verify References Related Cisco Support Community
More informationSoftware-Defined Access Wireless
Introduction to, page 1 Configuring SD-Access Wireless (CLI), page 7 Enabling SD-Access Wireless (GUI), page 8 Configuring SD-Access Wireless VNID (GUI), page 9 Configuring SD-Access Wireless WLAN (GUI),
More informationCisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer
Cisco Next Generation Firewall and IPS Dragan Novakovic Security Consulting Systems Engineer Cisco ASA with Firepower services Cisco TALOS - Collective Security Intelligence Enabled Clustering & High Availability
More informationCisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller
Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table
More informationHuawei CloudEngine Series. VXLAN Technology White Paper. Issue 06 Date HUAWEI TECHNOLOGIES CO., LTD.
Issue 06 Date 2016-07-28 HUAWEI TECHNOLOGIES CO., LTD. 2016. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of
More informationSD-Access Wireless Design and Deployment Guide
SD-Access Wireless Design and Deployment Guide Executive Summary 2 Software Defined Access 2 SD Access Wireless 3 SD Access Wireless Architecture 4 Setting up SD-Access Wireless with DNAC 13 SD Access
More informationCisco TrustSec Quick Start Configuration Guide
Cisco TrustSec Quick Start Configuration Guide Table of Contents Introduction... 5 Using This Guide... 5 Baseline ISE Configuration for TrustSec... 7 Active Directory Integration (optional)... 7 Defining
More informationMigration from Classic DC Network to Application Centric Infrastructure
Migration from Classic DC Network to Application Centric Infrastructure Kannan Ponnuswamy, Solution Architect, Cisco Advanced Services Acronyms IOS vpc VDC AAA VRF STP ISE FTP ToR UCS FEX OTV QoS BGP PIM
More informationIP Fabric Reference Architecture
IP Fabric Reference Architecture Technical Deep Dive jammon@brocade.com Feng Shui of Data Center Design 1. Follow KISS Principle Keep It Simple 2. Minimal features 3. Minimal configuration 4. Configuration
More informationCisco TrustSec How-To Guide: Central Web Authentication
Cisco TrustSec How-To Guide: Central Web Authentication For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 1
More informationONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013
ONE POLICY Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013 Agenda Secure Unified Access with ISE Role-Based Access Control Profiling TrustSec Demonstration How ISE is Used Today
More informationP ART 3. Configuring the Infrastructure
P ART 3 Configuring the Infrastructure CHAPTER 8 Summary of Configuring the Infrastructure Revised: August 7, 2013 This part of the CVD section discusses the different infrastructure components that are
More informationSecurity? where to? Adrian Aron. Consultant Systems Engineer. 19 Oct
Security? where to? Adrian Aron Consultant Systems Engineer 19 Oct Agenda Industry shift and trends Router security, switch security OpenDNS Integration and automation Q&A Road from task to implementation
More informationEIGRP Over the Top. Finding Feature Information. Information About EIGRP Over the Top. EIGRP Over the Top Overview
The feature enables a single end-to-end routing domain between two or more Enhanced Interior Gateway Routing Protocol (EIGRP) sites that are connected using a private or a public WAN connection. This module
More information2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
2018 Cisco and/or its affiliates. All rights reserved. Cisco Public PSODCN-1030 Intent Based Systems Deliver Automation Dave Malik Cisco Fellow and Chief Architect Advanced Services @dmalik2 2018 Cisco
More informationNexus 1000V in Context of SDN. Martin Divis, CSE,
Nexus 1000V in Context of SDN Martin Divis, CSE, mdivis@cisco.com Why Cisco Nexus 1000V Losing the Edge Server Admin Host Host Host Host Server Admin manages virtual switching! vswitch vswitch vswitch
More informationCisco Group Encrypted Transport VPN
Cisco Group Encrypted Transport VPN Q. What is Cisco Group Encrypted Transport VPN? A. Cisco Group Encrypted Transport is a next-generation WAN VPN solution that defines a new category of VPN, one that
More informationACI Terminology. This chapter contains the following sections: ACI Terminology, on page 1. Cisco ACI Term. (Approximation)
This chapter contains the following sections:, on page 1 Alias API Inspector App Center Alias A changeable name for a given object. While the name of an object, once created, cannot be changed, the Alias
More informationCisco SD-WAN and DNA-C
Cisco SD-WAN and DNA-C SD-WAN Cisco SD-WAN Intent-based networking for the branch and WAN 4x Improved application experience Better user experience Deploy applications in minutes on any platform with consistent
More informationCisco TrustSec How-To Guide: Monitor Mode
Cisco TrustSec How-To Guide: Monitor Mode For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2 Introduction...
More informationManaging Site-to-Site VPNs: The Basics
CHAPTER 23 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels
More informationCisco Nexus Data Broker
Data Sheet Cisco Nexus Data Broker Product Overview You used to monitor traffic mainly to manage network operations. Today, when you monitor traffic you can find out instantly what is happening throughout
More informationCisco Virtual Networking Solution for OpenStack
Data Sheet Cisco Virtual Networking Solution for OpenStack Product Overview Extend enterprise-class networking features to OpenStack cloud environments. A reliable virtual network infrastructure that provides
More informationAPIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks
APIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks Saurav Prasad Technical Marketing Engineer CTHNMS-1002 Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after
More informationLayer 4 to Layer 7 Design
Service Graphs and Layer 4 to Layer 7 Services Integration, page 1 Firewall Service Graphs, page 5 Service Node Failover, page 10 Service Graphs with Multiple Consumers and Providers, page 12 Reusing a
More informationImplementing Cisco Edge Network Security Solutions ( )
Implementing Cisco Edge Network Security Solutions (300-206) Exam Description: The Implementing Cisco Edge Network Security (SENSS) (300-206) exam tests the knowledge of a network security engineer to
More informationISE Identity Service Engine
CVP ISE Identity Service Engine Cisco Validated Profile (CVP) Series 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 10 Contents 1. Profile introduction...
More informationConfiguring MPLS and EoMPLS
37 CHAPTER This chapter describes how to configure multiprotocol label switching (MPLS) and Ethernet over MPLS (EoMPLS) on the Catalyst 3750 Metro switch. MPLS is a packet-switching technology that integrates
More informationProvisioning Overlay Networks
This chapter has the following sections: Using Cisco Virtual Topology System, page 1 Creating Overlays, page 2 Creating Network using VMware, page 4 Creating Subnetwork using VMware, page 4 Creating Routers
More informationIntelligent WAN Multiple VRFs Deployment Guide
Cisco Validated design Intelligent WAN Multiple VRFs Deployment Guide September 2017 Table of Contents Table of Contents Deploying the Cisco Intelligent WAN... 1 Deploying the Cisco IWAN Multiple VRFs...
More informationDemand-Based Control Planes for Switching Fabrics
Demand-Based Control Planes for Switching Fabrics Modern switching fabrics use virtual network overlays to support mobility, segmentation, and programmability at very large scale. Overlays are a key enabler
More informationExam Name: VMware Certified Associate Network Virtualization
Vendor: VMware Exam Code: VCAN610 Exam Name: VMware Certified Associate Network Virtualization Version: DEMO QUESTION 1 What is determined when an NSX Administrator creates a Segment ID Pool? A. The range
More informationCisco CCIE Data Center Written Exam v2.0. Version Demo
Cisco 400-151 CCIE Data Center Written Exam v2.0 Version Demo QUESTION 1 Which IETF standard is the most efficient messaging protocol used in an lot network? A. SNMP B. HTTP C. CoAP D. MQTI Correct Answer:
More information