Choice of Segmentation and Group Based Policies for Enterprise Networks


2 Choice of Segmentation and Group Based Policies for Enterprise Networks
Hari Holla, Technical Marketing Engineer, Cisco ISE
BRKCRS-2893
hari_holla, /in/hariholla

3 Cisco Spark
Questions? Use Cisco Spark to chat with the speaker after the session.
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be available until July 3 (cs.co/ciscolivebot#brkcrs).
Cisco and/or its affiliates. All rights reserved. Cisco Public

4 A multi-national retailer's segmentation problem (Case Study)
The segmentation challenge is common to many other types of networks: universities, hospitals, manufacturing, etc.
Customer concerns:
- Need dynamic segmentation
- Reduce operational costs
- Keep it secure
Employees, PCI devices, vendors and guests in the branch need segmentation. Each segment today is a VLAN and/or an SSID. Provisioning and decommissioning vendors is a tedious task.
[Diagram: store VLANs (Guest, BYOD, Vendor-1 to Vendor-N, PCI, Demo, Vendor-A, Vendor-B) behind an ISR with zone-based firewall, WAN VRFs, and the data center (WLC, servers) reached via the Internet. Additional VLANs/VRFs for Voice, Print, AP, etc. are not shown.]

5 VLANs for segmentation?

6 Segmenting with VLANs
Limitations of traditional segmentation:
- Security policy based on topology
- High cost and complex maintenance
Classification: static / dynamic VLAN assignments (Quarantine VLAN, Voice VLAN, Data VLAN, Guest VLAN, BYOD VLAN)
Propagation: carry segment context over the network through VLAN tags / IP addresses / VRFs
Enforcement: IP-based policies (ACLs, firewall rules, VACLs)
[Diagram: enterprise backbone, aggregation layer and access layer with Employee, Supplier, BYOD, Voice and Non-Compliant endpoints, each VLAN dragging along a static ACL, routing, redundancy, a DHCP scope and addressing; a long sample "access-list 102" with dozens of IP- and port-specific permit/deny entries illustrates the maintenance burden.]

7 The alternative: Software Defined Segmentation
Controller-driven policy definition and enforcement based on segment IDs.
Topology-independent segment IDs (VLAN / IP agnostic), e.g. Employees, Phones, Servers, Quarantine.

8 Agenda
- Segmenting using Security Group Tags (SGTs)
- End-Point Groups (EPGs)
- Virtual Networks (VNs)
- Closing thoughts

9 Heads up
This is the ISE icon (Cisco Identity Services Engine).
"For your reference" marks a hidden slide, or one to glance at quickly if it shows up.

10 Segmentation using Security Group Tags (SGT)

11 Cisco TrustSec
The three functions: Classification, Propagation, Enforcement.
[Diagram: users on remote access, wireless and wired networks are classified by Cisco ISE (backed by a directory) and tagged, e.g. Employees = SGT 5; traffic crosses switches and routers to the DC firewall and DC switch, which protect Production Servers (SGT 8) and Application Servers (SGT 7).]
Egress policy (source row, destination column):
Source      App_Serv    Prod_Serv
Employee    Permit All  Deny All
App_Serv    Permit All  Deny All
Prod_Serv   Deny All    Permit All

12 Consistent access governed by simplified policy
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers.
TrustSec simplifies ACL management for intra-/inter-VLAN traffic.
The DC switch receives policy only for what is connected to it.
[Diagram: ISE-governed enterprise backbone; access switches with Employee, Voice, Supplier and Non-Compliant endpoints tagged across VLAN Data-1 and VLAN Data-2; data center with Shared Services, Remediation and Application Servers behind a DC switch.]

13 Same policy to control lateral access (FOR YOUR REFERENCE)
Segment traffic based on the classified group (SGT), not on topology (VLAN, IP subnet).
Micro-segmentation / host isolation in LAN and DC with a single policy (segment devices even in the same VLAN or the same security group).
[Diagram: same topology as slide 12.]

14 The three common deployment scenarios
User to Data Center Access Control:
- Context-based access control
- Compliance requirements: PCI, HIPAA, export-controlled information
- Merger & acquisition integration, divestments
Data Center Segmentation:
- Server zoning & micro-segmentation
- Production vs. development server segmentation
- Compliance requirements: PCI, HIPAA
- Firewall rule automation
Campus and Branch Segmentation:
- Line of business segregation
- PCI, HIPAA and other compliance regulations
- Malware propagation control / quarantine

15 TrustSec Deep Dive

16 Doing TrustSec
TrustSec enablement: Cisco ISE configuration; network readiness assessment and TrustSec feature enablement.
The 3 TrustSec functions: Classification, Propagation, Enforcement.
[Diagram and egress policy matrix as on slide 11: Employees (SGT 5), Application Servers (SGT 7), Production Servers (SGT 8).]

17 ISE is the TrustSec controller

18 ISE is the TrustSec controller
- NDAC (Network Device Admission Control): a trusted domain of network devices
- SGT: centrally defined Security Group Tags, e.g. 3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers
- SGACL / name table: the TrustSec policy matrix, pushed down to the enforcers via a secure channel
- SGT assignment: ISE can dynamically (via authentication / SXP / pxGrid) or statically (via CLI) assign SGTs to assets
[Diagram: sources (802.1X with dynamic SGT assignment, rogue devices kept out) and destinations (dynamic / static SGT assignments), with ISE distributing the SGACL / name table.]

19 Network Device Admission Control
NDAC for a trusted domain of network devices (the first of the four controller functions listed on slide 18).

20 Network Device Admission Control (FOR YOUR REFERENCE)
The IOS switch authenticates with Cisco ISE over RADIUS to establish a secure EAP-FAST channel; over it ISE delivers environmental data and the TrustSec egress policy.
  Switch# cts credential id C password cisco
The Device_SGT facilitates the communication between ISE and TrustSec devices.

21 Network Device Admission Control (FOR YOUR REFERENCE)
Admins can opt to use custom SGT numbers; the default is system generated.
PAC settings are used for the secure channel between ISE and TrustSec devices.

22 Defining Security Group Tags (SGTs)
Define SGTs under the Components section of the TrustSec Work Center (from ISE 2.0).

23 TrustSec egress policy
A user-friendly policy matrix based on Security Group Tags.

24 SGT assignment for endpoints
Work Centers > TrustSec > Authorization Policy

25 The 3 TrustSec functions
Classification (assigning SGTs, e.g. 5 Employee, 6 Voice, 7 Partner): static assignments, dynamic assignments
Propagation: inline methods, SXP, pxGrid
Enforcement: Security Group ACL, SG Firewall

26 Classification: Two ways to assign Security Group Tags
Dynamic classification: authentication-based (e.g. MAB) at campus access and on the WLC
Static classification: L3 interface (SVI) to SGT, L2 port to SGT, VLAN to SGT, subnet to SGT, VM (port profile) to SGT on the hypervisor switch
[Diagram: campus access, distribution, core, enterprise backbone, DC core, DC access, firewall, hypervisor switch.]

27 Classification: SGT assignment to a wired endpoint
Cisco ISE assigns the SGT to the session on the Catalyst switch port (addresses trimmed from the output):
  Switch# show authentication sessions int Gi 0/1 details
  Interface: GigabitEthernet1/0/23
  IIF-ID: 0x107AB
  MAC Address:
  IPv6 Address: 2001:DB8:100:0:3809:A879:5197:16DB
  IPv4 Address:
  User-Name: bob@trustsec.lab
  Status: Authorized
  Domain: DATA
  Oper host mode: multi-auth
  Oper control dir: both
  Session timeout: N/A
  Common Session ID: 0A FC50BEC5800
  Acct Session ID: 0x00000FBE
  Handle: 0xD
  Current Policy: POLICY_Gi1/0/23
  Server Policies:
    SGT Value: 10
  Method status list:
    Method  State
    mab     Authc Success

28 Classification: Assigning SGTs to wireless sessions
Cisco ISE assigns the SGT to the wireless session on the WLC. Works on AireOS and IOS wireless controllers.

29 Classification: VLANs can be mapped to SGTs
VLAN-100 = SGT-100 on the Catalyst switch ports G 0/1 and G 0/2:
  Switch(config)# cts role-based sgt-map vlan-list 100 sgt 100
  Switch# show cts role-based sgt-map all
  Active IPv4-SGT Bindings Information
  IP Address   SGT   Source
  ============================================
  <address>    ...   LOCAL
  <address>    ...   INTERNAL
  <address>    ...   VLAN
  <address>    ...   VLAN
  IP-SGT Active Bindings Summary
  ============================================
  Total number of VLAN bindings = 2
  Total number of LOCAL bindings = 1
  Total number of active bindings = 4
(IP addresses and SGT values were not captured in the transcription.)

30 Classification: Routes learnt on the interface get the SGT
Can apply to Layer 3 interfaces regardless of the underlying physical interface: routed port, SVI (VLAN interface), tunnel interface, etc.
Example (DC access switch): GigabitEthernet 3/0/1 receives route updates from Joint Ventures and maps to SGT 8; GigabitEthernet 3/0/2 receives route updates from Business Partners and maps to SGT 9. Resulting bindings (prefixes not captured):
  IP Address   SGT   Source
  ========================================
  <local>      -     INTERNAL
  <local>      -     INTERNAL
  <local>      -     INTERNAL
  <prefix>/24  8     L3IF
  <prefix>/24  9     L3IF
  <prefix>/24  9     L3IF

31 Classification: SGT binding source priority (FOR YOUR REFERENCE)
The current priority enforcement order, from lowest (1) to highest (7), is as follows:
1. VLAN: bindings learned from snooped ARP packets on a VLAN that has a VLAN-SGT mapping configured.
2. CLI: address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.
3. Layer 3 Interface (L3IF): bindings added due to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports.
4. SXP: bindings learned from SXP peers.
5. IP_ARP: bindings learned when tagged ARP packets are received on a CTS-capable link.
6. LOCAL: bindings of authenticated hosts, learned via ISE and device tracking. This type of binding also includes individual hosts learned via ARP snooping on L2 [I]PM configured ports.
7. INTERNAL: bindings between locally configured IP addresses and the device's own SGT.
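The binding-source priority above, as an added example (not code from the deck or from Cisco): a small resolver that picks the winning IP-to-SGT binding for an address and lists the bindings that are shadowed by a higher-priority source, which is the first thing to check when the tag being enforced is not the one ISE assigned. The Binding class, the sample table, the same-prefix-wins-by-priority rule and the longest-prefix rule across prefixes are assumptions.

```python
"""Resolve competing IP-to-SGT bindings using the slide's source priority.

Added example, not code from the deck or from Cisco.  Assumptions not
stated on the slide: when several bindings exist for the same prefix the
highest-priority source wins, and when bindings of different prefix
lengths cover an address the longest prefix wins.  All addresses, SGT
numbers and bindings below are constructed test data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

# Binding source -> priority, lowest (1) to highest (7), as listed on the slide.
SOURCE_PRIORITY = {
    "VLAN": 1,      # ARP snooped on a VLAN with a VLAN-SGT mapping
    "CLI": 2,       # cts role-based sgt-map <ip> sgt <n>
    "L3IF": 3,      # FIB path through an interface with an L3IF-SGT mapping
    "SXP": 4,       # learned from an SXP peer
    "IP_ARP": 5,    # tagged ARP received on a CTS-capable link
    "LOCAL": 6,     # authenticated host learned via ISE / device tracking
    "INTERNAL": 7,  # the device's own addresses and its Device SGT
}


@dataclass(frozen=True)
class Binding:
    prefix: str   # host ("10.1.1.50/32") or subnet ("10.1.1.0/24")
    sgt: int
    source: str   # one of the SOURCE_PRIORITY keys

    def covers(self, ip: str) -> bool:
        return ip_address(ip) in ip_network(self.prefix, strict=False)


def _best_per_prefix(bindings: Iterable[Binding]) -> Dict[str, Binding]:
    """For every prefix keep only the binding from the highest-priority source."""
    best: Dict[str, Binding] = {}
    for b in bindings:
        cur = best.get(b.prefix)
        if cur is None or SOURCE_PRIORITY[b.source] > SOURCE_PRIORITY[cur.source]:
            best[b.prefix] = b
    return best


def resolve_sgt(ip: str, bindings: Iterable[Binding]) -> Optional[Tuple[int, str]]:
    """Return the (sgt, source) the device would apply to ip, or None."""
    covering = [b for b in bindings if b.covers(ip)]
    if not covering:
        return None
    best = _best_per_prefix(covering)
    # Longest prefix match among the surviving bindings (assumption, see docstring).
    winner = max(best.values(),
                 key=lambda b: ip_network(b.prefix, strict=False).prefixlen)
    return winner.sgt, winner.source


def shadowed_bindings(bindings: List[Binding]) -> List[Binding]:
    """Bindings that never take effect because a higher-priority source
    supplies a binding for the same prefix; handy when auditing why an
    SXP- or VLAN-learned tag is not the one being enforced."""
    best = _best_per_prefix(bindings)
    return [b for b in bindings if best[b.prefix] is not b]


# Constructed sample table with one conflict per prefix.
SAMPLE_BINDINGS = [
    Binding("10.1.1.0/24", 100, "VLAN"),    # VLAN 100 mapped to SGT 100
    Binding("10.1.1.0/24", 20, "CLI"),      # CLI subnet binding beats VLAN
    Binding("10.1.1.50/32", 5, "SXP"),      # stale tag received from a peer
    Binding("10.1.1.50/32", 7, "LOCAL"),    # host authenticated here: wins
    Binding("10.1.1.1/32", 2, "INTERNAL"),  # the switch's own SVI address
]

if __name__ == "__main__":
    for ip in ("10.1.1.50", "10.1.1.77", "10.1.1.1", "192.0.2.9"):
        print(ip, "->", resolve_sgt(ip, SAMPLE_BINDINGS))
    print("shadowed:", shadowed_bindings(SAMPLE_BINDINGS))
```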

32 Classification: In Nexus 1000V, SGTs can be assigned to a port profile (FOR YOUR REFERENCE)
- Port profile: a container of network properties, applied to different interfaces
- The server admin may assign port profiles to new VMs
- VMs inherit the network properties of the port profile, including the SGT
- The SGT stays with the VM even if it is moved

33 The 3 TrustSec functions (section divider, same content as slide 25)

34 Propagation: Two ways to propagate tags
Inline method: the SGT is carried inline in the data traffic (diagram: a packet from 5/Employees to 7/WebServers carries SGT-5 across SW1, R1 and SW2). Methods include SGT over: Ethernet, MACsec, LISP/VXLAN, IPsec, DMVPN, GETVPN.
Out-of-band method: the IP-to-SGT data is shared over a control protocol; no SGT in the data plane. Methods include IP-to-SGT exchange over: SXP, pxGrid.

35 Propagation: Ethernet inline tagging
Ethernet frame with Cisco Meta Data: Destination MAC | Source MAC | 802.1Q | CMD EtherType (0x8909) | CMD: Version, Length, SGT Option Type, SGT Value (16 bits), other CMD options | EtherType | Payload | CRC.
MACsec frame: Destination MAC | Source MAC | 802.1AE header (EtherType 0x88E5) | 802.1Q | CMD EtherType | CMD | EtherType | Payload | 802.1AE trailer | CRC, with AES-GCM 128-bit encryption.
- Fastest and most scalable way to propagate SGTs within the LAN or DC
- SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame
- Capable switches understand and process the SGT at line rate
- Optionally protect CMD with MACsec (IEEE 802.1AE)
- No impact on QoS or IP MTU / fragmentation; L2 frame impact ~20 bytes
- 16-bit field, ~64,000 tag space
- A non-capable device drops frames with the unknown EtherType
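The CMD layout above, as an added example (not code from the deck or from Cisco): a builder and parser for frames with and without the inline tag, which also shows the two caveats the slide names, that a MACsec-protected frame hides the CMD from a passive observer and that a hop which does not understand EtherType 0x8909 discards the frame. The field widths (1, 1, 2, 2 bytes), option type 0x0001, Length = 1 and all sample frames are assumptions.

```python
"""Build and parse Ethernet frames carrying an inline SGT in Cisco Meta
Data (CMD).  Added example, not code from the deck or from Cisco.

Layout follows the slide: [802.1Q] -> EtherType 0x8909 -> CMD (Version,
Length, SGT Option Type, 16-bit SGT Value) -> original EtherType ->
payload.  The field widths (1, 1, 2, 2 bytes), option type 0x0001 and
Length = 1 are assumptions; every frame below is constructed test data.
"""
import struct
from typing import Dict, Optional

DOT1Q_ETHERTYPE = 0x8100
CMD_ETHERTYPE = 0x8909     # Cisco Meta Data (from the slide)
MACSEC_ETHERTYPE = 0x88E5  # IEEE 802.1AE SecTAG (from the slide)
SGT_OPTION_TYPE = 0x0001   # assumed option type for the SGT option
CMD_VERSION = 1


def build_frame(dst_mac: str, src_mac: str, payload: bytes,
                sgt: Optional[int] = None, vlan: Optional[int] = None,
                ethertype: int = 0x0800) -> bytes:
    """Assemble DMAC|SMAC|[802.1Q]|[CMD]|EtherType|payload (CRC omitted)."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vlan is not None:
        frame += struct.pack("!HH", DOT1Q_ETHERTYPE, vlan & 0x0FFF)
    if sgt is not None:
        if not 0 <= sgt <= 0xFFFF:
            raise ValueError("SGT is a 16-bit field")
        # CMD EtherType, Version, Length, SGT option type, SGT value: 8 bytes
        frame += struct.pack("!HBBHH", CMD_ETHERTYPE, CMD_VERSION, 1,
                             SGT_OPTION_TYPE, sgt)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Walk the header chain; return VLAN, SGT, inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6].hex(), frame[6:12].hex()
    off = 12
    (etype,) = struct.unpack_from("!H", frame, off)
    off += 2
    vlan = None
    if etype == DOT1Q_ETHERTYPE:
        tci, etype = struct.unpack_from("!HH", frame, off)
        vlan = tci & 0x0FFF
        off += 4
    if etype == MACSEC_ETHERTYPE:
        # The CMD sits inside the protected 802.1AE payload, so a passive
        # observer without the MACsec keys cannot read the tag.
        raise ValueError("MACsec-protected frame: CMD not visible")
    sgt = None
    if etype == CMD_ETHERTYPE:
        version, length, opt_type, sgt = struct.unpack_from("!BBHH", frame, off)
        if version != CMD_VERSION or opt_type != SGT_OPTION_TYPE:
            raise ValueError("unsupported CMD version or option")
        off += 6
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
    return {"dst": dst, "src": src, "vlan": vlan, "sgt": sgt,
            "ethertype": etype, "payload": frame[off:]}


def dropped_by(frame: bytes, cmd_capable: bool) -> bool:
    """The slide's caveat: a hop that does not understand EtherType 0x8909
    discards the tagged frame, so every inline hop must be CMD-capable."""
    return parse_frame(frame)["sgt"] is not None and not cmd_capable


# Constructed samples: an IPv4-looking payload, tagged and untagged frames,
# and a MACsec frame (SecTAG right after the MACs, body zeroed).
SAMPLE_PAYLOAD = bytes.fromhex("45000014") + bytes(16)
TAGGED_FRAME = build_frame("001122334455", "66778899aabb", SAMPLE_PAYLOAD,
                           sgt=5, vlan=100)
PLAIN_FRAME = build_frame("001122334455", "66778899aabb", SAMPLE_PAYLOAD,
                          vlan=100)
MACSEC_FRAME = bytes(12) + struct.pack("!H", MACSEC_ETHERTYPE) + bytes(20)

if __name__ == "__main__":
    print(parse_frame(TAGGED_FRAME))
    print("CMD overhead:", len(TAGGED_FRAME) - len(PLAIN_FRAME), "bytes")
    print("dropped by legacy hop:", dropped_by(TAGGED_FRAME, cmd_capable=False))
```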

36 Propagation: L3 inline, crypto transport for SGT (IPsec, DMVPN and GETVPN) (FOR YOUR REFERENCE)
SGT in IPsec: IP header (protocol type = ESP) | ESP header | IV | CMD | original IP header | original IP payload | padding | pad length | next header | authentication tag. CMD fields: Next Header (IP), Len = 3, Version (0x1), Reserved, Len (0x0), Type (1 = SGT), SGT Number (16 bits); for GETVPN also Len (0x1), Type (5 = PST) with a pseudo-timestamp.
Cisco Meta Data (CMD) uses protocol 99 and is inserted at the beginning of the ESP/AH payload.
Configuration:
  SGT over IPsec:  crypto ikev2 cts sgt
  SGT over DMVPN:  cts sgt inline
  SGT over GETVPN (group identity not captured):
    crypto gdoi group GDOI
     identity number <not captured>
     server local
      sa ipsec 1
       tag cts sgt
       match address ipv4 ACL_GETVPN_SGT

37 Propagation: L3 inline, non-crypto SGT propagation over IP (FOR YOUR REFERENCE)
EIGRP Over The Top (OTP): EIGRP on the control plane and Locator/ID Separation Protocol (LISP) encapsulation on the data plane to route traffic across the underlying WAN (CE - PE - Internet/WAN - PE - CE). SGT in LISP is supported from IOS XE 3.15S.
Packet layout: outer IP header (protocol 17, source/destination routing locators) | UDP header (destination port 4341) | LISP header (N, L, E flags, reserved, locator status bits, nonce) | inner IP header (source/destination endpoint identifiers). The 16-bit SGT is inserted in the 24-bit Nonce field. Overall IP MTU increase: 36 bytes.
  router eigrp my-wan
   address-family ipv4 unicast autonomous-system 100
    topology base
     cts propagate sgt
    exit-af-topology
   exit-address-family
Learn more:

38 Propagation: SGT Exchange Protocol (SXP)
For out-of-band IP-SGT binding propagation: propagates IP-SGT bindings from the classification point to the enforcement point (switches, routers as SXP aggregation, firewalls).
- Open protocol (IETF draft) and ODL supported
- TCP, port 64999
- Roles: Speaker (initiator) and Listener (receiver)
- Uses MD5 for authentication and integrity check
- Supports single-hop SXP and multi-hop SXP (aggregation)
- Cisco ISE 2.0 and beyond can be an SXP Speaker and Listener

39 Propagation: SXP example on AireOS
The wireless controller (e.g. 5520) is the SXP speaker; Cisco ISE assigns the SGT, and the IP-SGT binding is sent over SXP to the SXP listeners (switch / firewall), which enforce or aggregate. There is no SG-based enforcement locally on the controller.
* Supported on all wireless controllers except 7500 and vWLC.

40 Propagation: SXP support in ISE
Cisco ISE as SXP Speaker and Listener (supported from ISE 2.0).
- Useful for classifying destination SGTs
- Enables 3rd-party access devices for TrustSec
Example: the ISE authorization policy "If AD_Group_Employee, then SGT 5/Employees" produces a LOCAL binding on the access device (802.1X, RADIUS); the ISE IP-to-SGT binding table entry "IP address <not captured> is SGT 9/WebServers" reaches the enforcer as an SXP-sourced binding.

41 Propagation: SXP devices

42 Propagation: ISE and SXP
IOS switch configuration (source and peer IP addresses not captured):
  cts sxp enable
  cts sxp default source-ip <source-ip>
  cts sxp default password cisco
  cts sxp connection peer <ISE-ip> password default mode peer
Verification:
  Switch# show cts sxp connections
  SXP : Enabled
  Highest Version Supported: 4
  Default Password : Set
  Default Source IP: <trimmed>
  <Output trimmed>
  Peer IP : <trimmed>
  Source IP : <trimmed>
  Conn status : On
  Conn version : 4
  Conn capability : IPv4-IPv6-Subnet
  Conn hold time : 120 seconds
  Local mode : SXP Listener
  <Output truncated>
  Switch# show cts sxp sgt-map brief
  SXP Node ID(generated):0x0A050301(<trimmed>)
  IP-SGT Mappings as follows:
  IPv4,SGT: <<prefix>/27, 120:Mail_Servers>
  IPv4,SGT: <<prefix>/27, 110:Web_Servers>
  Total number of IP-SGT Mappings: 2

43 Propagation: SXP in action
[Diagram: Cisco ISE 2.0+ classifies the Employee as SGT-5 (a LOCAL binding on the access switch, whose IP-SGT binding table shows INTERNAL and LOCAL entries) and sends the Web_Server binding "IP = SGT-10" over SXP to the Nexus 7000 switch (whose table shows INTERNAL and SXP entries). The Employee's traffic crosses the WAN to the Web_Server and the TrustSec policy for 5 Employee -> 10 Web_Server is enforced there (marked X).]

44 Propagation: 3rd-party access and ISE SXP
[Diagram: the Employee authenticates via 802.1X on a 3rd-party access switch that cannot carry tags; Cisco ISE 2.0+ sends both bindings over SXP ("IP = SGT-5" for the Employee, "IP = SGT-10" for the Web_Server) to the Nexus 7000 switch, whose IP-SGT binding table shows INTERNAL and SXP entries, so the TrustSec policy for 5 Employee -> 10 Web_Server is enforced at the data center end of the WAN.]

45 Propagation: SXP can be single- or multi-hop (FOR YOUR REFERENCE)
Single-hop SXP: an SXP-enabled switch/WLC (speaker) sends bindings across a non-TrustSec domain directly to the SGT-capable hardware (listener).
Multi-hop SXP: SXP-enabled switches/WLCs send bindings to an SXP aggregation switch, which forwards them over SXP to the SGT-capable hardware.

46 Propagation: 4 SXP versions (FOR YOUR REFERENCE)
Version 1: the initial SXP version; supports IPv4 binding propagation.
Version 2: adds IPv6 binding propagation and version negotiation (older switch and router IOS prior to March 2013, WLC).
Version 3: adds subnet/SGT binding propagation and expansion; when speaking to a lower-version listener, the subnet is expanded.
Version 4: loop detection and prevention, capability exchange, built-in keepalive mechanism (newer switch and router IOS after March 2013).

47 Propagation: SXP scalability (FOR YOUR REFERENCE)
Values marked "not captured" were lost in the transcription.
Platform                         Max SXP conn.       Max IP-SGT bindings
Cisco ISE (per PSN)              not captured        250,000
Catalyst 6500 Sup2T              not captured        not captured
Nexus M series                   not captured        200,000 from v7.2 (earlier 50,000)
Nexus F3 series                  not captured        64,000 (recommended 50K)
Nexus F2E series                 not captured        32,000 (recommended 25K)
Catalyst 4500 Sup7E              not captured        not captured
Catalyst 4500X / 4500 Sup7LE     1,000               64,000
ASA 5585-X SSP-60                not captured        not captured
ASA 5585-X (other SSP)           not captured        not captured
Catalyst 3850 / WLC              not captured        not captured
CSR                              450 (bi-dir)        135,000
ISR                              900 (bi-dir)        135,000
ASR                              900 (bi-dir)        750,000 (from XE 3.15), earlier 180,000
ISR2900, ISR (model not captured) 125 (bi-dir)       180,000 unidirectional SXP; 125,000 bi-directional SXP

48 Propagation: pxGrid overview
- XMPP/Jabber-based protocol for context exchange
- Secure bi-directional connectivity; the grid is controlled by ISE
- Group members can publish and/or subscribe to specific topics
- TrustSecMetaData topic for Security Group table and IP-SGT binding exchange
[Example: at 10:30 AM the ISE SXP node publishes "IP address <not captured> is SGT 9/0009"; Firepower Management Center and the APIC-EM controller both receive it at 10:30 AM over pxGrid.]

49 Propagation: Sharing IP-to-SGT bindings over pxGrid
- pxGrid clients can subscribe to the SGT table and bindings
- IP-to-SGT bindings received over SXP (or learned via RADIUS) can be published via pxGrid
- Data format: SXPBinding={ipprefix=<prefix>/32 tag=9 source=<not captured> peersequence=<not captured>}
- Any pxGrid subscriber, e.g. Infoblox, FMC, WSA, APIC-EM

50 Propagation (pxGrid): Sharing context over pxGrid (FOR YOUR REFERENCE)
Access control policies based on ISE attributes (SGT, device type and endpoint location) on NGIPS / ASA + Firepower.

51 Propagation: SGT transport over WAN overview (FOR YOUR REFERENCE)
Multiple options for SGT transport over non-CTS Layer 3 networks: DMVPN for Internet-based VPNs; GETVPN and OTP for private WAN.
[Diagram: enterprise LAN (Finance, HR, BYOD, wireless) with CTS links, SXP and SGACLs on Catalyst 6500, Nexus 7000 and Nexus 1000v, connected over IPsec and DMVPN (Internet) and GETVPN (enterprise MPLS) to the data center switch; ISE governs the whole.]
Learn more:

52 The 3 TrustSec functions
Classification (assigning SGTs, e.g. 5 Employee, 6 Voice, 7 Partner): static assignments, dynamic assignments
Propagation: inline SGT, SXP, WAN options
Enforcement: Security Group ACL, SG Firewall

53 Enforcement: TrustSec policy matrix in ISE

54 Enforcement: Deploy the policy at the click of a button
Push and deploy TrustSec policies consistently across switching, wireless and routing infrastructure (Catalyst switches, Nexus switches, virtual switches, industrial switches, wireless access points, routing platforms):
  cts role-based enforcement

55 Enforcement: Policy download only for known destinations
Segmentation defined in ISE: sources SGT=3, SGT=4, SGT=5; destinations Prod_Servers (7), Dev_Servers (8).
- TrustSec switches request policies for the assets they protect
- Policies are downloaded and applied dynamically
- Result: software-defined segmentation; switches pull down only the policies they need
[Diagram: the switch with a Dev_Server (SGT=7) attached asks "I have SGT-7, is there a policy for it?" and pulls the SGACL that protects SGT-7; a switch that knows it has nothing to protect pulls no policy.]
Static SGT on the server-facing interface:
  interface ethernet 2/1
   cts manual
    policy static sgt 0x7
    no propagate-sgt

56 Enforcement: East-west segmentation
WannaCry: when executed, the malware first checks the "kill switch" domain name; if it is not found, the ransomware encrypts the computer's data, then attempts to exploit the SMB vulnerability to spread to random computers on the Internet and "laterally" to computers on the same network.
[Diagram: a compromised PC on the wired segment (1) scans the wireless BYOD segment for open ports / OS and (2) exploits the vulnerability; the SGACL policy between Employee-tagged devices on the access switch, distribution switch and AP (AireOS 8.4, Wave-1 and Wave-2 APs, WLC 8540 and 5520) blocks the lateral traffic.]
- Replaces Private / Isolated / Community VLAN functionality with centrally provisioned policy
- Supports mobile devices (with DHCP addresses); static ACLs cannot support the same level of policy
- No other vendor can support this type of use case
Sample ACEs (Anti-Malware-ACL) to block PtH (Pass-the-Hash, SMB over TCP) used for privilege escalation:
  deny icmp
  deny udp src dst eq domain
  deny tcp src dst eq 3389
  deny tcp src dst eq 1433
  deny tcp src dst eq 1521
  deny tcp src dst eq 445
  deny tcp src dst eq 137
  deny tcp src dst eq 138
  deny tcp src dst eq 139
  deny udp src dst eq snmp
  deny tcp src dst eq telnet
  deny tcp src dst eq www
  deny tcp src dst eq 443
  deny tcp src dst eq 22
  deny tcp src dst eq pop3
  deny tcp src dst eq 123

57 Enforcement: Zone-based firewall
SGT is a source criterion only in the ISR firewall; source or destination in the ASR 1000.
  class-map type inspect match-any partner-services
   match protocol http
   match protocol icmp
   match protocol ssh
  class-map type inspect match-any partner-sgts
   match security-group source tag 2001
   match security-group source tag 2002
   match security-group source tag 2003
  class-map type inspect match-all partner-class
   match class-map partner-services
   match class-map partner-sgts
  class-map type inspect match-any guest-services
   match protocol http
  class-map type inspect match-any guest-sgts
   match security-group source tag 5555
  class-map type inspect match-all guest-class
   match class-map guest-services
   match class-map guest-sgts
  class-map type inspect match-any emp-services
   match protocol http
   match protocol ftp
   match protocol icmp
   match protocol ssh
  ...

58 Enforcement: Firewall policy based on SGTs
- SGTs defined in ISE or locally defined on the ASA
- Use the destination SGT received from the switches connected to the destination
- Use network objects (host, range, network (subnet), or FQDN)
- Trigger IPS/CX based on SGT

59 Enforcement: SGT-based path selection
Policy-based routing based on SGT (router / firewall in front of the enterprise WAN, with an inspection router on an alternate path) and SGT-based VRF selection (e.g. VRF-GUEST). Next-hop addresses were not captured:
  route-map SG_PBR
   match security-group source tag 100
   set ip next-hop <not captured>

   match security-group destination tag 150
   set ip next-hop <not captured>
Security examples:
- Redirect traffic from malware-infected hosts
- Contain threats
- Pass traffic through centralized analysis and inspection functions
- Segment traffic to different VRFs based on context
Other example: map different user groups (Suspicious, Employee, Guest; users A, B, C) to different WAN services.
Available today: Cisco IOS XE Release 3.16S (ASR 1000) as well as ASA 5500-X (9.5.1).

60 Enforcement: FirePOWER service redirect on tags (FOR YOUR REFERENCE)
Create a service policy to forward suspicious traffic to FirePOWER services.

61 Enforcement: SGT-based path selection (FOR YOUR REFERENCE)
Different user groups can be offered different Quality of Service (QoS): for Employee (SGT 10) traffic, critical applications (CriticalServers, SGT 100) get priority treatment and the non-critical class (NonCritical, SGT 254) gets lower bandwidth. Available from IOS XE 3.17S.
  class-map employee-non_critical
   match security-group source tag 10
   match security-group destination tag 254
  !
  class-map employee-critical
   match security-group source tag 10
   match security-group destination tag 100
  !
  policy-map sg_qos
   class employee-critical
    priority percent 50
   class employee-non_critical
    bandwidth percent 25
    set dscp ef

62 TrustSec platform support
Roles along the path: user, switch (classification, propagation), router / WAN (GETVPN, DMVPN, IPsec) (propagation), firewall and DC switch (propagation, enforcement), vswitch (classification, propagation, enforcement), server, ISE.
Classification: Catalyst 2960-S/-SF/-C/-CX/-Plus/-X/-XR; Catalyst 3560-E/-C/-X/-CX/-CG; Catalyst 3750-E/-X; Catalyst 3650, 3850, 3850-XS; Catalyst 4500E (Sup6-E, 6L-E); Catalyst 4500E (Sup 7-E, 7L-E, 8-E, 8L-E); Catalyst 4500-X; Catalyst 6500E (Sup720/2T); Catalyst 6800; WLC 2500/5500/WiSM2/Flex7500; WLC 5760; WLC 8510/8540; Nexus 7000; Nexus 6000/5600; Nexus 5500/2200; Nexus 1000v; ISRG2, ISR4000, ISRv; ASR1000, 1000-X; CSR 1000v; IE2000/2000U/3000/4000/5000; CGR 2010, CGS2500; ASA 5500, ASAv, FP4100/9300, ISA 3000; ISE
Propagation: the same platforms as classification, plus FP 7000/8000
Enforcement: Catalyst 3560-X/-CX; Catalyst 3750-E/-X; Catalyst 3650, 3850, 3850-XS; Catalyst 4500E (Sup 7-E, 7L-E, 8-E, 8L-E); Catalyst 4500-X; Catalyst 6500E (Sup 2T); Catalyst 6800; WLC 5760; Nexus 7000; Nexus 6000/5600; Nexus 5500/2200; Nexus 1000v; ISRG2, ISR4000, ISRv; ASR1000, 1000-X; CSR 1000v; IE4000/5000; CGR 2010; ASA 5500, ASAv, FP4100/9300, ISA 3000; Web Security Appliance
For up-to-date information visit:

63 How about monitoring segmentation policies? Use NetFlow

64 TrustSec traffic monitoring with Stealthwatch
- Answers Where, When, Who and What for each flow
- Highly scalable (enterprise class) collection
- High compression, long-term storage; months of data retention
- NetFlow plus the Security Group gives more context. The flow record matches on the source and destination security group tags:

flow record my-flow-record
 ...
 match flow cts source group-tag
 match flow cts destination group-tag
 ...

65 Real-time segmentation policy validation
- Custom event triggers on a traffic condition, keyed on SGT and DGT
- Trigger on traffic in both directions, successful or unsuccessful
More on StealthWatch: BRKSEC-3014: Security Monitoring with StealthWatch

66 Real-time policy check (FOR YOUR REFERENCE)
Example: a Contractor registers on the Enterprise Network and its network activity is monitored.
- Detect suspicious and malicious activity: network behaviour and anomaly detection, policy violations
- Monitor policy configuration and misconfiguration
- Monitor for business continuity

67 TrustSec reduces operational costs for segmentation
Based on the results of the PCI validation and PCI Internal Network Penetration and Segmentation Test, it is Verizon's opinion that Cisco TrustSec can successfully perform network segmentation, for the purpose of PCI scope reduction.
Cisco has made great strides in integrating support for the TrustSec framework across its product lines:
- Flexibility to Segregate Resources Without Physical Segmentation or Managing VLANs
- Reduction in ACL Maintenance, Complexity and Overhead
Cisco TrustSec enabled the organizations interviewed to reduce operational costs by avoiding additional IT headcount, deploy new environments faster, and implement consistent and effective network segmentation, resulting in lower downtime.

68 Segmentation using Endpoint Groups (EPG)

69 TrustSec - ACI comparison
                     TRUSTSEC                                    ACI
Segment Identifier   16-bit Security Group Tags (SGT)            16-bit Endpoint Groups (EPG)
Classification       Static or Dynamic                           Static or Dynamic
Transport            SGT-over-Ethernet, SXP, LISP and IPSec      VxLAN
Policy               SG-ACL, SG-Firewall, SG-based-PBR, SG-QoS   Contracts: ACL, QoS, Redirect (Service-chaining)
Scope                End-to-end (User to DC)                     Data Center only
Controller           Cisco ISE                                   Cisco APIC-DC
APIC - Application Policy Infrastructure Controller

70 Application Centric Infrastructure (ACI)
Cisco ACI is a comprehensive SDN architecture for Data Center networks:
- Spine-leaf architecture with Nexus 9000 switches
- Network controlled by the APIC-DC controller
- Routed mesh topology, ECMP load balancing
- VXLAN for the overlay
- EPGs and Contracts for policy (the ACI policy layer)
Figure: clients attach to the ACI fabric with localized encapsulations (802.1Q VLAN 50, VXLAN VNID, NVGRE VSID = 7456, VXLAN VNID = 78) that the fabric normalizes onto a VXLAN overlay; a non-blocking, penalty-free overlay with 40 Gbps uplinks; VMs in the WEB, APP and DB EPGs.

71 Manage the fabric instead of individual switches

72 Virtual Extensible LAN (VXLAN): extend VLAN capabilities with flexibility
- 24 bit VNID (VXLAN Network Identifier): 16 million segments, 4 times more than VLANs
- Members need not be co-located as in a VLAN; IP mobility is supported
- VXLAN tunnels a Layer 2 network over a Layer 3 network; no need for Spanning Tree Protocol
- VXLAN tunnel endpoint (VTEP) devices map end devices to VXLAN segments; VLANs can be mapped to VNIDs
Figure: VTEPs at the Layer 2 / Layer 3 boundary encapsulate and decapsulate traffic; VLANs mapped to VNIDs (e.g. VNID 1100).

73 VXLAN Encapsulation
Encapsulated frame layout: Outer MAC DA | Outer MAC SA | Outer IEEE 802.1Q | Outer IP DA (VTEP) | Outer IP SA (VTEP) | Outer UDP | VXLAN Header | Inner MAC DA | Inner MAC SA | Optional Inner IEEE 802.1Q | Original Ethernet Payload | CRC
- MAC in UDP encapsulation; UDP destination port 8472
- The ACI implementation of VXLAN is similar to LISP (Locator/ID Separation Protocol); both headers begin with an 8-bit Flags field
- VXLAN header: Flags (8b) | Source Group (16b) | VXLAN Instance ID (24b) | Metrics (8b)
  Source Group carries the Source Endpoint Group (EPG); VXLAN Instance ID is the VXLAN Network Identifier (VNID)

74 VXLAN / ACI packet walk
VTEPs use a multicast or a host-tracking method to learn remote hosts. The spine keeps a host database (Host, VNID 10, VTEP); VTEP-1 and VTEP-2 each keep a cache of host-to-VTEP mappings (VTEP-1 learns Host-A via ARP; VTEP-2 caches Host-B).
1. Host-A sends the original frame (SIP/DIP: Host-A to Host-B, SMAC: Host-A, DMAC: Host-B) towards its VTEP.
2. VTEP-1 encapsulates it in VXLAN (SMAC: VTEP-1, DMAC: Spine-1, VNID: 10) and forwards it to the spine.
3. Spine-1 forwards the encapsulated packet (SMAC: Spine-1, DMAC: VTEP-2, VNID: 10) to VTEP-2.
4. VTEP-2 decapsulates it and delivers the original frame (SIP/DIP: Host-A to Host-B, SMAC: Host-A, DMAC: Host-B) to Host-B.

75 Endpoint Groups (EPG)
- Logical group of objects that require similar policy, e.g. Web Servers (WEB EPG), Application Servers (APP EPG), Database Servers (DB EPG)
- EPG is 16 bits
- Like SGTs, EPGs are topology independent
- Ingress ports only
- EPGs can be assigned to: physical port, virtual port, VLAN ID, VXLAN (VNID), NVGRE (VSID), IP address, IP subnet, Layer 4 ports*, *.DOMAIN.NAME*, VM attributes* (* - future)

76 Example: assigning an EPG to an IP address pool
Other classification options for EPGs shown in the figure: Firewall = WEB EPG, Eth 1/1 = APP EPG, VLAN-20 = DB EPG (e.g. VNID 1103).

77 Contracts
- EPGs can't talk to each other without a contract
- Contracts connect EPGs over a Provider (P) and Consumer (C) relationship
- Contract definitions (CONTRACT-U2W, CONTRACT-W2A) = IN/EG PERMIT, QOS, IN/EG DENY, REDIRECT (IN: Ingress, EG: Egress)
- Example: USER EPG (/15, VNID 1101) consumes HTTP / HTTPS from WEB EPG (VNID 1102); WEB EPG consumes APP EPG (Eth 1/1, VNID 1103), with a Firewall inserted by service chaining
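The contract rule above, worked as an added Python example that is not code from the session or from APIC: endpoints are classified into EPGs by IP subnet (the subnets and the APP port 8080 are constructed; only the USER /15 and the HTTP/HTTPS contract come from the slide), contracts bind a consumer EPG to a provider EPG with filters, and anything unmatched is denied by default.

```python
"""Toy model of ACI endpoint-group classification and contract evaluation.

Added example, not APIC code. Classification here is by IP subnet only (the
slide also lists ports, VLANs and VNIDs); the subnets and the APP port 8080
are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Classification table: the longest matching prefix decides the EPG.
# (Constructed: the slide gives USER a /15 but no concrete addresses.)
SUBNET_TO_EPG: List[Tuple[IPv4Network, str]] = [
    (ip_network("10.0.0.0/15"), "USER"),
    (ip_network("10.1.20.0/24"), "WEB"),   # deliberately carved out of the USER /15
    (ip_network("10.2.30.0/24"), "APP"),
]


@dataclass(frozen=True)
class Filter:
    """One contract filter entry; dport 0 means any destination port."""
    proto: str
    dport: int = 0


@dataclass(frozen=True)
class Contract:
    name: str
    consumers: FrozenSet[str]
    providers: FrozenSet[str]
    filters: Tuple[Filter, ...]


# CONTRACT-U2W: USER consumes WEB over HTTP/HTTPS (from the slide).
# CONTRACT-W2A: WEB consumes APP; port 8080 is a constructed value.
CONTRACTS: List[Contract] = [
    Contract("CONTRACT-U2W", frozenset({"USER"}), frozenset({"WEB"}),
             (Filter("tcp", 80), Filter("tcp", 443))),
    Contract("CONTRACT-W2A", frozenset({"WEB"}), frozenset({"APP"}),
             (Filter("tcp", 8080),)),
]


def classify(ip: str) -> Optional[str]:
    """Return the EPG of an IP address, or None if it matches no subnet."""
    addr = ip_address(ip)
    best: Optional[Tuple[IPv4Network, str]] = None
    for net, epg in SUBNET_TO_EPG:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, epg)
    return best[1] if best else None


def is_permitted(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[bool, str]:
    """Decide whether a new flow src -> dst is allowed by the contract model.

    Only the consumer-to-provider initiation direction is modelled; ACI's
    handling of return traffic (reverse filter ports) is out of scope here.
    """
    src, dst = classify(src_ip), classify(dst_ip)
    if src is None or dst is None:
        return False, "endpoint not in any EPG: dropped"
    if src == dst:
        # Intra-EPG traffic is permitted by default (unless isolation is enabled).
        return True, f"intra-EPG {src}"
    for c in CONTRACTS:
        if src in c.consumers and dst in c.providers:
            for f in c.filters:
                if f.proto == proto and f.dport in (0, dport):
                    return True, f"{c.name}: {src} -> {dst} {proto}/{dport}"
    return False, f"no contract {src} -> {dst} for {proto}/{dport}: default deny"
```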

78 Contracts: ACL

79 Contracts: Service Graph

80 EPGs and Contracts summary: EPG + Contracts = Application Network Profile

81 ACI policy hierarchy
- ACI Management: Tenant
- ACI Networking: Context (Layer 3 / VRF) > Bridge Domain (Layer 2 boundary) > Subnets (IP spaces), e.g. Bridge Domains holding Subnet A, B / Subnet B, C / Subnet D
- ACI Policy: Application Network Profile = set of EPGs and Contracts (USER, WEB, APP and DB EPGs connected by contracts)

82 Seeing it on APIC: ACI Policy (Contracts), ACI Networking, EPGs

83 TrustSec ACI Integration

84 Why integrate TrustSec and ACI?
ACI policy consists of Endpoint Groups (USERS, WEB, APP, DB) and Contracts. Questions the ACI policy alone cannot answer, and where ISE says "I can help!":
- What users? (Employee / Contractors / Guests)
- What device type? (Corporate / BYOD / IoT)
- Posture compliant? (Compliant / Non-compliant)
- Threats / vulnerabilities? (Safe / Compromised hosts)
- Location? (Corporate / Public / Home)

85 ISE and APIC-DC exchange context for interoperability
- TrustSec policy domain (Cisco ISE 2.1, Security Groups) and ACI policy domain (Cisco APIC-DC, End Point Groups)
- ISE creates matching Security Groups and Endpoint Groups
- ISE exchanges IP-SGT / EPG name bindings with APIC-DC
- IP-Security Group bindings are exchanged with the network; IP-ClassId, VNI bindings on the ACI side
Figure: user - switch - router - WAN (GETVPN, DMVPN, IPsec) - router - firewall - Nexus 9000 spine/leaf - server; classification at the edge, SGT over Ethernet in the campus, IPsec / DMVPN / GETVPN / SXP across the WAN.
APIC - Application Policy Infrastructure Controller, ACI - Application Centric Infrastructure

86 ISE and APIC integration settings (FOR YOUR REFERENCE)
Work Centers > TrustSec > Settings > ACI Settings:
- APIC-DC IP address
- ACI tenant where EPGs must be created
- Suffixes to identify groups created by the integration

87 SGT - EPG exchange
Cisco ISE 2.1 sends Security Groups and IP bindings to Cisco APIC-DC and receives End Point Groups (EPG) and IP bindings in return.
More on ACI Security: BRKSEC Demystifying ACI Security
APIC - Application Policy Infrastructure Controller, ACI - Application Centric Infrastructure

88 Scaling TrustSec-ACI integration: SGT-EPG translation in the data plane
- Policy plane (APIC REST API): Cisco ISE 2.2 sends SG/EPG names and info to APIC 2.3 for the translation table
- Routing plane (MP-BGP EVPN and OpFlex) between the TrustSec side (IP-SGT) and the ACI side (IP-EPG) at the border
- Data plane: iVXLAN with inline groups
Sample output on the border router:

ASR1K#show cts sg-epg translations
Total Entries: 2
Last update time: 05:07:17 UTC Jun
Next refresh time: 05:07:17 UTC Jun
* Represents truncated names
Status Codes: A - Active
Security-Group      Endpoint-Group       VRF        Status
                    :WebServers_APIC     BLUE (2)   A
05:Employees                             BLUE (2)   A

* This feature is applicable for a single ACI tenant with multiple VRFs.

89 Segmentation using Virtual Networks (VNs)

90 Software Defined Access
Software Defined Access (SDA) is the next-generation network technology to automate and assure network services securely with simplified administration. Cisco DNA Center (DNA-C workflows) drives ISE, APIC-EM and NDP. Some key benefits of SDA are:
- Network automation: transform business intent into network configuration at the click of a button
- End-to-end segmentation: role based segmentation of the network with Virtual Networks and Scalable Groups (e.g. GROUP-1 and GROUP-2 inside an EMPLOYEE virtual network and inside an IOT virtual network) over secure campus fabric(s)
- Network assurance: based on collected data, provide contextual insights into users and network activities
APIC-EM - Application Policy Infrastructure Controller, Enterprise Module; NDP - Network Data Platform

91 Best of both worlds
- From TrustSec: Security Group Tags (SGT); dynamic SGT assignments to endpoints with ISE; policy automation; robust platform support; leverage the ISE ecosystem for a secure enterprise
- From ACI: normalized overlay; contracts and service chaining; hierarchical policies; IP mobility; reusable policies and constructs
Campus Fabric combines the two.

92 DNA Center 4 step workflow (FOR YOUR REFERENCE)
1. Sites-Locations, Global Settings, Wired-Wireless profiles
2. Access control policies, Segmentation, QoS policies
3. Create Campus Fabric, Provision WLCs and APs
4. Assurance*: Network Health, Client Status, Troubleshooting
*(FCS +1)

93 Overlay for Campus Fabric: similar format, different payload
LISP (IP based):
- Outer IP header: Ver, IHL, ToS, Total Length, Identification, Flags, Fragmentation Offset, Time to Live, Protocol (17), Header Checksum, Source Routing Locator, Destination Routing Locator
- UDP header: Source Port, Destination Port (4341), UDP Length, UDP Checksum
- LISP header: Flags (N L E V I), Reserved, Security Group Tag, Instance ID / Locator Status Bits
- Inner IP header: ..., Source Endpoint Identifier, Destination Endpoint Identifier
- Overall IP MTU increase: 36 bytes of overlay header; the SGT (16 bit) is inserted in the Nonce field (24 bit)
VXLAN (Ethernet based):
- Outer IP header: same fields as above, Source Routing Locator, Destination Routing Locator
- UDP header: Source Port, Destination Port (8472), UDP Length, UDP Checksum
- VXLAN header: Flags, Reserved, Endpoint Group, VxLAN Network Identifier (VN ID), Reserved
- Inner Ethernet header: Inner Destination MAC Address, Inner Source MAC Address, Ethertype = C-Tag (802.1Q), Inner VLAN Tag Information, Ethertype, Original Ethernet Payload
- New FCS for the outer Ethernet frame
Locator Id Separation Protocol (LISP)
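The two 8-byte overlay headers on slides 73 and 93 carry the 16-bit group at the same offset next to the 24-bit VNID / instance ID, so one builder and parser serves both; the following is an added Python example, not code from the session. It assumes the flag bit positions of RFC 7348 / RFC 6830 and the VXLAN group-policy draft (bit 0 marks the group field present, bit 4 marks the VNID / instance ID valid); the sample VNID, SGT values and the deny pair are constructed.

```python
"""Build and parse the 8-byte overlay header from slides 73 and 93, which
carries a 16-bit group (SGT / EPG) beside the 24-bit VNID / instance ID.

Added example, not code from the session. Flag bit positions follow
RFC 7348 / RFC 6830 and the VXLAN group-policy draft: bit 0 of the flags
byte marks the group field as present (G in VXLAN-GPO, N "nonce present"
in LISP) and bit 4 marks the VNID / instance ID as valid (I in both).
"""
import struct
from dataclasses import dataclass
from typing import Set, Tuple

UDP_PORT_VXLAN = 8472   # port on the slides (IANA later assigned 4789)
UDP_PORT_LISP = 4341
FLAG_GROUP = 0x80       # group field present (VXLAN-GPO G bit / LISP N bit)
FLAG_VNI = 0x08         # VNID / instance ID valid (I bit)
HEADER_LEN = 8
HEADER_FMT = ">BBHI"    # flags, reserved, 16-bit group, (24-bit vni << 8) | reserved


@dataclass(frozen=True)
class Overlay:
    vni: int        # 24-bit VXLAN Network Identifier / LISP instance ID
    group: int      # 16-bit Security Group Tag / Endpoint Group (0 = unknown)
    payload: bytes  # inner frame (VXLAN) or inner IP packet (LISP)


def encap(vni: int, group: int, payload: bytes) -> bytes:
    """Prepend the overlay header; group 0 means 'unknown' and clears the G/N bit."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNID must fit in 24 bits")
    if not 0 <= group < 1 << 16:
        raise ValueError("group tag must fit in 16 bits")
    flags = FLAG_VNI | (FLAG_GROUP if group else 0)
    return struct.pack(HEADER_FMT, flags, 0, group, vni << 8) + payload


def decap(packet: bytes) -> Overlay:
    """Parse the header; refuse packets whose VNID is not marked valid."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated overlay header")
    flags, _reserved, group, vni_word = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if not flags & FLAG_VNI:
        raise ValueError("I bit clear: VNID / instance ID not valid")
    if not flags & FLAG_GROUP:
        group = 0   # never trust a stale group value the sender did not mark present
    return Overlay(vni=vni_word >> 8, group=group, payload=packet[HEADER_LEN:])


def overlay_overhead(inner_ethernet: bool) -> int:
    """Bytes added per packet: outer IPv4 (20) + UDP (8) + overlay header (8),
    plus the inner Ethernet header (14) when the payload is a frame (VXLAN).
    Gives the 36 bytes quoted on the slide for the IP-based LISP case."""
    return 20 + 8 + HEADER_LEN + (14 if inner_ethernet else 0)


def ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, data: bytes) -> bytes:
    """Minimal untagged Ethernet frame, used as a constructed inner payload."""
    return dst_mac + src_mac + struct.pack(">H", ethertype) + data


def enforce_at_egress(packet: bytes, dst_group: int, deny_pairs: Set[Tuple[int, int]]) -> bool:
    """Destination edge: the source group is read straight from the header, so
    no IP-to-SGT lookup is needed. Returns True when the frame is forwarded."""
    hdr = decap(packet)
    return (hdr.group, dst_group) not in deny_pairs
```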

94 Campus fabric in a nutshell
1. LISP based control plane
2. VXLAN-like data plane
3. Integrated Cisco TrustSec: VRF (Virtual Routing & Forwarding) + SGT (Security Group Tags)
Encapsulated packet: ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD

95 Simplifying TrustSec with Campus Fabric
- TrustSec today: multiple encapsulations / transport options between source and destination (SXP, SGT-over-VPN, SGT-over-Ethernet)
- TrustSec tomorrow: normalized transport and encapsulation for SGTs

96 Campus Fabric network constructs
- Fabric Control-Plane Node (C) (LISP Map Server/Resolver): has the host tracking database that provides reachability information
- Fabric Border Node (B) (LISP Proxy Tunnel Router): connects the fabric to the outside world
- Fabric Edge Node (E) (LISP Tunnel Router): connects users and devices to the fabric; anycast L3 gateway; registers endpoint IDs with the control-plane node
- Fabric Network: IS-IS for the underlay, VXLAN (LISP) for the overlay
- Host Pool: based on IP subnet + VLAN-ID with the edge node as anycast gateway; AAA or static configuration
AAA: Authentication, Authorization and Accounting

97 Campus Fabric policy constructs
- Virtual Neighborhood (VN-A, VN-B, VN-C): based on Virtual Routing & Forwarding (VRF); maintains a separate routing and switching instance for each Virtual Neighborhood
- TrustSec Policy: Security Group Tags assigned to sources and destinations; SGT assignments and policy download from ISE
Note: at FCS, all SG based policies must be contained within one VN

98 SDA Fabric workflow (DNA-C UI over APIC-EM)
1. Create Fabric (SJC-19-Fabric)
2. Add Nodes to Fabric
3. Select Control Plane Node
4. Select Border Node
Result: SJC-19-FABRIC with a Layer-3 underlay (ECMP) and a VxLAN overlay connecting devices and hosts, with border (B) and control plane (C) nodes towards the Internet and intranet.

99 SDA policy and on-boarding (DNA-C UI over APIC-EM, with Cisco ISE)
After Create Fabric, Add Nodes to Fabric, Select Control Plane Node and Select Border Node:
5. Add Virtual Network(s), e.g. VN: IOT (STATIC; IP-POOL: A), VN: EMPL (802.1X; IP-POOL: B), VN: GUEST (STATIC; SGT: 30; IP-POOL: C); each VN carries its own SGT(s)
6. Select the authentication type for hosts (STATIC, 802.1X, EASY-C)

100 SDA policy deployment
Fabric policies are defined in Cisco DNA Center as source, destination and contract, e.g. Employees -> PCI_Servers: DENY. DNA Center pushes them to Cisco ISE over its API (groups such as Employees, Contractors, PCI_Servers, POS_Systems), and ISE downloads the policy to the fabric nodes.
At SDA release 1, all SG policies must be contained within one Virtual Network.

101 SDA group-based policy administration

102 ISE programming over APIs from DNA-C

103 Campus Fabric summary (FOR YOUR REFERENCE)
- Management: Domain
- Networking: VN (Virtual Neighborhood, Layer 3 / VRF) > Host Pool (VLAN-X / VLAN-Y / VLAN-Z with Subnet A / B / C; Layer 2 and L3 access boundary)
- Policy: SGT + SGACL per host pool; Enterprise Policy = set of SGTs and policy

104 Closing thoughts

105 Integrating Security into the Network: Discover and Classify Assets; Design and Model Policy; Enforce Policy; Network Segmentation; Active Monitoring; Understand Behavior

106 ISE is critical for Software-defined segmentation
- On-prem cross-policy integrations with orchestration tools (Open Daylight, SDA, ACI): Security Group definitions, new group members and policy definitions (SGACLs) are exchanged with ISE over REST APIs
- Security Group based policies / analysis (ASA, NGFW, WSA, Stealthwatch): Security Groups and membership info from ISE
- Group policy connections (other vendors): Security Group / membership info over REST APIs
- Software-Defined Segmentation (Catalyst switches, Nexus switches, Industrial Ethernet switches, Integrated Service Routers, Wireless LAN, Connected Grid Routers & Switches): SGT classifications, Security Group and policy download, SGT-EPG translation
Transports between Cisco ISE and these components: REST APIs, SXP, pxGrid and RADIUS.

107 Solution to the segmentation challenge (Case Study)
TrustSec solution:
- TrustSec segmentation: Cisco ISE authorizes each endpoint with an SGT and pushes SGACLs to the branch Converged Access switch
- One network for all vendors, but each vendor is segmented with TrustSec
- Lower operational costs: fewer VLANs and SSIDs to manage; provisioning and retiring vendors is now easy
Store network: Guest, BYOD and Vendors (each authenticated and authorized by ISE) and Store PCI and Demo Vendors, behind an ISR with ZBFW and VRFs to the WAN; Data Center with Cisco ISE (vendor and guest accounts), AD (employee accounts) and servers.
* Additional VLAN/VRFs for Voice, Print, AP, etc. not shown in the picture

108 What should be the choice? For Segmentation and Group-based Policies for Enterprise Networks:
- Open and programmable
- Controller driven (ISE, APIC ...)
- Reusable group based policies (TrustSec policies, Contracts ...)
- Topology independent segment identifiers (SGTs, EPGs ...)

109 Other ISE Break Out Sessions
- BRKSEC-2695 Building an Enterprise Access Control Architecture using ISE and TrustSec, Imran Bashir: Tue 08:00-10:00 AM, Level 3, South Seas F; Wed 1:30-03:30 PM, Level 2, Mandalay Bay E
- BRKSEC-3699 Designing ISE for Scale & High Availability, Craig Hyps: Tue 1:30-03:30 PM, Level 2, Mandalay Bay J
- BRKSEC-2059 Deploying ISE in a Dynamic Environment, Clark Gambrel: Tue 04:00-05:30 PM, Level 3, South Seas E
- BRKSEC-3697 Advanced ISE Services, Tips and Tricks, Aaron Woland: Tue 08:00-10:00 AM, L-2, Mandalay Bay G; Wed 1:30-03:30 PM, L-2, Mandalay Bay H
- BRKSEC-2039 Cisco Medical Device NAC, Mark Bernard and Tim Lovelace: Mon 04:00-05:30 PM, Level 3, South Seas D
- BRKCOC-2018 Inside Cisco IT: How Cisco Deployed ISE and TrustSec, David Iacobacci, Bassem Khalife: Thu 08:30-10:00 AM, Level 3, South Seas E

110 Other TrustSec Break Out Sessions
- BRKSEC-2203 Enabling Software-Defined Segmentation with TrustSec, Fay Lee: Tue 4:00-5:30 PM, Level 2, Mandalay Bay G
- BRKCRS-2893 Choice of Segmentation and Group based Policies for Enterprise Networks, Hariprasad Holla: Thu 10:30-12:00 PM, Level 2, Breakers IJ
- BRKCRS-2810 Cisco SD-Access - A Look Under the Hood, Shawn Wargo: Mon 1:30-03:30 PM, L-2, Lagoon I; Tue 08:00-10:00 AM, L-3, South Seas D
- BRKSEC-2205 Security and Virtualization in the Data Center, Justin Poole: Mon 08:00-10:00 AM, Level 2, Reef F
- BRKSEC-3014 Security Monitoring with StealthWatch: The detailed walkthrough, Matthew Robertson: Mon 1:30-3:30 PM, Level 2, Breakers IJ
- BRKSEC-2026 Building Network Security Policy Through Data Intelligence, Darrin Miller, Matthew Robertson: Wed 4:00-5:30 PM, Level 3, South Seas G

111 ISE / TrustSec Labs
- LTRSEC-2002 ISE integration with Firepower using pxGrid protocol, Vibhor Amrodia, Aditya Ganjoo: Wed 8:00-12:00 PM, MGM Grand, Level 1, Room 104
- LTRCRS-2006 Visibility Driven Secure Segmentation, Hariprasad Holla, Aaron Rohyans: Wed 01:00-05:00 PM, MGM Grand, Level 1, Room 115
- LTRCRS-2810 Cisco SD-Access Hands-on Lab, Derek Huckaby, Larissa Overbey: Wed 01:00 PM, MGM L-1, 116; Thu 08:00 PM, MGM L-1, 101

112 Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card. Complete your session surveys through the Cisco Live mobile app or on
Don't forget: Cisco Live sessions will be available for viewing on demand after the event at


Service Graph Design with Cisco Application Centric Infrastructure

Service Graph Design with Cisco Application Centric Infrastructure White Paper Service Graph Design with Cisco Application Centric Infrastructure 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 101 Contents Introduction...

More information

Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches)

Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches) Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches) First Published: 2017-07-31 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706

More information

Data Center Security. Fuat KILIÇ Consulting Systems

Data Center Security. Fuat KILIÇ Consulting Systems Data Center Security Fuat KILIÇ Consulting Systems Engineer @Security Data Center Evolution WHERE ARE YOU NOW? WHERE DO YOU WANT TO BE? Traditional Data Center Virtualized Data Center (VDC) Virtualized

More information

Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 3650 Switches)

Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 3650 Switches) Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 3650 Switches) First Published: 2017-07-31 Last Modified: 2017-11-03 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive

More information

Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack

Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack White Paper Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack Introduction Cisco Application Centric Infrastructure (ACI) is a next-generation data center fabric infrastructure

More information

VXLAN Deployment Use Cases and Best Practices

VXLAN Deployment Use Cases and Best Practices VXLAN Deployment Use Cases and Best Practices Azeem Suleman Solutions Architect Cisco Advanced Services Contributions Thanks to the team: Abhishek Saxena Mehak Mahajan Lilian Quan Bradley Wong Mike Herbert

More information

Cisco TrustSec Platform Support Matrix

Cisco TrustSec Platform Support Matrix Sales Tool TrustSec Platform Support Matrix System Component Platform Solution Minimum Solution- Level Validated Classification Control Plane Propagation () (Inline ) MACsec (for WAN) Enforceme nt Identity

More information

Software-Defined Access Wireless

Software-Defined Access Wireless Introduction to, page 1 Configuring SD-Access Wireless (CLI), page 7 Introduction to The Enterprise Fabric provides end-to-end enterprise-wide segmentation, flexible subnet addressing, and controller-based

More information

ISE Primer.

ISE Primer. ISE Primer www.ine.com Course Overview Designed to give CCIE Security candidates an intro to ISE and some of it s features. Not intended to be a complete ISE course. Some topics are not discussed. Provides

More information

ACI Multi-Site Architecture and Deployment. Max Ardica Principal Engineer - INSBU

ACI Multi-Site Architecture and Deployment. Max Ardica Principal Engineer - INSBU ACI Multi-Site Architecture and Deployment Max Ardica Principal Engineer - INSBU Agenda ACI Network and Policy Domain Evolution ACI Multi-Site Deep Dive Overview and Use Cases Introducing ACI Multi-Site

More information

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers Speaker: Mun Hossain Director of Product Management - Security Business Group Cisco Twitter: @CiscoDCSecurity 2 Any

More information

HPE FlexFabric 5940 Switch Series

HPE FlexFabric 5940 Switch Series HPE FlexFabric 5940 Switch Series EVPN Configuration Guide Part number: 5200-2002b Software version: Release 25xx Document version: 6W102-20170830 Copyright 2017 Hewlett Packard Enterprise Development

More information

DNA SA Border Node Support

DNA SA Border Node Support Digital Network Architecture (DNA) Security Access (SA) is an Enterprise architecture that brings together multiple building blocks needed for a programmable, secure, and highly automated fabric. Secure

More information

Cisco Exam Questions & Answers

Cisco Exam Questions & Answers Cisco 648-375 Exam Questions & Answers Number: 648-375 Passing Score: 800 Time Limit: 120 min File Version: 22.1 http://www.gratisexam.com/ Cisco 648-375 Exam Questions & Answers Exam Name: Cisco Express

More information

MP-BGP VxLAN, ACI & Demo. Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017

MP-BGP VxLAN, ACI & Demo. Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017 MP-BGP VxLAN, ACI & Demo Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017 Datacenter solutions Programmable Fabric Classic Ethernet VxLAN-BGP EVPN standard-based Cisco DCNM Automation Modern

More information

Cisco TrustSec Software-Defined Segmentation Platform and Capability Matrix

Cisco TrustSec Software-Defined Segmentation Platform and Capability Matrix Sales Tool TrustSec Software-Defined Segmentation Platform and Capability Matrix TrustSec uniquely builds upon your existing identity-aware infrastructure by enforcing segmentation and access control policies

More information

Software-Defined Access Wireless

Software-Defined Access Wireless Introduction to, page 1 Configuring SD-Access Wireless (CLI), page 7 Enabling SD-Access Wireless (GUI), page 8 Configuring SD-Access Wireless VNID (GUI), page 9 Configuring SD-Access Wireless WLAN (GUI),

More information

Routing Underlay and NFV Automation with DNA Center

Routing Underlay and NFV Automation with DNA Center BRKRST-1888 Routing Underlay and NFV Automation with DNA Center Prakash Rajamani, Director, Product Management Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session

More information

Cisco SD-Access Building the Routed Underlay

Cisco SD-Access Building the Routed Underlay Cisco SD-Access Building the Routed Underlay Rahul Kachalia Sr. Technical Leader Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the

More information

DNA Campus Fabric. How to Migrate The Existing Network. Kedar Karmarkar - Technical Leader BRKCRS-2801

DNA Campus Fabric. How to Migrate The Existing Network. Kedar Karmarkar - Technical Leader BRKCRS-2801 DNA Campus Fabric How to Migrate The Existing Network Kedar Karmarkar - Technical Leader Campus Fabric Abstract Is your Campus network facing some, or all, of these challenges? Host Mobility (w/o stretching

More information

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

ExamTorrent.   Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you ExamTorrent http://www.examtorrent.com Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you Exam : 400-251 Title : CCIE Security Written Exam (v5.0) Vendor : Cisco Version

More information

Cisco Software-Defined Access

Cisco Software-Defined Access Migration Guide Cisco Software-Defined Access 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 31 Contents Cisco SD-Access... 3 Evolution of Networking

More information

Working with Contracts

Working with Contracts Contracts, page 1 Filters, page 9 Taboo Contracts, page 12 Inter-Tenant Contracts, page 15 Contracts Contracts provide a way for the Cisco Application Centric Infrastructure (ACI) administrator to control

More information

Cisco Application Centric Infrastructure (ACI) - Endpoint Groups (EPG) Usage and Design

Cisco Application Centric Infrastructure (ACI) - Endpoint Groups (EPG) Usage and Design White Paper Cisco Application Centric Infrastructure (ACI) - Endpoint Groups (EPG) Usage and Design Emerging IT technologies have brought about a shift from IT as a cost center to IT as a business driver.

More information

Contents. EVPN overview 1

Contents. EVPN overview 1 Contents EVPN overview 1 EVPN network model 1 MP-BGP extension for EVPN 2 Configuration automation 3 Assignment of traffic to VXLANs 3 Traffic from the local site to a remote site 3 Traffic from a remote

More information

Introduction to External Connectivity

Introduction to External Connectivity Before you begin Ensure you know about Programmable Fabric. Conceptual information is covered in the Introduction to Cisco Programmable Fabric and Introducing Cisco Programmable Fabric (VXLAN/EVPN) chapters.

More information

Cisco Network Admission Control (NAC) Solution

Cisco Network Admission Control (NAC) Solution Data Sheet Cisco Network Admission Control (NAC) Solution New: Updated to include the Cisco Secure Network Server (SNS) Cisco Network Admission Control (NAC) solutions allow you to authenticate wired,

More information

Software-Defined Access Design Guide

Software-Defined Access Design Guide Cisco Validated design Software-Defined Access Design Guide December 2017 Solution 1.1 Table of Contents Table of Contents Cisco Digital Network Architecture and Software-Defined Access Introduction...

More information

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13 Q&A Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13 Q. What is the Cisco Cloud Services Router 1000V? A. The Cisco Cloud Services Router 1000V (CSR 1000V) is a router in virtual

More information

Contents. Introduction. Prerequisites. Configure. Requirements. Components Used. Network Diagram

Contents. Introduction. Prerequisites. Configure. Requirements. Components Used. Network Diagram Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram Traffic Flow Configurations Switch 3850-1 Switch 3850-2 ISE Verify References Related Cisco Support Community

More information

Software-Defined Access Wireless

Software-Defined Access Wireless Introduction to, page 1 Configuring SD-Access Wireless (CLI), page 7 Enabling SD-Access Wireless (GUI), page 8 Configuring SD-Access Wireless VNID (GUI), page 9 Configuring SD-Access Wireless WLAN (GUI),

More information

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer Cisco Next Generation Firewall and IPS Dragan Novakovic Security Consulting Systems Engineer Cisco ASA with Firepower services Cisco TALOS - Collective Security Intelligence Enabled Clustering & High Availability

More information

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table

More information

Huawei CloudEngine Series. VXLAN Technology White Paper. Issue 06 Date HUAWEI TECHNOLOGIES CO., LTD.

Huawei CloudEngine Series. VXLAN Technology White Paper. Issue 06 Date HUAWEI TECHNOLOGIES CO., LTD. Issue 06 Date 2016-07-28 HUAWEI TECHNOLOGIES CO., LTD. 2016. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of

More information

SD-Access Wireless Design and Deployment Guide

SD-Access Wireless Design and Deployment Guide SD-Access Wireless Design and Deployment Guide Executive Summary 2 Software Defined Access 2 SD Access Wireless 3 SD Access Wireless Architecture 4 Setting up SD-Access Wireless with DNAC 13 SD Access

More information

Cisco TrustSec Quick Start Configuration Guide

Cisco TrustSec Quick Start Configuration Guide Cisco TrustSec Quick Start Configuration Guide Table of Contents Introduction... 5 Using This Guide... 5 Baseline ISE Configuration for TrustSec... 7 Active Directory Integration (optional)... 7 Defining

More information

Migration from Classic DC Network to Application Centric Infrastructure

Migration from Classic DC Network to Application Centric Infrastructure Migration from Classic DC Network to Application Centric Infrastructure Kannan Ponnuswamy, Solution Architect, Cisco Advanced Services Acronyms IOS vpc VDC AAA VRF STP ISE FTP ToR UCS FEX OTV QoS BGP PIM

More information

IP Fabric Reference Architecture

IP Fabric Reference Architecture IP Fabric Reference Architecture Technical Deep Dive jammon@brocade.com Feng Shui of Data Center Design 1. Follow KISS Principle Keep It Simple 2. Minimal features 3. Minimal configuration 4. Configuration

More information

Cisco TrustSec How-To Guide: Central Web Authentication

Cisco TrustSec How-To Guide: Central Web Authentication Cisco TrustSec How-To Guide: Central Web Authentication For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 1

More information

ONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013

ONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013 ONE POLICY Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013 Agenda Secure Unified Access with ISE Role-Based Access Control Profiling TrustSec Demonstration How ISE is Used Today

More information

P ART 3. Configuring the Infrastructure

P ART 3. Configuring the Infrastructure P ART 3 Configuring the Infrastructure CHAPTER 8 Summary of Configuring the Infrastructure Revised: August 7, 2013 This part of the CVD section discusses the different infrastructure components that are

More information

Security? where to? Adrian Aron. Consultant Systems Engineer. 19 Oct

Security? where to? Adrian Aron. Consultant Systems Engineer. 19 Oct Security? where to? Adrian Aron Consultant Systems Engineer 19 Oct Agenda Industry shift and trends Router security, switch security OpenDNS Integration and automation Q&A Road from task to implementation

More information

EIGRP Over the Top. Finding Feature Information. Information About EIGRP Over the Top. EIGRP Over the Top Overview

EIGRP Over the Top. Finding Feature Information. Information About EIGRP Over the Top. EIGRP Over the Top Overview The feature enables a single end-to-end routing domain between two or more Enhanced Interior Gateway Routing Protocol (EIGRP) sites that are connected using a private or a public WAN connection. This module

More information

2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public PSODCN-1030 Intent Based Systems Deliver Automation Dave Malik Cisco Fellow and Chief Architect Advanced Services @dmalik2 2018 Cisco

More information

Nexus 1000V in Context of SDN. Martin Divis, CSE,

Nexus 1000V in Context of SDN. Martin Divis, CSE, Nexus 1000V in Context of SDN Martin Divis, CSE, mdivis@cisco.com Why Cisco Nexus 1000V Losing the Edge Server Admin Host Host Host Host Server Admin manages virtual switching! vswitch vswitch vswitch

More information

Cisco Group Encrypted Transport VPN

Cisco Group Encrypted Transport VPN Cisco Group Encrypted Transport VPN Q. What is Cisco Group Encrypted Transport VPN? A. Cisco Group Encrypted Transport is a next-generation WAN VPN solution that defines a new category of VPN, one that

More information

ACI Terminology. This chapter contains the following sections: ACI Terminology, on page 1. Cisco ACI Term. (Approximation)

ACI Terminology. This chapter contains the following sections: ACI Terminology, on page 1. Cisco ACI Term. (Approximation) This chapter contains the following sections:, on page 1 Alias API Inspector App Center Alias A changeable name for a given object. While the name of an object, once created, cannot be changed, the Alias

More information

Cisco SD-WAN and DNA-C

Cisco SD-WAN and DNA-C Cisco SD-WAN and DNA-C SD-WAN Cisco SD-WAN Intent-based networking for the branch and WAN 4x Improved application experience Better user experience Deploy applications in minutes on any platform with consistent

More information

Cisco TrustSec How-To Guide: Monitor Mode

Cisco TrustSec How-To Guide: Monitor Mode Cisco TrustSec How-To Guide: Monitor Mode For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2 Introduction...

More information

Managing Site-to-Site VPNs: The Basics

Managing Site-to-Site VPNs: The Basics CHAPTER 23 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels

More information

Cisco Nexus Data Broker

Cisco Nexus Data Broker Data Sheet Cisco Nexus Data Broker Product Overview You used to monitor traffic mainly to manage network operations. Today, when you monitor traffic you can find out instantly what is happening throughout

More information

Cisco Virtual Networking Solution for OpenStack

Cisco Virtual Networking Solution for OpenStack Data Sheet Cisco Virtual Networking Solution for OpenStack Product Overview Extend enterprise-class networking features to OpenStack cloud environments. A reliable virtual network infrastructure that provides

More information

APIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks

APIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks APIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks Saurav Prasad Technical Marketing Engineer CTHNMS-1002 Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after

More information

Layer 4 to Layer 7 Design

Layer 4 to Layer 7 Design Service Graphs and Layer 4 to Layer 7 Services Integration, page 1 Firewall Service Graphs, page 5 Service Node Failover, page 10 Service Graphs with Multiple Consumers and Providers, page 12 Reusing a

More information

Implementing Cisco Edge Network Security Solutions ( )

Implementing Cisco Edge Network Security Solutions ( ) Implementing Cisco Edge Network Security Solutions (300-206) Exam Description: The Implementing Cisco Edge Network Security (SENSS) (300-206) exam tests the knowledge of a network security engineer to

More information

ISE Identity Service Engine

ISE Identity Service Engine CVP ISE Identity Service Engine Cisco Validated Profile (CVP) Series 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 10 Contents 1. Profile introduction...

More information

Configuring MPLS and EoMPLS

Configuring MPLS and EoMPLS 37 CHAPTER This chapter describes how to configure multiprotocol label switching (MPLS) and Ethernet over MPLS (EoMPLS) on the Catalyst 3750 Metro switch. MPLS is a packet-switching technology that integrates

More information

Provisioning Overlay Networks

Provisioning Overlay Networks This chapter has the following sections: Using Cisco Virtual Topology System, page 1 Creating Overlays, page 2 Creating Network using VMware, page 4 Creating Subnetwork using VMware, page 4 Creating Routers

More information

Intelligent WAN Multiple VRFs Deployment Guide

Intelligent WAN Multiple VRFs Deployment Guide Cisco Validated design Intelligent WAN Multiple VRFs Deployment Guide September 2017 Table of Contents Table of Contents Deploying the Cisco Intelligent WAN... 1 Deploying the Cisco IWAN Multiple VRFs...

More information

Demand-Based Control Planes for Switching Fabrics

Demand-Based Control Planes for Switching Fabrics Demand-Based Control Planes for Switching Fabrics Modern switching fabrics use virtual network overlays to support mobility, segmentation, and programmability at very large scale. Overlays are a key enabler

More information

Exam Name: VMware Certified Associate Network Virtualization

Exam Name: VMware Certified Associate Network Virtualization Vendor: VMware Exam Code: VCAN610 Exam Name: VMware Certified Associate Network Virtualization Version: DEMO QUESTION 1 What is determined when an NSX Administrator creates a Segment ID Pool? A. The range

More information

Cisco CCIE Data Center Written Exam v2.0. Version Demo

Cisco CCIE Data Center Written Exam v2.0. Version Demo Cisco 400-151 CCIE Data Center Written Exam v2.0 Version Demo QUESTION 1 Which IETF standard is the most efficient messaging protocol used in an lot network? A. SNMP B. HTTP C. CoAP D. MQTI Correct Answer:

More information