
Advanced Security Group Tags (SGT)
The Detailed Walk Through

Darrin Miller, DTME

BRKSEC-3690
BRKSEC-3690 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
About Me
Darrin Miller
• Security focused Technical Marketing Engineer
• Focused on Architecture, Policy, and Threat
• Author of Books, CVDs, Whitepapers, Patents, etc.
• Cisco Live Distinguished Speaker Hall of Fame Elite
• 20+ years at Cisco: Research, Development, TME
Agenda
• Security/Scalable Group Tag (SGT) Review
• Use Case Reviews with Design Considerations
  • Campus
  • WLAN
  • Software Defined Access (SD-Access) – SGT/VXLAN
  • Firewall Integration with SD-Access
  • Meraki/3rd party interop
  • WAN
    • SXP WAN design
    • SGT over WAN
  • Data Center
    • SGT/ACI
  • Cloud
• Summary
SGT Review
Traditional Segmentation
• The VLAN/ACL design needs to be replicated for floors, buildings, offices, and other facilities; the cost could be extremely high
• Simple segmentation starts with two VLANs; more policies mean more VLANs, each with its own addressing, DHCP scope, routing, redundancy and static ACLs at the aggregation layer
[Figure: aggregation layer carrying ACL, VLAN, addressing, DHCP scope, redundancy, routing and static ACL; access layer with Quarantine, Voice, Data, PCI and Contractor VLANs]
SGT Review
Groups Denote Common Roles and Policy
• Business-based groupings to provide consistent policy and access independent of network topology
• Leverage attributes such as user role, location, and device type to define group assignments
[Figure: example groups SGT_Employee (Employee 1-4), SGT_Guest (Guest 1-4), SGT_Building Management (temperature and surveillance devices), SGT_FinanceServer (Fin 1, Fin 2) and SGT_Printers (Printer 1, Printer 2)]
SGT Review
Example: User to Application Access Control
• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and workloads
• SGT simplifies ACL management for intra/inter-VLAN traffic
• Other use cases
  - Workload/Workload micro segmentation
  - User/User and Device/Device micro segmentation
  - Hybrid cloud
[Figure: Employee, Supplier, Guest and Non-Compliant tags assigned at the access layer (voice and data VLANs, wired and WLAN, in Building 3 and the Main Building) and carried through the campus core, data center firewall, data center and public cloud IaaS]
SGT Review
Classification Methods
Dynamic mechanisms
• User endpoints (ideal for users and mobile devices): 802.1X, MAB, WebAuth, Passive ID (Easy Connect), Profiling
• Virtual systems: ACI (app-centric), virtual port profile, pxGrid and REST APIs
Static mechanisms
• Internal resources (internal IT infrastructure and topology-based policy): IP address, subnet, VLAN, L3 interface, VN, port
• Partner and external (external partners and 3rd party connections): static classification
SGT Review
SGT Transport Mechanism
• Inline SGT tagging (data plane): the SGT is carried inside the Ethernet frame when the device supports SGT in its ASIC
• Security/Scalable group eXchange Protocol (SXP) (control plane): IP-SGT bindings are shared between devices that do not have SGT-capable hardware; SXP can optionally be encrypted
[Figure: endpoint 10.1.100.98 is classified as SGT 50 at campus access and the binding (10.1.100.98 -> 50, source Local) is sent over SXP across a non-SGT-capable enterprise backbone; SGT-capable ASICs on the DC core, TOR, DC access and hypervisor switch carry SGT=50 inline in the frame (SRC: 10.1.100.98); the WLC and firewall also use the IP-SGT binding table]
SGT Review
SGT Transport over L3 networks
• Multiple options for SGT transport over non-CTS Layer 3 networks
  • DMVPN for Internet based VPNs – IWAN compatible
  • GETVPN for secure private MPLS clouds
  • SD-Access enterprise networks: LISP control plane with VXLAN data plane
• Transports: SGT carried inband with the Ethernet frame, with VXLAN, with DMVPN, with GETVPN; IP/SGT carried in SXP out of band
*** By default you can go from SXP to inline tagging
*** To go from inline tagging to SXP you must use SGT caching
[Figure: campus Catalyst switches and WLC (BYOD, Guest, Finance, HR, Admin) connected to a Nexus 7000 / Nexus 5000/2000 / Catalyst 6500 data center (ISE posture and profiler, servers, SGACL enforcement) over the enterprise LAN, Internet DMVPN, enterprise MPLS GETVPN and SXP]
SGT Review
End-to-end SGT Tagging
• End user authenticates to ISE and is classified as Employee (SGT 5)
• The source SGT is carried inline from the WLC5508 / Cat9300 access through the Cat9500/Cat9600 core, the enterprise backbone and the Nexus 7000 / Nexus 5500 / Nexus 2248 data center; Firepower participates as well
• Destination classification at the egress switch: FIB lookup gives CRM (10.1.100.52) = SGT 20 and PCI_DB (10.1.200.100) = SGT 30; on the Nexus 2248 the DGT is derived from destination MAC/port
• Packet SRC 10.1.10.220 / DST 10.1.100.52 arrives with SGT 5 and is matched against DGT 20; the packet to 10.1.200.100 is matched against DGT 30

SGACL matrix (SRC \ DST):
  Employee (5) -> CRM (20): SGACL-A      Employee (5) -> PCI_DB (30): Deny
  BYOD (7)     -> CRM (20): Deny         BYOD (7)     -> PCI_DB (30): Deny
SGT Review
Dynamic Security Group ACL (SGACL) Downloads
• New user/device/server provisioned
• Switch requests policies only for the assets it protects (the switch in front of Prod_Servers (SGT=7) pulls the cells for DGT 7, the switch in front of Dev_Servers (SGT=10) pulls the cells for DGT 10, for sources SGT 3, 4 and 5)
• Policies downloaded & applied dynamically
• Result: software-defined segmentation
  • All controls centrally managed
  • Security policies de-coupled from network topology
  • No switch-specific security configs needed
  • One place to audit network-wide policies
SGT Review
Open Implementations
• 3rd parties support SGTs via pxGrid – IETF proposal for Security Automation and Continuous Monitoring (SACM) – Check Point amongst others
• SXP published as an Informational Draft to the IETF, based on customer requests – shipping partner implementations
• Open source SXP implementations – Java in OpenDaylight, C on github.com
• Includes the Cisco Meta Data (CMD) format for inclusion of the SGT with Ethernet frames (detailed on the next slides)
• https://datatracker.ietf.org/doc/draft-smith-kandula-sxp/
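Worked example, added here and not code from the session or from Cisco: a Python encoder/decoder for an Ethernet frame carrying an inline SGT in a CMD header, plus the ingress decision a switch makes on a trusted versus an untrusted port. The field layout used (EtherType 0x8909, version 1, length 1, option type 0x0001, 16-bit SGT, then the original EtherType) is taken from public protocol dissectors and is an assumption to verify against the CMD specification; the MAC addresses, payload and function names are constructed for the example.

```python
"""Encode/decode a Cisco Meta Data (CMD) header carrying an inline SGT, and model the
trusted/untrusted port decision at ingress.

Added example, not code from the presentation or from Cisco. Assumed wire layout
(from public dissectors; verify against the CMD specification):

  dst MAC(6) | src MAC(6) | 0x8909 | ver=1 | len=1 | opt type=0x0001 | SGT(2) | inner EtherType(2) | payload
"""
import struct

CMD_ETHERTYPE = 0x8909
CMD_VERSION = 1
CMD_LENGTH = 1                       # assumed: option block length in 32-bit words
CMD_OPT_SGT = 0x0001
CMD_HDR = struct.Struct("!HBBHHH")   # ethertype, version, length, option type, SGT, inner ethertype


def build_cmd_frame(dst_mac, src_mac, sgt, inner_ethertype, payload):
    """Insert a CMD header carrying `sgt` between the MAC addresses and the original EtherType."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit value")
    hdr = CMD_HDR.pack(CMD_ETHERTYPE, CMD_VERSION, CMD_LENGTH, CMD_OPT_SGT, sgt, inner_ethertype)
    return dst_mac + src_mac + hdr + payload


def parse_frame(frame):
    """Return (sgt, inner_ethertype, payload); sgt is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != CMD_ETHERTYPE:
        return None, ethertype, frame[14:]
    if len(frame) < 12 + CMD_HDR.size:
        raise ValueError("truncated CMD header")
    _, ver, _length, opt_type, sgt, inner = CMD_HDR.unpack_from(frame, 12)
    if ver != CMD_VERSION or opt_type != CMD_OPT_SGT:
        raise ValueError(f"unsupported CMD version {ver} / option {opt_type:#06x}")
    return sgt, inner, frame[12 + CMD_HDR.size:]


def ingress_sgt(frame, port_trusted, port_static_sgt):
    """SGT the switch assigns to a frame arriving on a port.

    Mirrors 'cts manual / policy static sgt N [trusted]': only a trusted port may accept
    the tag carried in the frame; on an untrusted port the inbound tag is ignored and the
    port's static SGT is applied. Without this check any host able to emit EtherType
    0x8909 frames could choose its own SGT.
    """
    tagged_sgt, _, _ = parse_frame(frame)
    if port_trusted and tagged_sgt is not None:
        return tagged_sgt
    return port_static_sgt


if __name__ == "__main__":
    dst, src = bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344bb")   # constructed
    tagged = build_cmd_frame(dst, src, 5, 0x0800, b"\x45\x00")
    print(tagged.hex())
    print(parse_frame(tagged))                 # (5, 2048, b'E\x00')
    print(ingress_sgt(tagged, False, 2))       # 2: tag from an untrusted port is overwritten
```

The `ingress_sgt` check is the security-relevant part: an inline tag is only evidence of group membership when it arrives on a port configured to trust it. On host-facing or untrusted ports the tag must be overwritten with the port's classification, otherwise an endpoint can pick its own SGT and inherit that group's SGACL cells.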
SGT Review
Why is this Interesting? – Making "Intent" Real
• There are other management/orchestration offerings that take in IP/object definitions and render them as IP ACLs to the firewall/enforcement point
• The IP ACL does not describe the "intent" of the policy in the device or in the telemetry (logging, etc.) produced by the device
• As we will see in the upcoming sections, SGT/SGACLs actually carry the "intent" and put that "intent" into the following
  • Policy definition – ISE
  • Policy on the enforcement point – SGACL on switches, routers, wireless, firewalls
  • Policy in the logging/telemetry analysis – NetFlow, syslog
• This is done in a dynamic, simple, open, and automated way
• All of this results in the following (next slide)
SGT Review
Forrester: The Total Economic Impact of SGTs

Use Case Reviews with Design Considerations
Use Case - Campus
SGT/SGACL Supported Platforms
http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html

Classification:
  Catalyst 2960-S/-SF/-C/-CX/-Plus/-X/-XR
  Catalyst 3560-E/-C/-X/-CX/-CG
  Catalyst 3750-E/-X
  Catalyst 3650, 3850, 3850-XS
  Catalyst 4500E (Sup6-E, 6L-E)
  Catalyst 4500E (Sup 7-E, 7L-E, 8-E, 8L-E)
  Catalyst 4500-X
  Catalyst 6500E (Sup720/2T)
  Catalyst 6800
  WLC 2500/5500/WiSM2/Flex7500
  WLC 5760
  WLC 8510/8540
  Nexus 7000
  Nexus 6000/5600
  Nexus 5500/2200
  Nexus 1000v
  ISRG2, ISR4000, ISRv
  ASR1000, 1000-X; CSR 1000v
  IE2000/2000U/3000/4000/5000
  CGR 2010, CGS2500
  ASA 5500, ASAv, FP4100/9300, ISA 3000
  ISE
  Catalyst 9K

Propagation:
  The same platforms as Classification, plus FP 7000/8000

Enforcement:
  Catalyst 3560-X/-CX
  Catalyst 3750-E/-X
  Catalyst 3650, 3850, 3850-XS
  Catalyst 4500E (Sup 7-E, 7L-E, 8-E, 8L-E)
  Catalyst 4500-X
  Catalyst 6500E (Sup 2T)
  Catalyst 6800
  WLC 8540/5520
  Nexus 7000
  Nexus 6000/5600
  Nexus 5500/2200
  Nexus 1000v
  ISRG2, ISR4000, ISRv
  ASR1000, 1000-X; CSR 1000v
  IE4000/5000
  CGR 2010
  ASA 5500, ASAv, FP4100/9300, ISA 3000
  Web Security Appliance
  Catalyst 9K
Use Case Review - Campus
Use Case - Campus
Campus Access Control
• Business Problem/Background
  • BYOD assets require restricted access to the corporate network and Internet proxies
  • Production vs. Development users on the corporate WLAN
  • Compliant vs. Noncompliant users on the corporate WLAN
  • Centralized compulsory tunneling caused application performance degradation
  • Scaling decentralized access control – platform, opex, capex
• Solution Overview
  • Use SXP to communicate the IP/SGT of all classes of users above to the upstream SGACL switch
  • Subnet/SGT and IP/SGT definitions published to the distributed SGACL switches via SXP, ISE push, or CLI
  • The upstream SGACL switch derives SGT/DGT matches from SXP, ISE 1.3, or CLI
  • Example: reduced the IOS ACL from approx. 1500 ACEs to one ACE: permit tcp dst eq 443
Use Case - Campus
Manufacturer Internet Proxies Example
[Figure: Data Center, Campus A and Branch Office sites; WLC1/WLC2 behind Cat 9500 pairs, CAPWAP tunnels to the access points, SXP from the WLCs to the Cat 9500s and onward to the data center]

Subnet/SGT and IP/SGT classification published to every SGACL switch:
  192.168.31.1/32    Internet Proxies – SGT 100
  192.168.32.0/24    Data Center – SGT 20
  10.x.x.0/24        Campus A – SGT 30
  10.z.z.0/24        Branch Office – SGT 50

Endpoint IP/SGT learned from the WLCs over SXP:
  10.2.1.100         BYOD – SGT 3 (BYOD asset)
  10.2.10.200        Full Access – SGT 6 (corporate asset)
  10.23.1.100        Limited Access – SGT 8 (non-compliant mobile device)
  10.23.10.200       Full Access – SGT 6 (compliant corporate asset)
  Other roles in use: SGT 4 Dev, SGT 5 Production (development devices)

SGACL on the Cat 9500 (from ISE):
  SGT BYOD (3) -> DGT Data Center (20): deny ip

Example: a packet SRC 10.2.1.100 / DST 192.168.32.100 is derived as SGT BYOD (3) and DGT Data Center (20) and is dropped.
Use Case - Campus
Hardware Forwarding SGT/SGACL
• Two groupings of hardware forwarding
  • Port/VLAN based
    • Cat 3K-X, IE4K, etc.
    • N5500
  • IP/SGT based
    • Cat9K / Cat 6K-Sup2T
    • N7K – M series and F series
    • Cat 4K Sup7E/Sup8E
    • Cat 3850/5760
    • ASR1K
• Each type of hardware has different scaling limits
  • There are limits on the number of SGT/DGT pairs as well as Access Control Entries (ACEs) in TCAM
  • All hardware shares ACE entries amongst SGT/DGT pairs when possible
Use Case - Campus
SGT and Destination Group Tag (DGT) Derivation in Cat 3K-X
• Ingress path (SGT derivation): the SGT comes from the L2 table (static classification only), from the packet (inline tag), or from static config
• Egress path (DGT derivation and SGACL): the DGT is derived per (port, VLAN); each (port, VLAN) can have only one DGT associated with it; the SGT/DGT pair selects the SGACL
Use Case - Campus
SGT and DGT Derivation in Cat9K
• Ingress path (SGT derivation): the SGT comes from the L3/FIB table, the ingress port, the packet (inline tag), or static config, with priority control between the sources
• Egress path (DGT derivation and SGACL): the DGT is derived from the L3/FIB table, where each IP prefix has an associated DGT; the SGT/DGT pair selects the SGACL
• A number of SGT (DGT) assignment sources, e.g. SXP, VLAN-SGT, Subnet/Host SGT, are evaluated by the SGT software against a priority list; the winning result is programmed into the L3/FIB table
Use Case - Campus
Implications of Hardware Forwarding Capabilities
• Port/VLAN based hardware
  • Limited SXP applicability because the SGT is derived from MAC/port
  • Fine as SXP speakers/relays, but not for SGT/DGT derivation for enforcement from SXP
  • Limited number of SGTs per port (one, or one per VLAN/port)
  • Not appropriate for this WLAN access control use case
• IP/SGT based hardware
  • Behaves like routing/forwarding – longest match determines the SGT
  • Tagging/enforcement for an incoming packet via FIB lookup for IP/SGT
  • Allows bidirectional SXP
  • Allows multi-hop SXP coming into the switch, again via FIB lookup for IP/SGT
  • Scale varies per platform since IP/SGT shares FIB TCAM with routing
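Worked example, added here and not code from the session: a Python model of the IP/SGT-based behaviour described on this slide and on the End-to-end SGT Tagging slide. Bindings from several sources are resolved by a priority order before being programmed, lookups use longest-prefix match, and the resulting SGT/DGT pair selects an SGACL whose ACEs are evaluated in order. The source precedence order, the ACE grammar subset and the end-of-list action (deny when no ACE matches) are assumptions chosen for illustration and should be verified per platform; the bindings and cells are the ones from the campus use case.

```python
"""IP/SGT binding table with source priority and longest-prefix match, plus SGACL
cell lookup and ordered ACE evaluation.

Added example, not code from the presentation. SOURCE_PRIORITY, the ACE grammar
subset and the end-of-list action are assumptions for illustration only.
"""
import ipaddress
from dataclasses import dataclass

SOURCE_PRIORITY = {"INTERNAL": 5, "LOCAL": 4, "CLI": 3, "SXP": 2, "VLAN": 1}  # assumed order
WELL_KNOWN_PORTS = {"www": 80, "domain": 53}
UNKNOWN_SGT = 0


@dataclass(frozen=True)
class Binding:
    prefix: ipaddress.IPv4Network
    sgt: int
    source: str


class SgtTable:
    """Models the IP-SGT binding table that ends up in the L3/FIB."""

    def __init__(self):
        self._bindings = {}

    def add(self, prefix, sgt, source):
        net = ipaddress.ip_network(prefix, strict=False)
        current = self._bindings.get(net)
        # Priority between sources is resolved per prefix before programming.
        if current is None or SOURCE_PRIORITY[source] >= SOURCE_PRIORITY[current.source]:
            self._bindings[net] = Binding(net, sgt, source)

    def lookup(self, ip):
        """Longest-prefix match; an address with no binding gets SGT 0 (Unknown)."""
        addr = ipaddress.ip_address(ip)
        best = None
        for b in self._bindings.values():
            if addr in b.prefix and (best is None or b.prefix.prefixlen > best.prefix.prefixlen):
                best = b
        return best.sgt if best else UNKNOWN_SGT


def _port(token):
    return WELL_KNOWN_PORTS[token] if token in WELL_KNOWN_PORTS else int(token)


def parse_ace(text):
    """ACE subset used on this page: '<permit|deny> <proto> [dst eq P | dst range A B] [log]'."""
    tok = text.split()
    action, proto, lo, hi, i = tok[0], tok[1], None, None, 2
    if len(tok) > 2 and tok[2] == "dst":
        if tok[3] == "eq":
            lo = hi = _port(tok[4]); i = 5
        elif tok[3] == "range":
            lo, hi = _port(tok[4]), _port(tok[5]); i = 6
    return {"action": action, "proto": proto, "lo": lo, "hi": hi, "log": "log" in tok[i:]}


def _ace_matches(ace, proto, dport):
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if ace["lo"] is not None and (dport is None or not ace["lo"] <= dport <= ace["hi"]):
        return False
    return True


class SgaclPolicy:
    def __init__(self, default_cell="permit ip", end_of_list="deny"):
        self.cells = {}
        self.default_cell = [parse_ace(default_cell)]   # the 'permissions default' cell
        self.end_of_list = end_of_list                  # assumed implicit action; verify per platform

    def set_cell(self, sgt, dgt, aces):
        self.cells[(sgt, dgt)] = [parse_ace(a) for a in aces]

    def decide(self, sgt, dgt, proto, dport=None):
        for ace in self.cells.get((sgt, dgt), self.default_cell):
            if _ace_matches(ace, proto, dport):
                return ace["action"]
        return self.end_of_list


def evaluate(table, policy, src_ip, dst_ip, proto, dport=None):
    """Egress enforcement: derive SGT and DGT from the table, then apply the matching cell."""
    sgt, dgt = table.lookup(src_ip), table.lookup(dst_ip)
    return sgt, dgt, policy.decide(sgt, dgt, proto, dport)


def build_demo():
    """Bindings and cells taken from the campus use case on this page."""
    t = SgtTable()
    t.add("192.168.31.1/32", 100, "CLI")   # Internet proxies
    t.add("192.168.32.0/24", 20, "CLI")    # Data Center
    t.add("10.2.1.100/32", 3, "SXP")       # BYOD, learned from the WLC
    t.add("10.2.10.200/32", 6, "SXP")      # Full Access
    p = SgaclPolicy()
    p.set_cell(3, 20, ["deny ip log"])
    p.set_cell(6, 20, ["permit tcp dst eq 80 log", "permit tcp dst eq 443 log", "deny ip log"])
    return t, p


if __name__ == "__main__":
    table, policy = build_demo()
    print(evaluate(table, policy, "10.2.1.100", "192.168.32.100", "tcp", 443))    # (3, 20, 'deny')
    print(evaluate(table, policy, "10.2.10.200", "192.168.32.100", "tcp", 443))   # (6, 20, 'permit')
```

Two things worth noticing when you run it: a /32 host binding beats the /24 it sits inside regardless of which source supplied it, and a lower-priority source (SXP) cannot overwrite a higher-priority binding (LOCAL) for the same prefix, which is exactly the behaviour you rely on when an SXP peer is less trusted than the switch's own authentication result.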
Use Case - Campus
WLC SXP Configuration
[Screenshot of the WLC SXP configuration page]
Use Case - Campus
IOS SXP Configuration

3850 (SXP speaker towards the core):
    cts sxp enable
    cts sxp connection peer 10.1.44.1 source 10.1.11.44 password default mode local speaker
    ! SXP Peering to Cat6K (speaker role inferred from the listener configuration on the core below)

    C3850#show cts role-based sgt-map all details
    Active IP-SGT Bindings Information

    IP Address              Security Group      Source
    ======================================================================
    10.10.11.1              2:Device_sgt        INTERNAL
    10.10.11.100            6:Full_Access       LOCAL

9K core (SXP listener):
    cts sxp enable
    cts sxp default password cisco123
    cts sxp connection peer 10.1.11.44 source 10.1.44.1 password default mode local listener hold-time 0 0
    ! ^^ Peering to Cat3K
    cts sxp connection peer 10.1.44.44 source 10.1.44.1 password default mode local listener hold-time 0 0
    ! ^^ SXP Peering to WLC

    C9K-CORE-1#show cts sxp connections brief
    SXP              : Enabled
    Highest Version Supported: 4
    Default Password : Set
    Default Source IP: Not Set
    Connection retry open period: 120 secs
    Reconcile period: 120 secs
    Retry open timer is not running
    -----------------------------------------------------------------------------
    Peer_IP          Source_IP        Conn Status       Duration
    -----------------------------------------------------------------------------
    10.1.11.44       10.1.44.1        On                11:28:14:59 (dd:hr:mm:sec)
    10.1.44.44       10.1.44.1        On                22:56:04:33 (dd:hr:mm:sec)

    Total num of SXP Connections = 2

    C9K-CORE-1#show cts role-based sgt-map all details
    Active IP-SGT Bindings Information

    IP Address              Security Group      Source
    ======================================================================
    10.1.40.10              2000:PCI_Servers    CLI
    10.1.44.1               2:Device_sgt        INTERNAL
    --- snip ---
    10.0.200.203            3:BYOD              SXP
    10.10.11.100            6:Full_Access       SXP
Use Case - Campus
Enabling SGT/SGACL on IOS
• The following is a high-level overview of SGT/SGACL configuration on Catalyst switches when used with ISE 2.x
• Configure ISE 2.x to the point where you can perform 802.1X authentication (bootstrap, certificate, AD integration, basic authentication & authorization rules)
• Configure the device SGT (Work Centers > TrustSec > Components > Security Groups)
Use Case - Campus
SGT Configuration for ISE
• Under Work Centers > TrustSec > TrustSec Policy > Network Device Authorization, assign the device SGT created in the previous step to the default condition
• Optionally, under Administration > System > Settings > Protocols > EAP-FAST > EAP-FAST Settings, change the A-ID description to something meaningful so that you can recognise which ISE you are receiving the PAC file from
Use Case - Campus
Configuring a Network Device for SGT in ISE
• Configure the RADIUS shared secret. Under Advanced TrustSec Settings, check "Use Device ID for TrustSec" and enter the device password. This ID and password must be exactly the same as you define on the network device CLI
• Best practice for the TrustSec timers is to set a long duration, so that policy is only updated on the device via an explicit push/workflow
• RADIUS CoA is good for small changes; CLI is good for large changes or for CLI-only platforms like the N7K
Use Case - Campus
Configuring a Catalyst Switch for SGT
• The following CLI is required to turn on NDAC (to authenticate the device to ISE and receive policies, including SGACLs, from ISE)
• Enable AAA
    C9K-CORE-1#config t
    Enter configuration commands, one per line. End with CNTL/Z.
    C9K-CORE-1(config)#aaa new-model
• Define the RADIUS server with the pac keyword
    C9K-CORE-1(config)#radius-server host <ISE_PSN_IP> pac key <RADIUS_SHARED_SECRET>
• Define the authorization list name for TrustSec policy download
    C9K-CORE-1(config)#cts authorization list <AUTHZ_List_Name>
• Use the default AAA group for 802.1X and the defined authz list for authorization
    C9K-CORE-1(config)#aaa authentication dot1x default group radius
    C9K-CORE-1(config)#aaa authorization network <AUTHZ_List_Name> group radius
Use Case - Campus
Configuring an IOS Switch for SGT (cont.)
• Configure the RADIUS server to send VSAs in authentication requests
    C9K-CORE-1(config)#radius-server vsa send authentication
• Enable 802.1X at the system level
    C9K-CORE-1(config)#dot1x system-auth-control
• Define the device credential (EAP-FAST I-ID), which must match the one in the ISE network device configuration
    C9K-CORE-1#cts credential id <Device_ID> password <Device_PASSWORD>

Note: the device credential under IOS is configured in enable (privileged EXEC) mode, not in config mode. This differs from NX-OS, where the device credential is configured in config mode.
Use Case - Campus
Verification – Environment Data
    C6K-CORE-1#show cts environment-data
    CTS Environment Data
    ====================
    Current state = COMPLETE
    Last status = Successful
    Local Device SGT:
      SGT tag = 2-00
    Server List Info:
    Installed list: CTSServerList1-0004, 3 server(s):
     *Server: 10.1.100.3, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
              Status = ALIVE
              auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
     *Server: 10.1.100.4, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
              Status = ALIVE
              auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
     *Server: 10.1.100.6, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
              Status = ALIVE
              auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
    Multicast Group SGT Table:
    Security Group Name Table:
      0001-30 :
        2-98 : 80 -> Trustsec_Devices
        unicast-unknown-98 : 80 -> Unknown
        Any : 80 -> ANY
Use Case - Campus
Create the SGTs in ISE – UI/REST
[Screenshots of the ISE Security Groups page and the corresponding REST call]
Use Case - Campus
Preparing ISE for SGACL Enforcement
• ISE needs to be configured for SGT/SGACL and the associated policies under Work Centers > TrustSec > Egress Policy
• In the matrix cell, select the permission (SGACL) to apply. Example SGACL content:
    permit tcp dst eq 80 log
    permit tcp dst eq 443 log
    deny ip log
Use Case - Campus
Activating SGACL Enforcement on an IOS Switch
• After setting up SGT/SGACL on ISE, you can enable SGACL enforcement on the IOS switch

Defining IP to SGT mappings for servers – shown via CLI, but they can also be pushed from ISE or learned via SXP
    C6K-CORE-1(config)#cts role-based sgt-map 192.168.31.1 sgt 100
    C6K-CORE-1(config)#cts role-based sgt-map 192.168.32.0/24 sgt 20
    C6K-CORE-1(config)#cts role-based sgt-map 10.x.x.0/24 sgt 30

Enabling SGACL enforcement globally and for a VLAN
    C6K-CORE-1(config)#cts role-based enforcement
    C6K-CORE-1(config)#cts role-based enforcement vlan-list 40
Use Case - Campus
Downloading Policy on an IOS Switch
• After enabling SGACL enforcement, policies need to be downloaded to IOS, the egress enforcement point

Refresh environment data using cts refresh environment-data
    C6K-CORE-1# cts refresh environment-data
    Environment data download in progress

Refresh policy using cts refresh policy
    C6K-CORE-1# cts refresh policy
    Policy refresh in progress
Use Case - Campus
Downloading Policy on an IOS Switch
Verify environment data (the Security Group Name Table now lists every SGT defined in ISE)
    C6K-CORE-1#show cts environment-data
    CTS Environment Data
    ====================
    Current state = COMPLETE
    Last status = Successful
    Local Device SGT:
      SGT tag = 2-00
    Server List Info:
    Installed list: CTSServerList1-0004, 3 server(s):
     *Server: 10.1.100.3, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
              Status = ALIVE
              auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
     *Server: 10.1.100.4, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
              Status = ALIVE
              auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
     *Server: 10.1.100.6, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
              Status = ALIVE
              auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
    Multicast Group SGT Table:
    Security Group Name Table:
      0001-22 :
        7-98 : 80 -> Network_Admin_User
        6-98 : 80 -> Full_Access
        5-98 : 80 -> Production
        4-98 : 80 -> Dev
        3-98 : 80 -> BYOD
        2-98 : 80 -> Trustsec_Devices
        unicast-unknown-98 : 80 -> Unknown
        Any : 80 -> ANY
Use Case - Campus
The Reality of SGACL Download – Server List
• There is one server list defined in ISE
• The NAD can be configured to speak to ISE via the real IP of a PSN or via an SLB virtual IP address for CTS (this is supported)
• Regardless, the NAD will download from the IPs in the server list
Use Case - Campus
Server List with Real IP of ISE PSN or Load Balanced Virtual IP (VIP)
1. NAD is configured to talk to the IP of a real ISE PSN (IP1) or to a Virtual IP (VIP) in front of the ISE cluster (PSN 1/2/3)
2. NAD downloads environment data and gets the server list with the ISE real IPs, including ISE PSN4 at IP4
3. User 802.1X authenticates and gets SGT x
4. When the NAD goes to pull down the SGACLs for the policy, it adheres to the server list and speaks to ISE PSN4 at real IP4
• Due to this, some customers dedicate a set of ISE PSNs just for SGACL policy download
• You can add the SLB VIP to the server list
[Figure: RADIUS authentication/authorization towards IP1/VIP, environment data download returning the server list, SGACL policy download going to PSN4; example endpoint and Payment Server trusted asset]
Use Case - Campus
ISE SGACL Policy Push
1. BYOD is communicating with the Development Server
2. Administrator creates a new policy (deny ip) denying BYOD access to the Development Server
3. Administrator triggers a push of the policy (SGACL CoA from ISE)
4. Network device downloads the new policy for the Development Server
• The push applies to SGACL, environment data, and server list
• The switch must accept CoA from the ISE node that sends it:
    aaa server radius dynamic-author
     client 10.200.100.39 server-key 7 01100F175804575D72
     ! PAN IP address for SGT related CoA (PSN optional in 2.4+)
     client 10.200.100.40 server-key 7 060506324F41584B5
     ! PSN IP address for 802.1X/MAB related CoA
* Reminder: choose RADIUS CoA or CLI depending on needs
Use Case - Campus
Viewing SGACL Policy on an IOS Switch
Verify SGACL content (the SGACL mapping policy should match the one on ISE)
    C6K-CORE-1#show cts role-based permissions
    IPv4 Role-based permissions default:
            Permit IP-00
    IPv4 Role-based permissions from group 3 to group 5:
            Deny IP-00
    IPv4 Role-based permissions from group 4 to group 5:
            ALLOW_HTTP_HTTPS-20
    IPv4 Role-based permissions from group 3 to group 20:
            Deny IP-00
    IPv4 Role-based permissions from group 4 to group 6:
            Deny IP-00
    IPv4 Role-based permissions from group 3 to group 7:
            Deny IP-00
    IPv4 Role-based permissions from group 4 to group 7:
            Permit IP-00
Use Case - Campus
Alternative Policy View on an IOS Switch
    SW1-BRC1#sho cts policy sgt 4
    CTS SGT Policy
    ===============
    RBACL Monitor All : FALSE
    RBACL IP Version Supported: IPv4
    SGT: 4-06:Employees
    SGT Policy Flag: 0x41400001
    RBACL Source List:
      Source SGT: 4-06:Employees-0, Destination SGT: 4-06:Employees-0
      rbacl_type = 80
      rbacl_index = 1
      name = DenyIP_Log-10
      IP protocol version = IPV4
      refcnt = 2
      flag = 0x41000000
      stale = FALSE
      RBACL ACEs:
        permit tcp dst eq 80
        deny ip log
    RBACL Destination List: Not exist
    RBACL Multicast List: Not exist
    RBACL Policy Lifetime = 86400 secs
    RBACL Policy Last update time = 21:50:17 UTC Sun Jan 28 2018
    Policy expires in 0:23:59:11 (dd:hr:mm:sec)
    Policy refreshes in 0:23:59:11 (dd:hr:mm:sec)
    Cache data applied = NONE
    -- snip --
Use Case - Campus
SGACL Monitoring – Best Effort Syslog
    C9K-CORE-1#sho cts role-based permissions
    IPv4 Role-based permissions from group 8:EMPLOYEE_FULL to group 8:EMPLOYEE_FULL:
            Lateral_Prevention-11

    C9K-CORE-1#show ip access-list
    Role-based IP access list Deny IP-00 (downloaded)
        10 deny ip
    Role-based IP access list Lateral_Prevention-11 (downloaded)
        10 deny icmp log
        20 deny udp dst eq 445 log
        30 deny tcp dst range 1 100 log (51 matches)
        40 deny udp dst eq domain log

    *Jan 27 13:33:43.355: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/24' sgacl_name='Lateral_Prevention' action='Deny' protocol='tcp' src-vrf='default' src-ip='10.10.18.101' src-port='0' dest-vrf='default' dest-ip='10.10.35.201' dest-port='80' sgt='4' dgt='4' logging_interval_hits='1'

Syslog is best effort: hits are aggregated per logging interval (logging_interval_hits), so use the counters on the next slide for totals.
Use Case - Campus
Verifying SGACL Drops
Use show cts role-based counters to show traffic dropped by SGACL
    C9K-CORE-1#show cts role-based counters
    Role-based IPv4 counters
    From    To      SW-Denied  HW-Denied  SW-Permitted  HW_Permitted
    *       *       0          0          48002         369314
    3       20      53499      53471      0             0
    4       5       0          0          0             3777
    3       6       0          0          0             53350
    4       6       3773       3773       0             0
    3       7       0          0          0             0
    4       7       0          0          0             0

"From * to *" is the default rule. The command displays the statistics of RBACL enforcement, with separate counters for hardware- and software-switched packets. The source SGT can be specified with the "from" clause and the destination SGT with the "to" clause.

Most SGACL enforcement is done in hardware; the SW counter only increments if the packet needs to be punted to software (e.g. the TCAM is full, or the ACE is marked to be logged).
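Worked example, added here and not code from the session: a Python parser for the %RBM-6-SGACLHIT syslog records and the "show cts role-based counters" table from the previous two slides, with the two checks a SOC would want from them: which SGT/DGT cells are actually dropping traffic, and which hits have sgt equal to dgt (traffic inside one group, i.e. lateral movement). The sample records and counter table are constructed to match the formats shown, using straight quotes; the summary functions, their names and the treatment of the Deny action are mine.

```python
"""Turn SGACL enforcement telemetry into something actionable: parse %RBM-6-SGACLHIT
syslog records and 'show cts role-based counters' output, then report the SGT/DGT
cells with drops and any hits inside a single group (lateral movement).

Added example, not code from the presentation. Sample data below is constructed.
"""
import re
from collections import Counter

_KV_RE = re.compile(r"([\w-]+)='([^']*)'")
_INT_FIELDS = ("src-port", "dest-port", "sgt", "dgt", "logging_interval_hits")


def parse_sgaclhit(line):
    """Return the key/value fields of one %RBM-6-SGACLHIT record, or None if the line is not one."""
    if "%RBM-6-SGACLHIT:" not in line:
        return None
    rec = dict(_KV_RE.findall(line.split("%RBM-6-SGACLHIT:", 1)[1]))
    for key in _INT_FIELDS:
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def parse_counters(text):
    """Parse 'show cts role-based counters' into {(from, to): {sw_denied, hw_denied, sw_permitted, hw_permitted}}."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and all(p == "*" or p.isdigit() for p in parts[:2]):
            sw_d, hw_d, sw_p, hw_p = (int(x) for x in parts[2:])
            rows[(parts[0], parts[1])] = {"sw_denied": sw_d, "hw_denied": hw_d,
                                          "sw_permitted": sw_p, "hw_permitted": hw_p}
    return rows


def denied_pairs(rows):
    """(from, to, total denied) for every cell with drops, busiest first."""
    out = [(f, t, r["sw_denied"] + r["hw_denied"]) for (f, t), r in rows.items()
           if r["sw_denied"] + r["hw_denied"] > 0]
    return sorted(out, key=lambda x: x[2], reverse=True)


def deny_summary(lines):
    """Denied hits per (sgt, dgt, sgacl_name, protocol, dest-port), weighted by logging_interval_hits."""
    counts = Counter()
    for line in lines:
        rec = parse_sgaclhit(line)
        if rec and rec.get("action") == "Deny":
            key = (rec["sgt"], rec["dgt"], rec["sgacl_name"], rec["protocol"], rec["dest-port"])
            counts[key] += rec.get("logging_interval_hits", 1)
    return counts


def lateral_hits(lines):
    """Records with sgt == dgt: traffic between members of the same group that an SGACL acted on."""
    return [r for r in map(parse_sgaclhit, lines) if r and r["sgt"] == r["dgt"]]


SAMPLE_SYSLOG = [  # constructed records in the format shown on the previous slide
    "*Jan 27 13:33:43.355: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/24' "
    "sgacl_name='Lateral_Prevention' action='Deny' protocol='tcp' src-vrf='default' "
    "src-ip='10.10.18.101' src-port='0' dest-vrf='default' dest-ip='10.10.35.201' "
    "dest-port='80' sgt='4' dgt='4' logging_interval_hits='1'",
    "*Jan 27 13:34:01.002: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/24' "
    "sgacl_name='Lateral_Prevention' action='Deny' protocol='tcp' src-vrf='default' "
    "src-ip='10.10.18.101' src-port='0' dest-vrf='default' dest-ip='10.10.35.201' "
    "dest-port='80' sgt='4' dgt='4' logging_interval_hits='3'",
    "*Jan 27 13:35:10.110: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/10' "
    "sgacl_name='Deny IP' action='Deny' protocol='tcp' src-vrf='default' "
    "src-ip='10.2.1.100' src-port='0' dest-vrf='default' dest-ip='192.168.32.100' "
    "dest-port='443' sgt='3' dgt='20' logging_interval_hits='1'",
    "*Jan 27 13:35:11.000: %SYS-5-CONFIG_I: Configured from console by admin",
]

SAMPLE_COUNTERS = """\
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitted  HW_Permitted
*       *       0          0          48002         369314
3       20      53499      53471      0             0
4       5       0          0          0             3777
3       6       0          0          0             53350
4       6       3773       3773       0             0
"""

if __name__ == "__main__":
    for frm, to, denied in denied_pairs(parse_counters(SAMPLE_COUNTERS)):
        print(f"SGT {frm} -> DGT {to}: {denied} denied")
    for key, hits in deny_summary(SAMPLE_SYSLOG).most_common():
        print(key, hits)
    print(len(lateral_hits(SAMPLE_SYSLOG)), "intra-group hits")
```

The counters give you totals per cell (and tell you whether the drops happened in hardware or were punted), while the syslog gives you the who/what behind a cell; pairing the two is how you tell an expected policy drop from a host probing its neighbours.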
Use Case - Campus
SGT/SGACL for WLC/APs
• Code 8.3 – allows SXP from the WLC for FlexConnect
• Code version 8.4
  • AP models: 2800, 3700, 3800, 1850, 1830, 1700, 2700 (AKA wave 1 and wave 2 APs)
  • Wireless LAN Controllers: 8540 and 5520 only
  • Supported for centrally switched and FlexConnect SSIDs
  • Additional support for inline and SXPv4 propagation to upstream devices
• Benefits
  • Restrict lateral movement in the WLAN natively
  • Restrict lateral movement to the LAN as well
  • Use classifications from WLC/AP in ASA, FTD, WSA, Stealthwatch policies

Example matrix (Source \ Destination), every cell carrying the Intra_Jabber_Sig and Anti_Malware SGACLs:
  Employees (5) -> BYOD (4)      Employees (5) -> Employees (5)
  BYOD (4)      -> BYOD (4)      BYOD (4)      -> Employees (5)
Use Case - Campus
Central Authentication/Switching: WLAN User to WLAN User
1. Clients are authenticated (ISE) and assigned an SGT
2. WLAN Client-1 sends an IP packet to WLAN Client-2
3. Ingress AP tags the frame
4. Frame arrives at the egress AP
5. Egress AP derives the S-SGT from the frame
6. AP derives the D-SGT from the WLAN client table
7. AP finds the SGACL for the S-SGT/D-SGT match in memory and applies the policy

Example: the WLC holds the binding 10.2.1.200 = Full Access (SGT 5) and the cell BYOD (3) -> Full Access (5): permit ip. A packet SRC 10.2.1.100 (BYOD, SGT 3) / DST 10.2.1.200 (Full Access, SGT 5) is permitted; Contractor is SGT 4.
Nexus 7000 SGT Considerations
Use Case - Campus
Nexus 7000 SGT/SGACL Capabilities
• SGT/SGACL supported on M series, F2, F2E cards as of 6.2(6a)
• SGT/SGACL support on F3 as of 6.2(10)*
• vPC and FabricPath supported in 6.2(10) with IP/SGT only
• NX-OS 7.3
  • Subnet/SGT, including local-only 0.0.0.0/0 for "Internet use cases"
  • SXPv3 to receive/send subnet/SGT (no IPv6)
  • SGACL monitor mode
  • Enhanced SGACL logging (action in log)
• NX-OS 8.0
  • SXPv4 (no IPv6)
  • SGACL per-interface enforcement ("no cts role-based enforcement")
  • SGACL egress policy overwrite (ISE SGACL takes precedence over CLI SGACL)
* F3 can only tag on trunk ports. May require redesign from L3 to trunk/SVI
Use Case - Campus
Nexus F3 Linecard Inline Tagging Behavior
• Known behavior: a dot1q header must be present on the link to support the CMD header which carries the SGT
  • Not an issue for L2 trunks, where the 802.1q header is present
  • Point-to-point L3 links do not insert an 802.1q header
• Two configuration options provide an L3 interface that will impose the dot1q header
  • Sub-interfaces with 802.1q encapsulation enabled
  • A logical Switched Virtual Interface (SVI) with the physical interface configured as an L2 trunk port carrying the VLAN to which the SVI is assigned
• This can impact L2 control traffic (CDP, LLDP, LACP, PAgP, STP, BFD, etc.) working with other N7K line cards
  • Two fixes for better compatibility in NX-OS 8.1(1): CSCvc42685, CSCvb93553
• SGT tagging compatibility of F3 with ISR/ASR/Catalyst switches: fixed in IOS-XE 16.10 for IOS-XE routers
• Compatibility table published on CCO:
  https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus7000/sw/security/config/cisco_nexus7000_security_config_guide_8x/configuring_cisco_trustsec.html#concept_06EC3AC2909F4592BCB3862
Use Case - Campus
Nexus 7000 Interface Configuration
feature cts
feature dot1x
cts device-id N7K-DST1 password 7 wnyxlszh123
cts role-based counters enable
cts role-based sgt-map 10.39.1.30 17
……
cts role-based sgt-map 10.87.109.72 3
cts role-based enforcement
!
vlan 87
  cts role-based enforcement
vlan 118
  cts role-based enforcement
!
interface Ethernet1/25
  description N5K connection
  cts manual
    policy static sgt 0x0002 trusted   <- later NX-OS versions also accept a decimal SGT value
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 90,118-120,124
  spanning-tree port type normal
  channel-group 10 mode active
  no shutdown
Common Issues

Use Case - Campus
Device Tracking – The Engine that Makes 802.1X/MAB Work for SGT
• Device tracking was enabled by default for 802.1X/MAB in IOS releases prior to 16.x
• In 16.x IP device tracking is enabled separately from 802.1X/MAB: a device-tracking policy attached to the port is mandatory, otherwise no IP/SGT binding is created for the session

IOS-XE 3.x port configuration
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable

Mandatory in IOS-XE 16.x, in addition to the above
device-tracking policy IPDT_MAX_10
 limit address-count 10
 no protocol udp
 tracking enable
!
interface GigabitEthernet1/0/1
 device-tracking attach-policy IPDT_MAX_10
Use Case - Campus
Device Tracking Entry Is Fundamental to an IP/SGT Entry

IOS-XE 3.x
DC-C4K-Sup8E#sho ip device tracking all
Global IP Device Tracking for clients = Enabled
Global IP Device Tracking Probe Count = 3
Global IP Device Tracking Probe Interval = 30
Global IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------------------------------
IP Address   MAC Address     Vlan  Interface           Probe-Timeout  State   Source
-----------------------------------------------------------------------------------------------
10.0.0.1     c471.feb7.f141  5     GigabitEthernet3/2  30             ACTIVE  ARP

Total number interfaces enabled: 4
Enabled interfaces:
Gi3/1, Gi3/2, Gi3/46, Gi3/47

IOS-XE 16.x
SW1-BRC1#show device-tracking database
Binding Table has 1 entries, 1 dynamic (limit 100000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned

    Network Layer Address   Link Layer Address  Interface  vlan  prlvl  age  state      Time left
ARP 10.0.0.1                0050.56b4.4760      Gi1/0/1    100   0005   4mn  REACHABLE  42 s
Use Case - Campus
IP/SGT Programming Happens after Device Tracking Learning
SW1-BRC1#sho cts role-based sgt-map all det
Active IPv4-SGT Bindings Information

IP Address      Security Group         Source
======================================================================
10.1.100.100    3:Network_Services     CLI
10.0.0.1        4:Employees            LOCAL
10.10.35.255    2:TrustSec_Devices     CLI
10.200.10.250   200:Printers           CLI
10.200.100.39   3:Network_Services     CLI
10.200.100.100  3:Network_Services     CLI
10.200.100.222  11:Production_Servers  CLI

IP-SGT Active Bindings Summary
============================================
Total number of CLI bindings    = 6
Total number of LOCAL bindings  = 1
Total number of active bindings = 7

The 10.0.0.1 entry with source LOCAL is the one derived from the device tracking entry of the authenticated endpoint on Gi1/0/1; the CLI entries are static sgt-map configuration.
Use Case - Campus
CSCvh70725 - SGT Binding Removed After IPv6 Entry Goes to STALE in IPDT Database

Device tracking policy shown on the slide, with IPv6 learning (NDP and DHCPv6) disabled so that no IPv6 entry is created for the endpoint:
device-tracking policy IPDT_MAX_10
 no protocol ndp
 no protocol dhcp6
 tracking enable
!
interface GigabitEthernet1/0/1
 device-tracking attach-policy IPDT_MAX_10

While the IPv6 entry is REACHABLE, the IPv4 binding is present:
9410#sh cts role-based sgt-map 10.0.0.1
IP Address  SGT  Source
====================
10.0.0.1    18   LOCAL

9410#sh device-tracking dat int GigabitEthernet2/0/11
    Network Layer Address        Link Layer Address  Interface  vlan  prlvl  age   state      Time left
ND  FE80::CE99:99FF:FE4E:FCE4    cc00.9100.fce4      Gi2/0/11   417   0005   4mn   REACHABLE  18 s try 0
ARP 10.0.0.1                     cc00.9100.fce4      Gi2/0/11   417   0005   69s   REACHABLE  239 s try 0
ND  FE80::DD99:7D5B:DE67:FE60    cc01.a200.cc38      Gi2/0/11   402   0005   7s    REACHABLE  302 s try 0
ARP 10.0.0.2                     cc01.a200.cc38      Gi2/0/11   402   0005   32s   REACHABLE  271 s try 0

Once the IPv6 entry goes to STALE, the IPv4 SGT binding is removed from the table, causing the phone to be treated as Unknown:

9410#sh device-tracking dat int GigabitEthernet2/0/11
    Network Layer Address        Link Layer Address  Interface  vlan  prlvl  age   state      Time left
ND  FE80::CE99:99FF:FE4E:FCE4    cc00.9100.fce4      Gi2/0/11   417   0005   6mn   STALE      90472 s
ARP 10.0.0.1                     cc00.9100.fce4      Gi2/0/11   417   0005   53s   REACHABLE  249 s try 0
ND  FE80::DD99:7D5B:DE67:FE60    cc01.a200.cc38      Gi2/0/11   402   0005   111s  REACHABLE  198 s try 0
ARP 10.0.0.2                     cc01.a200.cc38      Gi2/0/11   402   0005   42s   REACHABLE  266 s try 0

9410#sh cts role-based sgt-map 10.0.0.1

9410#
Use Case - Campus
SGACL Download Errors
• Validate AAA is reachable with "show aaa servers"
• Validate the device has a PAC with "show cts pac all"
• Validate the device can communicate with ISE by checking the environment data with "show cts environment-data"
• Check ISE to make sure the SGACL is formatted properly
• No IP/SGT on the switch because of an error in device tracking (see the previous slides)
• TrustSec communities Troubleshooting Guide
  • https://communities.cisco.com/docs/DOC-69479
Software Defined Access (SD-Access) – SGT/VXLAN

Use Case – SGT/VXLAN
What is SD-Access?
• Policy/Automation/Assurance for a set of technology innovations solving:
  • Subnet availability across access layers without stretched VLANs (i.e. spanning tree)
    • Very common in manufacturing, medical, university environments
    • Especially relevant as IoT enters the enterprise campus/WAN (building automation systems that only connect via L2 protocols, connected lighting, etc.)
  • Simplified VRF deployment without MPLS
    • Distribution/core can be plain IP while the edges are the VRF points of presence
    • Simpler connection of VRFs via on-demand tunnels as opposed to GRE, etc.
    • More scalable VRF counts than DMVPN, etc.
  • Security using SGT/SGACL: an alternative to SXP that allows end-to-end tagging without "all devices in the middle being Cisco"
    • Easy to handle 3rd party distribution/core layers
    • Easy to handle topologies where the WAN router isn't managed by the enterprise
• https://www.cisco.com/c/en/us/solutions/enterprise-networks/software-defined-access/compatibility-matrix.html
Use Case – SGT/VXLAN
SD-Access Two Level Hierarchy – Macro Level: Virtual Network (VN)
First level of segmentation, which ensures zero communication between specific groups and gives the ability to consolidate multiple networks into one management plane.
Diagram: one physical network carrying a Building Management VN and a Campus Users VN.
Use Case – SGT/VXLAN
SD-Access Two Level Hierarchy – Micro Level: Scalable Group Tag (SGT)
Second level of segmentation, which ensures role-based access control between two groups within a Virtual Network. Provides the ability to segment the network into either lines of business or functional blocks.
Diagram: the Campus Users VN is further divided into a Finance SG and an Employee SG; the Building Management VN stays a separate VN.
Use Case – SGT/VXLAN
What is Unique About SD-Access?
1. LISP based control plane
2. VXLAN based data plane
3. Integrated SGT/SGACL
The VXLAN header carries both the Virtual Routing & Forwarding instance (VRF) and the Scalable Group Tag (SGT):
ETHERNET | IP | UDP | VXLAN (VRF + SGT) | ETHERNET | IP | PAYLOAD
Use Case – SGT/VXLAN
SD-Access – ISE/Cisco DNA Center Policy Workflow
Fabric policies are authored in Cisco DNA Center as source group, destination group and contract (e.g. Employees -> Production: PERMIT). Cisco DNA Center pushes the groups (Employees, Contractors, Production, Development) and contracts to Cisco ISE over its API, and ISE performs the policy download to the fabric nodes.
Use Case – SGT/VXLAN
Policy Views in DNAC (Matrix View and List View)
• Scaled and zoomed view
• Easy navigation of large policies
(Screenshots: matrix view, zoomed matrix view, and list view of the same policy set.)
Use Case – SGT/VXLAN
SD-Access Example Topology
1. LISP routing lookup for the destination IP. Tunnel location found (see the BRKCRS sessions for all the LISP details).
2. SGT-tagged traffic is encapsulated in VXLAN and sent to the tunnel IP location over "non-SGT capable" devices.
3. Egress switch looks up the DGT for the destination IP 10.2.10.200.
4. Egress switch looks up the policy for the SGT/DGT pair.

Diagram: SDA Fabric Site 1 (10.2.10.0/24) with fabric border routers, Cisco DNAC and ISE, connected over an IP network to the data center (11.11.11.0/24: Web, App, DB) and the LISP mapping system (10.10.10.0/24).

Egress switch IP/SGT table:
IP Address    SGT
10.2.10.200   Contractor - 4

SGACL cell:
SGT               D-SGT            SGACL
Full Access (3)   Contractor (4)   deny ip

Flow: SRC 10.2.10.100 (Full Access, SGT 3) -> DST 10.2.10.200 (Contractor, SGT 4)

* Needs IOS IP Services license
Use Case – SGT/VXLAN
SD-Access – SGT/VXLAN Configuration
• Configuration can be done manually or automated via Cisco DNAC
• Single command for turning on SGT being carried in VXLAN via CLI: "ipv4 sgt" under "router lisp"
• SGT enabled automatically with Cisco DNAC
• IPv4 on any version of code, IPv6 as of 16.9

router lisp
 encapsulation vxlan
 locator-table default
 locator-set rloc_5ac867cf-dcaf-4537-a043-da8b4c91c21f
  IPv4-interface Loopback0 priority 10 weight 10
  exit
 !
 eid-table default instance-id 0
  exit
 !
 eid-table vrf enterprise instance-id 10
  dynamic-eid enterprise_10_240_1_0
   database-mapping 10.240.1.0/24 locator-set rloc_5ac867cf-dcaf-4537-a043-da8b4c91c21f
   exit
  exit
 !
 eid-table vrf Guest instance-id 11
  dynamic-eid Guest_10_241_1_0
   database-mapping 10.241.1.0/24 locator-set rloc_5ac867cf-dcaf-4537-a043-da8b4c91c21f
   exit
  exit
 !
 disable-ttl-propagate
 ipv4 sgt
 ipv4 use-petr 10.99.200.39
 ipv4 itr map-resolver 10.99.200.39
 ipv4 itr
 ipv4 etr map-server 10.99.200.39 key uci
 ipv4 etr
 exit
Use Case – SGT/VXLAN
Fabric Sites & Domains: Connecting Multiple Fabrics
First you build a single Fabric Site; later you build another Fabric Site. How do you connect them together? The transit between the two sites (control nodes C, border nodes B at each site) can be:
• VRF-Lite
• MPLS
• SD-Access transit
• SD-WAN* (* Q2CY20)
• Metro Area
Use Case – SGT/VXLAN
SD-Access for Distributed Campus: SD-Access Transit
• Control plane: LISP within Fabric Site 1, across the SDA transit network, and within Fabric Site 2 (control nodes C, border nodes B at each site), all managed by Cisco DNA-Center.
• Data + policy plane: VXLAN+SGT is carried end to end, so the SGT survives the transit without SXP.
Use Case – SGT/VXLAN
SD-Access for Distributed Campus: SD-Access Transit
Flow: SRC 10.2.10.100 (Full Access) in SDA Fabric Site 1 -> DST 10.2.10.200 (Contractor) in SDA Fabric Site 2, across the SDA transit network.

Egress switch IP/SGT table (Site 2):
IP Address    SGT
10.2.10.200   Contractor - 4

SGACL cell applied at the Site 2 egress:
SGT           D-SGT        SGACL
Full Access   Contractor   deny ip
Firewall Integration with SD-Access

Use Case – SGT/VXLAN
Border Deployment Options - Firewalls

Non-SGT aware firewall:
• Firewall is connected externally to the campus fabric.
• The prefixes from the local campus fabric domain are advertised to the firewall with a routing protocol of choice.
• Firewall policy is based on interface or subnet IP/mask and IP ACLs.

SGT aware firewall:
• Firewall is connected externally to the campus fabric.
• The prefixes from the local campus fabric domain are advertised to the firewall with a routing protocol of choice.
• An SXP connection between ISE and the firewall is used for derivation of SGTs on the firewall.
• Firewall policy is based on SGTs and SGACLs (group based policy).
• Firewall also has interface or subnet IP based policy, for brownfield integration.
Use Case – SGT/VXLAN
Border Deployment Options - Firewalls
• Control plane traffic: LISP between the fabric nodes and the border (B); BGP/IGP between the border and the firewall.
• Data plane traffic: VXLAN between the fabric nodes and the border; VRF-Lite between the border and the firewall.
• Policy plane: the SGT is carried in VXLAN inside the fabric. The firewall does not receive the tag inline; it gets the IP/SGT mappings from ISE via SXP or pxGrid.
Use Case – SGT/VXLAN
Single VN - Endpoint to Application
Flow: SRC 10.1.10.10 (PCI_Users, SGT 5) -> DST 11.11.11.100 (PCI_App). The SGT is carried in VXLAN to the border; the firewall learns the IP/SGT mappings from ISE via SXP/pxGrid and classifies both source and destination from them.

Firewall IP/SGT table (from ISE):
IP Address     SGT
10.1.10.10     PCI_Users
12.1.10.10     LOB2_Users
11.11.11.4     PCI_DB
11.11.11.100   PCI_App

SGFW rule:
SGT         DGT       SGFW
PCI_Users   PCI_App   permit ip
Use Case – SGT/VXLAN
Multiple VN - Endpoint to Endpoint
Flow: SRC 10.1.10.10 (LOB1_Users, SGT 5) in LOB1-VN -> DST 12.1.10.10 (LOB2_Users) in LOB2-VN. Inter-VN traffic leaves the fabric at the border, passes through the firewall and re-enters the fabric; the firewall applies the group-based rule.

Firewall IP/SGT table (from ISE):
IP Address     SGT
10.1.10.10     LOB1_Users
12.1.10.10     LOB2_Users
11.11.11.4     PCI_DB
11.11.11.100   PCI_App

SGFW rule:
SGT          DGT          SGFW
LOB1_Users   LOB2_Users   deny ip

***FTD prior to 6.5 cannot use SGT for destinations in policies***
***FTD as of 6.5 CAN use SGT for source and destination in policy***
Meraki and 3rd Party Interop

Meraki and 3rd party Interop
Meraki* and 3rd Party Switch Support with SGT
Diagram: an auditor's endpoint authenticates with 802.1X through a 3rd party switch; RADIUS goes to ISE, which uses Microsoft Active Directory for the identity and records the IP/SGT binding (10.1.10.1 = Auditor). Application servers, database servers and the trusted asset network in the data center are the protected destinations.
• RADIUS authentication/authorization/accounting MUST go to ISE
• RADIUS accounting MUST be in a format ISE can use to bind the IP and SGT together (the endpoint IP address has to be present in the accounting records)
• * MS390 and MR APs will support "Adaptive Policy", i.e. SGT/SGACL
Meraki and 3rd party Interop
Common Questions about Deployment with Non-Cisco RADIUS or NAC Solutions
• "What if I don't have ISE for 802.1X/MAB AAA?"
  • Any RADIUS server can return the SGT; ISE is then used just for SGACL management
  • Or ISE proxies RADIUS and does the user authorization and SGACL management
• "What if I am using a passive monitoring solution for NAC?"
  • Current integration with several vendors
  • Vendors chose one of two options for sharing their classification:
    • Some chose to write IP/SGT CLI to the access device
    • Some chose to write to the REST API in ISE, or the IOS API, which then sends the data to the network
Meraki and 3rd party Interop
RADIUS Proxy
0. The SGACL for 'Protected Services' is downloaded from ISE to the DC switch.
1. 802.1X / MAB authentication request from the access switch to Cisco ISE.
2. ISE proxies the 802.1X / MAB request to the generic RADIUS server.
3. The RADIUS server returns Access-Accept with IETF attribute [1] User-Name.
4. ISE inspects the username and matches an authorization rule in ISE for SGT assignment, returning Access-Accept to the switch with the Cisco RADIUS AVP cts:security-group-tag-0064-0 (or any other authorization attributes).
5. The SGACL for SGT 100 (hex 64) "Trusted Asset" is downloaded from ISE to the access switch, "if" desired.
• ISE is authoritative for SGT assignment and SGACL definitions.
• Migration to ISE for authorization is easy.
• More complex coexistence for authentications and authorizations.
Legend on the slide: RADIUS, RADIUS proxy, policy download.
Meraki and 3rd party Interop
Delineated Policy Model
0. The SGACL for 'Protected Services' (policy authored in Cisco DNA-C) is downloaded from ISE to the DC switch.
1. 802.1X / MAB authentication request from the access switch to the generic RADIUS server.
2. The RADIUS server sends Access-Accept with the Cisco AVP cts:security-group-tag-xx (e.g. cts:security-group-tag-0064-0).
3. The SGACL for SGT 100 (hex 64) is downloaded from ISE to the access switch.
• Any/existing RADIUS server can assign an SGT.
• Simple coexistence.
• The SGT number value needs to be entered into the RADIUS authorization result by hand (as four hex digits).
Legend on the slide: RADIUS, policy download.
Meraki and 3rd party Interop
Delineated Policy Model: Switch Configuration (3850)
Authentication, authorization and accounting go to the generic RADIUS server; CTS (the cts-mlist authorization list used for environment data and SGACL download) goes to ISE.

aaa new-model
!
aaa group server radius GENERIC_RADIUS
 server name RADIUS_Server_01
!
aaa group server radius ISE
 server name ISE_01
!
aaa authentication dot1x default group GENERIC_RADIUS
aaa authorization network default group GENERIC_RADIUS
aaa authorization network cts-mlist group ISE
aaa accounting dot1x default start-stop group GENERIC_RADIUS
!
cts authorization list cts-mlist
!
radius server RADIUS_Server_01
 address ipv4 10.1.100.3 auth-port 1645 acct-port 1646
 key cisco123
!
radius server ISE_01
 address ipv4 10.1.100.3 auth-port 1812 acct-port 1813
 pac key cisco123
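The delineated model depends on the generic RADIUS server returning the SGT as the Cisco AVPair string shown above, which an operator has to type by hand. The following is an added example, not code from the deck or from Cisco: it formats that AVPair from a decimal SGT and encodes/decodes the RFC 2865 Vendor-Specific Attribute (Type 26, Cisco Vendor-Id 9, Cisco-AVPair vendor type 1) that carries it in an Access-Accept. The sample attribute list is constructed here, and the "ip:inacl" AVPair in it is only there to show that unrelated Cisco AVPairs are skipped.

```python
"""Added example (not from the deck): build and decode the RADIUS
Vendor-Specific Attribute that carries cts:security-group-tag-<hex sgt>-<gen>.
VSA framing follows RFC 2865 section 5.26: Type 26 | Length | Vendor-Id (4) |
vendor data, where Cisco (Vendor-Id 9) vendor data is Vendor-Type 1
(Cisco-AVPair) | Vendor-Length | string.  Sample data is constructed."""
import re
import struct

RADIUS_ATTR_USER_NAME = 1
RADIUS_ATTR_VSA = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1            # vendor type of Cisco-AVPair
SGT_AVPAIR_RE = re.compile(r"^cts:security-group-tag-([0-9a-fA-F]{4})-(\d+)$")


def sgt_avpair(sgt: int, generation: int = 0) -> str:
    """Format the AVPair string an operator has to type into a generic RADIUS
    server by hand: the SGT is four hex digits, e.g. 100 -> 0064."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT must be a 16-bit value")
    return f"cts:security-group-tag-{sgt:04x}-{generation}"


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Generic RADIUS attribute: Type (1) | Length (1, includes the header) | Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_cisco_avpair(text: str) -> bytes:
    """Cisco-AVPair wrapped in a VSA: vendor data is Vendor-Type | Vendor-Length | string."""
    data = text.encode("ascii")
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return encode_attr(RADIUS_ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + vendor_data)


def iter_attrs(attrs: bytes):
    """Yield (type, value) from a RADIUS attribute list, refusing malformed lengths
    instead of reading past the buffer."""
    off = 0
    while off < len(attrs):
        if off + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            raise ValueError("bad attribute length")
        yield atype, attrs[off + 2:off + alen]
        off += alen


def sgt_from_accept(attrs: bytes):
    """Return (sgt, generation) from the first Cisco-AVPair carrying an SGT, or
    None when the Access-Accept assigns no SGT (the port then keeps its default)."""
    for atype, value in iter_attrs(attrs):
        if atype != RADIUS_ATTR_VSA or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vtype, vvalue in iter_attrs(value[4:]):   # vendor data has the same TLV shape
            if vtype != CISCO_AVPAIR:
                continue
            match = SGT_AVPAIR_RE.match(vvalue.decode("ascii", "replace"))
            if match:
                return int(match.group(1), 16), int(match.group(2))
    return None


# Constructed sample: attribute list of an Access-Accept for user "auditor1"
# that assigns SGT 100 (the 0064 on the slide) after an unrelated Cisco AVPair.
SAMPLE_ACCEPT_ATTRS = (
    encode_attr(RADIUS_ATTR_USER_NAME, b"auditor1")
    + encode_cisco_avpair("ip:inacl#1=permit ip any any")
    + encode_cisco_avpair(sgt_avpair(100))
)

if __name__ == "__main__":
    print(sgt_avpair(100))                        # cts:security-group-tag-0064-0
    print(sgt_from_accept(SAMPLE_ACCEPT_ATTRS))   # (100, 0)
```

The generation suffix (the trailing "-0") is carried through unchanged; the decoder does not try to interpret it.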
Meraki and 3rd party Interop
Overlay NAC - REST API: IP to SGT
Only officially supported method for SD-Access
0. The SGACL for 'Protected Services' is downloaded from ISE to the DC switch.
1. Endpoint comes onto the network through the access switch.
2. The passive monitoring system classifies the endpoint through its own mechanisms.
3. The passive monitoring system writes the new classification to ISE via pxGrid.
4. ISE sends a RADIUS CoA for the session to the access switch, and this triggers the SGT authorization/assignment.
• Simplified operations through automation.
• Very chatty: as and when endpoints connect/disconnect to the network, API calls need to be made to ISE.
Legend on the slide: discovery/classification, RADIUS/CoA, pxGrid, policy download.
Use Case Review - WAN

Use Case - WAN
Health Care Access Control - Medical Devices (1/2)
• Business problem/background
  • Isolate medical devices used for patient care
  • Only authorized users, devices, and servers get access to the medical devices
• Solution overview
  • Multi-use workstations use 802.1X to distinguish the user (a user experience change)
    • 802.1X is a full machine or user login
    • Windows Fast User Switching is not supported if the user identity is needed between desktop swaps
  • ISE deployed for profiling medical devices
  • Distribution/core does not support SGT
  • Access layer is capable of bidirectional SXP and filtering on IP/SGT
    • 3650/3850 have limited resources for IP/SGT (12K) and can't hold all endpoints in the network
Use Case - WAN
Health Care Access Control - Medical Devices (2/2)
• Solution overview
  • Resolved this by only applying an SGT to users of medical devices, and to servers explicitly allowed access
    • All users or end devices on the network that don't get an SGT assigned do not populate the IP/SGT table
    • A summary IP/SGT (10.0.0.0/8) is advertised in SXP
    • This means only explicitly known users and end devices get an IP/SGT (/32) while everyone else in the enterprise falls through to the summary IP/SGT (/8), because the longest matching prefix wins
    • This keeps the total SXP IP/SGT count well under 12K for this particular network
    • This allows the policy to be Known_SGT <-> Known_SGT = Permit and Summary_SGT <-> Known_SGT = Deny
  • Internet traffic is not tagged. This allows the administrator to use the "reserved" tag called "Unknown" to handle traffic to medical resources.
  • Alternative methods for handling "Internet traffic":
    • Use "default route" classification on N7K, Cat9K to map to a specific 'Internet SGT'
    • Use a range of subnet/SGT bindings on the edge for "public addresses" not owned by the enterprise (i.e. 1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6, etc.) to map to a specific 'Internet SGT'
Use Case - WAN
Default Route Classification
• New in IOS XE 16.11
• Available on N7K in NX-OS 7.3(0)D1(1)
• A default route (dynamic or static) must exist for proper classification and enforcement
• 0.0.0.0/0 is not exported via SXP per the design specification on IOS XE
  • "Except" N7K can allow it via "cts sxp allow default-route-sgt"

cat9300-SDA-1(config)#cts role-based sgt-map 0.0.0.0/0 sgt 2500
%Please ensure default route is created using ip route 0.0.0.0 command
!
csr1kv-nat#sho cts role-based sgt-map all details
Active IPv4-SGT Bindings Information
IP Address   Security Group      Source
======================================================================
0.0.0.0/0    2500:Internet_SGT   CLI
!
cat9300-SDA-1#show ip route
-- snip --
Gateway of last resort is 172.23.41.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 172.23.41.1
!
Cat9300-SDA-1#sh cts role-based permissions
--snip--
IPv4 Role-based permissions from group 60:IoT_Sensors to group 2500:Internet_SGT:
        deny_log-01
!
Jun 9 20:44:29.700: %FMANFP-6-IPACCESSLOGSGDP: R0/0: fman_fp_image: ingress_interface='GigabitEthernet1' sgacl_name='deny_log-01' action='Deny' protocol='icmp' src-ip='172.23.41.144' dest-ip='172.23.41.1' type='2048' code='0' sgt='60' dgt='2500' logging_interval_hits='1'
Use Case - WAN
Access Control – Health Care Medical Devices SXP Aggregation
S – static IP/SGT definition (from ISE), D – dynamic IP/SGT definition (learned from an authenticated session)

WLC (10.1.254.4), SXP speaker:
IP Address            SGT
10.1.254.1(/32) - D   Medical_Device – 10
10.1.254.10(/32) - D  MedDevUser – 20

SXP enabled access switch (10.1.10.4), SXP speaker:
IP Address            SGT
10.1.10.1(/32) - D    Medical_Device – 10
10.1.10.10(/32) - D   MedDevUser – 20

ISE, SXP speaker for the static bindings:
IP Address               SGT
10.100.100.100(/32) - S  EMR – 300
10.200.200.200(/32) - S  Medical_App – 400
10.0.0.0/8 - S           Enterprise – 30

Aggregation point (SXP speaker/listener), holding the merged table:
IP Address               SGT
10.1.254.1(/32) - D      Medical_Device – 10
10.1.254.10(/32) - D     MedDevUser – 20
10.1.10.1(/32) - D       Medical_Device – 10
10.1.10.10(/32) - D      MedDevUser – 20
10.100.100.100(/32) - S  EMR – 300
10.200.200.200(/32) - S  Medical_App – 400
10.0.0.0/8 - S           Enterprise – 30

SXP listeners: the data center switches in front of the Electronic Medical Records server, the Medical Dispenser Server and the Medical Application receive the merged table from the aggregation point and enforce there.
Use Case - WAN
Access Control – Health Care Medical Devices SXP Aggregation
Merged IP/SGT table on the speaker/listener (and on the listeners in front of the servers):
IP Address               SGT
10.1.254.1(/32) - D      Medical_Device – 10
10.1.254.10(/32) - D     MedDevUser – 20
10.1.10.1(/32) - D       Medical_Device – 10
10.1.10.10(/32) - D      MedDevUser – 20
10.100.100.100(/32) - S  EMR – 300
10.200.200.200(/32) - S  Medical_App – 400
10.0.0.0/8 - S           Enterprise – 30

Flow 1: SRC 10.1.254.10 (MedDevUser, matched by its /32) -> DST 10.100.100.100 (Electronic Medical Records)
SGT              DGT        SGACL
MedDevUser(20)   EMR(300)   permit ip

Flow 2: SRC 10.1.254.100 (no /32 binding, falls through to the 10.0.0.0/8 summary = Enterprise) -> DST 10.200.200.200 (Medical Application)
SGT              DGT                SGACL
Enterprise(30)   Medical_App(400)   deny ip
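The two flows above, the /8 summary design and the default-route classification all rest on one lookup rule: the enforcing device classifies each address by the longest matching IP/SGT prefix, and an address with no binding at all is SGT 0 (Unknown). The following is an added example, not code from the deck or from Cisco, that models that binding table and the SGACL matrix with the bindings and SGT numbers from the slides. The default cell action ("permit ip") and the "CLI" source label for the local 0.0.0.0/0 binding are assumptions made for the model.

```python
"""Added example (not from the deck): a model of the IP/SGT binding table and
SGACL lookup used by the health-care design.  Bindings, SGT numbers and the
10.0.0.0/8 summary are taken from the slides; the default cell action is a
parameter so a "default permit" matrix is modelled explicitly."""
import ipaddress

UNKNOWN_SGT = 0          # reserved tag used when an address has no binding


class SgtBindingTable:
    """IP/SGT bindings keyed by prefix; lookups are longest-prefix-match."""

    def __init__(self):
        self._bindings = []          # (ip_network, sgt, source)

    def add(self, prefix, sgt, source):
        self._bindings.append((ipaddress.ip_network(prefix, strict=False), sgt, source))

    def lookup(self, ip):
        """Return (sgt, source) for ip: a /32 learned via SXP beats the /8
        summary, which beats 0.0.0.0/0; no match at all means Unknown."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, sgt, source in self._bindings:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sgt, source)
        return (best[1], best[2]) if best else (UNKNOWN_SGT, "none")

    def host_bindings(self):
        """Number of /32 entries: what has to fit in the 12K IP/SGT table of
        the 3650/3850 mentioned on the slide."""
        return sum(1 for net, _, _ in self._bindings if net.prefixlen == 32)


class SgaclMatrix:
    """(sgt, dgt) -> SGACL text; cells not in the matrix take the default."""

    def __init__(self, default="permit ip"):
        self.default = default
        self.cells = {}

    def set_cell(self, sgt, dgt, sgacl):
        self.cells[(sgt, dgt)] = sgacl

    def decide(self, sgt, dgt):
        return self.cells.get((sgt, dgt), self.default)


def enforce(table, matrix, src_ip, dst_ip):
    """Egress enforcement: classify both ends, then read the matrix cell."""
    sgt, _ = table.lookup(src_ip)
    dgt, _ = table.lookup(dst_ip)
    return sgt, dgt, matrix.decide(sgt, dgt)


def build_health_care_table(with_default_route=False):
    """Bindings as on the SXP aggregation slides (D = dynamic via SXP from the
    WLC/access switch, S = static from ISE).  The 0.0.0.0/0 -> Internet_SGT
    binding is local CLI on the enforcer only; IOS-XE does not export it over
    SXP (source label "CLI" is this model's assumption)."""
    t = SgtBindingTable()
    t.add("10.1.254.1/32", 10, "D")        # Medical_Device
    t.add("10.1.254.10/32", 20, "D")       # MedDevUser
    t.add("10.1.10.1/32", 10, "D")         # Medical_Device
    t.add("10.1.10.10/32", 20, "D")        # MedDevUser
    t.add("10.100.100.100/32", 300, "S")   # EMR
    t.add("10.200.200.200/32", 400, "S")   # Medical_App
    t.add("10.0.0.0/8", 30, "S")           # Enterprise summary
    if with_default_route:
        t.add("0.0.0.0/0", 2500, "CLI")    # Internet_SGT (local only)
    return t


def build_health_care_matrix():
    """Known <-> Known = permit, Summary <-> Known = deny, as the slides describe."""
    m = SgaclMatrix(default="permit ip")
    for known in (10, 20):
        for app in (300, 400):
            m.set_cell(known, app, "permit ip")
            m.set_cell(30, app, "deny ip")
    return m


if __name__ == "__main__":
    table, matrix = build_health_care_table(), build_health_care_matrix()
    print(enforce(table, matrix, "10.1.254.10", "10.100.100.100"))   # (20, 300, 'permit ip')
    print(enforce(table, matrix, "10.1.254.100", "10.200.200.200"))  # (30, 400, 'deny ip')
    print(table.lookup("8.8.8.8"))                                    # (0, 'none')
```

Running it with `with_default_route=True` shows the alternative the slides mention: 8.8.8.8 then resolves to 2500 (Internet_SGT) through the 0.0.0.0/0 binding instead of falling into Unknown.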
Use Case - WAN
Path Length – Design Consideration
CSCuz01059 – "Path Length Limit" – integrated in 3.6(5)/3.7(4)/16.3(1)/3.17(x)

Topology on the slide: access switches S1..S5 are bidirectional SXP peers of both aggregation routers R1 and R2. A single binding IP1/SGT1 originated by S1 is re-advertised around the loop, so without a limit R1's SXP DB holds one copy per path (IP1/SGT1-S1, IP1/SGT1-S1R2S2, -S1R2S3, -S1R2S4, -S1R2S5) and R2's holds the mirror image (IP1/SGT1-S1R1S2 ... -S1R1S5), while the RBM DB only ever needs one IP1/SGT1 entry. The duplicates consume SXP database space on every listener.

Fix: R1 and R2 filter IP/SGT bindings whose SXP peer sequence exceeds the configured limit, so an access switch ends up with just IP1/SGT1-S1R1 and IP1/SGT1-S1R2 in its SXP DB:
DC-ASR1K-1(config)#cts sxp limit import peer-sequence-nodes 2
DC-ASR1K-1(config)#cts sxp limit export peer-sequence-nodes 2
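To see how one binding multiplies across the R1/R2 + S1..S5 topology and what the peer-sequence limit removes, here is an added simulation, not code from the deck or from Cisco. It models SXPv4 behaviour: every speaker appends its own node ID to the binding's peer sequence, a listener drops a binding whose sequence already contains itself (loop detection), and with a limit set it also drops a sequence longer than `max_nodes`. The topology is constructed from the slide, with R1 and R2 assumed not to peer with each other. Whether "cts sxp limit import peer-sequence-nodes N" keeps a sequence of exactly N nodes is an assumption of this model; verify on the platform.

```python
"""Added example (not from the deck): fan-out of a single IP/SGT binding over
the SXP topology on the path-length slide, with and without a peer-sequence
limit.  Topology and thresholds are this example's assumptions."""
from collections import deque

ACCESS = ["S1", "S2", "S3", "S4", "S5"]
ROUTERS = ["R1", "R2"]
# Constructed from the slide: every access switch is a bidirectional SXP peer
# of both routers (speaker->listener pairs); R1 and R2 are not peered.
SLIDE_TOPOLOGY = [(s, r) for s in ACCESS for r in ROUTERS] + [(r, s) for s in ACCESS for r in ROUTERS]


def propagate(links, origin, max_nodes=None):
    """links: (speaker, listener) pairs.  Returns {node: set of peer sequences}
    for one binding originated at `origin`.  A node holding the binding via
    several paths keeps one entry per path, which is the duplication the
    limit is meant to cut."""
    listeners = {}
    for speaker, listener in links:
        listeners.setdefault(speaker, []).append(listener)
    nodes = {n for link in links for n in link}
    learned = {n: set() for n in nodes}
    queue = deque([(origin, ())])        # (node re-advertising, sequence it holds)
    while queue:
        node, seq = queue.popleft()
        advertised = seq + (node,)       # speaker appends itself
        for listener in listeners.get(node, []):
            if listener in advertised:                       # SXPv4 loop detection
                continue
            if max_nodes is not None and len(advertised) > max_nodes:
                continue                                     # peer-sequence limit
            if advertised in learned[listener]:
                continue
            learned[listener].add(advertised)
            queue.append((listener, advertised))
    return learned


def render(learned, node, binding="IP1/SGT1"):
    """A node's SXP DB in the slide's notation, e.g. IP1/SGT1-S1R2S2."""
    return sorted(binding + "-" + "".join(seq) for seq in learned[node])


if __name__ == "__main__":
    print(render(propagate(SLIDE_TOPOLOGY, "S1"), "R1"))
    print(render(propagate(SLIDE_TOPOLOGY, "S1", max_nodes=2), "R1"))
    print(render(propagate(SLIDE_TOPOLOGY, "S1", max_nodes=2), "S2"))
```

Without a limit R1 ends up with the five entries drawn on the slide; with `max_nodes=2` it keeps only the direct IP1/SGT1-S1 and each access switch keeps IP1/SGT1-S1R1 and IP1/SGT1-S1R2, matching the lower diagram.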
Use Case - WAN
ASR1K Configuration – SXP to Inline SGT
Configure SXP as normal. Arriving IP packets get the SGT associated with them from the SXP bindings and are tagged inline on exit via the Gig0/0/0 interface.

ASR1K-1#sho run | incl sxp
cts sxp enable
cts sxp default source-ip 10.99.1.10
cts sxp default password cisco123
cts sxp connection peer 10.99.10.12 source 10.99.1.10 password default mode local listener
cts sxp connection peer 10.99.10.13 source 10.99.1.10 password default mode local listener
cts sxp connection peer 10.99.188.1 source 10.99.1.10 password default mode local listener
cts sxp connection peer 10.99.200.10 source 10.99.1.10 password default mode local listener
cts sxp connection peer 10.1.36.2 source 10.99.1.10 password default mode local listener
cts sxp connection peer 10.3.99.2 source 10.99.1.10 password default mode local listener
cts sxp connection peer 10.99.200.21 source 10.99.1.10 password default mode local listener
cts sxp connection peer 10.0.1.2 source 10.99.1.10 password default mode local listener
cts sxp connection peer 10.10.1.30 source 10.99.1.10 password default mode local listener
!
Standard tagging configuration for the Gig0/0/0 interface connected to the N7K:
ASR1K-1#sho run int g 0/0/0
!
interface GigabitEthernet0/0/0
 ip address 10.1.46.2 255.255.255.0
 shutdown
 negotiation auto
 cts manual
  policy static sgt 2 trusted
  no cts role-based enforcement
 cdp enable
!
Use Case - WAN
Considerations for SGT Scaling on Cat 9K
• Total SGTs it can enforce policy upon: 255 prior to 17.1(1), 4K as of 17.1(1)
• IP/SGT counter: 10K limit officially*
• ACE counter: ACEs are shared between cells with like SGT/DGT
• SGT/DGT hash table: cells from the ISE matrix

9300#show platform hardware fed switch active fwd-asic resource tcam utilization
CAM Utilization for ASIC [0]
Table                                      Max Values    Used Values
--------------------------------------------------------------------------------
Unicast MAC addresses                      32768/1024    19/21
L3 Multicast entries                       8192/512      0/7
L2 Multicast entries                       8192/512      0/9
Directly or indirectly connected routes    24576/8192    96/149
QoS Access Control Entries                 5120          85
Security Access Control Entries            5120          162
Ingress Netflow ACEs                       256           9
Policy Based Routing ACEs                  1024          20
Egress Netflow ACEs                        768           9
Flow SPAN ACEs                             1024          13
Control Plane Entries                      512           255
Tunnels                                    512           17
Lisp Instance Mapping Entries              512           3
Input Security Associations                256           4
Output Security Associations and Policies  256           5
SGT_DGT                                    8192/512      4060/512
CLIENT_LE                                  4096/256      0/0
INPUT_GROUP_LE                             1024          0
OUTPUT_GROUP_LE                            1024          0
Macsec SPD                                 256           2

* IP/SGT scales are per platform. Check limits in the TrustSec Systems Bulletin.
Use Case - WAN
Health Care Evolution Due to Scale: Router SGACL and ISE as SXP Speaker
SGACL enforcement moves to the routers and ISE acts as the SXP speaker for the static bindings; the WLC and the access switch remain SXP speakers for their dynamic bindings, and the data center switches in front of the servers are listeners. Within the remote site the SGT is carried inband in the Ethernet frame (inline tagging) rather than via SXP.

SXP speakers (dynamic bindings):
IP Address    SGT
10.1.254.1    Medical_Device – 10
10.1.254.10   MedDevUser – 20
10.1.10.1     Medical_Device – 10
10.1.10.10    MedDevUser – 20

Listeners: Electronic Medical Records, Medical Dispenser Server, Medical Application.
Use Case - WAN
Configure Links for SGT Tagging: CTS Manual, No Encryption

ISR4K-1
interface GigabitEthernet1/5
 cts manual
  policy static sgt 2 trusted
  no cts role-based enforcement

Catalyst 3850
interface GigabitEthernet1/0/14
 no switchport
 ip address 10.10.20.2 255.255.255.0
 cts manual
  policy static sgt 2 trusted
  no cts role-based enforcement

Verification:
ISR4K-1#sho cts interface brief
Global Dot1x feature is Enabled
Interface GigabitEthernet1/1:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: ""
    Authorization Status:    SUCCEEDED
        Peer SGT:            2:Device_sgt
        Peer SGT assignment: Trusted
    SAP Status:              NOT APPLICABLE
    Propagate SGT:           Enabled
    Cache Info:
        Expiration            : N/A
        Cache applied to link : NONE
    L3 IPM: disabled.

• Port-channel support: cts is configured on the physical interface, which is then added to the port channel
• Best practice: "shut" and "no shut" the interface after any cts manual change
Use Case - WAN
How Do I Know if I am Tagging? SGT and Flexible NetFlow (FNF)
flow record cts-v4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter bytes
 collect counter packets
!
flow exporter EXP1
 destination 10.2.44.15
 source GigabitEthernet3/1
!
flow monitor cts-mon
 record cts-v4
 exporter EXP1
!
interface Vlan10
 ip flow monitor cts-mon input
 ip flow monitor cts-mon output
!
interface Vlan20
 ip flow monitor cts-mon input
 ip flow monitor cts-mon output
!
interface Vlan30
 ip flow monitor cts-mon input
 ip flow monitor cts-mon output
!
interface Vlan40
 ip flow monitor cts-mon input
 ip flow monitor cts-mon output
Use Case - WAN
Monitoring SGT/FNF Flow Cache
ASR1K-1#show flow mon cts-mon cache
Cache type: Normal
Cache size: 4096
Current entries: 1438
High Watermark: 1632
Flows added: 33831
Flows aged: 32393
- Active timeout ( 1800 secs) 0
- Inactive timeout ( 15 secs) 32393
- Event aged 0
- Watermark aged 0
- Emergency aged 0

IPV4 SOURCE ADDRESS: 192.168.30.209
IPV4 DESTINATION ADDRESS: 192.168.200.156
TRNS SOURCE PORT: 60952
TRNS DESTINATION PORT: 80
FLOW DIRECTION: Output
FLOW CTS SOURCE GROUP TAG: 30
FLOW CTS DESTINATION GROUP TAG: 0
IP PROTOCOL: 6
counter bytes: 56
counter packets: 1

IPV4 SOURCE ADDRESS: 192.168.20.140
IPV4 DESTINATION ADDRESS: 192.168.200.104
TRNS SOURCE PORT: 8233
TRNS DESTINATION PORT: 80
FLOW DIRECTION: Output
FLOW CTS SOURCE GROUP TAG: 20
FLOW CTS DESTINATION GROUP TAG: 0
IP PROTOCOL: 6
counter bytes: 56
counter packets: 1
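As an added example (not from the session), a Python parser for the cache output above that pulls out the flows arriving with source tag 0, the quickest answer to "am I tagging?"; the cache text is constructed from the two records on this slide plus one untagged flow:

```python
import re
from collections import Counter

# Constructed sample in the shape of 'show flow mon cts-mon cache' above,
# plus one flow that reached the router with no tag (SGT 0).
SAMPLE_CACHE = """\
IPV4 SOURCE ADDRESS: 192.168.30.209
IPV4 DESTINATION ADDRESS: 192.168.200.156
TRNS SOURCE PORT: 60952
TRNS DESTINATION PORT: 80
FLOW DIRECTION: Output
FLOW CTS SOURCE GROUP TAG: 30
FLOW CTS DESTINATION GROUP TAG: 0

IPV4 SOURCE ADDRESS: 192.168.20.140
IPV4 DESTINATION ADDRESS: 192.168.200.104
TRNS SOURCE PORT: 8233
TRNS DESTINATION PORT: 80
FLOW DIRECTION: Output
FLOW CTS SOURCE GROUP TAG: 20
FLOW CTS DESTINATION GROUP TAG: 0

IPV4 SOURCE ADDRESS: 192.168.200.104
IPV4 DESTINATION ADDRESS: 192.168.20.140
TRNS SOURCE PORT: 80
TRNS DESTINATION PORT: 8233
FLOW DIRECTION: Input
FLOW CTS SOURCE GROUP TAG: 0
FLOW CTS DESTINATION GROUP TAG: 0
"""

# 'FIELD NAME: value' lines; the cache summary header matches too but is dropped below.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?):\s+(\S+)\s*$")


def parse_flow_cache(text):
    """Return one dict per flow record; records are separated by blank lines."""
    records, current = [], {}
    for line in text.splitlines() + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if "ipv4 source address" in current:   # the header block has no address
                records.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2)
    return records


def untagged_flows(records):
    """Flows seen with source tag 0: traffic reached this device without an SGT."""
    return [r for r in records if r.get("flow cts source group tag") == "0"]


def tag_pair_counts(records):
    """Histogram of (SGT, DGT); a DGT stuck at 0 usually means this device has no
    IP/SGT binding for the destination, not that tagging failed upstream."""
    return Counter((r["flow cts source group tag"], r["flow cts destination group tag"])
                   for r in records)
```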
Use Case - WAN
Stealthwatch Flow Query
Figure: Stealthwatch flow query; use the SGT value to find (and classify) network traffic.
Use Case - WAN
SXP and CMD Parsers in Wireshark via LUA
https://github.com/opendaylight/sxp/tree/master/sxp-dissector
Use Case - WAN
SGFW or SGACL on Router
Platforms as of 16.3(3)

isr-43xx-5#sho cts role-based permissions
IPv4 Role-based permissions from group 1000 to group 4:Employees (configured):
        Deny_Log
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

isr-43xx-5#sho access-list test
Role-based IP access list Deny_Log
    10 deny ip log (732 matches)

*Jun 27 10:56:59.607: %FMANFP-6-IPACCESSLOGSGP: SIP0: fman_fp_image: ingress_interface='Tunnel10' sgacl_name='test' action='Deny' protocol='udp' src-ip='10.1.100.100' src-port='53' dest-ip='10.1.200.100' dest-port='62717' sgt='1000' dgt='4' logging_interval_hits='20'

isr-43xx-5#sho cts environment-data
--snip--
Security Group Name Table:
  0-00:Unknown
  2-00:TrustSec_Devices
  3-00:Network_Services
  4-00:Employees
  5-00:Contractors
--snip--
Use Case - WAN
Monitoring SGACLs
• SGT/DGT counters can be exported periodically via streaming telemetry as of IOS-XE 16.10 and aggregated across the network
• SGACL logs are exported via syslog and can be aggregated and parsed for reporting

Figure: Streaming Telemetry and SGACL Syslog Parsing feed Data storage and Analytics/Reporting.
Use Case - WAN
SGACL Parsing – Logstash example
• Grok parsing of SGACL syslogs to create DB values for SGT/DGT/SGACL, etc.
• Example syslog:
  *Jan 27 13:33:43.355: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/24' sgacl_name='DenyIP_Log-01' action='Deny' protocol='tcp' src-vrf='default' src-ip='10.10.18.101' src-port='64382' dest-vrf='default' dest-ip='10.10.35.201' dest-port='80' sgt='4' dgt='4' logging_interval_hits='1'
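As an added example (not from the session, and not Logstash), a plain-Python stand-in for the grok pattern that parses both the %RBM-6-SGACLHIT line on this slide and the %FMANFP-6-IPACCESSLOGSGP line from the router SGFW slide, resolves sgt/dgt through the show cts environment-data name table, and totals hits per SGT/DGT/SGACL; the log lines and name table are constructed from those two slides:

```python
import re
from collections import Counter

# key='value' pairs; also tolerates the curly quotes (’20’) seen when logs are pasted from documents.
KV_RE = re.compile(r"(\w[\w-]*)=['‘’]([^'‘’]*)['‘’]")
MSG_RE = re.compile(r"%(RBM-6-SGACLHIT|FMANFP-6-IPACCESSLOGSGP):")

# Constructed sample lines, shaped like the syslogs on the two slides.
SAMPLE_LOGS = [
    "*Jan 27 13:33:43.355: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/24' "
    "sgacl_name='DenyIP_Log-01' action='Deny' protocol='tcp' src-vrf='default' "
    "src-ip='10.10.18.101' src-port='64382' dest-vrf='default' dest-ip='10.10.35.201' "
    "dest-port='80' sgt='4' dgt='4' logging_interval_hits='1'",
    "*Jun 27 10:56:59.607: %FMANFP-6-IPACCESSLOGSGP: SIP0: fman_fp_image: "
    "ingress_interface='Tunnel10' sgacl_name='test' action='Deny' protocol='udp' "
    "src-ip='10.1.100.100' src-port='53' dest-ip='10.1.200.100' dest-port='62717' "
    "sgt='1000' dgt='4' logging_interval_hits=’20’",
    "*Jan 27 13:33:44.100: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/24' "
    "sgacl_name='DenyIP_Log-01' action='Deny' protocol='tcp' src-vrf='default' "
    "src-ip='10.10.18.101' src-port='64390' dest-vrf='default' dest-ip='10.10.35.201' "
    "dest-port='443' sgt='4' dgt='4' logging_interval_hits='3'",
]
# Constructed from the 'Security Group Name Table' of show cts environment-data.
SAMPLE_ENV_DATA = "Security Group Name Table:\n 0-00:Unknown\n 2-00:TrustSec_Devices\n" \
                  " 3-00:Network_Services\n 4-00:Employees\n 5-00:Contractors\n"


def parse_sgt_names(env_text):
    """'4-00:Employees' -> {4: 'Employees'}, to label numeric sgt/dgt values."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"^\s*(\d+)-\d+:(\S+)", env_text, re.M)}


def parse_sgacl_log(line):
    """Fields of one SGACL hit syslog, or None if the line is some other message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    fields["mnemonic"] = m.group(1)
    for k in ("sgt", "dgt", "src-port", "dest-port", "logging_interval_hits"):
        if k in fields:
            fields[k] = int(fields[k])
    return fields


def aggregate_hits(lines, sgt_names):
    """Sum logging_interval_hits per (src SGT, dst SGT, SGACL, action), names resolved."""
    totals = Counter()
    for f in filter(None, map(parse_sgacl_log, lines)):
        key = (sgt_names.get(f["sgt"], str(f["sgt"])),
               sgt_names.get(f["dgt"], str(f["dgt"])),
               f["sgacl_name"], f["action"])
        totals[key] += f.get("logging_interval_hits", 1)   # one syslog summarises an interval
    return totals
```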
Use Case - WAN
SGT/DGT Hit Counters via Streaming Telemetry
• NCC – https://github.com/CiscoDevNet/ncc
• ./ncc-establish-subscription.py --host=172.23.41.129 -u cisco -p nbv_1234 -x /trustsec-state --period 50 --callback sample > trustsec-state.txt

Subscription Result : notif-bis:ok
Subscription Id : 2147483648
-->>
Event time : 2019-01-27 22:26:46.910000+00:00
Subscription Id : 2147483648
Type : 1
Data :
{
  "datastore-contents-xml": {
    "trustsec-state": {
      "cts-rolebased-policies": {
        "cts-rolebased-policy": [
          {
            "dst-sgt": "4",
            "hardware-deny-count": "145",
            "hardware-monitor-count": "0",
            "hardware-permit-count": "0",
            "last-updated-time": "1548631492542928",
            "monitor-mode": "false",
            "num-of-sgacl": "1",
            "policy-life-time": "86400",
            "sgacl-name": "dev_emp_deny_log-02;",
            "software-deny-count": "0",
            "software-monitor-count": "0",
            "software-permit-count": "0",
            "src-sgt": "8",
            "total-deny-count": "145",
            "total-permit-count": "0"
          },
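As an added example (not from the session or the NCC project), aggregating the cts-rolebased-policy counters above across devices in Python; the two notifications are constructed in the same datastore-contents-xml shape, with the device names, the second policy and the second switch's numbers assumed:

```python
import json
from collections import defaultdict

# Constructed payloads from two hypothetical switches, in the shape of the
# datastore-contents-xml notification shown above (one notification per device).
SAMPLE_NOTIFICATIONS = {
    "switch-a": json.dumps({"datastore-contents-xml": {"trustsec-state": {
        "cts-rolebased-policies": {"cts-rolebased-policy": [
            {"src-sgt": "8", "dst-sgt": "4", "sgacl-name": "dev_emp_deny_log-02;",
             "monitor-mode": "false", "hardware-deny-count": "145",
             "software-deny-count": "0", "total-deny-count": "145", "total-permit-count": "0"},
            {"src-sgt": "4", "dst-sgt": "4", "sgacl-name": "Permit IP-00;",
             "monitor-mode": "false", "hardware-deny-count": "0",
             "software-deny-count": "0", "total-deny-count": "0", "total-permit-count": "980"},
        ]}}}}),
    "switch-b": json.dumps({"datastore-contents-xml": {"trustsec-state": {
        "cts-rolebased-policies": {"cts-rolebased-policy": [
            {"src-sgt": "8", "dst-sgt": "4", "sgacl-name": "dev_emp_deny_log-02;",
             "monitor-mode": "true", "hardware-deny-count": "55",
             "software-deny-count": "2", "total-deny-count": "57", "total-permit-count": "0"},
        ]}}}}),
}


def policies(payload):
    """Walk one notification down to its list of cts-rolebased-policy entries."""
    doc = json.loads(payload)
    cts = doc["datastore-contents-xml"]["trustsec-state"]["cts-rolebased-policies"]
    return cts["cts-rolebased-policy"]


def aggregate(notifications):
    """Per (src-sgt, dst-sgt): summed deny/permit counters, the devices reporting that
    cell, and which of them only monitor (count but do not drop) the policy."""
    totals = defaultdict(lambda: {"deny": 0, "permit": 0,
                                  "devices": set(), "monitor_only": set()})
    for device, payload in notifications.items():
        for p in policies(payload):
            cell = totals[(int(p["src-sgt"]), int(p["dst-sgt"]))]
            cell["deny"] += int(p["total-deny-count"])      # counters arrive as strings
            cell["permit"] += int(p["total-permit-count"])
            cell["devices"].add(device)
            if p["monitor-mode"] == "true":
                cell["monitor_only"].add(device)
    return dict(totals)
```

A network-wide deny total that includes monitor-mode devices overstates what was actually dropped, which is why the per-cell monitor_only set is kept alongside the counts.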
Use Case - WAN
Elasticsearch Example – SGACL Monitoring
Figure: Elasticsearch dashboard of parsed SGACL hits (screenshot).
Use Case - WAN
Health Care Evolution due to scale
Move to full tagging over DMVPN

IP Address     SGT
10.1.254.1     Medical_Device – 10
10.1.254.10    MedDevUser – 20
10.1.10.1      Medical_Device – 10
10.1.10.10     MedDevUser – 20

Figure: Remote Site devices reach the Electronic Medical Records and Medical Dispenser Server across DMVPN; the Medical Application SGT is carried inband with the frame/packet.
Use Case - WAN
SGT DMVPN Tagging Config
interface Tunnel10
 bandwidth 1000000
 ip address 10.210.0.129 255.255.255.128
 no ip redirects
 ip mtu 1360
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip flow monitor FLOW-MONITOR-1 input
 ip flow monitor FLOW-MONITOR-1 output
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 301
 ip nhrp holdtime 600
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1300
 cts sgt inline
 cdp enable
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN-PROFILE

"cts sgt inline" enables SGT propagation on DMVPN. This command is valid for GRE and tunnel interface mode only.
Use Case - WAN
SGT DMVPN – Show Commands
ASR1K-1# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.1.99          10.1.1.99    UP 00:00:01    SC

ipsec-1900b# show ip nhrp nhs detail
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
10.1.1.99  RE NBMA Address: 1.1.1.99 priority = 0 cluster = 0  req-sent 44  req-failed 0  repl-recv 43 (00:01:37 ago)
TrustSec Enabled

The "C" attribute in show dmvpn and "TrustSec Enabled" in show ip nhrp nhs detail show peer capability and TrustSec negotiation.
Data Center
SGT/ACI
Policy Federation ISE to APIC Flow: SGT Policy used to Program ACI EPG Policy

Controller Layer
• SGT Policy Domain (Cisco DNAC / ISE): ISE retrieves SGT Name: BYOD, SGT Binding = 10.1.10.220
• ISE exchanges with APIC: External EPG Name = BYOD, EPG binding = 10.1.10.220
• ACI Policy Domain (APIC): App EPG, Endpoint = 10.1.100.52

Network Layer
• BYOD endpoint 10.1.10.220 sends SRC:10.1.10.220 DST:10.1.100.52 with SGT: BYOD; SGT policy enforcement on the campus side
• Enterprise Backbone carries plain Ethernet (no SGT) to the ACI Border Leaf (N9K)
• ACI Spine (N9K) and ACI Leaf: EPG BYOD policy enforcement in front of the App Server 10.1.100.52

SGT Federated to ACI Policies
SGT/ACI
Groups Provisioned from SD-Access to ACI (via ISE)
Figure: APIC screenshot; ISE dynamically provisions EPG and IP mappings into ACI.
SGT/ACI
Enforcement Scale in ACI

ACI 3.2 Scale (EX, FX and FX2 Hardware)
No. of unique EEPGs          250
Total Number of Mappings     64,000
Mappings per EEPG            8000
Transaction rate (target)    100/s

Figure: SDA Domain (SD-Access Fabric Site, Scalable Groups (SG)) to ACI (External Endpoint Groups (EPG): EXT-EPG1 ... EXT-EPG3); ISE dynamically provisions EEPGs and IP mappings into ACI.

Recommend ISE 2.4 patch 6 or 2.6
SGT/ACI
Policy Federation APIC to ISE: ACI EPG Policy used to Program SGT Policy

Controller Layer
• ACI Policy Domain (APIC): App EPG, Endpoint = 10.1.100.52
• ISE retrieves EPG Name: App EPG, EPG Binding = 10.1.100.52
• SGT Policy Domain (Cisco DNAC / ISE): SGT Name = BYOD, EPG Binding = 10.1.100.52, propagated with SXP

Network Layer
• BYOD endpoint 10.1.10.220 sends SRC:10.1.10.220 DST:10.1.100.52 with SGT: BYOD; SGT policy enforcement on the campus side
• Enterprise Backbone carries plain Ethernet (no SGT) to the ACI Border Leaf (N9K), ACI Spine (N9K) and ACI Leaf, which enforces in front of the App Server 10.1.100.52

EPG Federated to SGT Policies
SGT/ACI
Groups Provisioned from ACI to SD-Access (via ISE)
Figure: ISE dynamically provisions the SGT into Cisco DNA Center.
SGT/ACI
Scalable Groups in Cisco DNA Center
Figure: Cisco DNA Center Scalable Groups view (screenshot).
SGT/ACI
ACI EPG Shared with SGT Infrastructure
C9K-CORE-1#show flow monitor CYBER_MONITOR cache filter ipv4 destination address 10.200.101.105
--snip--
IPV4 SOURCE ADDRESS: 10.10.18.102
IPV4 DESTINATION ADDRESS: 10.200.101.105
TRNS SOURCE PORT: 0
TRNS DESTINATION PORT: 2048
FLOW CTS SOURCE GROUP TAG: 100
FLOW CTS DESTINATION GROUP TAG: 0
IP PROTOCOL: 1
tcp flags: 0x00
interface output: Te2/1
counter bytes: 1320
counter packets: 22
timestamp first: 04:04:04.013
timestamp last: 04:04:24.913

IPV4 SOURCE ADDRESS: 10.10.18.102
IPV4 DESTINATION ADDRESS: 10.200.101.105
TRNS SOURCE PORT: 0
TRNS DESTINATION PORT: 2048
FLOW CTS SOURCE GROUP TAG: 100
FLOW CTS DESTINATION GROUP TAG: 10005
IP PROTOCOL: 1
tcp flags: 0x00
interface output: Te2/1
counter bytes: 1440
counter packets: 24
timestamp first: 04:04:04.013
timestamp last: 04:04:26.963
--snip--

C9K-CORE-1#sho cts environment-data
--snip--
Security Group Name Table:
  0-00:Unknown
  2-00:TrustSec_Devices
  3-00:Network_Services
  4-00:Employees
  5-00:Contractors
  6-00:Guests
  7-00:Production_Users
  8-00:Developers
  9-00:Auditors
  10-00:Point_of_Sale_Systems
  11-00:Production_Servers
  12-00:Development_Servers
  13-00:Test_Servers
  14-00:PCI_Servers
  15-00:BYOD
  16-00:pci_users
  255-00:Quarantined_Systems
  10001-00:EV_appProfile_LOB1_Web1EPG
  10002-00:EV_appProfile_LOB1_App1EPG
  10003-00:EV_appProfile_LOB1_DB1EPG
  10004-00:EV_appProfile_NetworkServicesEPG
  10005-00:EV_appProfile_LOB2_App1EPG
SGT/ACI
Extended Visibility in Stealthwatch
SGT & ACI Policy Groups in Flow Records
Figure: Stealthwatch flow record showing the Source SGT and the Destination SGT learned from APIC-DC policy group sharing.
Cloud
Use Case - Cloud
Security Controls for Cloud Applications
• Business Problem/Background
  • Developers were buying VMs in cloud environments since IT was too slow to provision
  • This led to untracked data being exposed in cloud environments
  • This led to issues with production and development cross connections by employees corrupting data sets
  • “De-provisioning” of applications/servers never happens, which results in stale security rules
  • “What does this rule do? We don’t know, we’d better not remove it”
  • Provisioning of workloads in minutes as opposed to days – “Fast IT”

• Solution Overview
  • Provide automation for on-prem and cloud environments with strict access controls
  • Change provisioning to automatically reflect the existence of a new cloud instance
  • Provide best path by tunnelling or peering to the cloud providers
  • Provide access control on best path for development, user acceptance and production workloads
Use Case - Cloud
Security Controls for Applications
Figure: today's on-prem ticket flow. Employee access to the Finance App and HR App requires a ticket for a new App for business, a ticket for a new App VLAN if needed, a ticket for a new server IP, and a ticket to hand off the IP to security to add to the security policy; the Firewall Manager pushes the new rule during a maintenance window. In the Public Cloud a Developer spins up a new App (Dev App, New Production App) without any ticket: a Policy Violation.
Use Case - Cloud
Developer and Production Controls for Applications
Figure: the Developer raises a ticket for a new App for business and spins up the new App in the Cloud (Dev App, New Production App); automation provisions the App, and its IP is provisioned to ISE/CSR via REST API. SXP distributes the IP/SGT to the on-prem border protection, which also fronts the Finance App and HR App for the Employee. IT provides the best path to cloud providers via the border protection path, as a VPN tunnel overlay or direct peering depending on the cloud provider.
Use Case - Cloud
REST API - ISE 2.x - IP/SGT
Example script - https://github.com/vkatkade/ISE/blob/master/aws-ise.py
Credit – Vaibhav Katkade
Use Case - Cloud
AWS Transit VPC
• Control traffic between VPCs
• Simplify security configurations
• Scale security group control
• Single control point: control access to spoke VPCs based on SGT tags and policy enforcement within the Transit VPC hub CSRv's

Figure: spoke VPCs VPC1 (dev App 1), VPC2 (pro App 2) and VPC3 (App 3) connect through dynamic route peering to the Transit VPC CSRv's in AZ1 and AZ2, with Internet and Direct Connect paths to the Data Center; ISE assigns the Employee, Developer, Guest and Non-Compliant tags.

Policy matrix (header row as extracted: App 1 (VPC1), App 2 (VPC2), App 3 (VPC3), Internet, Direct Connect; cells in extracted order):
Employee        X ✓ ✓ ✓
Developer       ✓ X ✓ ✓
Guest           ✓ ✓ X X
Non-Compliant   X X ✓ ✓
Use Case - Cloud
Production and Dev Example

Figure: IP/SGT bindings from three speakers converge on an SXP listener (an SGT-capable switch or firewall enforcing at the border).

IP/SGT from API or Cloud Policy (cloud workloads Employee_Web, PCI_Web, Dev_App):
IP Address      SGT
10.200.1.100    Employee_Web – 100
10.1.254.10     PCI_Web – 200
10.2.254.4      Dev_App – 300

SXP enabled switch (speaker):
IP Address      SGT
10.1.10.1       Employee – 10
10.1.10.10      Dev – 20
10.2.10.4       Admin – 30

Listener and speaker:
IP Address      SGT
10.1.254.1      Employee – 10
10.1.254.10     Dev – 20
10.2.254.4      Admin – 30

Listener (switch or firewall, SGT capable enforcement):
IP Address      SGT
10.1.254.1      Employee – 10
10.200.1.100    Employee_Web – 100
10.1.254.10     Dev – 20
10.1.254.10     PCI_Web – 200
10.2.254.4      Admin – 30
10.2.254.4      Dev_App – 300
Summary
• SGT is the foundation for the newly announced Cisco DNA/SD-Access
• SGT builds upon dynamic classification (802.1X/ACI/etc.), static classification (IP/SGT) and orchestration (REST, Cloud Center) to classify users and endpoints on enterprise networks
• SGT provides a scalable enterprise network access control model that is deployed in customer networks today
• SGT provides operational savings by decoupling security policy from the network topology
• SGT has broad Cisco and 3rd party software and hardware support
• SGT has easily adopted migration strategies for deployment
• SGT is deployable today in your network
ISE Diagonal Learning Map
• TECSEC-3416 / Monday – 8h30: Walking on solid ISE: advanced use cases and deployment best practices
• BRKSEC-2430 / Tuesday – 14H30: ISE Deployment Staging and Planning
• BRKSEC-2025 / Wednesday – 8H30: Integrating Security Solutions with Software Defined Access Campus Networks
• BRKSEC-2111 / Wednesday – 14h45: Visibility and Segmentation: First steps to secure Industrial Networks
• BRKSEC-1003 / Wednesday – 16h45: Cisco Platform Exchange Grid (pxGrid) Inside Out
• BRKSEC-3432 / Thursday – 8h30: Advanced ISE Architect, Design and Scale ISE for your production networks
• BRKSEC-3690 / Thursday – 11h15: Advanced Security Group Tags: The Detailed Walk Through
• BRKSEC-3229 / Friday – 9h00: ISE under magnifying glass. How to troubleshoot ISE
• BRKSEC-2140 / Friday – 9h00: 2 birds with 1 stone: DUO integration with Cisco ISE and Firewall solutions
Links
• Secure Access, TrustSec, and ISE on Cisco.com
  • http://www.cisco.com/go/TrustSec
  • http://www.cisco.com/go/ise
  • http://www.cisco.com/go/isepartner
• TrustSec and ISE Deployment Guides:
  • http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
• TrustSec Communities
  • https://communities.cisco.com/community/technology/security/pa/trustsec
• YouTube: Fundamentals of TrustSec:
  • http://www.youtube.com/ciscocin#p/c/0/MJJ93N-3Iew
Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.
Continue your education: Demos in the Cisco campus, Walk-in labs, Meet the engineer 1:1 meetings, Related sessions
Thank you
