Trustsec questions

carl_townshend — Fri, 25 Nov 2022 18:26:28 GMT

Hi guys

I have some questions on trustsec

Can the tag be carried in IP packets or is via the L2 cmd field only?

if L3 what field is it?

why do we need SXP? Is it for sharing ip to sgt mappings? What happens if we don’t have it,,is that where inline tagging has to be used?

Where does the sxp map from ip to sgt come from normally, is it from ISE?

Where does the policy for the sgacl get pulled from, is it Cisco ISE?

Do all switches need to talk to Cisco use to pull the policy if so?

are these sgacls pulled when the switch is added to ise?

Does the policy look like an acl on the switch?

Can the sgacl be viewed from the switch ?

is there a limit on number of sgacl similar to acl limits due to the tcam space?

cheers

Re: Trustsec questions

hslai — Sun, 11 Dec 2022 23:18:20 GMT

Please first review the ISE webinars on

Group-Based Segmentation Basics
Group-Based Segmentation Advanced

Re: Trustsec questions

thomas — Tue, 13 Dec 2022 22:14:30 GMT

As @hslai said, we covered a lot of these topics in this ISE Webinar. Jonathan also points you to the Cisco Segmentation Strategy document.

Group-Based Segmentation Basics

Speaker: Jonathan Eaves, Technical Marketing Engineer
01:20 Where to Start : Cisco Segmentation Strategy
03:35 Intent is Unclear with IP ACLs
04:45 Security Groups and Security Group Tags (SGTs)
05:37 Business Intent is clear with groups in the CLI
07:41 Classification | Propagation | Enforcement
10:51 Source and Destination Groups for Group-Based Policies
11:31 Use 802.1X or MAB to Dynamically Classify Endpoints with SGTs for Visibility
15:48 Visibility/Classification Scenario Demo Overview
16:48 - ISE Policy and Catalyst 9300 Initial State (CTS == Cisco TrustSec)
18:35 - Doctor Authentication on Gig1/0/2
19:24 - IP-to-SGT Mapping
19:35 - ISE LiveLogs
20:04 - ISE SXP Mapping Table
20:50 - Switch Configuration Reference
21:03 Switch Configuration for Enforcement :

cts credentials id {id} password {password}
show cts credentials
show cts pac
show cts environment-data

22:58 Dynamic Group Policy Download from ISE for Enforcement at Egress
26:03 Enforcement Demo
26:08 - ISE TrustSec Policy Matrix

show cts pac
show cts environment-data
show auth sessions
show auth session interface {interface} details
show cts role-based sgt-map all
show cts role-based permissions

27:33 - Enable Scanner
27:47 - ISE LiveLogs

show auth session mac {mac} details
show cts role sgt-map all
show cts role-based permissions
show cts role-based counters

30:01 - Change SGACL in ISE From permit ip to deny ip
31:12 Enforcement on Multiple Platforms
34:07 Peer-to-Peer SXP (SGT-to-IP Exchange Protocol)
35:08 SXP from ISE
35:35 IP-to-SGT Propagation Options: SXP, pxGrid, Inline Tagging, WAN protocols, VXLAN
37:26 SXP Propagation and Enforcement: Doctors and Cameras
40:16 - Add Propagation from ISE to the Destination Switch
41:13 - Add SXP to Destination Switch

show cts sxp connections brief
cts sxp connection peer {ip} source {ip} password {password} mode local listener
show cts role-based sgt-map all

43:58 - Change and Deploy Updated Group Policy in ISE
44:29 Demo: Inline Tagging Propagation and Enforcement (manual/static configuration)

cts manual policy static sgt 2 trusted

47:35 - Monitor Capture:

monitor capture {name} interface {interface} both
monitor capture {name} match any
monitor capture {name} clear
monitor capture {name} start
monitor capture {name} stop
monitor capture {name} buffer | include ICMP
monitor capture {name} buffer detail | begin frame {#}

49:34 Best Practices for Enforcement Design:
Assets ~ Classification Mechanism ~ Enforcement Points ~ Propagation Methods
51:15 Cisco DNAC with AI Endpoint Analytics
52:54 ISE Resources and Related Documents

Cisco Segmentation Strategy
53:31 Question: DNAC and Stealthwatch

topic Re: Trustsec questions in Network Access Control

Trustsec questions

Re: Trustsec questions

Re: Trustsec questions

Group-Based Segmentation Basics