677
Views
5
Helpful
2
Replies

Trustsec questions

carl_townshend
Spotlight

Hi guys

I have some questions on TrustSec.

Can the tag be carried in IP packets, or is it via the L2 CMD field only?

If L3, what field is it?

Why do we need SXP? Is it for sharing IP-to-SGT mappings? What happens if we don't have it? Is that where inline tagging has to be used?

Where does the SXP map from IP to SGT come from normally? Is it from ISE?

Where does the policy for the SGACL get pulled from? Is it Cisco ISE?

Do all switches need to talk to Cisco ISE to pull the policy, if so?

Are these SGACLs pulled when the switch is added to ISE?

Does the policy look like an ACL on the switch?

Can the SGACL be viewed from the switch?

Is there a limit on the number of SGACLs, similar to ACL limits due to TCAM space?

cheers

2 Accepted Solutions

hslai
Cisco Employee

Please first review the ISE webinars on

  • Group-Based Segmentation Basics
  • Group-Based Segmentation Advanced

thomas
Cisco Employee

As @hslai said, we covered a lot of these topics in this ISE Webinar. Jonathan also points you to the Cisco Segmentation Strategy document.

Group-Based Segmentation Basics

Speaker: Jonathan Eaves, Technical Marketing Engineer
01:20 Where to Start: Cisco Segmentation Strategy
03:35 Intent is Unclear with IP ACLs
04:45 Security Groups and Security Group Tags (SGTs)
05:37 Business Intent is clear with groups in the CLI
07:41 Classification | Propagation | Enforcement
10:51 Source and Destination Groups for Group-Based Policies
11:31 Use 802.1X or MAB to Dynamically Classify Endpoints with SGTs for Visibility
15:48 Visibility/Classification Scenario Demo Overview
16:48 - ISE Policy and Catalyst 9300 Initial State (CTS == Cisco TrustSec)
18:35 - Doctor Authentication on Gig1/0/2
19:24 - IP-to-SGT Mapping
19:35 - ISE LiveLogs
20:04 - ISE SXP Mapping Table
20:50 - Switch Configuration Reference
21:03 Switch Configuration for Enforcement:

cts credentials id {id} password {password}
show cts credentials
show cts pac
show cts environment-data

22:58 Dynamic Group Policy Download from ISE for Enforcement at Egress
26:03 Enforcement Demo
26:08 - ISE TrustSec Policy Matrix

show cts pac
show cts environment-data
show auth sessions
show auth session interface {interface} details
show cts role-based sgt-map all
show cts role-based permissions

27:33 - Enable Scanner
27:47 - ISE LiveLogs

show auth session mac {mac} details
show cts role sgt-map all
show cts role-based permissions
show cts role-based counters

30:01 - Change SGACL in ISE From permit ip to deny ip
31:12 Enforcement on Multiple Platforms
34:07 Peer-to-Peer SXP (SGT-to-IP Exchange Protocol)
35:08 SXP from ISE
35:35 IP-to-SGT Propagation Options: SXP, pxGrid, Inline Tagging, WAN protocols, VXLAN
37:26 SXP Propagation and Enforcement: Doctors and Cameras
40:16 - Add Propagation from ISE to the Destination Switch
41:13 - Add SXP to Destination Switch

show cts sxp connections brief
cts sxp connection peer {ip} source {ip} password {password} mode local listener
show cts role-based sgt-map all

43:58 - Change and Deploy Updated Group Policy in ISE
44:29 Demo: Inline Tagging Propagation and Enforcement (manual/static configuration)

cts manual policy static sgt 2 trusted

47:35 - Monitor Capture:

monitor capture {name} interface {interface} both
monitor capture {name} match any
monitor capture {name} clear
monitor capture {name} start
monitor capture {name} stop
monitor capture {name} buffer | include ICMP
monitor capture {name} buffer detail | begin frame {#}

49:34 Best Practices for Enforcement Design:
Assets ~ Classification Mechanism ~ Enforcement Points ~ Propagation Methods
51:15 Cisco DNAC with AI Endpoint Analytics
52:54 ISE Resources and Related Documents

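As an added example (not from the webinar, the post, or any Cisco code), the Python below models the three stages the outline above walks through, classification, propagation (SXP or inline tagging) and SGACL enforcement at egress, using the doctors and cameras scenario from the SXP demo. The SGT numbers, IP addresses and the policy cell are constructed; the only real convention assumed is that SGT 0 means "Unknown", which is what a switch uses when it has no binding for an address.

```python
from dataclasses import dataclass, field
from typing import Optional

UNKNOWN_SGT = 0  # TrustSec reserves SGT 0 for "Unknown": no classification available

@dataclass
class Switch:
    # IP-to-SGT bindings learned locally (802.1X/MAB) or received via SXP
    sgt_map: dict = field(default_factory=dict)
    # SGACL matrix downloaded from ISE: (src_sgt, dst_sgt) -> "permit" | "deny"
    policy: dict = field(default_factory=dict)
    default_action: str = "permit"  # catch-all cell when no specific cell matches

    def classify(self, ip: str, sgt: int) -> None:
        """Ingress classification, e.g. a doctor authenticating via 802.1X."""
        self.sgt_map[ip] = sgt

    def sxp_speak_to(self, listener: "Switch") -> None:
        """SXP propagation: a speaker shares its IP-to-SGT bindings with a listener."""
        listener.sgt_map.update(self.sgt_map)

    def enforce(self, src_ip: str, dst_ip: str, inline_sgt: Optional[int] = None) -> str:
        """Egress enforcement. The source SGT comes from the inline CMD tag if the
        frame carried one, else from the local map (SXP-fed); with neither it is Unknown."""
        if inline_sgt is not None:
            src_sgt = inline_sgt
        else:
            src_sgt = self.sgt_map.get(src_ip, UNKNOWN_SGT)
        dst_sgt = self.sgt_map.get(dst_ip, UNKNOWN_SGT)
        return self.policy.get((src_sgt, dst_sgt), self.default_action)

def scenario(propagation: str) -> str:
    """A doctor (SGT 10) on the access switch sends to a camera (SGT 20) behind the
    destination switch; the ISE policy denies doctors -> cameras. Returns the verdict."""
    DOCTORS, CAMERAS = 10, 20  # constructed SGT values, not ISE defaults
    access = Switch()
    dest = Switch(policy={(DOCTORS, CAMERAS): "deny"})
    access.classify("10.1.1.50", DOCTORS)  # constructed addresses
    dest.classify("10.2.2.80", CAMERAS)
    if propagation == "sxp":  # access switch speaks, destination switch listens
        access.sxp_speak_to(dest)
        return dest.enforce("10.1.1.50", "10.2.2.80")
    if propagation == "inline":  # SGT travels in the frame's CMD header
        return dest.enforce("10.1.1.50", "10.2.2.80", inline_sgt=access.sgt_map["10.1.1.50"])
    return dest.enforce("10.1.1.50", "10.2.2.80")  # no propagation: source is Unknown

if __name__ == "__main__":
    for mode in ("sxp", "inline", "none"):
        print(mode, scenario(mode))
```

With no propagation the destination switch sees the doctor as Unknown, so the specific deny cell never matches and the default action applies; that is the gap SXP or inline tagging closes.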
