(Pdf copy at the bottom)
Segmentation within SD-Access is enabled through the combined use of both Virtual Networks (VN), which are analogous to VRFs, and Cisco Scalable Group Tags (SGTs). VNs, like VRFs, provide complete isolation between traffic and devices in one VN and those in other VNs. While segmentation can be accomplished through the use of virtual networks alone, SGTs provide logical segmentation based upon group membership. Thus, SGTs provide an additional layer of granularity, allowing you to use multiple SGTs within a single VN to provide micro-segmentation within the VN.
Per the above diagram, traffic from groups within the IOT are completely isolated from the groups with the Corporate VNs. However, by default, traffic between groups (SGTs) within each VN can freely communicate. For example, employees can freely communicate with the developers, the contractors, and the suppliers. In a SD-Access fabric, micro-enforcement with SGTs, also known as Group-Based policy enforcement, is used to filter communications between SGTs.
A group-based policy consists of a source SGT, destination SGT, and a contract. A contract may be as simple as permit/deny ip or it may be based on Layer 4 access control entries explicitly permitting/denying specific TCP/UDP ports.
Cisco DNA Center uses a matrix view to define these policies.
The policies are deployed to ISE and then ISE updates the edge nodes with only those policies for SGTs associated with the attached devices. Enforcement occurs upon egress where the destination is attached (more detail on egress enforcement will be covered later).
In the world of computing and network security enforcement, there are generally two types of policy enforcement models. These are often referred to as blocked list (default allow) and allowed list (default deny). When an allowed list policy model is used all traffic is denied access, except that which is explicitly included in the allowed list policy.
Whether to choose a default permit or deny policy, it largely depends on the requirement. If the requirement is to permit most traffic on the network, then there will be a smaller number of total policies required by using a default permit with explicit deny rules. Conversely, if the requirement is to deny most traffic on the network then fewer policies will be needed by using a default deny with explicit permit rules.
blocked list vs allowed list Policies
Everything is forbidden
Specifically block-list those applications and traffic that you are concerned about.
Write access controls just for those types of traffic and applications that want to permit
Someone needs to put the problematic item in the list. For example, if it is a virus, the IT specialist will add it to the list after detection which could be too late.
Prevents communications unless entries allow-list items. It can stop work because a needed item is not on the list.
Let’s say that we have SGTs for employees, developers, quarantined_users and network_services. Logically, quarantined_users should be restricted from almost every group with bi-directionally defined policies.
In this example, we can see that a blocked list policy is being used because the default policy is to Permit IP. Because all traffic between SGTs is permitted by default, we need to add deny policies for the quarantined_users SGT and all other SGTs that have been defined. This example uses a small number of SGTs, but in a network with hundreds (or whatever), the number of policy definitions would be large.
Alternatively, with an allowed list approach there would be fewer policies to define, as shown in Figure 4.
In this example, we can see that an allow-list policy is being used because the default policy is to Deny IP. Because all traffic between SGTs is deny by default, so by default quarantined_users can’t communicate with anything. This example uses a small number of SGTs, but in a network with hundreds (or whatever), the number of policy definitions would be large.
Figure 5: Test Topology
DNA Center 1.3.3
Catalyst 9K running 17.1.1+
As a SD-Access best practice, ISIS is the recommended protocol for underlay traffic in a SD-Access network. However by design, SGT based enforcement blocks broadcast traffic. Therefore, it is a MUST to disable enforcement for switch-to-switch communications (underlay) by configuring “no cts role-based enforcement” on all switch-to-switch links.
Note: See Appendix for logs generated when this configuration is skipped
Currently Cisco DNA Center enables enforcement on the AP VLAN (2045). As a result, SGT assignment and pre-configured policies are required to allow the AP to connect when the default policy denies communication. You will need to make configurations in two places. First on the fabric edge that the AP is connected to. Secondly, configuration of a group-based policy in Cisco DNAC to allow communications between the unknown SGT(0) and the SGT assigned to the APs as shown below.
Note: Enforcement on VLAN 2045 can be disabled. However, a re-provisioning attempt from DNA Center would simply re-enable enforcement
Note: SGT=0 (Unknown SGT) is used here since the WLC is unclassified
Or via SSH:
Edge(config)#cts role-based sgt-map vlan-list 2045 sgt 2
Note: This command assigns the SGT=2:TrustSec_Devices as the SGT for the AP. This SGT could be anything but for the reasons cited in the “Recommendations” section, I’ve used SGT=2.
Note: A contract that’s more specific can be used in place of “permit ip”. Please reference the
“Securing Communications Further” section below for more details
Currently Cisco DNA Center enables enforcement on VLAN chosen for policy extended node (PEN) management. However, there is not a reserved vlan id for a PEN and Cisco DNA Center does not provision a SGT to a PEN which make it difficult to create a policy to allow the PEN to initalize. Therefore, the current workaround is to disable enforcement on the uplink that connects the PEN to the edge.
In the diagram below, the PEN is connected to interface g1/0/1. Configure “no cts role-based enforcement” on the interface PRIOR TO going through the PEN configuration on Cisco DNA Center.
By default, the SGT values of things outside a fabric are unknown (SGT=0). This includes site-to-site and north-to-south communications. Therefore, you must configure contracts to allow outside traffic (SGT=0) to any SGTs assigned within the fabric.
For example, for an employee (SGT=4) to communicate with a DNS server that is hosted outside of the fabric, a contract is necessary to permit SGT 0 to SGT 4.
Note: Using SGT=0 in a contract allows any type of communication from any unclassified device.
Like other network endpoints, SDA fabric devices must be authenticated and authorized by ISE to download SGTs and group-based policies. As part of this process, the fabric devices be assigned to an SGT. By default, ISE configures this SGT to SGT=0 (Unknown). This SGT is known as the “device SGT”.
Currently, the device SGT has no relevance in the fabric.
However, when considering an allow-list policy model, it is recommended to assign SGT with the value =2: TrustSec_Devices or some SGT value other than 0 to avoid the need to have a catch all policy allowing 0:Unknown to 0:Unknown communications.
Note: In a future ISE release, the device SGT will be 2:TrustSec_Devices by default
Navigate to Work Center-->TrustSec-->TrustSec Policy--> Network Device Authorization and set the default rule to assign the security group to “TrustSec_Devices”
Commands that enable enforcement:
cts role-based enforcement<---Enables SGT-based enforcement globally
cts role-based enforcement vlan-list 1027,1030<---Enabled SGT-based enforcement on specific VLANs
When a default deny is deployed:
*Feb 6 11:27:05.572: %BFDFSM-6-BFD_SESS_DOWN: BFD-SYSLOG: BFD session ld:1 handle:1,is going Down Reason: RX DOWN
*Feb 6 11:27:05.576: %CLNS-5-ADJCHANGE: ISIS: Adjacency to Border (GigabitEthernet1/0/21) Down, bfd neighbor down
Edge(config)# int g1/0/21<---Uplink to next hop switch
Edge(config-if)#no cts role-based enforcement
*Feb 6 11:30:50.997: %BFDFSM-6-BFD_SESS_UP: BFD-SYSLOG: BFD session ld:1 handle:1 is going UP
*Feb 6 11:30:51.006: %CLNS-5-ADJCHANGE: ISIS: Adjacency to Border (GigabitEthernet1/0/21) Up, new adjacency