10-11-2015 10:17 AM - edited 03-10-2019 12:30 AM
Hi,
What are the differences between DACL vs SGACL?
Does it require a separate license if we want to implement it in ISE?
Thanks
10-11-2015 11:47 AM
DACL is a downloadable ACL. It is a classic ip access-list that uses 5-tuple arguments (source and destination address and port plus protocol type).
SGACL or Security Group ACL uses Security Group Tags (SGTs) as its arguments. Change of Authorization via either dACL or SGACL with SGT are included in ISE Base licensing as of version 1.3. (When SGACLs were introduced in ISE 1.2.1 they required Plus licensing.)
The benefit of SGACLs is that they do not take as many resources (TCAM) in switches as DACLs do. Also they can be more simply crafted and visualized. Downside is that you need to be a bit more careful in selecting the right software level and that not every device in the path might support the SGTs or SGACLs.
You typically need to have an SG-aware firewall at the edge of your domain (like an ASA) to ensure the intended isolation is maintained when entering or leaving the domain.
I have found them not as well documented (not surprising since IP access lists have been around for decades while SGTs are only a couple of years old) and setting them up properly may take a bit more research on your part.
Those caveats aside, SGACLs are encouraged as a more scalable solution. Most engineers haven't worked with them yet, though, so there aren't as many writings on their use and lessons learned in real-life implementations.
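To make the 5-tuple versus SGT distinction concrete, here is an added configuration example (not from the thread or from Cisco documentation). The addresses, SGT values (10 = Contractors, 20 = Servers) and ACL names are assumed for illustration. The dACL body is what you would paste into an ISE downloadable ACL object; the role-based ACL and the `cts role-based` lines are IOS/IOS-XE switch configuration.

```text
! --- dACL: classic 5-tuple access-list, defined in ISE and pushed to the
! --- port at authorization. Every rule names an address, so the list grows
! --- with the number of servers and subnets (assumed addresses).
permit tcp any host 10.10.20.10 eq 443
permit udp any host 10.10.10.5 eq 53
deny ip any 10.10.0.0 0.0.255.255
permit ip any any

! --- SGACL (role-based ACL): keyed by the source/destination SGT pair.
! --- The entries carry only protocol and port, no addresses, which is why
! --- they consume far less TCAM. Assumed SGTs: 10 = Contractors, 20 = Servers.
ip access-list role-based CONTRACTOR_TO_SERVERS
 permit tcp dst eq 443
 deny ip
!
cts role-based permission from 10 to 20 ipv4 CONTRACTOR_TO_SERVERS
cts role-based enforcement
```

Note how the dACL has to be rewritten whenever a server address changes, while the SGACL only changes when the allowed protocol set between two roles changes; adding a server means tagging it with SGT 20, not editing an ACL.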
10-11-2015 12:59 PM
Hi Marvin,
Thank you for the informative reply.
Since we have a lot of contractors, we create accounts for them in our Active Directory, so they can access both wireless and wired. Now we have a separate VLAN for them and an IP access list. Since we use the same VLAN and ACL for all the contractors, all can access everything permitted in the ACL. If I have ISE and a Base license, can I do SGACL or dACL based on the identity in Active Directory?
Is it applicable for both wired and wireless access?
If the end user is connected to 4500 edge switches, does it require any additional license to implement SGACL?
Since you said every device in the path should support SGT, can we use DACL? Does it require anything like that?
"You typically need to have an SG-aware firewall at the edge of your domain (like an ASA) to ensure the intended isolation is maintained when entering or leaving the domain."
What is the purpose of having TrustSec in the ASA?
Thanks a million
10-12-2015 07:38 AM
Assigning an endpoint an SGT (and by implication use of a separately defined SGACL) and pushing a dACL to an interface are both Authorization (or technically Change of Authorization) actions we can take as a result of authentication policies, posture, etc. being met. The authentication can be via any of the supported identity stores, including AD, with AD identity and/or group membership used as criteria.
It is applicable to wired and wireless use cases, constrained only by the network access devices' (NADs = switches, WLCs and firewalls) capability to support the Trustsec feature set. Cisco publishes a compatibility matrix so you can check your equipment. WLCs typically are more constrained in what they can support SGT-wise (as noted in the matrix). Trustsec does not require an additional license on the NADs per se but it may be included as part of a given license type - for instance the Catalyst 4500s require IP Base for Trustsec support.
You can always choose among dACL or SGT or something else altogether (like VLAN assignment) depending on your requirements and preferences. For a more thorough analysis of the advantages of SGT with SGACL I recommend the chapter in the "Cisco ISE for BYOD and Secure Unified Access" book by Aaron Woland and Jamie Heary. You may also want to refer to Cisco Live presentation BRKCRS-2981 "Enterprise Network Segmentation with Cisco Trustsec" (free to download as long as you register at the Cisco Live portal for a free account).
I mentioned the ASA as we often are introducing Trustsec in a few segments or a subsection of the network. The ASA is a good enforcement point where we can ensure that the separation we built between users and segments with SGTs and SGACLs is not lost as we egress from that domain as it can combine SGTs with traditional IP access-lists for traffic going to the rest of the world (or rest of the network anyway).
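As an added illustration of the edge-enforcement point above (not configuration from the thread or from Cisco documentation), here is an ASA access-list that combines a source SGT with a traditional destination address and port. SGT 10 (Contractors), the interface name and the destination address are assumed values.

```text
access-list INSIDE_IN remark Assumed SGT 10 = Contractors; addresses are illustrative
access-list INSIDE_IN remark Contractors may reach only the portal on 443 when leaving the TrustSec domain
access-list INSIDE_IN extended permit tcp security-group tag 10 any host 203.0.113.10 eq 443
access-list INSIDE_IN extended deny ip security-group tag 10 any any
access-list INSIDE_IN remark Untagged or other-tagged traffic is still subject to the classic rules below
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

The value of this placement is that the contractor restriction follows the tag, not the VLAN or subnet the contractor happens to be on, and it still holds for traffic headed to parts of the network that have never heard of SGTs.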