Ordering Guide
Overview of TrustSec
January 2014
2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 58

Contents

What You Will Learn ... 3
Ingress Access Control Challenges ... 3
VLAN Assignment ... 3
Ingress ACLs ... 5
So, What Is a SGT? ... 7
Defining the SGTs ... 8
Classification ... 11
Dynamic SGT Classification ... 11
Static Classification ... 12
IP to SGT ... 12
Subnet to SGT ... 12
VLAN to SGT ... 12
Layer 2 Interface to SGT (L2IF-SGT) ... 12
Layer 3 Logical Interface to SGT (L3IF-SGT) ... 13
Port to SGT ... 13
Port Profile to SGT ... 13
Manually Binding IP Addresses to SGTs Using the Cisco ISE ... 13
Propagation ... 14
Propagation: Inline ... 15
Configuring Native SGT Propagation (Tagging) ... 16
Ingress Reflector Mode ... 18
Egress Reflector Mode ... 18
Propagation: SGT Exchange Protocol (SXP) ... 21
SXPv4: Loop Detection ... 23
Configuring SXP ... 23
Configuring SXP on Cisco IOS Software-Based Switches ... 24
Configuring SXP on Wireless LAN Controllers ... 25
Configuring SXP on the Cisco ASA Firewall ... 28
Enforcement ... 31
SGACL ... 31
Creating the SGACL in the Cisco ISE ... 34
Configuring the Cisco ISE to Allow the SGACLs to Be Downloaded ... 40
Security Group Firewalls ... 45
Security Group Firewall on the Cisco ASA ... 45
Configuring Cisco TrustSec Downloads from the Cisco ISE Through the Cisco ASDM ... 46
Configuring SGFW Policies Through the Cisco ASDM ... 53
Security Group Firewall on the Cisco ISR and ASR ... 55
Configuring SGFW on the Cisco ASR and ISR ... 55

What You Will Learn

If you have read the Cisco Secure Access How-To Guides, you have been exposed to many ways of controlling network access based on the context of user and device. VLAN assignment controls network access at the Layer 3 edge or by isolating that VLAN into a segmented virtual network. Additionally, access control list (ACL) assignment, which can be a local ACL, can be called into action by a RADIUS attribute or a downloaded ACL (dACL). These ACLs are applied at the switch port ingress or at the virtual port in the case of the wireless LAN controller (WLC). These are all very good access-control methods, but controlling access only at the point of network ingress can leave room for a more desirable and scalable solution. In this guide, we will discuss a Cisco innovation that makes access control more scalable and powerful: Cisco TrustSec.

Cisco TrustSec is defined in three phases: classification, propagation, and enforcement. This guide will focus on these fundamentals as well as the configuration of the many devices available for use in a Cisco TrustSec environment. Basic use cases will be presented where scalable security policy can be implemented with switches, Security Group ACLs (SGACLs), and Security Group Firewalls (SGFWs).

Ingress Access Control Challenges

VLAN assignments and dACLs are fantastic ways of controlling access to a network. However, when a network grows, so do the challenges of keeping up with the ingress access controls. Let’s take a look at each one of these standard use cases individually and discuss the challenges.

VLAN Assignment

VLAN assignment based on the context of a user or device is a very common way to control access to a network. Let’s use the hypothetical scenario of controlling access to servers that contain credit card data. This access falls under Payment Card Industry (PCI) compliance standards.

1. A user is a member of the Retail Managers group in Windows Active Directory.
2. The posture of the system is compliant.
3. Therefore the Cisco Identity Services Engine (ISE) assigns the user to the PCI-allowed VLAN on the switch or WLC.

Now, an ACL must be applied somewhere to enable VLAN assignment to control access to the servers that house the PCI data (Figure 1). Let’s assume that the ACL is applied at a firewall between the campus or branch network and the data center.

1. The ACL on the data center firewall must be updated to include all the source IP addresses of PCI-allowed VLANs throughout the entire network infrastructure.

Figure 1. Controlling Access with VLANs on a Single Switch

Next, the company has decided to control access to the human relations (HR) department server, so that only members of that department may talk to HR servers (Figure 2). Another set of rules will need to be built that assign the HR VLAN, and another set of entries must be made in the ACL.

Figure 2. Controlling Access with Two VLANs on a Single Switch

Now, consider how this can scale as we continue to add VLANs and we continue to add switches and WLCs to the equation. One of our large customers has more than 50,000 switches in the access layer. That is a tremendous number of VLANs to create and addresses to maintain in an access list on a firewall. That same customer had 15 full-time employees managing the firewall rules. The company needed to find a better mechanism to control access that would lower its operational expenses tremendously.

What if you had 100 remote sites? A hundred new IP subnets could easily modify your existing route strategy. When that is the case, the route summarization alone can cause a network redesign, which will add even more operational cost (Figure 3).

Figure 3. Operationally Taxing VLAN Control

The number of access control entries (ACEs) in an ACL can be determined by a formula. The formula takes the number of sources multiplied by the number of destinations multiplied by the number of permissions in the ACL:

(sources) * (destinations) * (permissions) = ACEs

So with the environment depicted in Figure 3, we would need 32 ACEs for only four sources, two destinations, and four permissions. Now with 100 remote sites it is easy to visualize the explosion of ACEs.

Ingress ACLs

Another way to control access is to use access lists applied at ingress (inbound) at the port (or virtual port) that the user or device is using to access the network (Figure 4). These could be locally defined ACLs that are called by using the Filter-ID RADIUS attribute, or they could be dACLs, in which the entire ACL is defined on the Cisco ISE and downloaded to the port.

Obviously, dACLs provide a better operational model, because you have to update an ACL only once. Additionally, the number of ACEs required is lower when the ACL is applied to a switch port than it would be if the ACL were applied to a centralized location. Because the ACL is being applied at the point of ingress, there is only a single source IP address (theoretically). Cisco switches perform source substitution on these ACLs to make it even easier. With source substitution, the “any” keyword in the source field of an ACL is replaced with the actual IP address of the host on the switch port.

Using the same formula for six destinations and four permissions, we have:

1 source * 6 destinations * 4 permissions = 24 ACEs

However, there are a few complications with using ACLs on access layer devices. Two major complications are the size of the access lists and the need to regularly maintain them.

If ACLs are used to explicitly defend host networks, they must be updated regularly for all the new destinations that get added to the network. This maintenance can cause an exorbitant amount of operational expense. Additionally, a switch is able to apply only a limited number of ACEs.

ACLs get loaded into and executed from ternary content addressable memory (TCAM). Access layer switches have a limited amount of TCAM, which is usually assigned per application-specific integrated circuit (ASIC). Therefore the number of ACEs that can be loaded depends on a number of factors, such as the number of hosts per ASIC and the amount of free TCAM space.

Due to that limited amount of TCAM, ACLs cannot be overly large, especially when the access layer may be a mixture of different switches, each switch having a different amount of TCAM per ASIC. The best-practice recommendation is to keep the ACE count below 64 per dACL. This figure may need to be adjusted for your specific environment, but it is a good place to start.
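As an added example (not code from the Cisco guide), the following Python applies the ACE formula above, the ingress dACL source substitution, and the 64-ACE-per-dACL guideline to constructed sample addresses, showing how a centralized firewall ACL grows with each remote site while a per-port dACL stays small. All subnets, server addresses, and ports are invented for illustration.

```python
from itertools import product

# Constructed sample data (not from the guide): PCI-allowed VLAN subnets at
# four sites, the servers they reach, and the permitted protocol/port pairs.
PCI_VLAN_SOURCES = ["10.1.10.0/24", "10.2.10.0/24", "10.3.10.0/24", "10.4.10.0/24"]
PCI_SERVERS = ["10.100.1.10", "10.100.1.11"]
ALL_SERVERS = PCI_SERVERS + ["10.100.2.10", "10.100.2.11", "10.100.3.10", "10.100.3.11"]
PERMISSIONS = [("tcp", 443), ("tcp", 1433), ("tcp", 22), ("udp", 53)]
DACL_ACE_GUIDELINE = 64  # the guide's best-practice ceiling per dACL


def ace_count(sources, destinations, permissions):
    """The guide's formula: (sources) * (destinations) * (permissions) = ACEs."""
    return len(sources) * len(destinations) * len(permissions)


def expand_aces(sources, destinations, permissions):
    """Materialize one ACE per (source, destination, permission) triple.
    CIDR notation is used for readability; IOS ACLs take wildcard masks."""
    return [f"permit {proto} {src} host {dst} eq {port}"
            for src, dst, (proto, port) in product(sources, destinations, permissions)]


def ingress_dacl(host_ip, destinations, permissions):
    """A dACL pushed to a switch port names 'any' as its source; source
    substitution rewrites it to the single host behind the port."""
    downloaded = expand_aces(["any"], destinations, permissions)
    return [ace.replace(" any ", f" host {host_ip} ", 1) for ace in downloaded]


def within_dacl_guideline(aces, limit=DACL_ACE_GUIDELINE):
    """True when the ACL stays under the recommended per-dACL ACE count."""
    return len(aces) < limit


if __name__ == "__main__":
    firewall = expand_aces(PCI_VLAN_SOURCES, PCI_SERVERS, PERMISSIONS)
    print(f"{len(firewall)} ACEs on the data center firewall for 4 sites")  # 32
    # The same centralized policy with 100 remote sites, one PCI VLAN each.
    sites = [f"10.{n}.10.0/24" for n in range(1, 101)]
    print(f"{ace_count(sites, PCI_SERVERS, PERMISSIONS)} ACEs for 100 sites")  # 800
    port_acl = ingress_dacl("10.1.10.25", ALL_SERVERS, PERMISSIONS)
    print(f"{len(port_acl)} ACEs in the ingress dACL, e.g. {port_acl[0]}")  # 24
    print("within 64-ACE guideline:", within_dacl_guideline(port_acl))
```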

Figure 4. Ingress ACLs

What Is Cisco TrustSec Technology?

The Cisco TrustSec solution simplifies the provisioning and management of highly secure access to network services and applications. Unlike access control mechanisms that are based on network topology, Cisco TrustSec policies use logical groupings. Highly secure access is consistently maintained even as resources are moved in mobile and virtualized networks. Decoupling access entitlements from IP addresses and VLANs simplifies security policy maintenance tasks, lowers operational costs, and allows common access policies to be consistently applied to wired, wireless, and VPN access. Cisco TrustSec classification and policy enforcement functions are embedded in Cisco switching, routing, wireless LAN, and firewall products. By classifying traffic according to the contextual identity of the endpoint instead of its IP address, the Cisco TrustSec solution enables more flexible access controls for dynamic networking environments and data centers.

The ultimate goal of Cisco TrustSec technology is to assign a tag (known as a Security Group Tag, or SGT) to the user’s or device’s traffic at