In this video, we’re going to dig into Trustsec a little bit further by discussing some of the different IP-to-SGT bindings are done, how to configure various static bindings, how the network access device prioritizes different SGT binding types and why SXP is so important.
Notes from this video:
Different SGT Classification Options:
Dynamic – Usually assigned at the time of the connection by ISE as part of the authorization policy
Best type of SGT assignment
Important: Make sure that IP device tracking is turned on the switch
ISE uses cisco-av-pair=cts:security-group-tag to deliver the tag with RADIUS
To view the bindings, you can use the show cts role-based sgt-map all command for more details
Static – Usually done for servers, topology-based policy, or brownfield sites that you haven’t converted over to use ISE for AAA yet. Best to use with hosts that aren’t changing IP addresses regularly.
Static tags can be assigned by:
Layer 2 interface
Layer 3 interface
Any of the above in their own separate VRFs
Statically defined in ISE and pushed out via SXP
How are bindings done?
VLAN – Snooped ARP packets on a VLAN that has the static sgt mapping configured
Command: cts role-based sgt-map vlan vlan-number sgt sgt-number
IP address – Static configuration from the command line
Command: cts role-based sgt-map ip-address sgt sgt-number
Subnet – Can define a whole subnet for static assignment
Command: cts role-base sgt-map subnet/mask sgt sgt-number
Layer 3 interface – Bindings added due to FIB entries that have a path through that interface
cts role-based sgt-map sgt sgt-number
Layer 2 interface – This can be statically configured with the following command
policy static sgt sgt-number
SXP – Bindings are learned through SXP peers
IP_ARP – Bindings learned through tagging ARP packets received on a CTS capable link
LOCAL – This is for dynamic SGT assignment. Bindings of authenticated hosts are learned via IP device tracking. This type of binding includes hosts that are learned via ARP snooping on Layer 3 ports
What happens if a device is configured with conflicting static & dynamic mappings for an endpoint? What tag does it get then?
There is a SGT Classification Binding Source Priority - Order of operations:
Internal – Between locally configured IP address and the network device’s own SGT
Local – Authenticated hosts learned via EPM and device tracking. Also includes hosts learned via ARP snooping on layer 2
IP_ARP – Bindings learned when tagging ARP packets are received
SXP – Bindings from an SXP peer
Layer 3 interface – Bindings added from the FIB
Static IP address or subnet bindings configured in the CLI
VLAN bindings learned from snooped ARP packets when a VLAN sgt mapping has been configured
Tagging done in hardware
Requires Trustsec-capable device
Tag continues to be passed along to the next device in the network path
When the packet gets to the enforcement point, that enforcement point compares the tag to the SG policy and makes decision on what to do with it
One thing to note: Trustsec goes against how we used to do ACL where we blocked closest to the source instead of the destination.
Since it’s using unused layer 2 space, it really doesn’t affect the frame size greatly – at most ~40 bytes. Since it’s only layer 2, it doesn’t require changing the IP MTU for layer 3 devices.
If a switch or device in the path doesn’t understand SGTs, they’ll drop the frame unless you strip the SGT first
So how do we enable our SGTs to work over pockets of non-Trustsec-capable devices or a layer 3 boundary? SXP!
Control plane protocol – passes IP to SGT map of authenticated hosts to different points in the network
TCP 64999 by default
Two roles with SXP:
Speaker (the initiator)
Listener (the receiver)
Some switches can do both roles
ISE can also communicate as a speaker and listener