Trustsec: Digging into SGT bindings, priority, and SXP

In this video, we’re going to dig into Trustsec a little bit further by discussing some of the different IP-to-SGT bindings are done, how to configure various static bindings, how the network access device prioritizes different SGT binding types and why SXP is so important.

Notes from this video:

  • Different SGT Classification Options:

    • Dynamic – Usually assigned at the time of the connection by ISE as part of the authorization policy

      • Best type of SGT assignment

      • Important: Make sure that IP device tracking is turned on the switch

      • ISE uses cisco-av-pair=cts:security-group-tag to deliver the tag with RADIUS

      • To view the bindings, you can use the show cts role-based sgt-map all command for more details

    • Static – Usually done for servers, topology-based policy, or brownfield sites that you haven’t converted over to use ISE for AAA yet. Best to use with hosts that aren’t changing IP addresses regularly.

      • Static tags can be assigned by:

        • IP address

        • Subnet

        • VLAN

        • Layer 2 interface

        • Layer 3 interface

        • Any of the above in their own separate VRFs

        • Statically defined in ISE and pushed out via SXP

  • How are bindings done?

    • VLAN – Snooped ARP packets on a VLAN that has the static sgt mapping configured

      • Command: cts role-based sgt-map vlan vlan-number sgt sgt-number

    • IP address – Static configuration from the command line

      • Command: cts role-based sgt-map ip-address sgt sgt-number

    • Subnet – Can define a whole subnet for static assignment

      • Command: cts role-base sgt-map subnet/mask sgt sgt-number

    • Layer 3 interface – Bindings added due to FIB entries that have a path through that interface

      • Command:
        interface g1/0/1
        cts role-based sgt-map sgt
        sgt-number

    • Layer 2 interface – This can be statically configured with the following command

      • Command:
        interface g1/0/1
        sgt manual
        policy static sgt
        sgt-number

    • SXP – Bindings are learned through SXP peers

    • IP_ARP – Bindings learned through tagging ARP packets received on a CTS capable link

    • LOCAL – This is for dynamic SGT assignment. Bindings of authenticated hosts are learned via IP device tracking. This type of binding includes hosts that are learned via ARP snooping on Layer 3 ports

  • What happens if a device is configured with conflicting static & dynamic mappings for an endpoint? What tag does it get then?

    • There is a SGT Classification Binding Source Priority - Order of operations:

      • Internal – Between locally configured IP address and the network device’s own SGT

      • Local – Authenticated hosts learned via EPM and device tracking. Also includes hosts learned via ARP snooping on layer 2

      • IP_ARP – Bindings learned when tagging ARP packets are received

      • SXP – Bindings from an SXP peer

      • Layer 3 interface – Bindings added from the FIB

      • Static IP address or subnet bindings configured in the CLI

      • VLAN bindings learned from snooped ARP packets when a VLAN sgt mapping has been configured

  • SGT Propagation:

    • Inline propagation:

      • Tagging done in hardware

      • Requires Trustsec-capable device

      • Tag continues to be passed along to the next device in the network path

      • When the packet gets to the enforcement point, that enforcement point compares the tag to the SG policy and makes decision on what to do with it

      • One thing to note: Trustsec goes against how we used to do ACL where we blocked closest to the source instead of the destination.

      • Since it’s using unused layer 2 space, it really doesn’t affect the frame size greatly – at most ~40 bytes. Since it’s only layer 2, it doesn’t require changing the IP MTU for layer 3 devices.

      • If a switch or device in the path doesn’t understand SGTs, they’ll drop the frame unless you strip the SGT first

      • So how do we enable our SGTs to work over pockets of non-Trustsec-capable devices or a layer 3 boundary? SXP!

    • SXP

      • Control plane protocol – passes IP to SGT map of authenticated hosts to different points in the network

      • TCP 64999 by default

      • Two roles with SXP:

        • Speaker (the initiator)

        • Listener (the receiver)

      • Some switches can do both roles

      • ISE can also communicate as a speaker and listener