nil.com © 201 1 · © 2019 nil, security tag: protected 18 sd-access fabric: overlay benefit...

© 2019 NIL, Security Tag: PROTECTED 1 nil.com © 2019 NIL, Security Tag: PROTECTED


Page 1

Page 2

Marija Škoda and Maja Podbevšek

Simplifying network segmentation with Cisco SD-Access

Page 3

Traditional Segmentation

[Figure: Traditional Security Policy across the Access Layer, Aggregation Layer and Enterprise Backbone, one VLAN per role: BYOD VLAN (BYOD), Guest VLAN (Supplier), Voice VLAN (Voice), Data VLAN (Employee), Quarantine VLAN (Non-Compliant); each VLAN brings its own VLAN, Address, DHCP Scope, Redundancy, Routing, Static ACL and VACL]

Security Policy based on Topology:

• Manual, time-consuming security and maintenance

• Policy inconsistencies across devices and networks

• Complicated access management

Static ACL shown on the slide:

access-list 102 permit ip 8.88.141.113 0.0.0.127 lt 2437 105.145.196.67 0.0.1.255 lt 4167
access-list 102 permit udp 60.242.95.62 0.0.31.255 eq 3181 33.191.71.166 255.255.255.255 lt 2422
access-list 102 permit icmp 186.246.40.245 0.255.255.255 eq 3508 191.139.67.54 0.0.1.255 eq 1479
access-list 102 permit ip 209.111.254.187 0.0.1.255 gt 4640 93.99.173.34 255.255.255.255 gt 28
access-list 102 permit ip 184.232.88.41 0.0.31.255 lt 2247 186.33.104.31 255.255.255.255 lt 4481
access-list 102 deny ip 106.79.247.50 0.0.31.255 gt 1441 96.62.207.209 0.0.0.255 gt 631
access-list 102 permit ip 39.136.60.170 0.0.1.255 eq 4647 96.129.185.116 255.255.255.255 lt 3663
access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388
access-list 102 permit ip 167.100.52.185 0.0.1.255 lt 4379 254.202.200.26 255.255.255.255 gt 4652
access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851
access-list 102 deny icmp 206.107.73.252 0.255.255.255 lt 2465 171.213.183.230 0.0.31.255 gt 1392
access-list 102 permit ip 96.174.38.79 0.255.255.255 eq 1917 1.156.181.180 0.0.31.255 eq 1861
access-list 102 deny icmp 236.123.67.53 0.0.31.255 gt 1181 31.115.75.19 0.0.1.255 gt 2794
access-list 102 deny udp 14.45.208.20 0.0.0.255 lt 419 161.24.159.166 0.0.0.255 lt 2748
access-list 102 permit udp 252.40.175.155 0.0.31.255 lt 4548 87.112.10.20 0.0.1.255 gt 356
access-list 102 deny tcp 124.102.192.59 0.0.0.255 eq 2169 153.233.253.100 0.255.255.255 gt 327
access-list 102 permit icmp 68.14.62.179 255.255.255.255 lt 2985 235.228.242.243 255.255.255.255 lt 2286
access-list 102 deny tcp 91.198.213.34 0.0.0.255 eq 1274 206.136.32.135 0.255.255.255 eq 4191
access-list 102 deny udp 76.150.135.234 255.255.255.255 lt 3573 15.233.106.211 255.255.255.255 eq 3721
access-list 102 permit tcp 126.97.113.32 0.0.1.255 eq 4644 2.216.105.40 0.0.31.255 eq 3716
access-list 102 permit icmp 147.31.93.130 0.0.0.255 gt 968 154.44.194.206 255.255.255.255 eq 4533

Page 4

Traditional Segmentation Example

[Figure: traditional campus hierarchy with a Services Block (DDI), a WAN Block (Branch IWAN and DC IWAN over MPLS), a DC Block and an Internet Block (I-NET) attached to a Super Core, Core switches and three Aggregation Layers; Layer-2 and Layer-3 links are marked]

Page 5

Traditional Segmentation Example

300 segments: 3 VRFs, 10 VLANs, 10 distribution points

Page 6

Segmentation 2.0

[Figure: Written Security Policy, ISE + SW Visibility Context, Cisco Digital Network Architecture (DNA), Segmentation Enforcement]

Unleashes the true power within a Cisco secure network; dramatically reduces the attack surface and is manageable.

Page 7

Ease the process with SD-Access

Page 8

SD-Access: Quick Intro

Page 9

Cisco Software Defined Access: The Foundation for Cisco’s Intent-Based Network

[Figure: Cisco DNA Center (Assurance, Automation, Policy) managing a fabric with Border (B) and Control-plane (C) nodes, an IoT Network and an Employee Network, an SD-Access Extension and a connection to the Outside; User Mobility: Policy follows User]

• Automated Network Fabric: Single fabric for Wired and Wireless with full automation

• Insights and Telemetry: Analytics and insights into User and Application experience

• Identity-Based Policy and Segmentation: Policy definition decoupled from VLAN and IP address

Page 10

SD-Access Terminology

Page 11

Cisco SD-Access: Fabric Roles & Terminology

[Figure: an Overlay Network with its own Overlay Control Plane runs over an Underlay Network with its Underlay Control Plane; Hosts (End-Points) attach to Edge Devices, which apply the Encapsulation between overlay and underlay]

Page 12

Cisco SD-Access: Fabric Roles & Terminology

[Figure: Cisco DNA Center with Cisco DNA Automation (NCP) and Cisco DNA Assurance (NDP), Identity Services (ISE), and a Campus Fabric made of Control-Plane Nodes (C), Fabric Border Nodes (B), Fabric Edge Nodes, Intermediate Nodes (Underlay) and a Fabric Wireless Controller]

▪ Cisco DNA Automation – provides simple GUI management and intent based automation (e.g. NCP) and context sharing

▪ Cisco DNA Assurance – Data Collectors (e.g. NDP) analyze Endpoint to App flows and monitor fabric status

▪ Identity Services – NAC & ID Systems (e.g. ISE) for dynamic Endpoint to Group mapping and Policy definition

▪ Control-Plane Nodes – Map System that manages Endpoint to Device relationships

▪ Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric

▪ Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric

▪ Fabric Wireless Controller – A Fabric device (WLC) that connects APs and Wireless Endpoints to the SDA Fabric

Page 13

Cisco SD-Access: Outside of the Fabric

[Figure: the Border nodes (B) connect the fabric through a Fusion Router or Firewall to the Shared Services: APIC-EM, Identity Service, DHCP/DNS]

Page 14

SD-Access Operation

Page 15

SD-Access Fabric: Campus Fabric - Key Components

1. Control-Plane based on LISP

2. Data-Plane based on VXLAN

3. Policy-Plane based on CTS

[Figure: fabric with Border (B) and Control-plane (C) nodes]

Page 16

SD-Access Fabric: Control-Plane Nodes – A Closer Look

Control-Plane Node runs a Host Tracking Database to map location information

• A simple Host Database that maps Endpoint IDs to a current Location, along with other attributes (EID and RLOC info)

• Receives Endpoint ID map registrations from Edge and/or Border Nodes for “known” IP prefixes

• Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs

[Figure: Border (B) and Control-plane (C) nodes between Unknown Networks (outside) and Known Networks (inside the fabric); endpoints 172.16.101.11/16 and 172.16.101.12/16 sit behind edge nodes 192.168.1.11/32 and 192.168.1.13/32, and the Host Tracking Database holds 172.16.101.11/16 → 192.168.1.11 and 172.16.101.12/16 → 192.168.1.13]

Page 17

SD-Access Fabric: Edge Nodes – A Closer Look

Edge Node provides first-hop services for Users / Devices connected to a Fabric

• Responsible for Identifying and Authenticating Endpoints (e.g. Static, 802.1X, Active Directory)

• Register specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)

• Provide an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge nodes)

• Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints

[Figure: Border (B) and Control-plane (C) nodes between Unknown Networks and Known Networks; the edge nodes exchange VXLAN-encapsulated traffic]

Page 18

SD-Access Fabric: Overlay Benefit

Stretched Subnets allow an IP subnet to be “stretched” via the Overlay

• Fabric Dynamic EID mapping allows Host-specific (/32, /128, MAC) advertisement and mobility

• Host 1 connected to Edge A can now use the same IP subnet to communicate with Host 2 on Edge B

• No longer need a VLAN to connect Host 1 and 2 ☺

• When a Host moves from Edge 1 to Edge 2, it does not need to change its Default Gateway ☺

[Figure: Dynamic EIDs registered from the edge nodes; Border (B) and Control-plane (C) nodes between Unknown Networks and Known Networks; the same anycast gateway (GW) is present on every edge node; comparison of Segments, VRFs, VLANs and Distribution points]

Page 19

SD-Access Fabric: Control-Plane and Edge Nodes Operation Example

[Figure: Fabric Control Plane at 5.1.1.1; Fabric Edges with RLOCs 2.1.1.1, 2.1.2.1, 3.1.1.1 and 3.1.2.1; subnet 10.2.0.0 255.255.0.0 is stretched across them with hosts 10.2.2.2/16, 10.2.2.3/16, 10.2.2.4/16 and 10.2.2.5/16; the Branch Fabric Edge asks “Where is 10.2.2.2?” and installs the Cache Entry 10.2.2.2/32 → (2.1.2.1)]

Database Mapping Entries on the Fabric Control Plane:

10.2.2.2/32 → (2.1.2.1)

10.2.2.4/32 → (3.1.2.1)
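The Control-Plane Nodes slide and this operation example describe three things: edges register host-specific EIDs, the control-plane node answers lookups from its Host Tracking Database, and the requesting edge keeps the answer in a cache entry. The Python below is an added example written for this transcript, not code from the NIL presentation or from Cisco. The class and method names (ControlPlaneNode, EdgeNode, map_register, map_request, next_hop_rloc) are its own, the cache flush on a host move is a simplified stand-in for the LISP solicit-map-request and map-notify mechanics, and the border RLOC 4.1.1.1 is invented; the other addresses follow the slide.

```python
import ipaddress
from typing import Dict, Optional, Set

Prefix = ipaddress.IPv4Network


class ControlPlaneNode:
    """Host Tracking Database of the control-plane node (the 'C' node on the slide).

    Maps registered Endpoint IDs (host /32 prefixes) to the RLOC, i.e. the underlay
    address, of the edge node that currently owns them.
    """

    def __init__(self, rloc: str) -> None:
        self.rloc = rloc
        self.database: Dict[Prefix, str] = {}                # database mapping entries: EID -> RLOC
        self.cached_by: Dict[Prefix, Set["EdgeNode"]] = {}   # edges holding a cache entry per EID

    def map_register(self, edge: "EdgeNode", eid: str) -> Optional[str]:
        """An edge registers a host it authenticated. Returns the old RLOC when the host moved."""
        prefix = ipaddress.ip_network(eid, strict=True)
        previous = self.database.get(prefix)
        self.database[prefix] = edge.rloc
        if previous is not None and previous != edge.rloc:
            # Mobility: every edge still holding the stale entry must refresh it
            # (simplified stand-in for LISP solicit-map-request / map-notify handling).
            for stale_edge in self.cached_by.pop(prefix, set()):
                stale_edge.cache.pop(prefix, None)
            return previous
        return None

    def map_request(self, edge: "EdgeNode", dst_ip: str) -> Optional[str]:
        """Resolve a destination EID by longest-prefix match; None means 'unknown network'."""
        addr = ipaddress.ip_address(dst_ip)
        candidates = [p for p in self.database if addr in p]
        if not candidates:
            return None
        best = max(candidates, key=lambda p: p.prefixlen)
        self.cached_by.setdefault(best, set()).add(edge)
        return self.database[best]


class EdgeNode:
    """Fabric edge: registers its directly connected hosts and keeps a map-cache."""

    def __init__(self, rloc: str, control_plane: ControlPlaneNode, border_rloc: str) -> None:
        self.rloc = rloc
        self.control_plane = control_plane
        self.border_rloc = border_rloc        # where traffic for unknown networks is sent
        self.cache: Dict[Prefix, str] = {}    # cache entries: EID -> RLOC

    def host_connects(self, host_ip: str) -> Optional[str]:
        """Host authenticated on this edge: register its /32 (returns old RLOC if it moved)."""
        return self.control_plane.map_register(self, f"{host_ip}/32")

    def next_hop_rloc(self, dst_ip: str) -> str:
        """RLOC to VXLAN-encapsulate towards: cache hit, else ask the control plane."""
        addr = ipaddress.ip_address(dst_ip)
        for prefix, rloc in self.cache.items():
            if addr in prefix:
                return rloc
        rloc = self.control_plane.map_request(self, dst_ip)
        if rloc is None:
            return self.border_rloc           # unknown network: hand off to the border node
        self.cache[ipaddress.ip_network(f"{dst_ip}/32")] = rloc
        return rloc


def run_example() -> Dict[str, str]:
    """Replays the slide: 10.2.0.0/16 stretched across edges 2.1.1.1, 2.1.2.1, 3.1.1.1, 3.1.2.1."""
    cp = ControlPlaneNode("5.1.1.1")
    border = "4.1.1.1"  # constructed border-node RLOC, not on the slide
    branch, edge_b, edge_c, edge_d = (
        EdgeNode(r, cp, border) for r in ("2.1.1.1", "2.1.2.1", "3.1.1.1", "3.1.2.1")
    )
    edge_b.host_connects("10.2.2.2")
    edge_d.host_connects("10.2.2.4")
    results = {}
    results["first_lookup"] = branch.next_hop_rloc("10.2.2.2")    # map-request answered: 2.1.2.1
    results["cached_lookup"] = branch.next_hop_rloc("10.2.2.2")   # served from the cache entry
    results["moved_from"] = edge_c.host_connects("10.2.2.2") or ""  # host roams to 3.1.1.1
    results["after_move"] = branch.next_hop_rloc("10.2.2.2")      # stale cache entry was flushed
    results["unknown"] = branch.next_hop_rloc("8.8.8.8")          # not in the fabric: border
    return results


if __name__ == "__main__":
    for step, rloc in run_example().items():
        print(f"{step:14s} -> {rloc}")
```

The point the model makes visible is the mobility case from the Overlay Benefit slide: after the host re-registers from another edge, the branch edge's cached entry is invalid and the next packet triggers a fresh lookup, while the host keeps its address and anycast gateway.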

Page 20

Segmentation in SD-Access

Page 21

SD-Access Macrosegmentation: Virtual Network – A Closer Look

Virtual Network maintains a separate Routing & Switching table for each instance

• VN Instance ID to maintain separate VRF topologies

• Nodes add a VNID to the Fabric encapsulation

• Endpoint ID prefixes (Host Pools) are routed and advertised within a Virtual Network

[Figure: VN Campus, VN IOT and VN Guest on the same fabric of Border (B) and Control-plane (C) nodes between Unknown Networks and Known Networks; comparison of Segments, VRFs, VLANs and Distribution points]

Page 22

SD-Access Macrosegmentation

Virtual Network (VN)

First level Segmentation ensures zero communication between forwarding domains. Ability to consolidate multiple networks into one management plane.

By default access is blocked between the virtual networks in the fabric.

[Figure: SD-Access Fabric carrying a Building Management VN and a Campus Users VN; VN “A”, VN “B” and VN “C” span Unknown Networks and Known Networks]

Page 23

SD-Access Microsegmentation: Scalable Groups – A Closer Look

Scalable Group is a logical policy object to “group” Users and/or Devices

• Nodes use “Scalable Groups” to ID and assign a unique Scalable Group Tag (SGT) to Endpoints

• Nodes add a SGT to the Fabric encapsulation

• SGTs are used to manage address-independent “Group-Based Policies”

• Edge or Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)

[Figure: endpoints tagged SGT 3, 4, 8, 11, 12, 17, 19, 23 and 25 behind the fabric’s Border (B) and Control-plane (C) nodes, between Unknown Networks and Known Networks; comparison of Segments, VRFs, VLANs and Distribution points]

Page 24

SD-Access Microsegmentation

Scalable Group (SG)

Second level Segmentation ensures role-based access control between two groups within a Virtual Network. Provides the ability to segment the network into either lines of business or functional blocks.

[Figure: SD-Access Fabric with a Building Management VN and a Campus Users VN, each split into Scalable Groups SG1 to SG9, spanning Unknown Networks and Known Networks]

Page 25

SD-Access Segmentation

[Figure: FABRIC with VN: USERS (Employees, Contractors) and VN: THINGS (Cameras, Printers); Contracts (SGACLs) between the groups]

Macro segmentation with ‘Virtual Networks’

Micro segmentation with ‘Scalable Groups’

Contracts control access between SGTs

Page 26

SD-Access Segmentation Parameters: VN and SGT Propagation

[Figure: Edge Node 1 performs Encapsulation into VXLAN carrying VN ID and SGT ID across the IP Network; Edge Node 2 performs Decapsulation]

Classification: Static or Dynamic VN and SGT assignments

Propagation: Carry VN and Group context across the network

Enforcement: Group Based Policies, ACLs, Firewall Rules
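Propagation is the step the slide shows only as two labels in the VXLAN box: both the VN ID and the SGT travel inside the VXLAN header itself, so the egress edge recovers them without any lookup. The Python below is an added example, not code from the presentation or from Cisco. It packs and parses the 8-byte VXLAN header with the Group Based Policy extension, following the layout of the VXLAN-GPO draft (draft-smith-vxlan-group-policy): G and I flags in the first byte, policy flags in the second, a 16-bit Group Policy ID that carries the SGT, a 24-bit VNI and one reserved byte. The VN ID 4099, the SGT 5 and the inner frame bytes are constructed values.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

# Flag bits of the VXLAN-GPO header (draft-smith-vxlan-group-policy layout).
FLAG_G = 0x80  # byte 0: Group Based Policy extension present
FLAG_I = 0x08  # byte 0: VNI field is valid
FLAG_D = 0x40  # byte 1: "Don't Learn" the inner source address
FLAG_A = 0x08  # byte 1: policy already Applied by an upstream device
VXLAN_UDP_PORT = 4789  # outer UDP destination port, for reference only


@dataclass(frozen=True)
class VxlanGpoHeader:
    vnid: int                   # Virtual Network identifier, 24 bits
    sgt: int                    # Scalable Group Tag carried as Group Policy ID, 16 bits
    policy_applied: bool = False

    def pack(self) -> bytes:
        if not 0 <= self.vnid < (1 << 24):
            raise ValueError("VNID must fit in 24 bits")
        if not 0 <= self.sgt < (1 << 16):
            raise ValueError("SGT must fit in 16 bits")
        flags0 = FLAG_G | FLAG_I
        flags1 = FLAG_A if self.policy_applied else 0
        # flags(1) policy-flags(1) group-policy-id(2) vni(3) reserved(1) = 8 bytes
        return struct.pack("!BBH", flags0, flags1, self.sgt) + self.vnid.to_bytes(3, "big") + b"\x00"

    @classmethod
    def unpack(cls, data: bytes) -> "VxlanGpoHeader":
        if len(data) < 8:
            raise ValueError("truncated VXLAN header")
        flags0, flags1, group_policy_id = struct.unpack("!BBH", data[:4])
        if not flags0 & FLAG_I:
            raise ValueError("I flag clear: no valid VNI")
        vnid = int.from_bytes(data[4:7], "big")
        # Without the G flag the Group Policy ID field carries nothing meaningful:
        # treat the source as untagged (SGT 0, "Unknown") instead of trusting a stray value.
        sgt = group_policy_id if flags0 & FLAG_G else 0
        return cls(vnid=vnid, sgt=sgt, policy_applied=bool(flags1 & FLAG_A))


def encapsulate(inner_frame: bytes, vnid: int, sgt: int) -> bytes:
    """Edge Node 1: prepend the VXLAN-GPO header (outer IP/UDP headers omitted here)."""
    return VxlanGpoHeader(vnid=vnid, sgt=sgt).pack() + inner_frame


def decapsulate(packet: bytes) -> Tuple[VxlanGpoHeader, bytes]:
    """Edge Node 2: recover VN ID, SGT and the inner frame for policy enforcement."""
    return VxlanGpoHeader.unpack(packet[:8]), packet[8:]


def run_example() -> Dict[str, object]:
    inner = b"\xde\xad\xbe\xef"                     # constructed stand-in for the inner frame
    packet = encapsulate(inner, vnid=4099, sgt=5)   # constructed VN ID, Employee SGT 5
    header, payload = decapsulate(packet)
    # A header with I set but G clear: the Group Policy ID bytes must be ignored.
    no_gpo = bytes([FLAG_I, 0x00, 0x00, 0x05]) + (4099).to_bytes(3, "big") + b"\x00"
    untagged = VxlanGpoHeader.unpack(no_gpo)
    return {
        "header_hex": packet[:8].hex(),
        "vnid": header.vnid,
        "sgt": header.sgt,
        "payload_intact": payload == inner,
        "sgt_without_g_flag": untagged.sgt,
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Two details matter for a verifier on the egress side: the VNI is only meaningful when the I flag is set, and the SGT field is only meaningful when the G flag is set, which is why the parser refuses the first and zeroes the second rather than reading whatever bytes are present.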

Page 27

How Does This Work

Page 28

SD-Access Microsegmentation: ISE Integration

[Figure: Cisco DNA Center (Fabric Management, Policy Authoring Workflows) and Cisco Identity Services Engine (Authentication, Authorization Policies) exchange Groups and Policies over pxGrid and REST APIs and drive the Campus Fabric]

Page 29

SD-Access Microsegmentation: ISE Integration

[Figure: ISE personas ISE-PAN, ISE-MNT, ISE-PSN and ISE-PXG; DNA-Center talks to ISE over REST (Config Sync) and pxGrid (Context); Admin/Operate; Users, Devices and Things authenticate through the Network Devices]

Authorization Policy (if / then):

Employee → SGT 10

Contractor → SGT 20

Things → SGT 30

pxGrid Exchange Topics:

TrustSecMetaData: SGT Name: Employee = SGT 10, SGT Name: Contractor = SGT 20, ...

SessionDirectory*: e.g. Bob with Win10 on CorpSSID

* Future Plan

Page 30

SD-Access Segmentation: Workflow is Simple

Page 31

SD-Access Segmentation: SGACL Example on ISE

Page 32

SD-Access Microsegmentation

SGT & SGT Names: Centrally defined Endpoint ID Groups (Scalable Group Tags), e.g. 3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers

Dynamic SGT Assignment: ISE dynamically authenticates endpoint users and devices, and assigns SGTs (MAB, 802.1x, Easy Connect)

Static SGT Assignment

SGACL Name Table: Policy matrix to be pushed down to the network devices (Scalable Group ACL), Sources × Destinations:

✕ ✓ ✕ ✓ ✓ ✓

✓ ✓ ✕ ✓ ✕ ✕

✕ ✓ ✓ ✕ ✕ ✕

AAA: Cisco ISE authenticates Network Devices for a trusted domain

Page 33

SD-Access Policy Enforcement Points

▪ Edge Nodes – Enforce policy for traffic within the fabric, user to user flows

▪ Border Nodes – Enforce policy for traffic leaving the fabric, such as user to DC Access Control

[Figure: DNA Center (NCP) and ISE above a Campus Fabric of Control-plane (C) nodes, Fabric Border Nodes (B) and Fabric Edge Nodes]

Page 34

SGT Inside the Fabric: Egress Switch Enforcement Flow

[Figure: Employee SGT (5) at 10.1.100.1 sends traffic across the fabric to Employee SGT (5) at 10.2.200.6 and to Contractor SGT (10) at 10.2.200.6]

Egress switches enforce policy:

• Stores IP-SGT for adjacent hosts

• Downloads policies for local groups (e.g. Employee & Contractor)

• Programs policies to ‘protect’ the SGTs of adjacent endpoints
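The three bullets above, together with the SGACL Name Table slide and the Policy Enforcement Points slide, describe one decision path: the egress edge knows the SGT of its own hosts, holds only the matrix cells whose destination group is local, and applies the cell to the source SGT carried in the packet. The Python below is an added example, not code from the presentation, from Cisco or from ISE, that models that path; it also runs the macro-segmentation check first, since a packet in the wrong VN never reaches the group policy. Employee SGT 5 and Contractor SGT 10 follow the slide; the second host address 10.2.200.7, the PCI_Servers SGT 8 (name from the Name Table slide), the VN IDs, the SGACL contents and the matrix default are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed group numbering: Employee 5 and Contractor 10 follow the slide,
# PCI_Servers 8 reuses a name from the SGACL Name Table slide. VN IDs are invented.
SGT_EMPLOYEE, SGT_CONTRACTOR, SGT_PCI_SERVERS = 5, 10, 8
VN_CAMPUS_USERS, VN_BUILDING_MGMT = 4099, 4100

Rule = Tuple[str, object, bool]  # (protocol or '*', destination port or '*', permit?)

# What ISE holds centrally: matrix cell (source SGT, destination SGT) -> SGACL name,
# plus the SGACL contents. Both are constructed for this example.
POLICY_MATRIX: Dict[Tuple[int, int], str] = {
    (SGT_EMPLOYEE, SGT_EMPLOYEE): "Permit_IP",
    (SGT_EMPLOYEE, SGT_CONTRACTOR): "Deny_IP",
    (SGT_CONTRACTOR, SGT_EMPLOYEE): "Deny_IP",
    (SGT_EMPLOYEE, SGT_PCI_SERVERS): "Permit_Web_Only",
    (SGT_CONTRACTOR, SGT_PCI_SERVERS): "Deny_IP",
}
SGACLS: Dict[str, List[Rule]] = {
    "Permit_IP": [("*", "*", True)],
    "Deny_IP": [("*", "*", False)],
    "Permit_Web_Only": [("tcp", 443, True), ("tcp", 80, True), ("*", "*", False)],
}
MATRIX_DEFAULT_PERMIT = True  # constructed default for cells without an SGACL


class EgressSwitch:
    """Fabric edge acting as the egress enforcement point for its adjacent endpoints."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.ip_sgt: Dict[ipaddress.IPv4Address, Tuple[int, int]] = {}   # host -> (SGT, VN ID)
        self.sgacls: Dict[Tuple[int, int], List[Rule]] = {}              # installed matrix cells

    def host_authenticated(self, ip: str, sgt: int, vnid: int) -> None:
        """ISE authorizes an adjacent host: store its IP-SGT binding, pull the cells protecting its group."""
        self.ip_sgt[ipaddress.ip_address(ip)] = (sgt, vnid)
        self.download_policies_for(sgt)

    def download_policies_for(self, dst_sgt: int) -> None:
        """Only cells whose destination group is present locally are programmed."""
        for (src, dst), name in POLICY_MATRIX.items():
            if dst == dst_sgt:
                self.sgacls[(src, dst)] = SGACLS[name]

    def enforce(self, vnid: int, src_sgt: int, dst_ip: str, proto: str, dst_port: int) -> Tuple[str, str]:
        """Decide for a decapsulated packet (VN ID and source SGT come from the VXLAN header)."""
        binding = self.ip_sgt.get(ipaddress.ip_address(dst_ip))
        if binding is None:
            return "drop", "no IP-SGT binding: destination is not adjacent to this switch"
        dst_sgt, dst_vnid = binding
        if vnid != dst_vnid:
            return "drop", "macro-segmentation: packet VN does not match the destination VN"
        rules = self.sgacls.get((src_sgt, dst_sgt))
        if rules is None:
            return ("permit" if MATRIX_DEFAULT_PERMIT else "drop"), "matrix default: no SGACL cell"
        for r_proto, r_port, r_permit in rules:
            if r_proto in ("*", proto) and r_port in ("*", dst_port):
                return ("permit" if r_permit else "drop"), f"SGACL cell {src_sgt}->{dst_sgt}"
        return "drop", "implicit deny at the end of the SGACL"


def run_example() -> Dict[str, object]:
    sw = EgressSwitch("edge-2")
    sw.host_authenticated("10.2.200.6", SGT_EMPLOYEE, VN_CAMPUS_USERS)      # from the slide
    sw.host_authenticated("10.2.200.7", SGT_CONTRACTOR, VN_CAMPUS_USERS)    # constructed address
    sw.host_authenticated("10.2.200.8", SGT_PCI_SERVERS, VN_CAMPUS_USERS)   # constructed address
    return {
        "emp_to_emp": sw.enforce(VN_CAMPUS_USERS, SGT_EMPLOYEE, "10.2.200.6", "tcp", 445)[0],
        "emp_to_contractor": sw.enforce(VN_CAMPUS_USERS, SGT_EMPLOYEE, "10.2.200.7", "tcp", 445)[0],
        "contractor_to_emp": sw.enforce(VN_CAMPUS_USERS, SGT_CONTRACTOR, "10.2.200.6", "tcp", 443)[0],
        "emp_to_pci_https": sw.enforce(VN_CAMPUS_USERS, SGT_EMPLOYEE, "10.2.200.8", "tcp", 443)[0],
        "emp_to_pci_ssh": sw.enforce(VN_CAMPUS_USERS, SGT_EMPLOYEE, "10.2.200.8", "tcp", 22)[0],
        "wrong_vn": sw.enforce(VN_BUILDING_MGMT, SGT_EMPLOYEE, "10.2.200.6", "tcp", 443)[0],
        "installed_cells": sorted(sw.sgacls),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Note what the installed cell list shows: the switch never programs the Contractor-to-Contractor or PCI-to-anything cells, because no packet with those destination groups can terminate on it; that is the "policies to protect the SGTs of adjacent endpoints" bullet in code.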

Page 35

SGT Outside the Fabric

[Figure: Edge Node 1 and the Control-Plane Node (C) inside the fabric; the Border Node (B) peers over BGP with a Fusion Router, which peers over BGP with the Data Center; Host Pool 10 inside the fabric, Shared Services outside]

• SGACLs are enforced at the Border or at the Fusion router

• Destination IP subnets need to be mapped to SGTs

  • Manually

  • Via SXP/pxGrid

Page 36

SGT Outside the Fabric: Fusion Router

[Figure: POLICY-PLANE: the SGT is carried in VXLAN inside the fabric (Border nodes B, Control-plane node C) and by SGT in-line Tagging towards the Fusion Router; the Fusion Router learns Source Group Tags from ISE over SXP, while Destination Group Tags are statically assigned; Shared Services/Data Center with APIC-EM, Identity Service and DHCP/DNS]

Router gets Group Based Tags statically assigned:

cts role-based sgt-map 10.10.10.0/30 sgt 101
cts role-based sgt-map 10.11.11.0/29 sgt 11111
cts role-based sgt-map 172.168.1.0/28 sgt 65000
cts role-based sgt-map 10.10.12.0/30 sgt 101
cts role-based sgt-map 10.11.12.0/29 sgt 11111
cts role-based sgt-map 172.168.12.0/28 sgt 65000
cts role-based sgt-map 10.10.13.0/30 sgt 101
cts role-based sgt-map 10.11.13.0/29 sgt 11111
cts role-based sgt-map 172.168.13.0/28 sgt 65000
cts role-based sgt-map 10.10.14.0/30 sgt 101
cts role-based sgt-map 10.11.14.0/29 sgt 11111
cts role-based sgt-map 172.168.14.0/28 sgt 65000
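The previous slide states the requirement (destination subnets outside the fabric must be mapped to SGTs, manually or via SXP/pxGrid) and this one shows the manual form, the cts role-based sgt-map lines. The Python below is an added example, not code from the presentation or from Cisco IOS: it parses sgt-map lines in that syntax into a binding table, adds one dynamically learned binding the way an SXP or pxGrid feed would, and classifies destination addresses by longest-prefix match, which is what decides the destination SGT before an SGACL can be applied. The first six configuration lines are taken from the slide; the comment line, the out-of-range line, the SXP binding and the test addresses are constructed.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

SGT_MAP_RE = re.compile(r"^cts role-based sgt-map (\S+) sgt (\d+)$")

# The first six lines are from the slide; the last two are constructed to show
# what the parser has to reject (a comment line and an SGT that exceeds 16 bits).
FUSION_ROUTER_CONFIG = """\
cts role-based sgt-map 10.10.10.0/30 sgt 101
cts role-based sgt-map 10.11.11.0/29 sgt 11111
cts role-based sgt-map 172.168.1.0/28 sgt 65000
cts role-based sgt-map 10.10.12.0/30 sgt 101
cts role-based sgt-map 10.11.12.0/29 sgt 11111
cts role-based sgt-map 172.168.12.0/28 sgt 65000
! constructed comment line, not a binding
cts role-based sgt-map 10.10.13.0/30 sgt 70000
"""

Binding = Tuple[int, str]  # (SGT, source of the binding: "cli", "sxp", ...)


class SubnetSgtTable:
    """Destination prefix -> SGT bindings held by a border or fusion router."""

    def __init__(self) -> None:
        self.bindings: Dict[ipaddress.IPv4Network, Binding] = {}

    def add(self, prefix: str, sgt: int, source: str) -> None:
        if not 0 <= sgt <= 0xFFFF:
            raise ValueError(f"SGT {sgt} does not fit in 16 bits")
        self.bindings[ipaddress.ip_network(prefix, strict=False)] = (sgt, source)

    def load_static_config(self, config: str) -> List[str]:
        """Parse 'cts role-based sgt-map <prefix> sgt <n>' lines; returns the lines skipped."""
        skipped: List[str] = []
        for raw in config.splitlines():
            line = raw.strip()
            if not line:
                continue
            match = SGT_MAP_RE.match(line)
            if match is None:
                skipped.append(line)
                continue
            try:
                self.add(match.group(1), int(match.group(2)), "cli")
            except ValueError:          # bad prefix or out-of-range SGT
                skipped.append(line)
        return skipped

    def lookup(self, ip: str) -> Optional[Binding]:
        """Longest-prefix match; None means the destination has no SGT and no group policy can apply."""
        addr = ipaddress.ip_address(ip)
        best_net = None
        best_binding = None
        for net, binding in self.bindings.items():
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_binding = net, binding
        return best_binding


def run_example() -> Dict[str, object]:
    table = SubnetSgtTable()
    skipped = table.load_static_config(FUSION_ROUTER_CONFIG)
    # One host binding learned dynamically (as from SXP or pxGrid); constructed values.
    table.add("10.11.11.4/32", 9, "sxp")
    return {
        "skipped": skipped,
        "shared_service": table.lookup("10.10.10.1"),      # /30 from the slide -> SGT 101
        "dc_subnet": table.lookup("10.11.11.2"),           # /29 from the slide -> SGT 11111
        "dc_host_more_specific": table.lookup("10.11.11.4"),  # /32 SXP binding wins over the /29
        "unmapped": table.lookup("192.0.2.9"),             # no binding: destination SGT unknown
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The "unmapped" case is the operational trap the previous slide warns about: a destination that nobody mapped has no SGT, so the border or fusion device cannot enforce a group-based cell for it, and whatever default applies (permit or deny) decides the flow.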

Page 37

SGT Outside the Fabric: Firewall as Fusion Router

[Figure: POLICY-PLANE: the SGT is carried in VXLAN inside the fabric (Border nodes B, Control-plane node C) and by SGT in-line Tagging towards the Firewall; the Firewall receives Group Tags from ISE over SXP/PXGRID; Shared Services/Data Center with APIC-EM, Identity Service and DHCP/DNS]

Firewall gets Group Based Tags from ISE

Page 38

SGT Outside the Fabric: Example: ASA Policy Configuration

Security Group definitions from ISE

Can also combine with Network Object (Host, Range, Network (subnet), or FQDN) AND / OR the SGT

Trigger FirePower services by SGT matches

Page 39

To Sum it Up …

Page 40

Key Take-Aways

Before SD-Access:

• VLAN and IP address based

• Numerous IP segments

• Create IP based ACLs for access policy

• Deal with policy violations and errors manually

After SD-Access:

• No VLAN or subnet dependency for segmentation and access control

• One stretched subnet

• Define one consistent policy

• Policy follows Identity

[Figure: Group-Based Policy, Policy follows Identity, Completely Automated, Drag policy to apply; Users, Devices and Apps placed into an Employee Virtual Network, an IoT Virtual Network and a Guest Virtual Network with Groups 1 to 6]

Page 41

Simplifying Segmentation

Traditional Segmentation: Security Policy based on VLAN/Topology

[Figure: Access Layer, Aggregation Layer and Enterprise Backbone with one VLAN per role: Voice VLAN (Voice), Data VLAN (Employee), Guest VLAN (Supplier), Quarantine VLAN (Non-Compliant); each VLAN brings its own VLAN, Address, DHCP Scope, Redundancy, Routing, Static ACL and VACL]

With SGT/VNs: Automated security policy, works independently of VLANs/topology

No VLAN Change

No Topology Change

Central Policy Provisioning

Micro/Macro Segmentation

[Figure: Intent is turned into Policy; Access Layer and Enterprise Backbone connect to the DC Firewall / Switch and DC Servers; CAMPUS VN with Employee Tag, Supplier Tag and Non-Compliant Tag on the Voice VLAN and Data VLAN; Building Management VN with Cameras Tag and Lighting Tag (Cameras VLAN, Lighting VLAN)]

Page 42

Key Take-Aways

access-list 102 deny icmp 76.176.66.41 0.255.255.255 lt 278 169.48.105.37 0.0.1.255 gt 968
access-list 102 permit ip 8.88.141.113 0.0.0.127 lt 2437 105.145.196.67 0.0.1.255 lt 4167
access-list 102 permit udp 60.242.95.62 0.0.31.255 eq 3181 33.191.71.166 255.255.255.255 lt 2422
access-list 102 permit icmp 186.246.40.245 0.255.255.255 eq 3508 191.139.67.54 0.0.1.255 eq 1479
access-list 102 permit ip 209.111.254.187 0.0.1.255 gt 4640 93.99.173.34 255.255.255.255 gt 28
access-list 102 permit ip 184.232.88.41 0.0.31.255 lt 2247 186.33.104.31 255.255.255.255 lt 4481
access-list 102 deny ip 106.79.247.50 0.0.31.255 gt 1441 96.62.207.209 0.0.0.255 gt 631
access-list 102 permit ip 39.136.60.170 0.0.1.255 eq 4647 96.129.185.116 255.255.255.255 lt 3663
access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388
access-list 102 permit ip 167.100.52.185 0.0.1.255 lt 4379 254.202.200.26 255.255.255.255 gt 4652
access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851
access-list 102 deny icmp 206.107.73.252 0.255.255.255 lt 2465 171.213.183.230 0.0.31.255 gt 1392
access-list 102 permit ip 96.174.38.79 0.255.255.255 eq 1917 1.156.181.180 0.0.31.255 eq 1861
access-list 102 deny icmp 236.123.67.53 0.0.31.255 gt 1181 31.115.75.19 0.0.1.255 gt 2794
access-list 102 deny udp 14.45.208.20 0.0.0.255 lt 419 161.24.159.166 0.0.0.255 lt 2748
access-list 102 permit udp 252.40.175.155 0.0.31.255 lt 4548 87.112.10.20 0.0.1.255 gt 356
access-list 102 deny tcp 124.102.192.59 0.0.0.255 eq 2169 153.233.253.100 0.255.255.255 gt 327
access-list 102 permit icmp 68.14.62.179 255.255.255.255 lt 2985 235.228.242.243 255.255.255.255 lt 2286
access-list 102 deny tcp 91.198.213.34 0.0.0.255 eq 1274 206.136.32.135 0.255.255.255 eq 4191
access-list 102 deny udp 76.150.135.234 255.255.255.255 lt 3573 15.233.106.211 255.255.255.255 eq 3721
access-list 102 permit tcp 126.97.113.32 0.0.1.255 eq 4644 2.216.105.40 0.0.31.255 eq 3716
access-list 102 permit icmp 147.31.93.130 0.0.0.255 gt 968 154.44.194.206 255.255.255.255 eq 4533
access-list 102 deny tcp 154.57.128.91 0.0.0.255 lt 1290 106.233.205.111 0.0.31.255 gt 539
access-list 102 deny ip 9.148.176.48 0.0.1.255 eq 1310 64.61.88.73 0.0.1.255 lt 4570

Page 43

Cisco SD-Access Support: Digital Platforms for your Cisco Digital Network Architecture

Switching: Catalyst 9200, Catalyst 9300, Catalyst 9400, Catalyst 9500, Catalyst 3650 & 3850, Catalyst 4500E, Catalyst 6800, Nexus 7700

Routing: ISR 4330, ISR 4430, ISR 4451, ASR-1000-X, ASR-1000-HX, ENCS 5400

BETA

Wireless: Catalyst 9800, AIR-CT3504, AIR-CT5520, AIR-CT8540, Wave 2 APs (1800, 2800, 3800, 4800), Wave 1 APs* (1700, 2700, 3700)

Extended: Catalyst 3560-CX, Cisco IE 4K/5K, Cisco Digital Building

Page 44

ENABLING IT FOR BUSINESS