Published On: August 3rd, 2020 08:22

Cisco TrustSec Configuration Guide, Cisco IOS XE Amsterdam 17.3.x (Catalyst 9500 Switches)

Using security group access control lists (SGACLs), you can control the operations that users can perform based on the security group assignments of users and destination resources. Policy enforcement within the Cisco TrustSec domain is represented by a permissions matrix, with source security group numbers on one axis and destination security group numbers on the other axis. Each cell in the body of the matrix can contain an ordered list of SGACLs which specifies the permissions that should be applied to packets originating from the source security group and destined for the destination security group.

Restrictions for Configuring SGACL Policies

  • Due to hardware limitations, Cisco TrustSec SGACLs cannot be enforced for punt (CPU bound) traffic in hardware. SGACL enforcement in software is bypassed for CPU bound traffic for SVI, layer 2 and layer 3 Location Identifier Separation Protocol (LISP), and loopback interfaces.

  • When configuring SGACL policies, if you change the IP version dynamically from IPv4 or IPv6 to Agnostic (applies to both IPv4 and IPv6) and vice-versa, the corresponding SGACL policies for IPv4 and IPv6 are not downloaded completely via the management VRF interface.

  • When configuring SGACL policies, if you change the existing IP version to any other version (IPv4 or IPv6 or Agnostic) and vice-versa, Change of Authorization (CoA) from Cisco Identity Services Engine (ISE) should not be performed using RADIUS. Instead, use SSH and run the cts refresh policy command to perform a manual policy refresh.

  • When using an SGT whitelist model with the default action set to deny all, in some cases Cisco TrustSec policies are only partially downloaded from the ISE server after a device reload.

    To prevent this, define a static policy on the device. Even when deny all is applied, the static policy permits the traffic the device needs to download policies from the ISE server, and the downloaded policies then overwrite the static ones. For the device SGT, configure the following commands in global configuration mode:

    • cts role-based permissions from <sgt_num> to unknown

    • cts role-based permissions from unknown to <sgt_num>

Information About SGACL Policies

The following sections provide information about configuring SGACL policies.

ACL Logging

The device can log packets permitted or denied by a standard IP access list: any packet that matches the ACL causes an informational logging message about the packet to be sent to the console. The level of messages logged to the console is controlled by the logging console command, which governs syslog messages. In releases prior to Cisco IOS XE 17.3.1, ACL logging used a CPU-intensive mechanism. Starting with Cisco IOS XE 17.3.1, ACL logging uses the NetFlow hardware, which allows much higher logging rates.


Note

ACL logging in hardware is only supported for Role-Based access control list (RBACL).


The first packet that matches the ACL creates a flow, and the first log message is generated at the NetFlow timeout: 30 seconds for an inactive flow and 1 minute for an active flow. Subsequent packets are aggregated over 5-minute intervals before they are logged. The logging message includes the access list number, whether the packet was permitted or denied, the source and destination IP addresses of the packet, the interface on which the packet was received, and the number of packets from that source permitted or denied in the prior 5-minute interval.


Note

  • Because ACL logging in hardware uses NetFlow, if a NetFlow-based feature is applied to an interface, logging for that interface falls back to the older, CPU-based mechanism. Logging through the NetFlow hardware resumes for that interface after the NetFlow-based feature is removed. The other interfaces continue logging through the NetFlow hardware.

  • Only 15 NetFlow monitors can be attached to the device at a given time. ACL logging requires one NetFlow monitor each for IPv4 and for IPv6 logging. If no NetFlow monitor is available for logging, ACL logging is done through the older mechanism. Once the required number of NetFlow monitors is available, run the cts role-based permissions command to trigger logging through the NetFlow hardware again.

  • If a log ACE matches on fields other than the 5-tuple (source IP address and port number, destination IP address and port number, and the protocol in use), logging is done through the older mechanism.


How to Configure SGACL Policies

The following sections provide information on various SGACL policy configurations.

SGACL Policy Configuration Process

Follow these steps to configure and enable Cisco TrustSec Security Group ACL (SGACL) policies:

  1. Configuration of SGACL policies should be done primarily through the Policy Management function of the Cisco Secure Access Control Server (ACS) or the Cisco Identity Services Engine (ISE).

    If you are not using AAA on a Cisco Secure ACS or a Cisco ISE to download the SGACL policy configuration, you can manually configure the SGACL mapping and policies.


    Note

    An SGACL policy downloaded dynamically from the Cisco Secure ACS or a Cisco ISE will override any conflicting locally-defined policy.


  2. To enable SGACL policy enforcement on egress traffic on routed ports, enable SGACL policy enforcement globally as described in the Enabling SGACL Policy Enforcement Globally section.

  3. To enable SGACL policy enforcement on switched traffic within a VLAN, or on traffic that is forwarded to an SVI associated with a VLAN, enable SGACL policy enforcement for specific VLANs as described in the Enabling SGACL Policy Enforcement on VLANs section.

Enabling SGACL Policy Enforcement Globally

You must enable SGACL policy enforcement globally for Cisco TrustSec-enabled routed interfaces.

To enable SGACL policy enforcement on routed interfaces, perform this task:

Procedure

Step 1

enable

Example:

Device# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

cts role-based enforcement

Example:

Device(config)# cts role-based enforcement

Enables Cisco TrustSec SGACL policy enforcement on routed interfaces.

Step 4

end

Example:

Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Enabling SGACL Policy Enforcement Per Interface

You must first enable SGACL policy enforcement globally for Cisco TrustSec-enabled routed interfaces. This feature is not supported on Port Channel interfaces.

To enable SGACL policy enforcement on Layer 3 interfaces, perform this task:

Procedure

Step 1

enable

Example:

Device# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface type slot/port

Example:

Device(config)# interface gigabitethernet 6/2

Configures an interface and enters interface configuration mode.

Step 4

cts role-based enforcement

Example:

Device(config-if)# cts role-based enforcement

Enables Cisco TrustSec SGACL policy enforcement on routed interfaces.

Step 5

end

Example:

Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Step 6

show cts interface

Example:

Device# show cts interface

(Optional) Displays Cisco TrustSec states and statistics per interface.

Enabling SGACL Policy Enforcement on VLANs

You must enable SGACL policy enforcement on specific VLANs to apply access control to switched traffic within a VLAN, or to traffic that is forwarded to an SVI associated with a VLAN.

To enable SGACL policy enforcement on a VLAN or a VLAN list, perform this task:

Procedure

Step 1

enable

Example:

Device# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

cts role-based enforcement vlan-list vlan-list

Example:

Device(config)# cts role-based enforcement vlan-list 31-35,41

Enables Cisco TrustSec SGACL policy enforcement on the VLAN or VLAN list.

Step 4

end

Example:

Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Configuring SGACL Monitor Mode

Before configuring SGACL monitor mode, ensure the following:

  • Cisco TrustSec is enabled

  • Counters are enabled

Procedure

Step 1

enable

Example:

Device# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

cts role-based monitor all

Example:

Device(config)# cts role-based monitor all

Enables the global monitor mode.

Step 4

cts role-based monitor permissions from {sgt_num} to {dgt_num} [ipv4 | ipv6]

Example:

Device(config)# cts role-based monitor permissions from 2 to 3 ipv4

Enables monitor mode for the IPv4 or IPv6 Role-Based Access Control List (RBACL) of the specified Security Group Tag (SGT) to Destination Group Tag (DGT) pair.

Step 5

end

Example:

Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Step 6

show cts role-based permissions from {sgt_num} to {dgt_num} [ipv4 | ipv6] [details]

Example:

Device# show cts role-based permissions from 2 to 3 ipv4 details

(Optional) Displays the SGACL policies and the monitor mode details for the pair. The output shows monitored if per-cell monitor mode is enabled for the SGT-DGT pair.

Step 7

show cts role-based counters [ipv4 | ipv6]

Example:

Device# show cts role-based counters ipv4

(Optional) Displays all SGACL enforcement statistics for IPv4 and IPv6 events.

Manually Configuring SGACL Policies

A role-based access control list bound to a range of SGTs and DGTs forms an SGACL, a Cisco TrustSec policy enforced on egress traffic. Configuration of SGACL policies is best done through the policy management functions of the Cisco ISE or the Cisco Secure ACS. To manually (that is, locally) configure SGACL policies, configure a role-based ACL and bind it to a range of SGTs.


Note

An SGACL policy downloaded dynamically from the Cisco ISE or Cisco ACS overrides any conflicting manually configured policy.


Configuring and Applying IPv4 SGACL Policies


Note

When configuring SGACLs and Role-Based access control lists (RBACLs), the names of the named access control lists (ACLs) must start with a letter.


Procedure
Step 1

enable

Example:
Device# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 3

ip access-list role-based rbacl-name

Example:
Device(config)# ip access-list role-based allow_webtraff

Creates a Role-based ACL and enters Role-based ACL configuration mode.

Step 4

{[ sequence-number] | default | permit | deny | remark}

Example:
Device(config-rb-acl)# 10 permit tcp dst eq 80

Specifies the access control entries (ACEs) for the RBACL.

You can use most of the commands and options allowed in extended named access list configuration mode, with the source and destination fields omitted.

Press Enter to complete an ACE and begin the next.

The following ACE commands or keywords are not supported:

  • reflect

  • evaluate

  • time-range

Step 5

exit

Example:
Device(config-rb-acl)# exit

Exits role-based ACL configuration mode and returns to global configuration mode.

Step 6

cts role-based permissions {default | from {sgt_num | unknown} to {dgt_num | unknown}} {rbacls | ipv4 rbacls}

Example:
Device(config)# cts role-based permissions from 55 to 66 allow_webtraff

Binds SGTs and DGTs to the RBACL. The configuration is analogous to populating the permission matrix configured on the Cisco ISE or the Cisco Secure ACS.

  • default: The default permissions list.

  • sgt_num: Source Group Tag, 0 to 65,519.

  • dgt_num: Destination Group Tag, 0 to 65,519.

  • unknown: The SGACL applies to packets where the security group (source or destination) cannot be determined.

  • ipv4: Indicates that the following RBACL is IPv4.

  • rbacls: Name of the RBACLs.

Step 7

end

Example:
Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Step 8

show cts role-based permissions

Example:
Device# show cts role-based permissions

(Optional) Displays the SGT/DGT-to-RBACL permission bindings.

Step 9

show ip access-lists {rbacls | ipv4 rbacls}

Example:
Device# show ip access-lists allow_webtraff

(Optional) Displays ACEs of all RBACLs or a specified RBACL.
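The constraints stated in this procedure (RBACL names must begin with a letter, sgt_num and dgt_num in the range 0 to 65,519, the reflect, evaluate and time-range keywords unsupported) are easy to get wrong when a policy is assembled by hand. The following Python script is an added example and is not part of this guide or of Cisco's software: it builds the CLI lines for a locally configured IPv4 SGACL policy, rejects input that violates those constraints or binds an undefined RBACL, and can append the two static device-SGT bindings recommended under Restrictions for Configuring SGACL Policies. The character set allowed after the first letter of a name is the script's own assumption; the script only produces text and does not connect to a device.

```python
import re

SGT_MAX = 65519                                      # sgt_num/dgt_num range stated in this procedure
UNSUPPORTED = {"reflect", "evaluate", "time-range"}  # ACE keywords listed as not supported for RBACLs
NAME_RE = re.compile(r"^[A-Za-z][\w-]*$")            # first character must be a letter; the rest is assumed


def check_tag(tag):
    """Accept 'unknown' or an integer SGT/DGT within the documented range."""
    if tag == "unknown":
        return tag
    if isinstance(tag, int) and 0 <= tag <= SGT_MAX:
        return str(tag)
    raise ValueError(f"bad security group tag: {tag!r}")


def check_ace(ace):
    """An ACE has the source/destination fields omitted and must not use unsupported keywords."""
    words = ace.split()
    if not words or words[0] not in ("permit", "deny", "remark"):
        raise ValueError(f"ACE must start with permit, deny or remark: {ace!r}")
    bad = UNSUPPORTED.intersection(words)
    if bad:
        raise ValueError(f"unsupported keyword(s) {sorted(bad)} in ACE {ace!r}")
    return " ".join(words)


def render_rbacl(name, aces, step=10):
    """CLI lines for one role-based ACL; sequence numbers are assigned in steps of 10."""
    if not NAME_RE.match(name):
        raise ValueError(f"RBACL name must start with a letter: {name!r}")
    lines = [f"ip access-list role-based {name}"]
    for seq, ace in enumerate(aces, start=1):
        lines.append(f" {seq * step} {check_ace(ace)}")
    lines.append(" exit")
    return lines


def render_binding(src, dst, rbacls, ipv4=False):
    """Bind an ordered list of RBACLs to one source/destination cell of the permissions matrix."""
    if not rbacls:
        raise ValueError("at least one RBACL name is required")
    kw = "ipv4 " if ipv4 else ""
    return f"cts role-based permissions from {check_tag(src)} to {check_tag(dst)} {kw}{' '.join(rbacls)}"


def render_device_static_policy(device_sgt):
    """The two static bindings the Restrictions section gives for the device SGT, so the
    device can still reach ISE and download policies after a reload under a deny-all default."""
    tag = check_tag(device_sgt)
    return [f"cts role-based permissions from {tag} to unknown",
            f"cts role-based permissions from unknown to {tag}"]


def build_policy(rbacls, bindings, device_sgt=None):
    """rbacls: {name: [ace, ...]}; bindings: [(src, dst, [rbacl names]), ...]. Returns CLI text."""
    lines = ["configure terminal"]
    for name, aces in rbacls.items():
        lines += render_rbacl(name, aces)
    for src, dst, names in bindings:
        missing = [n for n in names if n not in rbacls]
        if missing:
            raise ValueError(f"binding {src}->{dst} references undefined RBACL(s) {missing}")
        lines.append(render_binding(src, dst, names))
    if device_sgt is not None:
        lines += render_device_static_policy(device_sgt)
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed policy mirroring the manual-configuration example in this module (device SGT 2 is assumed).
    print(build_policy(
        {"allow_webtraff": ["permit tcp dst eq 80", "permit tcp dst eq 443", "permit icmp", "deny ip"]},
        [(55, 66, ["allow_webtraff"])],
        device_sgt=2))
```

Running the script prints the CLI block for the allow_webtraff example; a name such as 1bad, an ACE containing reflect, or a tag above 65,519 raises ValueError before anything is emitted, which is the point of generating the configuration rather than typing it.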

Configuring IPv6 SGACL Policies

To manually configure IPv6 SGACL policies, perform this task:

Procedure
Step 1

enable

Example:
Device# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 3

ipv6 access-list role-based sgacl-name

Example:
Device(config)# ipv6 access-list role-based sgaclname

Creates a named IPv6 SGACL and enters IPv6 role-based ACL configuration mode.

Step 4

{permit | deny } protocol [dest-option | dest-option-type {doh-number | doh-type}] [dscp cp-value] [flow-label fl-value] [mobility | mobility-type {mh-number | mh-type}] [routing | routing-type routing-number] [fragments] [log | log-input] [sequence seqno]

Example:
Device(config-ipv6rb-acl)# permit 33 dest-option dscp af11

Specifies the access control entries (ACEs) for the RBACL.

You can use most of the commands and options allowed in extended named access list configuration mode, with the source and destination fields omitted.

The following ACE commands or keywords are not supported:

  • reflect

  • evaluate

  • time-range

Step 5

end

Example:
Device(config-ipv6rb-acl)# end

Exits IPv6 role-based ACL configuration mode and returns to privileged EXEC mode.

Manually Applying SGACL Policies

To manually apply SGACL policies, perform this task:

Procedure

Step 1

enable

Example:

Device# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

cts role-based permissions default [ipv4 | ipv6] sgacl-name1 [sgacl-name2 [sgacl-name3 ...]]

Example:

Device(config)# cts role-based permissions default MYDEFAULTSGACL

Specifies the default SGACLs. The default policies are applied when no explicit policy exists between the source and destination security groups.

Step 4

cts role-based permissions from {source-sgt | unknown} to {dest-sgt | unknown} [ipv4 | ipv6] sgacl-name1 [sgacl-name2 [sgacl-name3 ...]]

Example:

Device(config)# cts role-based permissions from 3 to 5 SRB3 SRB5

Specifies the SGACLs to be applied for a source security group (SGT) and destination security group (DGT). Values for source-sgt and dest-sgt range from 1 to 65533. By default, SGACLs are considered to be IPv4.

  • from: Specifies the source SGT.

  • to: Specifies the destination security group.

  • unknown: The SGACL applies to packets where the security group (source or destination) cannot be determined.

Note 

An SGACL policy downloaded dynamically from the ACS will override any conflicting manual policy.

Step 5

end

Example:

Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Displaying SGACL Policies

After configuring the Cisco TrustSec device credentials and AAA, you can verify the Cisco TrustSec SGACL policies downloaded from the authentication server or configured manually. Cisco TrustSec downloads the SGACL policies when it learns of a new SGT through authentication and authorization on an interface, from SXP, or from manual IP address to SGT mapping.

Using the keywords, you can display all or part of the permissions matrix:

  • If the from keyword is omitted, a column from the permissions matrix is displayed.

  • If the to keyword is omitted, a row from the permissions matrix is displayed.

  • If the from and to keywords are omitted, the entire permissions matrix is displayed.

  • If the from and to keywords are specified, a single cell from the permissions matrix is displayed and the details keyword is available. When details is entered, the ACEs of the SGACL of the single cell are displayed.
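The row, column and cell rules above, together with the default-policy fallback described under Manually Applying SGACL Policies (the default SGACLs apply only where no explicit cell exists), can be checked offline against saved show output. The following Python script is an added example and is not part of this guide or of Cisco's software: it parses text in the layout of the show cts role-based permissions output shown in the examples section (the sample below is constructed, not captured from a device), resolves which SGACL list applies to a source/destination pair, and selects a row, a column or the whole matrix depending on which of from and to are supplied. The header regular expression is the script's own; it accepts both the short and the named (group 3:sgt3) forms seen in this module.

```python
import re
from collections import OrderedDict

# Constructed sample in the layout of the 'show cts role-based permissions' output
# shown in this module; it is not output captured from a real device.
SAMPLE_OUTPUT = """\
IPv4 Role-based permissions default:
        MYDEFAULTSGACL
IPv4 Role-based permissions from group 3:sgt3 to group 5:sgt5:
        SRB3
        SRB5
Role-based permissions from group 3 to group 7:
        SRB4
IPv4 Role-based permissions from group 2:sgt2 to group 3:sgt3 (monitored):
        denytcpudpicmp-10
        Deny IP-00
"""

# One header line per matrix cell (or the default policy); SGACL names follow, indented.
HEADER_RE = re.compile(
    r"^(?:IPv[46] )?Role-based permissions "
    r"(?:(?P<default>default)|from group (?P<src>\d+|unknown)(?::[^\s:]+)? "
    r"to group (?P<dst>\d+|unknown)(?::[^\s:]+)?)"
    r"(?P<mon> \(monitored\))?:\s*$"
)


def parse_permissions(text):
    """Return (default_sgacls, cells); cells maps (src, dst) strings to
    {'sgacls': [ordered names], 'monitored': bool}, in display order."""
    default, cells, current = [], OrderedDict(), None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if m.group("default"):
                current = default
            else:
                entry = {"sgacls": [], "monitored": bool(m.group("mon"))}
                cells[(m.group("src"), m.group("dst"))] = entry
                current = entry["sgacls"]
            continue
        if current is not None and line.startswith(" ") and line.strip():
            current.append(line.strip())  # an SGACL name belonging to the current cell
    return default, cells


def resolve(default, cells, src, dst):
    """SGACL list applied to src->dst traffic: an explicit cell wins, the default
    policy is used only when no cell exists. Returns (sgacls, monitored, origin)."""
    cell = cells.get((str(src), str(dst)))
    if cell is not None:
        return cell["sgacls"], cell["monitored"], "cell"
    return default, False, "default"


def select(cells, src=None, dst=None):
    """Mirror the show-command keyword rules: 'to' omitted gives a row, 'from'
    omitted gives a column, both omitted gives the entire matrix."""
    return OrderedDict(
        (key, cell) for key, cell in cells.items()
        if (src is None or key[0] == str(src)) and (dst is None or key[1] == str(dst)))


if __name__ == "__main__":
    default_policy, matrix = parse_permissions(SAMPLE_OUTPUT)
    print("default:", default_policy)
    print("3 -> 5:", resolve(default_policy, matrix, 3, 5))
    print("9 -> 9:", resolve(default_policy, matrix, 9, 9))
    print("row for SGT 3:", list(select(matrix, src=3)))
```

A practical use is to diff the resolved SGACL list for a critical pair against what ISE is expected to push, since a dynamically downloaded policy overrides a conflicting local one and the local configuration alone does not show which list is in effect.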

To display the contents of the SGACL policies permissions matrix, perform this task:

Procedure

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

show cts role-based permissions default [ipv4 | ipv6 | details]

Example:

Device# show cts role-based permissions default

Displays the SGACLs of the default policy.

Step 3

show cts role-based permissions from {source-sgt | unknown} to {dest-sgt | unknown} [ipv4 | ipv6 | details]

Example:

Device# show cts role-based permissions from 3

Displays the SGACLs applied to the specified source security group (SGT) and destination security group (DGT) cell, or, when to is omitted as in the example, the whole row for the source SGT. Values for source-sgt and dest-sgt range from 1 to 65533. By default, SGACLs are considered to be IPv4.

  • from: Specifies the source SGT.

  • to: Specifies the destination security group.

  • unknown: Selects the SGACLs for packets where the security group (source or destination) cannot be determined.

Note 

An SGACL policy downloaded dynamically from the ACS will override any conflicting manual policy.

Step 4

exit

Example:

Device# exit

Exits privileged EXEC mode.

Refreshing the Downloaded SGACL Policies

Procedure

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

cts refresh policy {peer [peer-id] | sgt [sgt_number | default | unknown]}

Example:

Device# cts refresh policy peer my_cisco_ise

Performs an immediate refresh of the SGACL policies from the authentication server.

  • If a peer-id is specified, only the policies related to the specified peer connection are refreshed. To refresh all peer policies, press Enter without specifying an ID.

  • If an SGT number is specified, only the policies related to that SGT are refreshed. To refresh all security group tag policies, press Enter without specifying an SGT number. Select default to refresh the default policy. Select unknown to refresh unknown policy.

Step 3

exit

Example:

Device# exit

Exits privileged EXEC mode.

Configuration Examples for SGACL Policies

The following sections provide information on various SGACL policy configuration examples.

Example: Enabling SGACL Policy Enforcement Globally

The following example shows how to enable SGACL policy enforcement globally:

Device> enable
Device# configure terminal
Device(config)# cts role-based enforcement

Example: Enabling SGACL Policy Enforcement Per Interface

The following example shows how to enable SGACL policy enforcement per interface:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 1/0/2
Device(config-if)# cts role-based enforcement
Device(config-if)# end

Example: Enabling SGACL Policy Enforcement on VLANs

The following example shows how to enable SGACL policy enforcement on VLANs:

Device> enable
Device# configure terminal
Device(config)# cts role-based enforcement vlan-list 31-35,41
Device(config)# exit

Example: Configuring SGACL Monitor Mode

The following example shows how to configure SGACL monitor mode:

Device> enable
Device# configure terminal
Device(config)# cts role-based monitor enable
Device(config)# cts role-based monitor permissions from 2 to 3 ipv4
Device(config)# end
Device# show cts role-based permissions from 2 to 3 ipv4

IPv4 Role-based permissions from group 2:sgt2 to group 3:sgt3 (monitored):
        denytcpudpicmp-10
        Deny IP-00

Device# show cts role-based permissions from 2 to 3 ipv4 details

IPv4 Role-based permissions from group 2:sgt2 to group 3:sgt3 (monitored):
        denytcpudpicmp-10
        Deny IP-00
Details:
Role-based IP access list denytcpudpicmp-10 (downloaded)        
        10 deny tcp
        20 deny udp
        30 deny icmp
Role-based IP access list Permit IP-00 (downloaded)
        10 permit ip

Device# show cts role-based counters ipv4

Role-based IPv4 counters
From     To     SW-Denied  HW-Denied  SW-Permitt  HW_Permitt  SW-Monitor  HW-Monitor
*         *     0          0          8           18962       0           0
2         3     0          0          0           0           0           341057
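Before a monitored cell is switched back to enforcement, the counters above answer two questions: which monitored cells are actually carrying traffic that enforcement would drop, and which cells are already denying packets. The following Python script is an added example and is not part of this guide or of Cisco's software: it parses text in the layout of the show cts role-based counters output above (the sample is constructed from that layout with one extra row) and summarises monitored hits and denies per SGT/DGT cell. Treating the * * row as the default-policy counters is the script's own assumption.

```python
# Constructed sample in the layout of the 'show cts role-based counters ipv4' output
# shown in this module; the third data row is added for illustration.
SAMPLE_COUNTERS = """\
Role-based IPv4 counters
From     To     SW-Denied  HW-Denied  SW-Permitt  HW_Permitt  SW-Monitor  HW-Monitor
*         *     0          0          8           18962       0           0
2         3     0          0          0           0           0           341057
5         3     4          120        0           0           0           0
"""

# Column order of the numeric fields, as printed by the show command.
COLUMNS = ("sw_denied", "hw_denied", "sw_permit", "hw_permit", "sw_monitor", "hw_monitor")


def parse_counters(text):
    """Return one dict per SGT/DGT row; the title and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not parts[2].isdigit():
            continue
        rows.append({"src": parts[0], "dst": parts[1],
                     **dict(zip(COLUMNS, map(int, parts[2:])))})
    return rows


def summarize(rows):
    """Findings a reviewer wants before turning enforcement on for a monitored cell."""
    monitored_with_hits = [
        (r["src"], r["dst"], r["sw_monitor"] + r["hw_monitor"])
        for r in rows if r["sw_monitor"] + r["hw_monitor"] > 0]
    denied = [
        (r["src"], r["dst"], r["sw_denied"] + r["hw_denied"])
        for r in rows if r["sw_denied"] + r["hw_denied"] > 0]
    # Assumption: the '*' '*' row counts traffic that matched the default policy.
    default_permits = sum(r["sw_permit"] + r["hw_permit"]
                          for r in rows if r["src"] == "*" and r["dst"] == "*")
    return {"monitored_with_hits": monitored_with_hits,
            "denied": denied,
            "default_permits": default_permits}


def quiet_monitored_cells(rows, monitored_pairs):
    """Monitored cells whose counters show no hits: candidates to move to enforcement
    without visible impact. monitored_pairs is a set of (src, dst) strings."""
    seen = {(r["src"], r["dst"]): r["sw_monitor"] + r["hw_monitor"] for r in rows}
    return sorted(p for p in monitored_pairs if seen.get(p, 0) == 0)


if __name__ == "__main__":
    data = parse_counters(SAMPLE_COUNTERS)
    print(summarize(data))
    print(quiet_monitored_cells(data, {("2", "3"), ("7", "9")}))
```

With the sample above, cell 2 to 3 has 341057 monitored hits and would start dropping that traffic the moment monitor mode is removed, while cell 5 to 3 is already denying. The same parse can be run periodically so a sudden jump in a cell's denied or monitored counters is surfaced as an event rather than noticed by accident.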


Example: Manually Configuring SGACL Policies

The following example shows how to manually configure SGACL policies:

Device> enable
Device# configure terminal
Device(config)# ip access-list role-based allow_webtraff
Device(config-rb-acl)# 10 permit tcp dst eq 80
Device(config-rb-acl)# 20 permit tcp dst eq 443
Device(config-rb-acl)# 30 permit icmp
Device(config-rb-acl)# 40 deny ip
Device(config-rb-acl)# exit
Device(config)# cts role-based permissions from 55 to 66 allow_webtraff

Device# show ip access-lists allow_webtraff

Role-based IP access list allow_webtraff
    10 permit tcp dst eq www
    20 permit tcp dst eq 443
    30 permit icmp
    40 deny ip

Device# show cts role-based permissions from 2 to 5

Role-based permissions from group 2 to group 5:
srb2
srb5

Example: Manually Applying SGACLs

The following example shows how to manually apply SGACL policies:

Device> enable
Device# configure terminal
Device(config)# cts role-based permissions default MYDEFAULTSGACL
Device(config)# cts role-based permissions from 3 to 5 SRB3 SRB5
Device(config)# exit

Example: Displaying SGACL Policies

This example shows how to display the content of the SGACL policies permissions matrix for traffic sourced from security group 3:

Device> enable
Device# show cts role-based permissions from 3

Role-based permissions from group 3 to group 5:
        SRB3
        SRB5
Role-based permissions from group 3 to group 7:
        SRB4

Feature History for Security Group ACL Policies

This table provides release and related information for features explained in this module.

These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

Release: Cisco IOS XE Everest 16.5.1a
Feature: Security Group ACL Policies
Feature Information: Using SGACLs you can control the operations that users can perform based on the security group assignments of users and destination resources. Support for this feature was introduced only on the C9500-12Q, C9500-16X, C9500-24Q, C9500-40X models of the Cisco Catalyst 9500 Series Switches.

Release: Cisco IOS XE Fuji 16.8.1a
Feature: Security Group ACL Policies
Feature Information: Support for this feature was introduced on the C9500-32C, C9500-32QC, C9500-48Y4C, and C9500-24Y4C models of the Cisco Catalyst 9500 Series Switches.

Release: Cisco IOS XE Amsterdam 17.3.1
Feature: Enhanced ACL Logging
Feature Information: Enhanced ACL logging allows logging to be done at much higher rates using the NetFlow hardware.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.