Published On: September 18ᵗʰ, 2020 10:40

Cisco TrustSec Configuration Guide, Cisco IOS XE Amsterdam 17.3.x (Catalyst 9500 Switches)

Contents

The Security Group Tag (SGT) Exchange Protocol (SXP) is one of the several protocols that supports Cisco TrustSec. SXP is a control protocol for propagating IP-to-SGT binding information across network devices that do not have the capability to tag packets. SXP passes IP-to-SGT bindings from authentication points to upstream devices in a network. This process allows security services on switches, routers, or firewalls to learn user identity information from access devices.

The IP-Prefix and SGT-Based SXP Filtering feature allows IP-to-SGT bindings to be filtered, when they are exported or imported. This filtering can be done based on the IP prefix, SGT, or a combination of both.

Restrictions for IP-Prefix and Security Group Tag (SGT)-Based Security Exchange Protocol (SXP) Filtering

  • No high availability support for the stateful synchronization of IP-Security Group Tag (SGT) bindings in an Security Exchange Protocol (SXP) database between active and standby devices.

  • Filters applied to an existing connection will take effect only on the subsequent bindings that are exported or imported. The filters do not apply to any bindings that have been exported or imported prior to applying the filters.

  • Virtual Routing and Forwarding (VRF)-specific filtering is not supported, and a filter specified for a peer IP is applicable across all VRFs on the device.

  • SGT values in filter rules will be a list of single SGT numbers. SGT ranges are not supported.

Information About IP-Prefix and SGT-Based SXP Filtering

Overview

The IP-Prefix and SGT-Based SXP Filtering feature allows IP-to-SGT bindings to be filtered, when they are exported or imported. This filtering can be done based on the IP prefix, SGT, or a combination of both.

The Security Group Tag (SGT) Exchange Protocol (SXP) is one of the several protocols that supports Cisco TrustSec. SXP is a control protocol for propagating IP-to-SGT binding information across network devices that do not have the capability to tag packets. SXP passes IP-to-SGT bindings from authentication points to upstream devices in a network. This process allows security services on switches, routers, or firewalls to learn user identity information from access devices.

The IP-to-SGT filtering allow systems to selectively import or export only bindings of interest. In an SXP connection, a filter can be configured on a device that acts either as a speaker or a listener, based on the filtering that happens during the export or import of bindings.

In the case of bidirectional SXP connections, filters are applied in either of the directions, based on whether a speaker or listener filter is configured. If a peer is a part of both the speaker and the listener filter groups, then filtering is applied in both directions.

Filters can be applied either on a peer-to-peer basis or globally (applicable to all SXP connections). In both cases, the filter can be applied on the speaker or the listener.

Filter Rules

A filter that needs to be applied on a device is created with a set of filter rules. Each filter rule specifies the action or actions to be taken for bindings with specific SGT values and/or IP-prefix values. Each binding is matched against the values specified in the filter rules; if a match is found, the corresponding action specified in the filter rule is applied. An action that can be applied on a selected binding is either a permit or a deny action. When a filter is enabled on the speaker or listener during the export or import of IP-SGT bindings, the bindings are filtered based on the filter rules.

If a rule is not specified for a binding in a filter list, the catch-all rule that is configured in the filter-list is executed. In the absence of a catch-all rule, the corresponding binding is implicitly denied.

Types of SXP Filtering

IP-SGT bindings are filtered in one of the following ways:

  • SGT-based filtering: Filters IP-SGT bindings in an SXP connection based on the SGT value.

  • IP-prefix based filtering: Filters IP-SGT bindings in an SXP connection based on the IP-prefix value.

  • SGT and IP-prefix based filtering: Filter IP-SGT bindings in an SXP connection based on the SGT value and IP-prefix value.

A filter rule is applied on each of the IP-SGT binding.

How to Configure IP-Prefix and SGT-Based SXP Filtering

This section describes how to configure IP-prefix and SGT-cased SXP filtering.

Configuring an SXP Filter List

In this step, a filter list is created to hold a set of rules. These rules filter the IP-SGT bindings by allowing bindings that are permitted, and blocking bindings that are denied. Each rule can be based on an SGT, IP prefix, or a combination of both the SGT and IP prefix.

If a filter list does not have a rule that matches a specific IP-SGT binding, the binding is implicitly denied unless a default or catch-all ruled is defined.

Procedure

  Command or Action Purpose
Step 1

enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Enters global configuration mode.

Step 3

cts sxp filter-list filter-name

Configures a Cisco TrustSec filter list and enters filter-list configuration mode.

Step 4

sequence-number permit ipv4 ip-address/prefix deny sgt sgt-value

Configures a filter list rule.

Step 5

exit

Exits filter-list configuration mode and returns to global configuration mode.

Step 6

cts sxp filter-list filter-name

Configures a Cisco TrustSec filter list and enters filter list configuration mode.

Step 7

[sequence-number] deny sgt sgt-value permit ipv6 ipv6-address/prefix

Configures a filter list rule.

Step 8

exit

Exits filter-list configuration mode and returns to global configuration mode.

Step 9

cts sxp filter-list filter-name

Configures a Cisco TrustSec filter list and enters filter list configuration mode.

Step 10

[sequence-number] permit ipv6 ipv6-address/prefix permit sgt-value permit

Configures a filter list rule.

Step 11

end

Exits filter-list configuration mode and returns to privileged EXEC mode.

Configuring an SXP Filter Group

In this step, a set of peers are combined into a group, and a filter list is applied to the group. A filter-group can either be defined as a speaker group or listener group. To apply the same filter list to all speakers or all listeners, you can create a global speaker filter group or a global listener filter group.


Note

Only one filter list can be attached to a filter group.


Procedure

  Command or Action Purpose
Step 1

enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Enters global configuration mode.

Step 3

cts sxp filter-group listener listener-name

Configures an SXP filter-group listener, and enters filter-group configuration mode.

Step 4

filter filter-list-name

Configures a filter list rule.

Step 5

peer ipv4-address

Configures the IP address of a peer.

Step 6

exit

Exits filter-group configuration mode and returns to global configuration mode.

Step 7

cts sxp filter-group speaker speaker-name

Configures a voice VLAN on a multiple VLAN access port.

Step 8

filter filter-list-name

Configures a filter list name.

Step 9

peer ipv4-address

Configures the IP address of a peer.

Step 10

end

Exits filter-group configuration mode and returns to privileged EXEC mode.

Configuring a Global Listener or Speaker Filter Group

When configuring a global listener and global speaker filter group, the filter is applied to across the box for all SXP connections that are in listener or speaker mode.

When adding a filter-list to a filter group the currently configured set of filter lists on the box is displayed as a help string.


Note

The peer command is not available for the global listener and global speaker filter-group.


Procedure

  Command or Action Purpose
Step 1

enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Enters global configuration mode.

Step 3

cts sxp filter-group listener global filter-list-name

Configures a global listener filter group.

Step 4

cts sxp filter-group speaker global filter-list-name

Configures a global speaker filter group.

Step 5

end

Exits global configuration mode and returns to privileged EXEC mode.

Enabling SXP Filtering

After the SXP filter list and filter groups are configured, you must enable filtering.

Procedure

  Command or Action Purpose
Step 1

enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Enters global configuration mode.

Step 3

cts sxp filter enable

Configures a source template for the interface.

Step 4

exit

Exits global configuration mode and returns to privileged EXEC mode.

Step 5

show cts sxp filter-list filter_name

Displays the filter lists configured on the device along with the filter rules in each of the filter list.

Configuring the Default or Catch-All Rule

The default or catch-all rule is applied on IP-SGT bindings for which there was no match with any of the rules in the filter list. If a default rule is not specified, these IP-SGT bindings are denied.

Define the default or catch-all rule in the filter-list configuration mode of the corresponding filter list.

Procedure

  Command or Action Purpose
Step 1

enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Enters global configuration mode.

Step 3

cts sxp filter-list filter-name

Configures a Cisco TrustSec filter list and enters filter-list configuration mode.

Step 4

permit ipv4 ip-address/prefix

Permits access if the conditions are matched.

Step 5

deny ipv6 ipv6-address/prefix

Denies access if the conditions are matched.

Step 6

permit sgt all

Permits bindings corresponding to all SGTs.

Step 7

end

Exits filter-list configuration mode and returns to privileged EXEC mode.

Configuration Examples for IP-Prefix and SGT-Based SXP Filtering

The following sections show configuration examples of IP-prefix and SGT-based SXP filtering.

Example: Configuring an SXP Filter List

Device> enable
Device# configure terminal
Device(config)# cts sxp filter-list filter1
Device(config-filter-list)# permit ipv4 10.1.1.0/24 deny sgt 3 4
Device(config-filter-list)# exit
Device(config)# cts sxp filter-list filter2
Device(config-filter-list)# permit sgt all
Device(config-filter-list)# exit
Device(config)# cts sxp filter-list filter3
Device(config-filter-list)# deny ipv6 2001:db8::1/64 permit sgt 67
Device(config-filter-list)# end

Example: Configuring an SXP Filter Group

Device> enable
Device# configure terminal
Device(config)# cts sxp filter-group listener group1
Device(config-filter-group)# filter filter1
Device(config-filter-group)# peer 172.16.0.1 192.168.0.1
Device(config-filter-group)# exit
Device(config)# cts sxp filter-group listener global group2
Device(config)# end

Example: Enabling SXP Filtering

Device> enable
Device# configure terminal
Device(config)# cts sxp filter-enable
Device(config)# end

Example: Configuring the Default or Catch-All Rule

The following example shows how to create a default prefix rule that permits bindings corresponding to all IPv4 and IPv6 addresses:

Device(config)# cts sxp filter-list filter1
Device(config-filter-list)# permit ipv4 10.0.0.0/0
Device(config-filter-list)# deny ipv6 2001:db8::1/0


The following example shows how to create a default SGT rule that permits bindings corresponding to all SGTs:

Device(config)# cts sxp filter-list filter_1
Device(config-filter-list)# permit sgt all

Verifying IP-Prefix and SGT-Based SXP Filtering

To verify the configuration, use the following commands:

The debug cts sxp filter events command is used to log events related to the creation, removal, and update of filter-lists and filter-groups. This command is also used to capture events related to the matching actions in a filtering process.

Device# debug cts sxp filter events

The following sample output from the show cts sxp filter-group speaker command displays SXP speaker filter groups:

Device# show cts sxp filter-group speaker group1
   Filter-group: group1
   Filter-name: filter1
   Peer-list: 172.16.0.1 192.168.0.1


The following sample output from the show cts sxp filter-group listener command displays SXP speaker listener groups:

Device# show cts sxp filter-group listener

Global Listener Filter: Not configured
   Filter-group: group1
   Filter-name: filter1
   Peer-list: 172.16.0.1 192.168.0.1
   Filter-group: group2
   Filter-name: filter1
   Peer-list: 192.0.2.1, 198.51.100.1, 203.0.113.1


The following sample output from the show cts sxp filter-group speaker detailed command displays detailed information about SXP speaker filter groups:

Device# show cts sxp filter-group speaker group1 detailed

   Filter-group: group1
   Filter-name: filter1
   Filter-rules:
      10 deny sgt 30
      20 deny prefix 10.1.0.0/16
      30 permit sgt 60-100
   Peer-list: 172.16.0.1 192.168.0.1


The following sample output from the show cts sxp filter-group command displays information about all configured filter groups:

Device# show cts sxp filter-group

Global Listener Filter: Not configured

Global Speaker Filter: Not configured

Listener Group:
   Filter-group: group1
   Filter-name: filter1
   Peer-list: 172.16.0.1 192.168.0.1
   Filter-group: group2
   Filter-name: filter1
   Peer-list: 192.0.2.1, 198.51.100.1, 203.0.113.1

Speaker Group:
   Filter-group: group3
   Filter-name: filter1
   Peer-list: 172.16.0.1 192.168.0.13
   Filter-group: group2
   Filter-name: filter1
   Peer-list: 192.0.2.1, 198.51.100.1, 203.0.113.1

The following sample output from the show sxp filter-group detailed command displays detailed information about all configured SXP filter groups:

Device# show cts sxp filter-group detailed

Global Listener Filter: Configured
   Filter-name: global1
   Filter-rules:
      10 deny 192.168.0.13/32
      20 deny sgt 100-200

Global Speaker Filter: Configured
   Filter-name: global2
   Filter-rules:
      10 deny 192.168.0.13/32
      20 deny sgt 100-200

Listener Group:
   Filter-group: group1
   Filter-name: filter1
   Filter-rules:
      10 deny sgt 30
      20 deny prefix 172.16.0.0/16
      30 permit sgt 60-100
   Peer-list: 172.16.0.1, 192.168.0.13

   Filter-group: group2
   Filter-name: filter1
   Filter-rules:
      10 deny sgt 30
      20 deny prefix 172.16.0.0/16
      30 permit sgt 60-100
   Peer-list: 192.0.2.1, 198.51.100.1, 203.0.113.1

Speaker Group
   Filter-group: group3
   Filter-name: filter1
   Filter-rules:
      10 deny sgt 30
      20 deny prefix 172.16.0.0/16
      30 permit sgt 60-100
   Peer-list: 10.10.10.1, 172.16.0.1, 192.168.0.13

   Filter-group: group2
   Filter-name: filter1
   Filter-rules:
      10 deny sgt 30
      20 deny prefix 172.16.0.0/16
      30 permit sgt 60-100
   Peer-list: 192.0.2.1, 198.51.100.1, 203.0.113.1


Syslog Messages for SXP Filtering

Syslog messages for SXP filtering are generated to indicate the various events related to filtering.

Syslog Messages for Filter Rules

The maximum number of rules that can be configured in a single filter is 128. The following message is generated every time the number of filter rules that is configured in a single filter increases by 20% of the limit:

CTS SXP filter rules exceed %[ ] threshold. Reached count of [count] out of [max] in filter [filter-name].

The following message is generated when the number of rules configured in a single filter reaches 95% of the maximum number of rules allowed for a filter list:

CTS SXP filter rules exceed [ ] threshold. Reached count of [count] out of [max] in filter [filter-name].

The following message is generated when the number of rules configured in a single filter reaches the maximum number of allowed rules, and no more rules can be added.

Reached maximum filter rules. Could not add new rule in filter [filter-name]

Syslog Messages for Filter Lists

The maximum number of filter lists that can be configured is 256. The following message is generated every time the number of filter lists that is configured increases by 20% of this limit:

CTS SXP filter rules exceed %[ ] threshold. Reached count of [count] out of [max] in filter [filter-name].

The following message is generated when the number of filter lists that is configured reaches 95% of the maximum number of allowed filter lists:

CTS SXP filter rules exceed %[ ] threshold. Reached count of [count] out of [max]

The following message is generated when the number of filter lists that is configured reaches the maximum number of allowed filter lists, and no more filter lists can be added:

Reached maximum filter count. Could not add new filter

Feature History for IP-Prefix and SGT-Based SXP Filtering

This table provides release and related information for features explained in this module.

These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

Release

Feature

Feature Information

Cisco IOS XE Everest 16.5.1a

IP-Prefix and SGT-Based SXP Filtering

The IP-Prefix and SGT-Based SXP Filtering feature provides a filtering mechanism to solve the high IP-SGT bindings scale issue.

Support for this feature was introduced only on the C9500-12Q, C9500-16X, C9500-24Q, C9500-40X models of the Cisco Catalyst 9500 Series Switches.

Cisco IOS XE Fuji 16.8.1a

IP-Prefix and SGT-Based SXP Filtering

Support for this feature was introduced on the C9500-32C, C9500-32QC, C9500-48Y4C, and C9500-24Y4C models of the Cisco Catalyst 9500 Series Switches.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.