CTS SGACL Support

CTS SGACL support feature provides state-less access control mechanism based on the security association or security group tag value instead of IP addresses.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to https://cfnng.cisco.com/. An account on Cisco.com is not required.

Prerequisites for CTS SGACL Support

For CTS SGACL support, ensure that Protected Access Credential (PAC) and environmental data download is configured on the device for dynamic SGACL.

Restrictions for CTS SGACL Support

  • For the list of supported TrustSec features per platform and the minimum required IOS release, see the Cisco TrustSec Platform Support Matrix at the following URL: http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html

  • SGACL enforcement is not supported on management interfaces.

  • Dynamic SGACL download size is limited to 6 KB

  • There is no validation of SGACL enforcement on Port-Channel interfaces.

  • In a VRF aware SGT configuration, Cisco IOS XE Denali 16.3 supports ISE communication though non management VRF interface. ISE communication through management interface is not supported.

  • Scale limit of 6 KB is only for dynamic SGACL. Static SGACL can support higher scale like 256*256 matrix.

  • SGACL enforcement is by-passed for the IPv6 packets with link-local IPv6 source/destination address.

  • The SGACL enforcement for IPv6 multicast traffic is by-passed.

Information About CTS SGACL Support

CTS SGACL Support

Security group access control lists (SGACLs) is a policy enforcement through which the administrator can control the operations performed by the user based on the security group assignments and destination resources. Policy enforcement within the Cisco Trustsec domain is represented by a permissions matrix, with source security group number on one axis and destination security group number on the other axis. Each cell in the matrix contains an ordered list of SGACLs which specifies the permissions that should be applied to packets originating from an IP belonging to a source security group and having a destination IP that belongs to the destination security group.

SGACL provides state-less access control mechanism based on the security association or security group tag value instead of IP addresses and filters the traffic based on match class. There are three ways to provision the SGACL policy:
  • Static policy provisioning - The SGACL policies are defined by the user using the command cts role-based permission .

  • Dynamic policy provisioning - Configuration of SGACL policies should be done primarily through the policy management function of the Cisco Secure ACS or the Cisco Identity Services Engine - Cisco Identity Services Engine User Guide

  • Change of Authorization (CoA) - The updated policy is downloaded when the SGACL policy is modified on the ISE and CoA is pushed to the CTS device.

SGACL Monitor Mode

During the pre-deployment phase of Cisco TrustSec, an administrator will use the monitor mode to test the security policies without enforcing them to make sure that the policies function as intended. If the security policies do not function as intended, the monitor mode provides a convenient mechanism for identifying that and provides an opportunity to correct the policy before enabling SGACL enforcement. This enables administrators to have increased visibility to the outcome of the policy actions before they enforce it, and confirm that the subject policy meets the security requirements (access is denied to resources if users are not authorized).

The monitoring capability is provided at the SGT-DGT pair level. When you enable the SGACL monitoring mode feature, the deny action is implemented as an ACL permit on the line cards. This allows the SGACL counters and logging to display how connections are handled by the SGACL policy. Since all the monitored traffic is permitted, there is no disruption of service due to SGACLs while in the SGACL monitor mode.

How to Configure CTS SGACL Support

Enabling SGACL Policy Enforcement Globally

To enable SGACL policy enforcement on Cisco TrustSec-enabled routed interfaces, perform this task:

enable
configure terminal
cts role-based enforcement

Enabling SGACL Policy Enforcement Per Interface

You can enable SGACL enforcement globally and disable on a specific interface with cts role-based enforcement command. SGACL enforcement can also be enabled on specific interfaces without enabling it globally.

To enable SGACL policy enforcement on interfaces, perform this task:


enable
configure terminal
interface GigabitEthernet 0/1/1
cts role-based enforcement

Configuring IPv6 SGACL Access Control Entries

An SGACL is defined similar to the extended named ACL using the following command:


Device(config)#ipv6 access-list role-based sgacl1
IPV6 Role-based Access List Configuration commands:
  default   Set a command to its defaults
  deny      Specify packets to reject
  exit      Exit from access-list configuration mode
  no        Negate a command or set its defaults
  permit    Specify packets to forward
  remark    Access list entry comment
  sequence  Sequence number for this entry

Attaching SGACLs to Permission Matrix Cell


Device(config)#cts role-based permissions from 100 to 200
  WORD  Role-based Access-list name
  ipv4  Protocol Version - IPv4
  ipv6  Protocol Version - IPv6

This command defines, replaces, or deletes the list of RBACLs for a given <SGT, DGT> pair. This policy comes into an effect when there is no dynamic policy for the same SGT, DGT. By default, you can attach only an IPv4 type RBACL. To add an IPv6 SGACL, specify ipv6 explicitly.

Manually Configuring SGACL Policies

To manually configure SGACL policies, perform the following tasks:


enable
configure terminal
ip access-list role-based allow_webtraff
10 permit tcp dst eq 80
20 permit tcp dst eq 443
cts role-based permissions from 55 to 66 allow_webtraff
end

Refreshing the Downloaded SGACL Policies

To refresh the downloaded SGACL policies, perform the following task:



enable
cts refresh policy

Or



enable
cts refresh policy sgt 10

Configuring SGACL Monitor Mode

Before configuring SGACL monitor mode, ensure that Cisco TrustSec is enabled.


Note

The device level monitor mode is not enabled by default unless any one of the configurations are applied. In case of SGACL's downloaded from ISE, the monitor mode state from ISE takes precedence always. This is applicable for both per-cell monitor mode or global monitor mode which is applicable for all cell.


 
configure terminal
cts role-based monitor enable
cts role-based monitor permissions from 2 to 3 ipv4
show cts role-based permissions from 2 to 3 ipv4
show cts role-based counters ipv4

Configuring IPv6 SGACL ACE

The following CLI is used to define Access Control Entries (ACEs) of an IPv6 SGACL.


Device(config)#ipv6 access-list role-based sgacl1
Device(config-ipv6rb-acl)#permit ipv6
Device(config-ipv6rb-acl)#exit
Device(config)#cts role-based permissions from 100 to 200 ipv6 sgacl1
  

Note

IPv6 ACL configuration is for static SGACL whereas for dynamic SGACL, ACEs are configured on the ISE.


Configuration Examples for CTS SGACL Support

Example: CTS SGACL Support

The following is a sample output of the show cts role-based permissions command.


Router# show cts role-based permissions 

IPv4 Role-based permissions default:
        default_sgacl-02
        Permit IP-00
IPv4 Role-based permissions from group 55:SGT_55 to group 66:SGT_66 (configured):
        allow_webtraff
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE


Router#sh cts role-based permissions ipv6
IPv6 Role-based permissions from group 2103:Cisco_UC_Servers to group 2104:Exchange_Servers:
        SGACL_5-10-ipv6
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

The following is a sample output, applicable only to dynamic SGACL, of the show cts policy sgt command.


Router# show cts policy sgt   
                                            
CTS SGT Policy                                                             
==============                                                             
RBACL Monitor All : FALSE
RBACL IP Version Supported: IPv4
SGT: 0-02:Unknown
SGT Policy Flag: 0xc1408801
RBACL Source List: Empty
RBACL Destination List: Not exist
RBACL Multicast List: Not exist
RBACL Policy Lifetime = 1800 secs
RBACL Policy Last update time = 20:58:28 IST Wed Jul 13 2016
Policy expires in 0:00:24:05 (dd:hr:mm:sec)
Policy refreshes in 0:00:24:05 (dd:hr:mm:sec)
Cache data applied = NONE

SGT: 65535-46:ANY
SGT Policy Flag: 0x41400001
RBACL Source List:
  Source SGT: 65535-46:ANY-0, Destination SGT: 65535-46:ANY-0
  rbacl_type = 80
  rbacl_index = 1
  name   = default_sgacl-02
  IP protocol version = IPV4
  refcnt = 1
  flag   = 0x40000000
  stale  = FALSE
  RBACL ACEs:
    permit icmp
    permit ip
  Source SGT: 65535-46:ANY-0, Destination SGT: 65535-46:ANY-0
  rbacl_type = 80
  rbacl_index = 2
  name   = Permit IP-00
  IP protocol version = IPV4
  refcnt = 1
  flag   = 0x40000000
  stale  = FALSE
  RBACL ACEs:
    permit ip
RBACL Destination List: Not exist
RBACL Multicast List: Not exist
RBACL Policy Lifetime = 1800 secs
RBACL Policy Last update time = 20:58:28 IST Wed Jul 13 2016
Policy expires in 0:00:24:05 (dd:hr:mm:sec)
Policy refreshes in 0:00:24:05 (dd:hr:mm:sec)
Cache data applied = NONE

The following is a sample output, applicable only to dynamic SGACL, of the show cts rbacl command.


Router# show cts rbacl   
            
CTS RBACL Policy                    
================
RBACL IP Version Supported: IPv4 & IPv6
  name   =multple_ace-16
  IP protocol version = IPV4
  refcnt = 4
  flag = 0x40000000
  stale = FALSE
  RBACL ACEs:
      permit icmp
      deny tcp

  name   =default_sgacl-02
  IP protocol version = IPV4
  refcnt = 2
  flag = 0x40000000
  stale = FALSE
  RBACL ACEs:
      permit icmp
      permit ip

  name   =SGACL_256_ACE-71
  IP protocol version = IPV4

Example: Configuring SGACL Monitor Mode

The following is a sample configuration example for SGACL Monitor Mode:


Device# configure terminal 
Device(config)# cts role-based monitor enable 
Device(config)# cts role-based permissions from 2 to 3 ipv4 
Device# show cts role-based permissions from 2 to 3 ipv4 

								IPv4 Role-based permissions from group 2:sgt2 to group 3:sgt3 (monitored):
								denytcpudpicmp-10
								Deny IP-00

Device# show cts role-based permissions from 2 to 3 ipv4 details 

								IPv4 Role-based permissions from group 2:sgt2 to group 3:sgt3 (monitored):
								denytcpudpicmp-10
								Deny IP-00
								Details:
								Role-based IP access list denytcpudpicmp-10 (downloaded)
								10 deny tcp
								20 deny udp
								30 deny icmp
								Role-based IP access list Permit IP-00 (downloaded)
								10 permit ip
Device# show cts role-based permissions ipv6 
IPv6 Role-based permissions from group 201 to group 22 (configured):
        g6
IPv6 Role-based permissions from group 100 to group 200 (configured):
        sgacl1
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

Device# show cts role-based counters ipv4 
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
100     200     0          0          0          0          0          0
101     201     0          0          0          0          0          0

Device# show cts role-based counters ipv6 
Role-based IPv6 counters
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
201     22      0          0          0          0          0          0
100     200     0          0          0          0          0          0
                       

Example: Refreshing the Downloaded SGACL Policies

The following is a sample configuration example for refreshing the downloaded SGACL policies. The command is run in a privileged EXEC mode.

Router#cts refresh policy
Router#cts refresh policy sgt

Additional References for CTS SGACL Support

Related Documents

Related Topic

Document Title

MIBs

MIB

MIBs Link

CISCO-MIB

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for CTS SGACL Support

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for CTS SGACL Support

Feature Name

Releases

Feature Information

CTS SGACL Support

Cisco IOS Release 16.3

The CTS SGACL Support feature provides state-less access control mechanism based on the security association or security group tag value instead of IP addresses.

In Cisco IOS Release 16.3, this feature was introduced for Cisco Aggregation Service Router 1000 series and Integrated Services Router 4000 series.

The following commands were introduced by this feature: cts role-based enforcement, ip access-list role-based, cts role-based permissions, show cts role-based permissions, show cts rbacl .

TrustSec SGACL Monitor Mode

Cisco IOS XE Everest 16.4.1

TrustSec SGACL Monitor Mode feature monitors the security policies without enforcing that the policies function as intended. The monitor mode provides a convenient mechanism for identifying the security policies that do not function and provide an opportunity to correct the policy before enabling SGACL enforcement.

The following commands were introduced by this feature: cts role-based monitor enable, cts role-based monitor permissions .

IPv6 enablement - SGACL Enforcement

Cisco IOS XE Fuji 16.8.1

The support for IPv6 is introduced.