Cisco TrustSec SGACL High Availability
Cisco TrustSec Security Group access control lists (SGACLs) support the high availability functionality in switches that support the Cisco StackWise technology. This technology provides stateful redundancy and allows a switch stack to enforce and process access control entries.
There is no Cisco TrustSec-specific configuration to enable this functionality, which is supported in Cisco IOS XE Denali 16.2.1 and later.
Prerequisites for Cisco TrustSec SGACL High Availability
This document assumes the following:
- An understanding of Cisco TrustSec and the SGACL configuration.
- Switches are configured to function as a stack. For more information, see the “Managing Switch Stacks” chapter of the Software Configuration Guide, Cisco IOS XE Denali 16.1.1 (Catalyst 3850 Switches).
- All the switches in the stack are running an identical version of Cisco IOS XE software.
Restrictions for Cisco TrustSec SGACL High Availability
- When both active and standby switches fail simultaneously, stateful switchover of SGACL does not occur.
Information About Cisco TrustSec SGACL High Availability
High Availability Overview
In a switch stack, the stack manager assigns the switch with the highest priority as the active switch, and the switch with the next highest priority as the standby switch. During an automatic or a CLI-based stateful switchover, the standby switch becomes the active switch and the switch with the next highest priority becomes the standby switch and so on.
Operation data is synchronized from the active switch to the standby switch during initial system bootup, when the operational data changes (also called a Change of Authorization [CoA]), and on an operational data refresh.
During a stateful switchover, the newly active switch requests and downloads the operation data. The environment data (ENV-data) and the role-based access control lists (RBACLs) are not updated until the refresh time has elapsed.
The following operation data is downloaded to the active switch:
- Environment Data (ENV-data)—A variable length field that consists of the preferred server list to get the RBACL information at the time of refresh or initialization.
- Protected Access Credential (PAC)—A shared secret that is mutually and uniquely shared between the switch and the authenticator to secure an Extensible Authentication Protocol Flexible Authentication via Secure Tunneling (EAP-FAST) tunnel.
- Role-Based Policy (RBACL or SGACL)—A variable-length role-based policy list that consists of policy definitions for all the Security Group Tag (SGT) mappings on the switch.
Note: The Cisco TrustSec credential, which consists of the device ID and password, is configured by running a command on the active switch.
Verifying Cisco TrustSec SGACL High Availability
To verify the Cisco TrustSec SGACL high availability configuration, run the show cts role-based permissions command on both the active and standby switches. The output from the command must be the same on both switches.
The following is sample output from the show cts role-based permissions command on the active switch:
Device# show cts role-based permissions
IPv4 Role-based permissions default (monitored):
IPv4 Role-based permissions from group 10:SGT_10 to group 15:SGT_15:
IPv4 Role-based permissions from group 14:SGT_14 to group 15:SGT_15:
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
The following is sample output from the show cts role-based permissions command on the standby switch:
Device-stby# show cts role-based permissions
IPv4 Role-based permissions default (monitored):
IPv4 Role-based permissions from group 10:SGT_10 to group 15:SGT_15:
IPv4 Role-based permissions from group 14:SGT_14 to group 15:SGT_15:
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
After a stateful switchover, run the following commands on the active switch to verify the feature:
The following is sample output from the show cts pacs command:
AID: A3B6D4D8353F102346786CF220FF151C
PAC-type = Cisco Trustsec
AID: A3B6D4D8353F102346786CF220FF151C
A-ID-Info: Identity Services Engine
Credential Lifetime: 17:22:32 IST Mon Mar 14 2016
PAC-Opaque: 000200B80003000100040010A3B6D4D8353F102346786CF220FF151C0006009C00030100E044B2650D8351FD06F23623C470511E0000001356DEA96C00093A80538898D40F633C368B053200D4C9D2422A7FEB4837EA9DBB89D1E51DA4E7B184E66D3D5F2839C11E5FB386936BB85250C61CA0116FDD9A184C6E96593EEAF5C39BE08140AFBB194EE701A0056600CFF5B12C02DD7ECEAA3CCC8170263669C483BD208052A46C31E39199830F794676842ADEECBBA30FC4A5A0DEDA93
Refresh timer is set for 01:00:05
The following is sample output from the show cts environment-data command:
Device# show cts environment-data
Installed list: CTSServerList1-000D, 1 server(s):
*Server: 10.78.105.47, port 1812, A-ID A3B6D4D8353F102346786CF220FF151C
auto-test = FALSE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
Environment Data Lifetime = 3600 secs
Last update time = 14:32:53 IST Mon Mar 14 2016
Env-data expires in 0:00:10:04 (dd:hr:mm:sec)
Env-data refreshes in 0:00:10:04 (dd:hr:mm:sec)
Cache data applied = NONE
The following is sample output from the show cts role-based permissions command after a stateful switchover:
Device# show cts role-based permissions
IPv4 Role-based permissions default:
IPv4 Role-based permissions from group 10:SGT_10 to group 15:SGT_15:
IPv4 Role-based permissions from group 14:SGT_14 to group 15:SGT_15:
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
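The verification step above is a manual comparison of show cts role-based permissions output on the active and standby switches, repeated after the switchover. The following added example, which is not part of this Cisco chapter, automates that comparison: it parses each capture into a per-policy structure (source and destination group, monitor-mode flag, ACE names) plus the two RBACL Monitor All flags, and reports every difference. The sample captures are constructed from the outputs shown in this chapter; the indented ACE lines under each policy are constructed for illustration, since the chapter shows only the policy headers. The example also flags the monitor-mode difference between "default (monitored):" in the pre-switchover output and "default:" in the post-switchover output.

```python
import re
from typing import Dict, List

# Constructed sample captures modelled on the chapter's outputs.
# ACE names under each policy are constructed for illustration.
ACTIVE_OUTPUT = """\
Device# show cts role-based permissions
IPv4 Role-based permissions default (monitored):
        Permit IP-00
IPv4 Role-based permissions from group 10:SGT_10 to group 15:SGT_15:
        deny_icmp-10
        Permit IP-00
IPv4 Role-based permissions from group 14:SGT_14 to group 15:SGT_15:
        Permit IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
"""

# Standby capture: identical policy content, different CLI prompt.
STANDBY_OUTPUT = ACTIVE_OUTPUT.replace("Device#", "Device-stby#")

# Post-switchover capture: the default policy is no longer marked (monitored).
POST_SWITCHOVER_OUTPUT = ACTIVE_OUTPUT.replace(
    "permissions default (monitored):", "permissions default:"
)

PROMPT_RE = re.compile(r"^\S+# ")
HEADER_RE = re.compile(
    r"^IPv4 Role-based permissions (?:(default)|from group (\S+) to group (\S+))"
    r"(?P<mon> \(monitored\))?:$"
)
FLAG_RE = re.compile(r"^RBACL Monitor All for (\w+) Policies : (TRUE|FALSE)$")


def parse_rbacl_permissions(text: str) -> Dict[str, dict]:
    """Parse 'show cts role-based permissions' output.

    Returns {"policies": {key: {"monitored": bool, "aces": [...]}},
             "monitor_all": {"Dynamic": bool, "Configured": bool}}.
    The policy key is "default" or "<src group>-><dst group>".
    """
    policies: Dict[str, dict] = {}
    flags: Dict[str, bool] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or PROMPT_RE.match(line):
            continue  # blank line or echoed CLI prompt
        m = HEADER_RE.match(line)
        if m:
            key = "default" if m.group(1) else f"{m.group(2)}->{m.group(3)}"
            policies[key] = {"monitored": bool(m.group("mon")), "aces": []}
            current = key
            continue
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = m.group(2) == "TRUE"
            current = None
            continue
        if current is not None and raw[:1] in (" ", "\t"):
            policies[current]["aces"].append(line.strip())  # indented ACE line
    return {"policies": policies, "monitor_all": flags}


def compare_rbacl(first: str, second: str) -> List[str]:
    """Return a list of human-readable differences; empty means identical."""
    a, b = parse_rbacl_permissions(first), parse_rbacl_permissions(second)
    diffs: List[str] = []
    for key in sorted(set(a["policies"]) | set(b["policies"])):
        pa, pb = a["policies"].get(key), b["policies"].get(key)
        if pa is None or pb is None:
            diffs.append(f"{key}: present only on {'second' if pa is None else 'first'}")
            continue
        if pa["monitored"] != pb["monitored"]:
            diffs.append(f"{key}: monitor mode first={pa['monitored']} second={pb['monitored']}")
        if pa["aces"] != pb["aces"]:
            diffs.append(f"{key}: ACE list first={pa['aces']} second={pb['aces']}")
    for name in sorted(set(a["monitor_all"]) | set(b["monitor_all"])):
        if a["monitor_all"].get(name) != b["monitor_all"].get(name):
            diffs.append(f"Monitor All for {name} policies differs")
    return diffs


if __name__ == "__main__":
    print("active vs standby:", compare_rbacl(ACTIVE_OUTPUT, STANDBY_OUTPUT) or "identical")
    print("pre vs post switchover:", compare_rbacl(ACTIVE_OUTPUT, POST_SWITCHOVER_OUTPUT))
```

Feed the function the raw text of each capture; the CLI prompt line is skipped, so outputs taken from differently named switches compare cleanly. An empty list from compare_rbacl is the "output must be the same on both switches" condition from the verification step.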
Additional References for Configuring Cisco TrustSec SGACL High Availability
Technical Assistance
Description | Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | http://www.cisco.com/cisco/web/support/index.html
Feature Information for Cisco TrustSec SGACL High Availability
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 Feature Information for Cisco TrustSec SGACL High Availability
Feature Name | Releases | Feature Information
Cisco TrustSec SGACL High Availability | Cisco IOS XE Denali 16.2.1 | Cisco TrustSec Security Group access control lists (SGACLs) support the high availability functionality available on the switch stack manager. There is no Cisco TrustSec-specific configuration to enable this functionality. This functionality is only available on switches that have the stack manager architecture and use Cisco IOS XE Denali 16.2.1 and later.