Cisco TrustSec is a system that provides security for Cisco TrustSec-enabled network devices at each routing hop. In this system, each network device authenticates and authorizes its neighbor devices, and then applies some level of security (group tagging, role-based access control lists (ACLs), encryption, and so on) to traffic between the devices. The Cisco TrustSec-enabled device acts as a border router. Cisco Identity Services Engine (ISE) is the designated domain manager for the Cisco TrustSec device. Cisco ISE is the primary source of group namespace and role-based policy information for Cisco TrustSec devices. Cisco ISE authenticates and authorizes endpoints into Security Groups (SGs).
Cisco Application Centric Infrastructure (ACI) automates IT tasks and accelerates data center application deployments. It accomplishes this using a business-relevant software-defined networking (SDN) policy model across networks, servers, storage, security, and services.
Cisco TrustSec and Application Centric Infrastructure (ACI) networks are similar in the semantics of their group-based policy frameworks: users and resources in both networks are categorized into groups, and access is granted between groups. However, Cisco TrustSec and ACI differ in the syntax and representation of group identity, and in how that identity is propagated across the network. For instance, Cisco TrustSec networks use security group tags (SGTs), while ACI networks use endpoint groups (EPGs).
Prior to Cisco IOS XE Everest 16.5.1 and Cisco ISE 2.2, the interaction between TrustSec and ACI was limited to:
In this system, Cisco ISE 2.1 exchanged information with the Application Policy Infrastructure Controller-Data Center (APIC-DC) through REST calls to the APIC-DC API.
Effective with Cisco IOS XE Everest 16.5.1 and Cisco ISE 2.2, the mapping of a security group tag to the ACI VNID that represents an EPG is done dynamically. The same is true for traffic sourced from the ACI domain, where the VNID is translated into an SGT for enforcement in the TrustSec domain. The TrustSec and ACI integration feature therefore builds on the initial group information exchange to provide data plane integration, in which traffic sourced from either domain is dynamically translated into the destination domain's policy group structure; that is, the source security group tag (SGT) is translated to an ACI EPG and vice versa. This exchange allows the new Security Groups or Endpoint Groups to be used in policies within their respective domains.
Cisco ISE interfaces with the ACI controller, also called APIC-DC, to learn EPG names and to share SG names together with their corresponding EPG values, SGT values, and VRF names. This allows Cisco ISE to create and populate SG-EPG translation tables, which the border device downloads to translate TrustSec and ACI identifiers as traffic passes between the domains.
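As an added illustration (not Cisco's code), the following models the SG-EPG translation table a border device would hold: a VRF-scoped, bidirectional SGT-to-VNID map built from constructed sample entries, which rejects any entry that would make the reverse (ACI to TrustSec) translation ambiguous. The table format, field names and values are assumptions for the example only.

```python
# Model of the SG-EPG translation table described above (illustrative only;
# not Cisco's data format). Entries, SGT and VNID values are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    sg_name: str   # TrustSec security group name
    sgt: int       # security group tag value
    epg_name: str  # ACI endpoint group name
    vnid: int      # VNID that represents the EPG in the ACI fabric
    vrf: str       # VRF name that scopes this mapping


# Constructed sample of what ISE would distribute to the border device.
SAMPLE_TABLE = [
    Mapping("Employees", 10, "EPG-Users", 16384, "Prod"),
    Mapping("Servers",   20, "EPG-Web",   16385, "Prod"),
    Mapping("Employees", 10, "EPG-Lab",   16390, "Lab"),
]


class TranslationTable:
    """Bidirectional SGT <-> VNID translation, scoped per VRF."""

    def __init__(self, entries):
        self.sgt_to_vnid = {}
        self.vnid_to_sgt = {}
        for m in entries:
            fwd, rev = (m.vrf, m.sgt), (m.vrf, m.vnid)
            # Within a VRF each VNID must map back to exactly one SGT; otherwise
            # ACI-sourced traffic cannot be tagged unambiguously for enforcement.
            if rev in self.vnid_to_sgt and self.vnid_to_sgt[rev] != m.sgt:
                raise ValueError(f"VNID {m.vnid} in VRF {m.vrf} maps to several SGTs")
            if fwd in self.sgt_to_vnid and self.sgt_to_vnid[fwd] != m.vnid:
                raise ValueError(f"SGT {m.sgt} in VRF {m.vrf} maps to several VNIDs")
            self.sgt_to_vnid[fwd] = m.vnid
            self.vnid_to_sgt[rev] = m.sgt

    def to_aci(self, vrf, sgt):
        """TrustSec -> ACI: return the VNID, or None if the SGT is unmapped."""
        return self.sgt_to_vnid.get((vrf, sgt))

    def to_trustsec(self, vrf, vnid):
        """ACI -> TrustSec: return the SGT, or None if the VNID is unmapped."""
        return self.vnid_to_sgt.get((vrf, vnid))
```

An unmapped result (None) is the case a border device must treat explicitly, since traffic without a destination-domain group identity cannot be matched by group-based policy.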
The Cisco TrustSec device communicates with Cisco ISE through a RADIUS server, using PAC provisioning and environment data download. Refer to the sections titled "Protected Access Credential (PAC)" and "PAC Provisioning" in this chapter for more information about PAC.
For more information on TrustSec–ACI policy plane integration, refer to TrustSec – ACI Policy Plane Integration.