Learning TrustSec – An Introduction to Inline Tagging

In my last article, Basic TrustSec – Implementing Manual SGTs and SGACLs,
we walked through a basic TrustSec configuration. In that example, two devices were connected to a single switch and traffic between them was policed with an SGACL. There are more scalable and automated ways to configure TrustSec-enabled networks, but our goal is to work toward understanding the building blocks.

In today’s article, we will expand on that and connect the two devices to different switches. The trunk between these switches will be configured to carry the associated source SGTs (Security Group Tags). The topology used for this discussion is as follows.

Topology

To demonstrate the topic of inline SGT, we will need to accomplish the following.

  1. Configure and confirm that 192.168.254.11 (connected to c9kSW1) is recognized by its switch with an SGT of 2.
  2. Configure and confirm that 192.168.254.100 (connected to c9kSW2) is recognized by its switch with an SGT of 3.
  3. Configure the trunk between the switches to carry SGTs.
  4. Configure an enforcement policy to demonstrate overall functionality.

Configuration Steps

c9kSW1 configuration/confirmation for host port

//We are using static SGT and need to do IP Device Tracking
//Syntax confirmed on Catalyst 9300

device-tracking policy Default
 tracking enable reachable-lifetime 120
 device-tracking attach-policy Default

//interface configuration

interface GigabitEthernet1/0/2
 description connection to host @192.168.254.11
 device-tracking attach-policy Default
 cts manual
  policy static sgt 2
  no propagate sgt


//Confirmation and validation

//device-tracking database

c9kSW1#show device-tracking database
Binding Table has 1 entries, 1 dynamic (limit 100000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned


    Network Layer Address               Link Layer Address Interface        vlan prlvl  age   state     Time left
ARP 192.168.254.11                          001b.2a1e.de36  Gi1/0/2           1  0005   16s  REACHABLE  104 s

//SGT-MAP

c9kSW1#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
192.168.254.11          2       LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of LOCAL    bindings = 1
Total number of active   bindings = 1

c9kSW2 configuration/confirmation for host port

//We are using static SGT and need to do IP Device Tracking
//Syntax confirmed on Catalyst 9300

device-tracking policy Default
 tracking enable reachable-lifetime 120
 device-tracking attach-policy Default

//interface configuration

interface GigabitEthernet1/0/2
 description connection to host @192.168.254.100
 device-tracking attach-policy Default
 cts manual
  policy static sgt 3
  no propagate sgt

//Confirmation and validation

//device-tracking database

c9kSW2#show device-tracking database
Binding Table has 1 entries, 1 dynamic (limit 100000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned


    Network Layer Address               Link Layer Address Interface        vlan prlvl  age   state     Time left
ARP 192.168.254.100                         001b.2a1e.de37  Gi1/0/2           1  0005   60s  REACHABLE  62 s try 0

//SGT-MAP

c9kSW2#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
192.168.254.100         3       LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of LOCAL    bindings = 1
Total number of active   bindings = 1

c9kSW1 to c9kSW2 Trunk Configuration

//configuration on c9kSW1
//manual configuration, trust received security group tags
//tag untagged to 100

interface GigabitEthernet1/0/1
 description trunk to c9kSW2
 switchport mode trunk
 cts manual
  policy static sgt 100 trusted

//configuration on c9kSW2
//manual configuration, trust received security group tags
//tag untagged to 100

interface GigabitEthernet1/0/1
 description trunk to c9kSW1
 switchport mode trunk
 cts manual
  policy static sgt 100 trusted

//validation

c9kSW1#show cts interface gig 1/0/1
Global Dot1x feature is Disabled
Interface GigabitEthernet1/0/1:
    CTS is enabled, mode:    MANUAL .  <<<<<< Manually Enabled for CTS
    IFC state:               OPEN
    Interface Active for 00:09:29.006
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: ""
    Authorization Status:    SUCCEEDED
        Peer SGT:            100 .  <<<<<< SGT for frames not having an SGT
        Peer SGT assignment: Trusted .  <<<<<< Trust SGT on frames with assigned SGT's
    SAP Status:              NOT APPLICABLE
    Propagate SGT:           Enabled .  <<<<<< Frames to peer should get an SGT
    Cache Info:
        Expiration            : N/A
        Cache applied to link : NONE

Enforcement and Confirmation

//for validation, we will build a policy that allows ICMP
//and denies all else. We can prove this with ping and telnet

//enforcement configuration (c9kSW2)

ip access-list role-based ICMP_ONLY
 permit icmp
 deny   ip
cts role-based enforcement
cts role-based enforcement vlan-list 1
cts role-based permissions from 2 to 3 ICMP_ONLY

//validation testing (Host_SGT2)

Host_SGT2#ping 192.168.254.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Host_SGT2#telnet 192.168.254.100
Trying 192.168.254.100 ...
% Connection timed out; remote host not responding

//validation counters (c9kSW2)

c9kSW2#show cts role-based counters
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
2       3       0          4          0          5          0          0
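The two show outputs above (the trunk state from "show cts interface" and the SGACL hit counters from "show cts role-based counters") are what you would check on every inline-tagged link and enforcement point. The script below is an added example, not part of the article or a Cisco tool; it parses the sample text copied from the sessions above (the author's "<<<<<<" annotations removed) and returns whether the trunk is ready to carry tags and whether the from-2-to-3 policy has actually permitted and denied traffic. The helper names are assumptions of this example.

```python
import re

# Sample output copied from the article (annotations removed), embedded so the check runs offline.
SHOW_CTS_INTERFACE = """\
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
        Peer SGT:            100
        Peer SGT assignment: Trusted
    Propagate SGT:           Enabled
"""

SHOW_RB_COUNTERS = """\
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
2       3       0          4          0          5          0          0
"""

def parse_cts_interface(text):
    """Indented 'key: value' lines of 'show cts interface' as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s+(.+?):\s+(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def trunk_is_inline_ready(text):
    """Manual CTS, link open, peer tags trusted, and tags propagated to the peer."""
    f = parse_cts_interface(text)
    return (f.get("CTS is enabled, mode") == "MANUAL"
            and f.get("IFC state") == "OPEN"
            and f.get("Peer SGT assignment") == "Trusted"
            and f.get("Propagate SGT") == "Enabled")

def parse_rb_counters(text):
    """{(from, to): {column: count}} from 'show cts role-based counters'."""
    rows, header = {}, None
    for cols in (line.split() for line in text.splitlines()):
        if cols and cols[0] == "From":
            header = cols                      # column names, e.g. HW-Denied
        elif header and len(cols) == len(header):
            rows[(cols[0], cols[1])] = dict(zip(header[2:], map(int, cols[2:])))
    return rows

def enforcement_active(text, src_sgt, dst_sgt):
    """True when the src->dst SGACL shows both permits and denies (ping ok, telnet dropped)."""
    c = parse_rb_counters(text).get((src_sgt, dst_sgt))
    return bool(c) and (c["SW-Denied"] + c["HW-Denied"] > 0
                        and c["SW-Permitt"] + c["HW-Permitt"] > 0)
```

A trunk whose peer assignment reads "Untrusted" fails the first check, and a policy row with only permits (or no row at all) fails the second, which is how you would catch a trunk that silently strips tags or an SGACL that is not being hit.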

Conclusion

This is a very simple example of using SGTs inline between two Catalyst switches. These tags can be leveraged as an identifier and something to which policy may be applied. As we continue through this series of articles, we will continue to share more interesting use cases and methods for simplifying the segmentation and overall operation of a campus network.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
