Cisco TrustSec enables you to avoid the extensive manual maintenance required for traditional network segmentation, which uses VLANs and access control lists (ACLs) that are based on IP addresses. Cisco TrustSec simplifies network segmentation by dynamically organizing machines into logical groups, called security groups, and enabling security policies to be written using security group tags.
Cisco TrustSec uses the Cisco Identity Services Engine as a centralized policy management platform to gather contextual data about who and what is accessing your network. You can then use this information to create security groups and to assign access rights based on role, function, location, and other criteria. For more information about Cisco TrustSec, see Cisco TrustSec “At-a-Glance”.
The following support for the Cisco TrustSec functionality is included in ASA Device Package 1.2(5):
AAA server group - Configures the AAA server parameters for the ASA to communicate with the ISE server.
– Server group used for environment data retrieval, specifically the Security Group table from ISE
Configuring the Security Exchange Protocol (SXP) involves enabling the protocol in the ASA and setting the following values for SXP:
– The source IP address of SXP connections and SXP peer IP address and their role
Security groups in an access control entry to leverage SGT-to-IP mapping
Security object group
In the example below, only IP addresses that belong to the Security Group “Engineering” are allowed to access EPG App, while denying all other Security Groups.
Figure 1-1 Example Configuration
The PAC file from the ISE will need to be imported as part of pre-provisioning. Refreshing the environment data from the ISE will need to be done out-of-band.
For details about Configuring the ASA to Integrate with Cisco TrustSec, see: http://www.cisco.com/ c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/aaa_trustsec.pdf
Note Cisco Application Centric Infrastructure (ACI) does not have native support of the Security-group eXchange Protocol (SXP). Therefore, in order to use TrustSec in ASA for ACI, you must have an SXP-capable switch.
Cisco ACI is a distributed, scalable, multi-tenant infrastructure with external end-point connectivity controlled and grouped through application-centric policies. SXP is the protocol used to propagate the IP-to-SGT mapping database across network devices that do not have SGT-capable hardware support. The Cisco Application Policy Infrastructure Controller (APIC) is a unified point of automation, management, monitoring, and programmability for the Cisco ACI.
Tip To use TrustSec in ASA for ACI, changes to your network topology might be required. For details about the required topology and configuration examples, see the Cisco listing page shown below. This information will be available by March 14, 2016.
For more information about the features and benefits of Cisco TrustSec and Cisco ASA Device Package Software for ACI, see:
To upgrade, you do not need to remove the previous package if your APIC release has the fix for CSCuv4353. Otherwise, to upgrade from an older version to a newer, you need to remove the old version from APIC first, then install the new version.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.