IP-Prefix and SGT-Based SXP Filtering
Revised: May 31, 2017
The Security Group Tag (SGT) Exchange Protocol (SXP) is one of several protocols that support Cisco TrustSec. SXP is a control protocol for propagating IP-to-SGT binding information across network devices that cannot tag packets themselves. SXP passes IP-to-SGT bindings from authentication points to upstream devices in a network, so that security services on switches, routers, or firewalls can learn user identity information from access devices.
The IP-Prefix and SGT-Based SXP Filtering feature allows IP-to-SGT bindings to be filtered when they are exported or imported. The filtering can be based on the IP prefix, the SGT, or a combination of both.
This module describes this feature.
Restrictions for IP-Prefix and SGT-Based SXP Filtering
- No high availability support for the stateful synchronization of IP-SGT bindings in an SXP database between active and standby devices.
- Filters applied to an existing connection will take effect only on the subsequent bindings that are exported or imported. The filters do not apply to any bindings that have been exported or imported prior to applying the filters.
- Virtual Routing and Forwarding (VRF)-specific filtering is not supported, and a filter specified for a peer IP is applicable across all VRFs on the device.
- SGT values in filter rules will be a list of single SGT numbers. SGT ranges are not supported.
Information About IP-Prefix and SGT-Based SXP Filtering
Overview
IP-to-SGT filtering allows a device to selectively import or export only the bindings of interest. In an SXP connection, a filter can be configured on a device that acts as either a speaker or a listener; a speaker filter is applied while bindings are exported, and a listener filter while bindings are imported.
In the case of bidirectional SXP connections, filters are applied in either direction, depending on whether a speaker or a listener filter is configured. If a peer is part of both a speaker filter group and a listener filter group, filtering is applied in both directions.
Filters can be applied either on a peer-by-peer basis or globally (to all SXP connections). In both cases, the filter can be applied on the speaker side or on the listener side.
Filter Rules
A filter that needs to be applied on a device is created with a set of filter rules. Each filter rule specifies the action or actions to be taken for bindings with specific SGT values and/or IP-prefix values. Each binding is matched against the values specified in the filter rules; if a match is found, the corresponding action specified in the filter rule is applied. An action that can be applied on a selected binding is either a permit or a deny action. When a filter is enabled on the speaker or listener during the export or import of IP-SGT bindings, the bindings are filtered based on the filter rules.
If a rule is not specified for a binding in a filter list, the catch-all rule that is configured in the filter-list is executed. In the absence of a catch-all rule, the corresponding binding is implicitly denied.
Types of SXP Filtering
IP-SGT bindings are filtered in one of the following ways:
- SGT-based filtering: Filters IP-SGT bindings in an SXP connection based on the SGT value.
- IP-prefix based filtering: Filters IP-SGT bindings in an SXP connection based on the IP-prefix value.
- SGT and IP-prefix based filtering: Filter IP-SGT bindings in an SXP connection based on the SGT value and IP-prefix value.
The filter rules are applied to each IP-SGT binding individually.
How to Configure IP-Prefix and SGT-Based SXP Filtering
Configuring an SXP Filter List
In this step, a filter list is created to hold a set of rules. These rules filter the IP-SGT bindings by allowing bindings that are permitted and blocking bindings that are denied. Each rule can be based on an SGT, an IP prefix, or a combination of both.
If a filter list has no rule that matches a specific IP-SGT binding, the binding is implicitly denied unless a default (catch-all) rule is defined.
Step | Command or Action | Purpose
Step 1 | Device> enable | Enables privileged EXEC mode. Enter your password if prompted.
Step 2 | Device# configure terminal | Enters global configuration mode.
Step 3 | Device(config)# cts sxp filter-list filter-name | Configures a Cisco TrustSec filter list and enters filter-list configuration mode.
Step 4 | Device(config-filter-list)# [sequence-number] permit ipv4 ip-address/prefix deny sgt sgt-value | Configures a filter-list rule that combines an IPv4 prefix with one or more SGT values. The optional sequence number sets the rule's position in the list.
Step 5 | Device(config-filter-list)# exit | Exits filter-list configuration mode and returns to global configuration mode.
Step 6 | Device(config)# cts sxp filter-list filter-name | Configures a second Cisco TrustSec filter list and enters filter-list configuration mode.
Step 7 | Device(config-filter-list)# [sequence-number] deny sgt sgt-value permit ipv6 ipv6-address/prefix | Configures a filter-list rule that combines one or more SGT values with an IPv6 prefix.
Step 8 | Device(config-filter-list)# exit | Exits filter-list configuration mode and returns to global configuration mode.
Step 9 | Device(config)# cts sxp filter-list filter-name | Configures a third Cisco TrustSec filter list and enters filter-list configuration mode.
Step 10 | Device(config-filter-list)# [sequence-number] permit ipv6 ipv6-address/prefix permit sgt sgt-value permit | Configures a filter-list rule that combines an IPv6 prefix with one or more SGT values.
Step 11 | Device(config-filter-list)# end | Exits filter-list configuration mode and returns to privileged EXEC mode.
Configuring an SXP Filter Group
In this step, a set of peers is combined into a group, and a filter list is applied to the group. A filter group is defined as either a speaker group or a listener group. To apply the same filter list to all speakers or to all listeners, create a global speaker filter group or a global listener filter group instead.
Note Only one filter list can be attached to a filter group.
Step | Command or Action | Purpose
Step 1 | Device> enable | Enables privileged EXEC mode. Enter your password if prompted.
Step 2 | Device# configure terminal | Enters global configuration mode.
Step 3 | Device(config)# cts sxp filter-group listener listener-name | Configures an SXP listener filter group and enters filter-group configuration mode.
Step 4 | Device(config-filter-group)# filter filter-list-name | Attaches a filter list to the group. Only one filter list can be attached to a group.
Step 5 | Device(config-filter-group)# peer ip-address [ip-address ...] | Configures the IP address of one or more peers that belong to the group.
Step 6 | Device(config-filter-group)# exit | Exits filter-group configuration mode and returns to global configuration mode.
Step 7 | Device(config)# cts sxp filter-group speaker speaker-name | Configures an SXP speaker filter group and enters filter-group configuration mode.
Step 8 | Device(config-filter-group)# filter filter-list-name | Attaches a filter list to the group.
Step 9 | Device(config-filter-group)# peer ip-address [ip-address ...] | Configures the IP address of one or more peers that belong to the group.
Step 10 | Device(config-filter-group)# end | Exits filter-group configuration mode and returns to privileged EXEC mode.
Configuring a Global Listener or Speaker Filter Group
When a global listener or global speaker filter group is configured, the filter is applied across the device to every SXP connection on which the device acts as a listener or as a speaker, respectively.
When you attach a filter list to a filter group, the set of filter lists currently configured on the device is displayed as a help string.
Note The peer command is not available for the global listener and global speaker filter-group.
Step | Command or Action | Purpose
Step 1 | Device> enable | Enables privileged EXEC mode. Enter your password if prompted.
Step 2 | Device# configure terminal | Enters global configuration mode.
Step 3 | Device(config)# cts sxp filter-group listener global filter-list-name | Configures a global listener filter group that applies the named filter list to all connections on which the device is a listener.
Step 4 | Device(config)# cts sxp filter-group speaker global filter-list-name | Configures a global speaker filter group that applies the named filter list to all connections on which the device is a speaker.
Step 5 | Device(config)# end | Exits global configuration mode and returns to privileged EXEC mode.
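The per-peer filter groups and the global filter groups described in the two procedures above decide which filter list is in force on a given SXP connection. The following added example (not Cisco code and not part of the original page) reads filter-group configuration in the CLI syntax used on this page and answers, for one peer address and one local role, which filter lists apply. It follows the page's rules: a listener group filters imported bindings, a speaker group filters exported bindings, a peer named in both kinds of group is filtered in both directions, the global group for a role applies to every connection in that role, and a second filter line in one group is rejected because only one filter list can be attached to a group. Two assumptions are not stated on the page: when both a peer-specific group and a global group exist for the same role, both lists are reported (how IOS combines them is not described here), and the configuration lines and peer addresses are constructed for the example.

```python
"""Which SXP filter lists are in force for a peer, per direction? (added example)"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FilterGroup:
    name: str
    role: str                           # "listener" or "speaker"
    filter_list: Optional[str] = None   # at most one filter list per group
    peers: set = field(default_factory=set)
    is_global: bool = False


def parse_filter_groups(lines):
    """Parse 'cts sxp filter-group ...' blocks with their filter and peer lines."""
    groups, current = {}, None
    for raw in lines:
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["cts", "sxp", "filter-group"]:
            role = tokens[3] if len(tokens) > 4 else ""
            if role not in ("listener", "speaker"):
                raise ValueError(f"unrecognised filter-group line: {raw!r}")
            if tokens[4] == "global":
                # cts sxp filter-group {listener|speaker} global filter-list-name
                if len(tokens) != 6:
                    raise ValueError(f"global group needs a filter-list name: {raw!r}")
                groups[(role, "global")] = FilterGroup("global", role, tokens[5], is_global=True)
                current = None          # no sub-mode: 'peer' is not available for global groups
            else:
                current = FilterGroup(tokens[4], role)
                groups[(role, tokens[4])] = current
        elif tokens[0] in ("filter", "peer"):
            if current is None or len(tokens) < 2:
                raise ValueError(f"'{tokens[0]}' is not valid here: {raw!r}")
            if tokens[0] == "filter":
                if current.filter_list is not None:
                    raise ValueError(f"only one filter list per group: {raw!r}")
                current.filter_list = tokens[1]
            else:
                current.peers.update(tokens[1:])      # one or more peer IP addresses
        elif tokens[0] in ("exit", "end"):
            current = None
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return groups


def filters_for(groups, peer_ip, local_role):
    """Filter lists in force on the connection to peer_ip when this device is
    local_role: 'listener' filters imported bindings, 'speaker' exported ones.
    There is no VRF argument: a peer filter applies across all VRFs on the device.
    Assumption: a peer-specific list and a global list are both reported."""
    applied = [g.filter_list for g in groups.values()
               if g.role == local_role and g.filter_list is not None
               and (g.is_global or peer_ip in g.peers)]
    return sorted(applied)


# Constructed sample configuration (not from the page).
CONFIG = [
    "cts sxp filter-group listener group1",
    " filter filter1",
    " peer 172.16.0.1 192.168.0.1",
    " exit",
    "cts sxp filter-group speaker group2",
    " filter filter2",
    " peer 192.168.0.1",
    " exit",
    "cts sxp filter-group speaker global filter3",
]

if __name__ == "__main__":
    groups = parse_filter_groups(CONFIG)
    for peer in ("172.16.0.1", "192.168.0.1", "10.0.0.1"):
        for role in ("listener", "speaker"):
            print(peer, role, filters_for(groups, peer, role))
```

In the sample, 192.168.0.1 is in both a listener group and a speaker group, so it is filtered in both directions, and every speaker connection additionally picks up the global speaker list; 10.0.0.1 is in no peer group and is only touched by the global speaker filter.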
Enabling SXP Filtering
After the SXP filter list and filter groups are configured, you must enable filtering.
Step | Command or Action | Purpose
Step 1 | Device> enable | Enables privileged EXEC mode. Enter your password if prompted.
Step 2 | Device# configure terminal | Enters global configuration mode.
Step 3 | Device(config)# cts sxp filter-enable | Enables SXP filtering on the device. Until this command is entered, the configured filter lists and filter groups have no effect.
Step 4 | Device(config)# end | Exits global configuration mode and returns to privileged EXEC mode.
Step 5 | Device# show cts sxp filter-list filter-name | Displays the filter lists configured on the device, along with the filter rules in each filter list.
Configuring the Default or Catch-All Rule
The default or catch-all rule is applied on IP-SGT bindings for which there was no match with any of the rules in the filter list. If a default rule is not specified, these IP-SGT bindings are denied.
Define the default or catch-all rule in the filter-list configuration mode of the corresponding filter list.
Step | Command or Action | Purpose
Step 1 | Device> enable | Enables privileged EXEC mode. Enter your password if prompted.
Step 2 | Device# configure terminal | Enters global configuration mode.
Step 3 | Device(config)# cts sxp filter-list filter-name | Configures a Cisco TrustSec filter list and enters filter-list configuration mode.
Step 4 | Device(config-filter-list)# permit ipv4 ip-address/prefix | Permits bindings whose address matches the IPv4 prefix. For a catch-all rule, use a /0 prefix, which matches all IPv4 addresses.
Step 5 | Device(config-filter-list)# deny ipv6 ipv6-address/prefix | Denies bindings whose address matches the IPv6 prefix. For a catch-all rule, use a /0 prefix, which matches all IPv6 addresses.
Step 6 | Device(config-filter-list)# permit sgt all | Permits bindings corresponding to all SGTs.
Step 7 | Device(config-filter-list)# end | Exits filter-list configuration mode and returns to privileged EXEC mode.
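The rule evaluation described under Filter Rules and the default-rule behaviour described in this procedure (first matching rule decides, otherwise the catch-all rule, otherwise implicit deny) can be dry-run off the device before a filter is attached to a production peer. The following added example (not Cisco code and not part of the original page) parses single-condition rules in the CLI syntax shown on this page and reports, for each IP-SGT binding, the verdict and the rule that produced it. It enforces two restrictions stated on the page (SGT ranges are not accepted; a filter list holds at most 128 rules) and makes three modelling assumptions that the page does not state: catch-all rules (a /0 prefix or sgt all) are consulted only after the specific rules regardless of their sequence number, a rule without a sequence number is assigned the previous number plus 10, and rules that combine a prefix and an SGT list on one line are rejected rather than modelled. The filter list and binding table are constructed for the example.

```python
"""Dry-run an SXP filter list against IP-SGT bindings (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass

MAX_RULES_PER_LIST = 128  # limit stated in the syslog section of this page


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                 # "permit" or "deny"
    network: object = None      # ipaddress network for prefix rules, else None
    sgts: frozenset = frozenset()
    sgt_all: bool = False

    def is_catch_all(self):
        # A /0 prefix or 'sgt all' matches every binding of its kind
        return self.sgt_all or (self.network is not None and self.network.prefixlen == 0)

    def matches(self, ip, sgt):
        if self.network is not None:
            return ip.version == self.network.version and ip in self.network
        return self.sgt_all or sgt in self.sgts


def parse_filter_list(lines, seq_step=10):
    """Parse filter-list rules in the CLI syntax used on this page."""
    rules, next_seq = [], seq_step
    for raw in lines:
        tokens = raw.split()
        if not tokens:
            continue
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else next_seq  # assumed auto-numbering
        if len(tokens) < 3 or tokens[0] not in ("permit", "deny"):
            raise ValueError(f"unrecognised rule: {raw!r}")
        action, kind, args = tokens[0], tokens[1], tokens[2:]
        if kind in ("ipv4", "ipv6"):
            if len(args) != 1:
                raise ValueError(f"combined prefix+SGT rules are not modelled: {raw!r}")
            # strict=False accepts host bits, as in the page's 2001:db8::1/64
            net = ipaddress.ip_network(args[0], strict=False)
            if net.version != (4 if kind == "ipv4" else 6):
                raise ValueError(f"address family mismatch: {raw!r}")
            rules.append(Rule(seq, action, network=net))
        elif kind == "sgt":
            if args == ["all"]:
                rules.append(Rule(seq, action, sgt_all=True))
            elif all(a.isdigit() for a in args):   # list of single SGT numbers only
                rules.append(Rule(seq, action, sgts=frozenset(map(int, args))))
            else:
                raise ValueError(f"SGT ranges are not supported: {raw!r}")
        else:
            raise ValueError(f"unrecognised rule: {raw!r}")
        next_seq = seq + seq_step
    if len(rules) > MAX_RULES_PER_LIST:
        raise ValueError(f"more than {MAX_RULES_PER_LIST} rules in one filter list")
    return sorted(rules, key=lambda r: r.seq)


def evaluate(rules, ip_str, sgt):
    """Return (verdict, seq); seq is None when the implicit deny applied."""
    ip = ipaddress.ip_address(ip_str)
    for rule in rules:                       # specific rules in sequence order, first match wins
        if not rule.is_catch_all() and rule.matches(ip, sgt):
            return rule.action, rule.seq
    for rule in rules:                       # then the catch-all rule, if one is configured
        if rule.is_catch_all() and rule.matches(ip, sgt):
            return rule.action, rule.seq
    return "deny", None                      # no match and no catch-all: implicit deny


def filter_bindings(rules, bindings):
    """Bindings that survive the filter, i.e. what a listener imports or a speaker exports."""
    return [(ip, sgt) for ip, sgt in bindings if evaluate(rules, ip, sgt)[0] == "permit"]


# Constructed sample filter list and binding table (not from the page).
FILTER1 = ["10 permit ipv4 10.1.1.0/24", "20 deny sgt 3 4",
           "30 permit ipv6 2001:db8::/64", "permit sgt all"]
BINDINGS = [("10.1.1.5", 3), ("10.2.0.9", 3), ("10.2.0.10", 7),
            ("2001:db8::a", 4), ("2001:db9::1", 9)]

if __name__ == "__main__":
    rules = parse_filter_list(FILTER1)
    for ip, sgt in BINDINGS:
        print(ip, sgt, *evaluate(rules, ip, sgt))
    print("kept:", filter_bindings(rules, BINDINGS))
```

Running it shows why rule order matters: 10.1.1.5 with SGT 3 is permitted by rule 10 before the SGT deny at rule 20 is reached, while 10.2.0.9 with the same SGT is denied. Dropping the final permit sgt all turns every unmatched binding (for example 10.2.0.10 with SGT 7) into an implicit deny, and a permit ipv4 0.0.0.0/0 catch-all covers only IPv4 bindings, so IPv6 bindings still need their own default rule.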
Configuration Examples for IP-Prefix and SGT-Based SXP Filtering
Example: Configuring an SXP Filter List
Device# configure terminal
Device(config)# cts sxp filter-list filter1
Device(config-filter-list)# permit ipv4 10.1.1.0/24 deny sgt 3 4
Device(config-filter-list)# exit
Device(config)# cts sxp filter-list filter2
Device(config-filter-list)# permit sgt all
Device(config-filter-list)# exit
Device(config)# cts sxp filter-list filter3
Device(config-filter-list)# deny ipv6 2001:db8::1/64 permit sgt 67
Device(config-filter-list)# end
Example: Configuring an SXP Filter Group
Device# configure terminal
Device(config)# cts sxp filter-group listener group1
Device(config-filter-group)# filter filter1
Device(config-filter-group)# peer 172.16.0.1 192.168.0.1
Device(config-filter-group)# exit
Device(config)# cts sxp filter-group listener global filter2
Example: Enabling SXP Filtering
Device# configure terminal
Device(config)# cts sxp filter-enable
Example: Configuring the Default or Catch-All Rule
The following example shows how to create default prefix rules. A /0 prefix matches every address of its family, so the first rule permits all remaining IPv4 bindings and the second denies all remaining IPv6 bindings:
Device(config)# cts sxp filter-list filter1
Device(config-filter-list)# permit ipv4 10.0.0.0/0
Device(config-filter-list)# deny ipv6 2001:db8::1/0
The following example shows how to create a default SGT rule that permits bindings corresponding to all SGTs:
Device(config)# cts sxp filter-list filter_1
Device(config-filter-list)# permit sgt all
Verifying IP-Prefix and SGT-Based SXP Filtering
To verify the configuration, use the following commands:
The debug cts sxp filter events command logs events related to the creation, removal, and update of filter lists and filter groups. It also captures the match and action events that occur while bindings are being filtered.
Device# debug cts sxp filter events
The following sample output from the show cts sxp filter-group speaker command displays SXP speaker filter groups:
Device# show cts sxp filter-group speaker group1
Peer-list: 172.16.0.1 192.168.0.1
The following sample output from the show cts sxp filter-group listener command displays SXP listener filter groups:
Device# show cts sxp filter-group listener
Global Listener Filter: Not configured
Peer-list: 172.16.0.1 192.168.0.1
Peer-list: 192.0.2.1, 198.51.100.1, 203.0.113.1
The following sample output from the show cts sxp filter-group speaker detailed command displays detailed information about SXP speaker filter groups:
Device# show cts sxp filter-group speaker group1 detailed
20 deny prefix 10.1.0.0/16
Peer-list: 172.16.0.1 192.168.0.1
The following sample output from the show cts sxp filter-group command displays information about all configured filter groups:
Device# show cts sxp filter-group
Global Listener Filter: Not configured
Global Speaker Filter: Not configured
Peer-list: 172.16.0.1 192.168.0.1
Peer-list: 192.0.2.1, 198.51.100.1, 203.0.113.1
Peer-list: 172.16.0.1 192.168.0.13
Peer-list: 192.0.2.1, 198.51.100.1, 203.0.113.1
The following sample output from the show cts sxp filter-group detailed command displays detailed information about all configured SXP filter groups:
Device# show cts sxp filter-group detailed
Global Listener Filter: Configured
Global Speaker Filter: Configured
20 deny prefix 172.16.0.0/16
Peer-list: 172.16.0.1, 192.168.0.13
20 deny prefix 172.16.0.0/16
Peer-list: 192.0.2.1, 198.51.100.1, 203.0.113.1
20 deny prefix 172.16.0.0/16
Peer-list: 10.10.10.1, 172.16.0.1, 192.168.0.13
20 deny prefix 172.16.0.0/16
Peer-list: 192.0.2.1, 198.51.100.1, 203.0.113.1
Syslog Messages for SXP Filtering
Syslog messages for SXP filtering are generated to indicate the various events related to filtering.
Syslog Messages for Filter Rules
The maximum number of rules that can be configured in a single filter list is 128. The following message is generated each time the number of rules configured in a single filter list crosses a further 20% of that limit:
CTS SXP filter rules exceed %[ ] threshold. Reached count of [count] out of [max] in filter [filter-name].
The following message is generated when the number of rules configured in a single filter list reaches 95% of the maximum:
CTS SXP filter rules exceed [ ] threshold. Reached count of [count] out of [max] in filter [filter-name].
The following message is generated when the number of rules configured in a single filter list reaches the maximum, and no more rules can be added:
Reached maximum filter rules. Could not add new rule in filter [filter-name]
Syslog Messages for Filter Lists
The maximum number of filter lists that can be configured is 256. The following message is generated each time the number of configured filter lists crosses a further 20% of that limit:
CTS SXP filter rules exceed %[ ] threshold. Reached count of [count] out of [max]
The following message is generated when the number of configured filter lists reaches 95% of the maximum:
CTS SXP filter rules exceed %[ ] threshold. Reached count of [count] out of [max]
The following message is generated when the number of configured filter lists reaches the maximum, and no more filter lists can be added:
Reached maximum filter count. Could not add new filter
Feature Information for IP-Prefix and SGT-Based SXP Filtering
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 Feature Information for IP-Prefix and SGT-Based SXP Filtering
Feature Name | Releases | Feature Information
IP-Prefix and SGT-Based SXP Filtering | Cisco IOS Release 15.2(6)E | The IP-Prefix and SGT-Based SXP Filtering feature provides a filtering mechanism that addresses scaling problems caused by large numbers of IP-SGT bindings. The following commands were introduced: debug cts sxp filter events, cts sxp filter-list, cts sxp filter-group, cts sxp filter-enable, show cts sxp filter-group, show cts sxp filter-list.