Cisco TrustSec SGACL High Availability

Cisco TrustSec Security Group access control lists (SGACLs) support the high availability functionality in switches that support the Cisco StackWise technology. This technology provides stateful redundancy and allows a switch stack to enforce and process access control entries.

There is no Cisco TrustSec-specific configuration to enable this functionality, which is supported in Cisco IOS XE Denali 16.2.1 and later.

This chapter consists of these sections:

Prerequisites for Cisco TrustSec SGACL High Availability

This document assumes the following:

  • An understanding of Cisco TrustSec and the SGACL configuration.
  • Switches are configured to function as a stack. For more information, see the “ Managing Switch Stacks” chapter of the Software Configuration Guide, Cisco IOS XE Denali 16.1.1 (Catalyst 3850 Switches).
  • All the switches in the stack are running an identical version of Cisco IOS XE software.

Restrictions for Cisco TrustSec SGACL High Availability

  • When both active and standby switches fail simultaneously, stateful switchover of SGACL does not occur.

Information About Cisco TrustSec SGACL High Availability

High Availability Overview

In a switch stack, the stack manager assigns the switch with the highest priority as the active switch, and the switch with the next highest priority as the standby switch. During an automatic or a CLI-based stateful switchover, the standby switch becomes the active switch and the switch with the next highest priority becomes the standby switch and so on.

Operation data is synchronized from the active switch to the standby switch, during initial system bootup, changes in the operational data (also called Change of Authorization [CoA]), or operational data refresh.

During a stateful switchover, the newly active switch, requests and downloads the operation data. The environment data (ENV-data) and the Role-Based access control lists (RBACLs) are not updated until the refresh time is complete.

The following operation data is downloaded to the active switch:

  • Environment Data (ENV-data)—A variable length field that consists of the preferred server list to get the RBACL information at the time of refresh or initialization.
  • Protected Access Credential (PAC)—A shared secret that is mutually and uniquely shared between the switch and the authenticator to secure an Extensible Authentication Protocol Flexible Authentication via the Secure Tunneling (EAP-FAST) tunnel.
  • Role-Based Policy (RBACL or SGACL)—A variable-length role-based policy list that consists of policy definitions for all the Security Group Tag (SGT) mappings on the switch.
note.gif

Noteblank.gif Cisco TrustSec credential that consists of the device ID and password details is run as a command on the active switch.


Verifying Cisco TrustSec SGACL High Availability

To verify the Cisco TrustSec SGACL high availability configuration, run the show cts role-based permissions command on both the active and standby switches. The output from the command must be the same on both switches.

The following is sample output from the show cts role-based permissions command on the active switch:

Device# show cts role-based permissions
 
IPv4 Role-based permissions default (monitored):
default_sgacl-01
Deny IP-00
IPv4 Role-based permissions from group 10:SGT_10 to group 15:SGT_15:
SGACL_3-01
IPv4 Role-based permissions from group 14:SGT_14 to group 15:SGT_15:
multple_ace-14
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

 

The following is sample output from the show cts role-based permissions command on the standby switch:

Device-stby# show cts role-based permissions
IPv4 Role-based permissions default (monitored):
default_sgacl-01
Deny IP-00
IPv4 Role-based permissions from group 10:SGT_10 to group 15:SGT_15:
SGACL_3-01
IPv4 Role-based permissions from group 14:SGT_14 to group 15:SGT_15:
multple_ace-14
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

 

After a stateful switchover, run the following commands on the active switch to verify the feature:

The following is sample output from the show cts pacs command:

Device# show cts pacs
 
AID: A3B6D4D8353F102346786CF220FF151C
PAC-Info:
PAC-type = Cisco Trustsec
AID: A3B6D4D8353F102346786CF220FF151C
I-ID: CTS_ED_21
A-ID-Info: Identity Services Engine
Credential Lifetime: 17:22:32 IST Mon Mar 14 2016
PAC-Opaque: 000200B80003000100040010A3B6D4D8353F102346786CF220FF151C0006009C00030100E044B2650D8351FD06F23623C470511E0000001356DEA96C00093A80538898D40F633C368B053200D4C9D2422A7FEB4837EA9DBB89D1E51DA4E7B184E66D3D5F2839C11E5FB386936BB85250C61CA0116FDD9A184C6E96593EEAF5C39BE08140AFBB194EE701A0056600CFF5B12C02DD7ECEAA3CCC8170263669C483BD208052A46C31E39199830F794676842ADEECBBA30FC4A5A0DEDA93
Refresh timer is set for 01:00:05

 

The following is sample output from the show cts environment-data command:

Device# show cts environment-data
 
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
SGT tag = 0:Unknown
Server List Info:
Installed list: CTSServerList1-000D, 1 server(s):
*Server: 10.78.105.47, port 1812, A-ID A3B6D4D8353F102346786CF220FF151C
Status = ALIVE
auto-test = FALSE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
0001-45 :
0-00:Unknown
2-ba:SGT_2
3-00:SGT_3
4-00:SGT_4
5-00:SGT_5
6-00:SGT_6
7-00:SGT_7
8-00:SGT_8
9-00:SGT_9
10-16:SGT_10
!
!
!
Environment Data Lifetime = 3600 secs
Last update time = 14:32:53 IST Mon Mar 14 2016
Env-data expires in 0:00:10:04 (dd:hr:mm:sec)
Env-data refreshes in 0:00:10:04 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running

 

The following is sample output from the show cts role-based permissions command after a stateful switchover:

Device# show cts role-based permissions
 
IPv4 Role-based permissions default:
default_sgacl-01
Deny IP-00
IPv4 Role-based permissions from group 10:SGT_10 to group 15:SGT_15:
SGACL_3-01
IPv4 Role-based permissions from group 14:SGT_14 to group 15:SGT_15:
multple_ace-14
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

 

Additional References for Configuring Cisco TrustSec SGACL High Availability

Related Documents

Related Topic
Document Title

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

Cisco TrustSec configuration guide

Cisco TrustSec Switch Configuration Guide

Managing Switch Stacks

Managing Switch Stacks ” chapter in the Software Configuration Guide, Cisco IOS XE Denali 16.1.1 (Catalyst 3850 Switches)

Technical Assistance

Description
Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for Cisco TrustSec SGACL High Availability

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

note.gif

Noteblank.gif Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.


 

Table 1 Feature Information for Cisco TrustSec SGACL High Availability

Feature Name
Releases
Feature Information

Cisco TrustSec SGACL High Availability

Cisco IOS XE Denali 16.2.1

Cisco TrustSec Security Group access control lists (SGACLs) support the high availability functionality available on the switch stack manager.

There is no Cisco TrustSec-specific configuration to enable this functionality. This functionality is only available on switches that have the stack manager architecture and use Cisco IOS XE Denali 16.2.1 and later.