Log into ISE

Because there is no policy exchange between the Campus and the Data Center, all coordination of user access to applications is done manually, either in the Data Center or in the firewalls protecting it. This can result in errors and inconsistent enforcement.

 

ACI with SD-Access (Cisco DNA Center & ISE) integration provides seamless and consistent identity and endpoint mapping between the campus/branch office and the Data Center.

 

In this short walkthrough demo, we will see how easy it is to perform this integration so that only the correct finance user has access to the finance servers (applications).

TrustSec ACI Policy Element Exchange

Once you log into the Identity Services Engine (ISE), proceed to the ACI settings page. Here you will add a few accessibility details for the APIC and, more importantly, append the Security Group Tag (SGT) and Endpoint Group (EPG) tags.

 

That's it, this is all the information required to complete the integration from the ISE perspective. In the next few screens, we will need to add a few details such that the APIC will understand the TrustSec-ACI policy exchange.

 

Log into APIC

Policy is dynamically translated and tracked in both security domains. This integration maps user identities and security group tags in the Campus/branch into Cisco APIC application endpoint identities and endpoint groups in order to determine, through policies, the role of users and devices in the network before granting access to applications. To enable groups from the ACI domain to be used in the TrustSec domain, ISE synchronizes internal EPGs from the APIC-DC controller and creates corresponding Security Groups in the SD-Access fabric. ISE also synchronizes Security Groups and their associated IP-to-Security-Group mappings into the APIC External EPG (EEPG) and subnet configuration.

 

Choose the application to which you wish to extend the policy

Select the tenant with which ISE is integrated to share policy information. Our finance user will need to access this application.

 

Why is this step important?

Today enterprise customers have to deal with disjointed Campus/branch and Data Center identity and security policy domains. This can lead to inconsistent policy and a compromised security posture, potentially leaving openings for new attack vectors.

 

Select the EPGs to be shared

These Data Center endpoint groups within the selected tenant (the IOT_Apps and Finance EPGs) are shared into ISE.

Finance EPG mapping

In addition to the group information, the IP addresses of the connected endpoints from the Campus are shared in. This information is necessary to enforce policy on endpoint traffic coming into the Data Center.

 

Select the user group

Select the Finance user group (scalable group / External EPG) to continue.

 

This is the most important step, where the association of the policies from the campus to the Data Center happens. The integration maps user identities and security group tags in the Campus/branch into Cisco APIC application endpoint identities and endpoint groups, so that policy can determine the role of users and devices in the network before granting access to applications.

Create the desired whitelist policy

Here we will create the whitelist policy between Finance and Finance Server by dragging the contract icon between the EPGs.

Apply the contract

Apply the contract for communication between the EPGs.

Policy created

The desired policy with the contracts created earlier is now in place.

 

The complementary group-based policy approach used by SD Access and ACI vastly simplifies security design, operations and compliance. Understanding the user identities and mapping them consistently to end points and applications throughout the entire network - from Campus to Data Center and vice versa – is critical for quickly identifying which branches or users have access to specific applications or resources.

Log into Cisco DNA Center

We will now log in to Cisco DNA Center to finish creating a policy similar to the one we created in APIC.

Cisco DNA Center dashboard

Cisco DNA Center is a complete software-based network automation and assurance solution. It's the dashboard for control and management of our intent-based networking solution, Cisco DNA.

Navigate to the "Policy" tab to create the required policy.

EPGs in Cisco DNA Center

By virtue of the integration, the EPGs are shared into Cisco DNA Center.

Create a policy

Create a policy to allow web access from Finance to Finance Servers.

Choose the contracts

Choose the contract.

Add desired groups to the contract

Drag and drop the source and destination groups and save.

Policy is deployed

Policy is automatically “deployed” to the network through ISE.

EPG IP mapping

Here we see the IPs associated with the EPGs learned from ACI. These are necessary for network devices to enforce traffic based on the Group-Based Policy.
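The two-way exchange and the whitelist enforcement described on this page, as an added conceptual model: it is constructed for illustration and is not Cisco ISE, APIC or DNA Center code, nor a call to any of their APIs. It shows internal EPGs learned from APIC becoming ISE security groups, ISE security groups with their IP-to-SGT mappings becoming external EPGs with subnets on APIC, and a Finance to Finance_Servers contract being checked per flow, so an unmapped source, a non-finance group, a non-finance destination or a non-web port is denied. Group names, subnets, SGT values and ports are constructed sample values.

```python
# Conceptual model of the TrustSec/ACI policy exchange (constructed illustration,
# not Cisco ISE, APIC or DNA Center code or API calls).
import ipaddress

# Constructed inventory: internal EPGs (and subnets) in the APIC tenant shared with ISE.
APIC_INTERNAL_EPGS = {"Finance_Servers": "10.10.20.0/24", "IOT_Apps": "10.10.30.0/24"}
# Constructed ISE security groups (name -> SGT) and campus IP-to-SGT mappings.
ISE_SECURITY_GROUPS = {"Finance": 16, "Guests": 17}
ISE_IP_SGT_MAPPINGS = {"10.1.5.0/24": "Finance", "10.1.9.0/24": "Guests"}
# Constructed whitelist: one contract, Finance -> Finance_Servers, web ports only.
CONTRACTS = {("Finance", "Finance_Servers"): {80, 443}}


def sync_epgs_to_ise(internal_epgs, security_groups, next_sgt=100):
    """ISE side: create a security group for each internal EPG learned from APIC."""
    groups = dict(security_groups)
    for name in sorted(internal_epgs):
        if name not in groups:
            groups[name] = next_sgt  # SGT numbering is an assumption of this model
            next_sgt += 1
    return groups


def sync_sgts_to_apic(security_groups, ip_sgt_mappings):
    """APIC side: each ISE security group becomes an external EPG with its subnets."""
    eepgs = {name: [] for name in security_groups}
    for subnet, group in ip_sgt_mappings.items():
        eepgs[group].append(ipaddress.ip_network(subnet))
    return eepgs


def group_for_ip(ip, external_epgs, internal_epgs):
    """Resolve an address to its group: external EPGs first, then internal EPGs."""
    addr = ipaddress.ip_address(ip)
    for name, subnets in external_epgs.items():
        if any(addr in subnet for subnet in subnets):
            return name
    for name, subnet in internal_epgs.items():
        if addr in ipaddress.ip_network(subnet):
            return name
    return None  # unmapped endpoint


def is_permitted(src_ip, dst_ip, dst_port, external_epgs, internal_epgs, contracts=CONTRACTS):
    """Whitelist enforcement: allow only if a contract covers the group pair and port."""
    src = group_for_ip(src_ip, external_epgs, internal_epgs)
    dst = group_for_ip(dst_ip, external_epgs, internal_epgs)
    if src is None or dst is None:
        return False  # no group, no contract: denied
    return dst_port in contracts.get((src, dst), set())
```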