Introduction
This document describes how to configure and verify Cisco Inline Tagging on a Cisco Catalyst 9300 switch.
Requirements
Cisco recommends that you have knowledge of these topics:
- Basic knowledge of Cisco TrustSec (CTS) components
- Basic knowledge of CLI configuration on Catalyst switches
- Experience with Identity Services Engine (ISE) configuration
You must have Cisco ISE deployed in your network, and end users must authenticate to Cisco ISE through 802.1x (or another method) when they connect to the wired network. Cisco ISE assigns a Security Group Tag (SGT) once the endpoint has authenticated to your wired network.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco Identity Services Engine running 3.0 P5
- Cisco Catalyst 9300 switch running 17.03.02a
- Cisco Catalyst 9300 switch running 17.07.01
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
Inline tagging is enforced at the access layer because that is the first point of contact for the information; in other words, all of your endpoint devices are connected to the access layer. Once the access-layer device has classified the traffic, that classification must be shared with the device that enforces it. For this purpose the NAS can add 20 bytes to the Ethernet frame: the Cisco MetaData (CMD) field of the frame, which contains the SGT.
Configuration
Network Diagram
Topology diagram
- PC1 authenticates and ISE dynamically assigns SGT 3.
- Inline tagging between C9300A and C9300B.
- PC2 authenticates and ISE dynamically assigns SGT 17.
- C9300B enforces the policy on ICMP traffic from SGT 3 to SGT 17.
Inline Tagging
C9300A
interface TwoGigabitEthernet1/0/4
switchport trunk allowed vlan 761
switchport mode trunk
cts manual
policy static sgt 2 trusted
end
C9300B
interface GigabitEthernet1/0/4
switchport trunk allowed vlan 761
switchport mode trunk
cts manual
policy static sgt 2 trusted
end
Inline tagging must be enabled with the commands cts manual and policy static. The sgt used in the command can be the SGT of the network device or any placeholder. The trusted keyword tells the switch to honor the SGT carried in the CMD header of received traffic. Without the trusted keyword, the switch tags all traffic that enters through that interface with the configured SGT.
Verify
Access session downloads the SGT
PC1
Switch#show authentication session interface Tw1/0/3 details
Interface: TwoGigabitEthernet1/0/3
IIF-ID: 0x1FB0D90E
MAC Address: 507b.9df0.34bb
IPv6 Address: Unknown
IPv4 Address: 10.4.16.142
User-Name: 50-7B-9D-F0-34-BB
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 3D781F0A0000000F2AE95F4A
Acct Session ID: 0x00000005
Handle: 0x02000004
Current Policy: POLICY_Tw1/0/3
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Server Policies:
SGT Value: 3
Method status list:
Method State
mab Authc Success
PC2
Switch#show authentication session interface Gi1/0/1 details
Interface: GigabitEthernet1/0/1
IIF-ID: 0x1D1CA5C7
MAC Address: 507b.9df8.02ed
IPv6 Address: fe80::114c:dce1:ffa1:1642
IPv4 Address: 10.4.16.141
User-Name: 50-7B-9D-F8-02-ED
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 21781F0A000000242AF41195
Acct Session ID: 0x00000004
Handle: 0x4300000f
Current Policy: POLICY_Gi1/0/1
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Server Policies:
SGT Value: 17
Method status list:
Method State
mab Authc Success
Switch learns the IP-SGT binding
C9300A
Switch#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
10.4.16.142 3 LOCAL
C9300B
Switch#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
10.4.16.141 17 LOCAL
10.31.120.33 2 INTERNAL
Authorization status between C9300A and C9300B
C9300A
Switch#show cts interface Two 1/0/4
Global Dot1x feature is Disabled
Interface TwoGigabitEthernet1/0/4:
CTS is enabled, mode: MANUAL
IFC state: OPEN
Interface Active for 01:36:44.332
Authentication Status: NOT APPLICABLE
Peer identity: "unknown"
Peer's advertised capabilities: ""
Authorization Status: SUCCEEDED
Peer SGT: 2:TrustSec_Devices
Peer SGT assignment: Trusted
SAP Status: NOT APPLICABLE
Propagate SGT: Enabled
Cache Info:
Expiration : N/A
Cache applied to link : NONE
Statistics:
authc success: 0
authc reject: 0
authc failure: 0
authc no response: 0
authc logoff: 0
sap success: 0
sap fail: 0
authz success: 0
authz fail: 0
port auth fail: 0
L3 IPM: disabled.
C9300B
Switch#show cts interfac Gig 1/0/4
Global Dot1x feature is Disabled
Interface GigabitEthernet1/0/4:
CTS is enabled, mode: MANUAL
IFC state: OPEN
Interface Active for 01:34:18.433
Authentication Status: NOT APPLICABLE
Peer identity: "unknown"
Peer's advertised capabilities: ""
Authorization Status: SUCCEEDED
Peer SGT: 2:TrustSec_Devices
Peer SGT assignment: Trusted
SAP Status: NOT APPLICABLE
Propagate SGT: Enabled
Cache Info:
Expiration : N/A
Cache applied to link : NONE
Statistics:
authc success: 0
authc reject: 0
authc failure: 0
authc no response: 0
authc logoff: 0
sap success: 0
sap fail: 0
authz success: 0
authz fail: 0
port auth fail: 0
L3 IPM: disabled.
Troubleshoot
To troubleshoot any issue, consider:
- Frames are always tagged at the ingress port of an SGT-capable device.
- The tagging process happens before other L2 services, for example QoS.
- There is no impact on IP MTU/fragmentation.
- L2 frame MTU impact: about 40 bytes (about 1600 bytes versus 1552 bytes MTU)
- MACsec is optional on capable hardware.
Packet Capture / EPC
Inline tagging flow
If you want to troubleshoot inline tagging, you need to take the packet capture at ingress.
Tip: If you take the pcap on the uplink in software, you do not see the tag, because the tag is added at the interface level, so the EPC is taken before the tag is applied.
Note: There are also some exceptions, such as the C4500. Because of the C4500 architecture, it cannot detect the CMD header even if you take the pcap at the ingress interface. For this particular case, you can use Netflow with the Netflow TrustSec configuration.
Embedded Packet Capture (EPC) on the ingress port of C9300B
Switch#monitor capture test interface Gig 1/0/4 both
Switch#monitor capture test match any
Switch#monitor capture test start
<...>
Switch#monitor capture test stop
Once the EPC is taken, you can check the frame number of the ICMP request with the show monitor capture buffer brief command.
Switch#show monitor capture test buffer
..
..
44 17.059569 10.4.16.142 → 10.4.16.141 ICMP 86 Echo (ping) request id=0x0001, seq=147/37632, ttl=128
45 17.061079 10.4.16.141 → 10.4.16.142 ICMP 74 Echo (ping) reply id=0x0001, seq=147/37632, ttl=128 (request in 44)
..
..
From the previous output, observe that the ICMP packet is in frame 44. Now you can run the command show monitor capture <name> buffer detailed | begin Frame <number> to see its contents:
..
..
Frame 44: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Interface id: 0 (/tmp/epc_ws/wif_to_ts_pipe)
Interface name: /tmp/epc_ws/wif_to_ts_pipe
Encapsulation type: Ethernet (1)
Arrival Time: Jun 3, 2022 19:12:00.140014000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1654283520.140014000 seconds
[Time delta from previous captured frame: 0.362660000 seconds]
[Time delta from previous displayed frame: 0.362660000 seconds]
[Time since reference or first frame: 17.059569000 seconds]
Frame Number: 44
Frame Length: 86 bytes (688 bits)
Capture Length: 86 bytes (688 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:vlan:ethertype:cmd:ethertype:ip:icmp:data]
Ethernet II, Src: 50:7b:9d:f0:34:bb (50:7b:9d:f0:34:bb), Dst: 50:7b:9d:f8:02:ed (50:7b:9d:f8:02:ed)
Destination: 50:7b:9d:f8:02:ed (50:7b:9d:f8:02:ed)
Address: 50:7b:9d:f8:02:ed (50:7b:9d:f8:02:ed)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 50:7b:9d:f0:34:bb (50:7b:9d:f0:34:bb)
Address: 50:7b:9d:f0:34:bb (50:7b:9d:f0:34:bb)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 761
000. .... .... .... = Priority: Best Effort (default) (0)
...0 .... .... .... = DEI: Ineligible
.... 0010 1111 1001 = ID: 761
Type: CiscoMetaData (0x8909)
Cisco MetaData <<<<<<<<<<<<<<<<<<<<<<< CMD header
Version: 1
Length: 1
Options: 0x0001
SGT: 3 <<<<<<<<<<<<<<<<<<<<<<<<<< SGT of PC1
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.4.16.142, Dst: 10.4.16.141
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 60
Identification: 0x7d1f (32031)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 128
Protocol: ICMP (1)
Header checksum: 0x887f [validation disabled]
[Header checksum status: Unverified]
Source: 10.4.16.142
Destination: 10.4.16.141
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0x4cc8 [correct]
[Checksum Status: Good]
Identifier (BE): 1 (0x0001)
Identifier (LE): 256 (0x0100)
Sequence number (BE): 147 (0x0093)
Sequence number (LE): 37632 (0x9300)
Data (32 bytes)
0000 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 abcdefghijklmnop
0010 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
Data: 6162636465666768696a6b6c6d6e6f707172737475767761...
[Length: 32]
..
..
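As an added example (not part of the original document or of Cisco's own tooling), the following Python script rebuilds Frame 44 byte by byte from the field values decoded above and walks the headers the way the capture shows them: Ethernet, 802.1Q, the Cisco MetaData (CMD) header carrying the SGT, IPv4 and ICMP. It verifies the IP and ICMP checksums printed in the decode (0x887f and 0x4cc8) and also produces the same frame with the CMD header removed, so you can compare what a link with and without inline tagging carries. The CMD field layout (version, length, option type, SGT, inner EtherType) is taken from the Wireshark decode on this page; the sample bytes are constructed from that decode, not copied from a pcap.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_VLAN = 0x8100   # 802.1Q
ETHERTYPE_CMD = 0x8909    # Cisco MetaData (CMD), carries the SGT
ETHERTYPE_IPV4 = 0x0800
CMD_OPTION_SGT = 0x0001   # CMD option type seen in the capture: "SGT follows"

# Constructed sample: Frame 44 from the capture above, rebuilt from the decoded
# field values (PC1 -> PC2 echo request, VLAN 761, SGT 3).
ICMP_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"
SAMPLE_FRAME = bytes.fromhex(
    "507b9df802ed"                  # dst MAC (PC2)
    "507b9df034bb"                  # src MAC (PC1)
    "8100" "02f9"                   # 802.1Q tag: PRI 0, DEI 0, VLAN ID 761
    "8909"                          # EtherType: Cisco MetaData
    "01" "01" "0001" "0003"         # CMD: version 1, length 1, option SGT, SGT 3
    "0800"                          # inner EtherType: IPv4
    "4500003c7d1f00008001887f"      # IPv4: IHL 5, len 60, id 0x7d1f, TTL 128, ICMP, cksum 0x887f
    "0a04108e" "0a04108d"           # 10.4.16.142 -> 10.4.16.141
    "08004cc800010093"              # ICMP echo request, cksum 0x4cc8, id 1, seq 147
) + ICMP_DATA


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Run over data whose checksum field is
    already filled in, it returns 0 when that checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> 802.1Q -> CMD -> IPv4 -> ICMP and collect the fields of
    interest. 'sgt' stays None when the frame carries no CMD header."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"frame_len": len(frame), "dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
            "vlan_id": None, "sgt": None}
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        info["vlan_id"], info["vlan_pri"] = tci & 0x0FFF, tci >> 13
        offset += 4
    if ethertype == ETHERTYPE_CMD:
        # Layout as decoded above: version, length, option type, SGT, then the
        # EtherType of the encapsulated payload.
        version, length, option, sgt, ethertype = struct.unpack("!BBHHH", frame[offset:offset + 8])
        if option != CMD_OPTION_SGT:
            raise ValueError(f"unsupported CMD option 0x{option:04x}")
        info.update(cmd_version=version, cmd_length=length, sgt=sgt)
        offset += 8
    info["ethertype"] = ethertype
    if ethertype != ETHERTYPE_IPV4:
        return info
    ihl = (frame[offset] & 0x0F) * 4
    ip_hdr = frame[offset:offset + ihl]
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    info.update(
        src_ip=str(IPv4Address(ip_hdr[12:16])),
        dst_ip=str(IPv4Address(ip_hdr[16:20])),
        ip_proto=ip_hdr[9],
        ip_checksum=struct.unpack("!H", ip_hdr[10:12])[0],
        ip_checksum_ok=inet_checksum(ip_hdr) == 0,
    )
    offset += ihl
    if ip_hdr[9] == 1:  # ICMP
        icmp = frame[offset:offset + total_len - ihl]
        info.update(
            icmp_type=icmp[0],
            icmp_checksum=struct.unpack("!H", icmp[2:4])[0],
            icmp_checksum_ok=inet_checksum(icmp) == 0,
        )
        if icmp[0] in (0, 8):  # echo reply / request carry identifier and sequence
            info["icmp_id"], info["icmp_seq"] = struct.unpack("!HH", icmp[4:8])
    return info


def strip_cmd(frame: bytes) -> bytes:
    """Return the same frame without its CMD header, i.e. what a link that does not
    do inline tagging carries. The inner EtherType moves up into the outer slot."""
    offset = 14
    if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_VLAN:
        offset = 18
    if struct.unpack("!H", frame[offset - 2:offset])[0] != ETHERTYPE_CMD:
        return frame
    return frame[:offset - 2] + frame[offset + 6:]


if __name__ == "__main__":
    tagged = parse_frame(SAMPLE_FRAME)
    print(f"tagged: {tagged['frame_len']} bytes, VLAN {tagged['vlan_id']}, SGT {tagged['sgt']}, "
          f"{tagged['src_ip']} -> {tagged['dst_ip']}, IP cksum ok={tagged['ip_checksum_ok']}, "
          f"ICMP cksum ok={tagged['icmp_checksum_ok']}")
    plain = parse_frame(strip_cmd(SAMPLE_FRAME))
    print(f"without CMD: {plain['frame_len']} bytes, SGT {plain['sgt']}")
```

In this capture the CMD header together with the encapsulated EtherType accounts for 8 bytes, so strip_cmd returns a 78-byte frame that still parses as the same VLAN 761 echo request, now with no SGT. Running the parser over frames taken at different points (ingress port versus uplink) is a quick way to confirm the tip above: a frame captured before the tag is applied comes back with sgt None.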
SGACL check
The switch downloads only the SGACLs that match the IP-SGT bindings obtained through the different methods (local, SXP, inline tagging, and so on). C9300B obtains the destination security group dynamically from ISE. How does it learn the source security group? Through inline tagging. Because the command show cts role-based sgt-map all does not display SGTs learned through inline tagging, you can conclude that if the SGACL is downloaded, the switch is aware of both the source (inline tagging) and destination (local) security groups.
Switch#show cts role-based permissions
IPv4 Role-based permissions default:
Permit_IP_Log-00
IPv4 Role-based permissions from group 3:DataCenter to group 17:MedicalDevices:
denyJonsICMP-06 <<<<
DENY_PRINTER_80_04-01
permitJons-01
IPv4 Role-based permissions from group 16:IUH_Office to group 17:MedicalDevices:
denyJonsICMP-06
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
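As an added example that is not part of the original document, this Python script parses the two C9300B outputs shown above (show cts role-based sgt-map all and show cts role-based permissions) and resolves which SGACL cell applies to a flow whose source SGT arrived in the CMD header and whose destination SGT comes from the switch's own binding table. The ACE contents of the named SGACLs are not shown on this page, so the script stops at the cell and its SGACL names rather than computing a permit or deny verdict. The fallback to the default entry for a source/destination pair that has no cell of its own, and the "no binding" result for a destination the switch has not learned, are this example's modelling choices, not output from the page.

```python
import re

# Constructed samples: the two C9300B outputs from this page, copied as shown
# (the "<<<<" pointer on the denyJonsICMP-06 line is kept to show it is ignored).
SGT_MAP_C9300B = """\
Switch#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
10.4.16.141 17 LOCAL
10.31.120.33 2 INTERNAL
"""

PERMISSIONS_C9300B = """\
Switch#show cts role-based permissions
IPv4 Role-based permissions default:
Permit_IP_Log-00
IPv4 Role-based permissions from group 3:DataCenter to group 17:MedicalDevices:
denyJonsICMP-06 <<<<
DENY_PRINTER_80_04-01
permitJons-01
IPv4 Role-based permissions from group 16:IUH_Office to group 17:MedicalDevices:
denyJonsICMP-06
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
"""

BINDING_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)$")
CELL_RE = re.compile(r"^IPv4 Role-based permissions from group (\d+):(\S+) to group (\d+):(\S+):$")
DEFAULT_RE = re.compile(r"^IPv4 Role-based permissions default:$")


def parse_sgt_map(text: str) -> dict:
    """Map IP address -> (SGT, source) from 'show cts role-based sgt-map all'."""
    bindings = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            bindings[m.group(1)] = (int(m.group(2)), m.group(3))
    return bindings


def parse_permissions(text: str) -> dict:
    """Map (src_sgt, dst_sgt) -> [SGACL names] from 'show cts role-based permissions'.
    Also stores the default entry under 'default' and SGT -> group name under 'names'."""
    cells, names, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Switch#") or line.startswith("RBACL Monitor"):
            continue
        if DEFAULT_RE.match(line):
            current = "default"
            cells[current] = []
            continue
        m = CELL_RE.match(line)
        if m:
            src, dst = int(m.group(1)), int(m.group(3))
            names[src], names[dst] = m.group(2), m.group(4)
            current = (src, dst)
            cells[current] = []
            continue
        if current is not None:
            cells[current].append(line.split()[0])  # first token only; drops annotations
    cells["names"] = names
    return cells


def resolve_policy(src_sgt: int, dst_ip: str, bindings: dict, perms: dict) -> dict:
    """Pick the SGACL cell the switch consults: the source SGT is taken from the CMD
    header of the frame, the destination SGT from this switch's IP-SGT bindings."""
    binding = bindings.get(dst_ip)
    if binding is None:
        return {"src_sgt": src_sgt, "dst_sgt": None, "cell": None, "acls": [],
                "reason": f"no IP-SGT binding for {dst_ip} on this switch"}
    dst_sgt, source = binding
    cell = (src_sgt, dst_sgt)
    if cell in perms:
        return {"src_sgt": src_sgt, "dst_sgt": dst_sgt, "dst_binding_source": source,
                "cell": cell, "acls": perms[cell], "reason": "specific cell"}
    return {"src_sgt": src_sgt, "dst_sgt": dst_sgt, "dst_binding_source": source,
            "cell": "default", "acls": perms.get("default", []), "reason": "no specific cell"}


if __name__ == "__main__":
    bindings = parse_sgt_map(SGT_MAP_C9300B)
    perms = parse_permissions(PERMISSIONS_C9300B)
    # PC1's address is absent from C9300B's table: its SGT (3) is known only from the inline tag.
    print("binding for PC1 on C9300B:", bindings.get("10.4.16.142"))
    print(resolve_policy(3, "10.4.16.141", bindings, perms))   # SGT 3 -> 17 cell, three SGACLs
    print(resolve_policy(5, "10.4.16.141", bindings, perms))   # no cell for 5 -> 17: default entry
```

The lookup for 10.4.16.142 returning nothing is the point of the paragraph above: C9300B never learns PC1's binding, yet the 3:DataCenter to 17:MedicalDevices cell was downloaded, which is only possible if the source SGT reached the switch in the CMD header.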
When you ping from PC1 to PC2, ICMP is blocked:
cisco>ping -S 10.4.16.142 10.4.16.141
Pinging 10.4.16.141 from 10.4.16.142 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.4.16.141:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Related Information