TrustSec With Meraki MS320 Switch Configuration Guide


TrustSec Configuration Guide

TRUSTSEC CONFIGURATION GUIDES

Table of Contents

TrustSec with Meraki MS320 Switch ... 3
Introduction ... 3
Summary of Operation ... 3
Configuration ... 4
Meraki Dashboard Configuration ... 4
Switch Summary ... 4
Switch Ports ... 5
Access Policy ... 7
DHCP Server Configuration ... 8
Routing and DHCP Configuration (Not Added) ... 8
OSPF Configuration (Not Added) ... 9
ASR Trunk Port Configuration ... 9
ISE Authorization Table ... 9
Operation ... 10
Connect / Authenticate Client ... 10
SXP Mapping and Propagation ... 10
TrustSec Enforcement ... 11

Cisco Systems 2017 Page 2

TrustSec with Meraki MS320 Switch

Introduction

This use case is for customers that wish to utilize Meraki access switches but want to use TrustSec group-based policy enforcement.

At the time of writing this guide, the Meraki access switches do not support TrustSec classification, propagation or enforcement. However, the Meraki switches can still be used in a TrustSec deployment by making use of TrustSec functions within other network components.

Summary of Operation

The latest Meraki firmware supports RADIUS Authentication and Accounting. This allows the Meraki access switches to send RADIUS authentication and accounting messages to ISE, which provides the capability to build complete sessions for authenticating clients.

If a client successfully authenticates to ISE via a Meraki access switch, ISE can be configured to assign a Security Group Tag to the learned client IP address, known as an IP:SGT mapping. ISE can send this mapping to TrustSec enforcement points in the network via Security Group Tag Exchange Protocol (SXP).

The enforcement points then have the ability to enforce policy based on the source group information sent via ISE and the destination group information learned via any supported methods.

As can be seen, the Meraki access switch only takes part in RADIUS messaging; it does not play a part in TrustSec classification, propagation or enforcement. The TrustSec functions within other network components allow the Meraki access switches to be deployed and used within this architecture.

Configuration

Meraki Dashboard Configuration

Switch Summary

Switch Ports

Port 1 is purely for management.
Port 2 is the uplink trunk to the network (ASR).
Port 3 is the access port where the 802.1X client is connected.


Access Policy

As can be seen in the port 3 configuration above, the access policy is set as ‘For ISE’. This policy is added in the dashboard as follows, where 10.1.101.41 is the IP address of the Identity Services Engine (ISE).

The ISE RADIUS server is added for authentication and accounting is enabled:

DHCP Server Configuration

Routing and DHCP Configuration (Not Added)

OSPF Configuration (Not Added)

ASR Trunk Port Configuration

The following configuration resides on the ASR router interface connected to the Meraki MS320 switch:

interface GigabitEthernet0/1/5
 description Connected to Meraki MS320 port 2
 no ip address
 negotiation auto
!
interface GigabitEthernet0/1/5.1
 encapsulation dot1Q 10
 ip address 10.6.1.1 255.255.255.0
 ip helper-address 10.1.100.2

ISE Authorization Table

ISE contains the following authorization table entry.

The condition checks if the user logging into the network is a member of the TSEngineering group in AD. If yes, then permit access and assign the TSEngineering security group.

Operation

Connect / Authenticate Client

When the client is connected/authenticated, ISE shows the following entry in the Live Log:

So, the TSeng authorization table entry has been hit/selected and therefore the TSEngineering security group has been assigned.

SXP Mapping and Propagation

After a successful authentication, ISE tracks the IP:SGT mapping of the user. Static mappings have also been added to ISE for the DC servers. All these mappings are placed in the ISE SXP table:

With an SXP connection deployed between ISE and the N7k, the mappings are propagated to the N7k:

Kernow-N7k# show cts role-based sgt-map
IP ADDRESS      SGT                  VRF/VLAN   SGT CONFIGURATION
10.1.100.3      11(11 Dev Srvrs)     vrf:1      Learnt from SXP peer:10.3.3.1
10.1.100.4      14(14 PCI Srvr)      vrf:1      Learnt from SXP peer:10.3.3.1
10.1.140.2      19(19 Prod srvr)     vrf:1      Learnt from SXP peer:10.3.3.1
10.6.1.10       17(TSEngineering)    vrf:1      Learnt from SXP peer:10.1.101.42
Kernow-N7k#

TrustSec Enforcement

Once the N7k learns of mappings, it downloads the TrustSec policy from ISE for the groups it needs to protect. The TrustSec policy matrix in ISE includes a policy to deny traffic from the TSEngineering group to the PCI Srvr group:

The N7k shows this policy in residence once it has been downloaded from ISE:

Kernow-N7k# show cts role-based policy sgt 17 dgt 14
sgt:17(TSEngineering)
dgt:14(14 PCI Srvr)     rbacl:Deny IP
        deny ip
Kernow-N7k#

The policy is active on the N7k, with counters showing traffic being denied from the TSEngineering group to the PCI Srvr group. This is blocking the user logged onto the network (via dot1x on the Meraki switch) from accessing the PCI Servers in the DC:

Kernow-N7k# show cts role-based counters sgt 17 dgt 14
RBACL policy counters enabled
Counters last cleared: Never
sgt:17(TSEngineering) dgt:14(14 PCI Srvr)      [6]
rbacl:Deny IP
        deny ip                                [6]
Kernow-N7k#

Hence the Meraki access switch can be used in a TrustSec deployment even though the switch itself does not support TrustSec capabilities today.
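The lookup the N7k performs in the SXP Mapping and TrustSec Enforcement sections above (resolve the source and destination IP to an SGT from the SXP-learned map, then apply the downloaded SGACL cell, and confirm from the counters that the cell is being hit) can be simulated offline. The following Python is an added example and is not code from the Cisco guide; the three "show" outputs embedded in it are constructed copies of the values the guide shows, and the permit fall-through for address pairs with no downloaded cell is a deliberate simplification of real SGACL behaviour.

```python
"""Added example (not from the Cisco guide): simulate how an enforcement
point such as the N7k resolves SGTs from SXP-learned IP:SGT mappings and
applies the SGACL downloaded from ISE, then reads back the hit counters.
All 'show' text below is constructed to match the guide's values."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of 'show cts role-based sgt-map' (values from the guide).
SGT_MAP_OUTPUT = """\
Kernow-N7k# show cts role-based sgt-map
IP ADDRESS      SGT                  VRF/VLAN   SGT CONFIGURATION
10.1.100.3      11(11 Dev Srvrs)     vrf:1      Learnt from SXP peer:10.3.3.1
10.1.100.4      14(14 PCI Srvr)      vrf:1      Learnt from SXP peer:10.3.3.1
10.1.140.2      19(19 Prod srvr)     vrf:1      Learnt from SXP peer:10.3.3.1
10.6.1.10       17(TSEngineering)    vrf:1      Learnt from SXP peer:10.1.101.42
Kernow-N7k#
"""

# Constructed sample of 'show cts role-based policy sgt 17 dgt 14'.
POLICY_OUTPUT = """\
Kernow-N7k# show cts role-based policy sgt 17 dgt 14
sgt:17(TSEngineering)
dgt:14(14 PCI Srvr)     rbacl:Deny IP
        deny ip
Kernow-N7k#
"""

# Constructed sample of 'show cts role-based counters sgt 17 dgt 14'.
COUNTERS_OUTPUT = """\
Kernow-N7k# show cts role-based counters sgt 17 dgt 14
RBACL policy counters enabled
Counters last cleared: Never
sgt:17(TSEngineering) dgt:14(14 PCI Srvr)      [6]
rbacl:Deny IP
        deny ip                                [6]
Kernow-N7k#
"""

MAP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+(\d+)\((.*?)\)\s+(\S+)\s+(.*)$")
POLICY_SGT_RE = re.compile(r"^sgt:(\d+)\(")
POLICY_DGT_RE = re.compile(r"^dgt:(\d+)\(.*?\)\s+rbacl:(.+)$")
ACE_RE = re.compile(r"^(permit|deny)\s+(\S+)")
COUNTER_CELL_RE = re.compile(r"^sgt:(\d+)\(.*?\)\s+dgt:(\d+)\(.*?\)\s+\[(\d+)\]$")


def parse_sgt_map(text: str) -> Dict[ipaddress.IPv4Network, Tuple[int, str]]:
    """Map each learned prefix to (sgt, group name). Entries shown without a
    mask are host mappings, so they are stored as /32."""
    mappings: Dict[ipaddress.IPv4Network, Tuple[int, str]] = {}
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            prefix = m.group(1) if "/" in m.group(1) else m.group(1) + "/32"
            mappings[ipaddress.ip_network(prefix)] = (int(m.group(2)), m.group(3))
    return mappings


def resolve_sgt(mappings: Dict[ipaddress.IPv4Network, Tuple[int, str]], ip: str) -> Optional[int]:
    """Longest-prefix match of a packet address against the IP:SGT table.
    Addresses with no mapping get no SGT."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, int]] = None  # (prefix length, sgt)
    for net, (sgt, _name) in mappings.items():
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, sgt)
    return best[1] if best else None


def parse_policy(text: str) -> Dict[Tuple[int, int], List[Tuple[str, str]]]:
    """Return {(sgt, dgt): [(action, protocol), ...]} from the policy output."""
    policy: Dict[Tuple[int, int], List[Tuple[str, str]]] = {}
    sgt = dgt = None
    for line in text.splitlines():
        s = line.strip()
        if (m := POLICY_SGT_RE.match(s)):
            sgt, dgt = int(m.group(1)), None
        elif (m := POLICY_DGT_RE.match(s)) and sgt is not None:
            dgt = int(m.group(1))
            policy[(sgt, dgt)] = []
        elif (m := ACE_RE.match(s)) and sgt is not None and dgt is not None:
            policy[(sgt, dgt)].append((m.group(1), m.group(2)))
    return policy


def evaluate_flow(mappings, policy, src_ip: str, dst_ip: str, protocol: str = "ip"):
    """Decide permit/deny as the enforcement point would: resolve both SGTs,
    then walk the cell's RBACL top-down. Simplification (assumption): ACEs are
    matched on protocol keyword only, and a pair with no cell, an unmatched
    RBACL, or an unknown SGT falls through to permit."""
    sgt, dgt = resolve_sgt(mappings, src_ip), resolve_sgt(mappings, dst_ip)
    if sgt is None or dgt is None:
        return "permit", sgt, dgt
    for action, proto in policy.get((sgt, dgt), []):
        if proto == "ip" or proto == protocol:
            return action, sgt, dgt
    return "permit", sgt, dgt


def parse_counters(text: str) -> Dict[Tuple[int, int], int]:
    """Return {(sgt, dgt): total hits} so a second snapshot can be compared
    against the first to confirm the cell is actually dropping traffic."""
    return {(int(m.group(1)), int(m.group(2))): int(m.group(3))
            for line in text.splitlines()
            if (m := COUNTER_CELL_RE.match(line.strip()))}


if __name__ == "__main__":
    maps, pol = parse_sgt_map(SGT_MAP_OUTPUT), parse_policy(POLICY_OUTPUT)
    for src, dst in (("10.6.1.10", "10.1.100.4"), ("10.6.1.10", "10.1.100.3")):
        print(src, "->", dst, evaluate_flow(maps, pol, src, dst))
    print("hits on cell 17->14:", parse_counters(COUNTERS_OUTPUT)[(17, 14)])
```

Running it shows the TSEngineering client (10.6.1.10, SGT 17) denied to the PCI server (10.1.100.4, SGT 14) and permitted to the Dev server (SGT 11, for which no deny cell was downloaded), and reads the six hits on the 17 to 14 cell; re-running parse_counters on a later snapshot and comparing the totals is the quickest way to confirm the SGACL is live rather than merely installed.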
