- Trustsec Cisco
- Cisco Trustsec Matrix
- Trustsec Vs Macsec
- Trustsec Sgt
- Trustsec Ise
- Trustsec Configuration Guide
Understanding Medical Device Security
The FDA recall of a medical device last week has caused a bit of a media storm as the general public scrambles to find out more. The fact that a medical device meant to help sustain life is insecure and could be hacked to kill a patient is alarming to all of us. More worrying […]
Cisco TrustSec SGT Technology vs Huawei Ddkompik Created: Oct 7, 2020 12:06:53 Latest reply: Oct 7, 2020 12:51:49 168 3 0 0 Rewarded HiCoins： 0 (problem resolved).
In this blog post, I'll go through the configuration for TrustSec and SXP for both my Catalyst 3650 switch and wireless controller. I'll walk through the configuration, create the SXP connection, and verify. After that, I'll test out a policy by connecting a client to the switch, watching the tag be applied on ingress and the policy applied. The Panorama plugin for Cisco TrustSec enables you to create security policy for your TrustSec environment using dynamic address groups. TrustSec enables enterprises to build identity-aware networks, albeit via an all-Cisco approach. Alternative identity-aware solutions are available for enterprises that seek more choices for their LAN infrastructures.
What is an Intuitive Network?
How well do you understand what Cisco just announced? If you are the slight bit technical or just curious what the reality is behind all the grand talk...check out these shortcut videos from TechWiseTV.
Addressing Healthcare Security Challenges
It’s a gross understatement to say that security is critical in healthcare, where a breach can not only impact an organization’s effectiveness and reputation but also affect patient privacy and—worst-case scenario—health and safety. If you are reading this blog, you no doubt already know the most common challenges to securing digital healthcare organizations, from ensuring […]
Enterprise Network Security: Is it in your DNA?
With new capabilities on ISE and TrustSec, Cisco is now the first in the industry to deliver software-defined segmentation - from the network to the endpoint to the cloud - with complete application visibility.
Visibility is the new perimeter; It’s time for Cisco ISE 2.2
Visibility doesn’t just mean seeing data move within the network – it also means seeing who and what is on the network. Trends like the Internet of Things (IoT) and Enterprise Mobility – that will result in tens of billions of connected devices and users – are fundamentally changing the enterprise networking environment. Not knowing […]
To be Effective, Security Needs to Be a Force Multiplier
Effective security is simple, open, and automated. We’ve already talked about simple and open. Now let’s talk about automated. Security admins can relate to this scenario. You just learned of an infected system in your environment of thousands of devices. How many others are affected? That’s hard to figure out even in elite operations. What […]
2016 Forrester TEI Study Shows TrustSec Cuts Operations Costs up to 80%
Forrester Consulting recently conducted an analysis of customers using TrustSec software-defined segmentation in production networks and deduced the following: This matters today as network segmentation in the branch, campus and data center is a critical foundation for any network defense. Effective segmentation helps protect key assets and data while preventing the dangerous lateral movements of […]
Seeing Over the Wall: Unified TrustSec-ACI Policy Monitoring with Stealthwatch and ISE v2.1
Visibility has always been a core component of building effective security policy. Starting with the discovery phase of understanding the behavior of the users and assets on a network through...
What do “Going Green” and policy group sharing have in common? More than you think!
New Cisco Identity Services Engine (ISE) v2.1 Enables TrustSec-ACI Policy Plane Integration “Going green” is all about reducing waste and protecting the environment. It’s a movement most of us believe...
Cisco Trustsec Matrix
Read NX-OS and Cisco Nexus Switching: Next-Generation Data Center Architectures, 2nd Edition or more than 24,000 other books and videos on Safari Books Online. Start a free trial today.
Data Center Interconnection (DCI) has become quite common in the past few years for a multitude of reasons, including workload mobility, data center migration, and enhanced disaster recovery posture, to name a few. Of the many DCI technologies that are available, Cisco's Overlay Transport Virtualization (OTV) has been widely deployed by customers in every vertical across the world.
OTV has many unique benefits in the DCI arena, including a scalable control plane protocol, ease of site additional and removal, optimized traffic localization capabilities, and the ability to use existing network infrastructure to provide connectivity. OTV is currently available on the flagship data center switching platform, the Cisco Nexus 7000, as well as the Cisco ASR 1000 series of routers that together provide an OTV solution to meet almost any customer's requirements.
For many customers, regulatory requirements or internal policies dictate that network traffic must be encrypted when passing between data centers.
Traditionally, there have been a few ways to facilitate this, ranging from dedicated and expensive hardware-based encryption devices that sit inline or the use of various VPN technologies such as IPSec to provide encryption services. See Figure 1.
One alternative to these technologies is using 802.1AE MACSEC on the Nexus 7000 to provide hardware-based, line rate encryption on the Data Center Interconnect links. 802.1AE MACSEC is an IEEE standard for link level encryption. The implementation of MACSEC on the Nexus 7000 is 128-bit Advanced Encryption Standard (AES) that is hardware-driven, which means no additional Supervisor CPU is used to encrypt data at any speeds.
As of the writing of this article, the M-Series modules on the Nexus 7000 support 802.1AE MACSEC on all ports, including the new M2-series modules. The F2e modules will have this feature enabled in the future.
It is important to note that because 802.1AE MACSEC is a link-level encryption, the two MACSEC-enabled endpoints, Nexus 7000 devices in our case, must be directly L2 adjacent. This means we direct fiber connection or one facilitated with optical gear is required. MACSEC has integrity checks for the frames and intermediate devices, like another switch, even at L2, will cause the integrity checks to fail. In most cases, this means metro-Ethernet services or carrier-provided label switched services will not work for a MACSEC connection. We will focus on a direct connection scenario in this article.
Figure 2 shows two data centers with OTV configured to provide data center interconnect services. The DCI link in this example is interface Ethernet4/1 on both of the Nexus switches. Prior to enabling CTS, the interface configuration looked like this:
Trustsec Vs Macsec
To enable CTS, we simply need to add the following commands that will do the following:
- Enable cts and dot1x as a feature.
- Configure cts manual mode.
- Define a preshared key.
- Increase the interface MTU to accommodate the extra header 802.1AE MACSEC adds.
The last step is important because CTS won't take effect until the interface is flapped with a shut/no shut sequence.
Once configured, you can verify that CTS is in use by looking at the interface:
The bold text shows that the encryption is active and negotiated.
Be sure to enable CTS on both ends of the link because if only one end is configured and the interface is flapped, the link will not come up as shown below:
That's it! How easy is that?! A few more thoughts on using CTS MACSEC for Data Center Interconnect:
- No need to change routing protocols or other L2 protocols to understand MACSEC; because it is link-level encryption, it is transparent to the upper-layer technologies.
- Optical taps don't work because the data is encrypted! SPAN/ERSPAN will still allow visibility into the frame as the CTS header is removed before the traffic is replicated.
- Remember that 40 bytes are added for CTS—16 for the 802.1AE header, 8 bytes for the Cisco MetaData, and 16 for the Integrity Check Value (ICV). Plan your MTU accordingly, and if you are using OTV, remember that it adds 42 more bytes.
- CTS was moved into the NX-OS base license as of NX-OS 6.1 on the Nexus 7000.
Trustsec Configuration Guide
Cisco TrustSec and 802.1AE MACSEC provide a very attractive alternative to expensive external devices that take rack space, power, and cooling resources in my data center. Being transparent to the upper-layer protocols enables more ways to deploy line-rate encryption.