LabMinutes# SEC0061 - Introduction to Cisco TrustSec

Captions
Welcome to LabMinutes.com. In this video we will talk about Cisco TrustSec architecture to give you a better understanding of what TrustSec is all about and to prepare you for our TrustSec lab videos, so there will be no lab in this video.

Now, the whole concept of Cisco TrustSec is to build a secure, identity-based access network, and the three main components of Cisco TrustSec are: authentication, where endpoints are authenticated, identified and assigned access privileges; secure communication, where the data are transported securely by link-level encryption with 802.1AE or MACsec; and security group based access control (SGACL), where access policies are enforced before allowing endpoint access to the resources.

Okay, so at the middle here we have a Cisco TrustSec domain, and it is constructed by contiguous groups of TrustSec hardware-capable devices, and these devices authenticate against each other and negotiate each other's capabilities. There is also the concept of the security group tag (SGT), and the security group tag gets added to the packet header, just like it shows in the diagram here, at the ingress point of the TrustSec domain, and the SGT carries information that is used to determine endpoint access privileges.

So how does the SGT value get assigned to the endpoint? The SGT can be assigned as part of the authorization process when the endpoint is authenticated using 802.1X onto the network, for example within the authorization profile returned from Cisco ISE, like we show in the diagram here. But if the endpoint is exempted from or incapable of 802.1X, you can also hard-code the SGT value under the interface configuration or do a static SGT to source IP mapping on the edge switches. Once the SGT is determined and packets are tagged, the tag is maintained across the TrustSec domain until it reaches the egress point, where the access policies are enforced, and this could be based on the SGT or on both the SGT and DGT, so SGT being the source security group tag and DGT being the destination security group tag.

Okay, so that is when you have TrustSec hardware-capable devices end to end. What if you have a device that is not capable of inserting or transporting SGTs? Assuming that the device supports SGT Exchange Protocol, also known as SXP, the device can pair up with the closest SGT-capable device and send the SGT and IP mapping information, so the SGT-capable device would know what SGT value to impose onto the packet before entering the TrustSec domain. Since SXP works over TCP, we can see here it is port 64999, the edge device can actually be several layer 3 hops away from the closest SGT-capable device.

Another major component that makes all this work is the policy decision point device, and here we use Cisco ISE as an example. Some of the things Cisco ISE is responsible for are: authenticating and authorizing endpoints and returning the SGT value to the ingress device; authenticating and authorizing network devices before allowing them to join the TrustSec domain; as well as maintaining the configuration of egress policy, including the SGACLs and SGT-to-name mappings, and distributing them to the egress devices for enforcement.

Okay, so now that we understand, you can see there are a lot of moving parts in implementing Cisco TrustSec, and one of the most important things is actually to know your device capabilities. So with that said, let me pull up the Cisco documents for TrustSec. Right here we have the TrustSec 1.0, 2.0 and 2.1 product bulletins, and again we'll post this particular URL down below. Let's start off with Cisco TrustSec 1.0. Back in TrustSec 1.0 you can see these are lists of devices that support some of the TrustSec features, and you can see some of them with support for, for example, SXP, and this also shows the minimum software version required to run that particular feature. Okay, so you can actually see back in TrustSec 1.0 there's not a whole lot of features listed, and it seems that the only device that was capable of SGACL back then was the Nexus 7000 with version 5.0(2).

But now let's move on to TrustSec 2.0. You can see there are a little bit more platforms and features supported, and if you search for SGACL you can see now the 6500 has become supported. And now we are at TrustSec 2.1; you can see the list actually gets even bigger. So if you, for example, search for SGACL and see what devices now support that: Catalyst 6000, Nexus 7000, and you can see now even the Nexus 5000 also supports SGACL. Okay, so just make sure that you compare your hardware to this particular capability list and know exactly what that particular hardware is capable of before you start building the TrustSec domain, because if they're not capable of TrustSec you might find yourself in a little situation where you can't get things up and running as expected.

Okay, so that wraps up our video on the introduction to Cisco TrustSec. Thank you for watching LabMinutes.com. I'll see you guys in the next video.
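The forwarding path the video describes (SGT assigned at ingress, either from the ISE authorization result or from a static IP-to-SGT mapping; a non-tagging switch handing its bindings to the nearest SGT-capable switch over SXP; the egress switch looking up the (SGT, DGT) cell of the SGACL matrix) can be modelled in a few dozen lines. The following Python is an added teaching model, not LabMinutes' or Cisco's code: the SGT values, IP addresses, the "permit"/"deny" matrix and the implicit-deny default are constructed sample data, and the SXP exchange is reduced to a method call rather than a real TCP session.

```python
from __future__ import annotations
from dataclasses import dataclass

# Security Group Tag values: constructed sample values, not Cisco defaults
SGT_UNKNOWN = 0
SGT_EMPLOYEE = 10
SGT_CONTRACTOR = 20
SGT_SERVER = 30

SXP_TCP_PORT = 64999  # SXP transport port named in the video (not used by the model)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    sgt: int = SGT_UNKNOWN  # tag inserted at the TrustSec domain ingress


class TaggingSwitch:
    """A TrustSec-capable switch: keeps an IP-to-SGT table and tags on ingress."""

    def __init__(self) -> None:
        self.ip_sgt: dict[str, int] = {}

    # Dynamic classification: the SGT arrives in the authorization profile
    # that the policy decision point (ISE in the video) returns after 802.1X.
    def learn_from_authz(self, ip: str, authz_profile: dict) -> None:
        self.ip_sgt[ip] = authz_profile["sgt"]

    # Static classification for endpoints exempt from or incapable of 802.1X
    # (the video's static SGT to source IP mapping on the edge switch).
    def static_map(self, ip: str, sgt: int) -> None:
        self.ip_sgt[ip] = sgt

    # SXP listener role: accept IP-SGT bindings from a non-tagging peer.
    def receive_sxp(self, bindings: dict[str, int]) -> None:
        self.ip_sgt.update(bindings)

    def ingress(self, src_ip: str, dst_ip: str) -> Packet:
        # Unmapped sources enter the domain with the unknown tag.
        return Packet(src_ip, dst_ip, self.ip_sgt.get(src_ip, SGT_UNKNOWN))


class SxpSpeaker:
    """A switch that cannot insert SGTs but speaks SXP: it pushes its
    IP-SGT bindings to the nearest tagging switch instead of tagging."""

    def __init__(self) -> None:
        self.bindings: dict[str, int] = {}

    def classify(self, ip: str, sgt: int) -> None:
        self.bindings[ip] = sgt

    def connect_and_export(self, peer: TaggingSwitch) -> None:
        # Real SXP runs over TCP port 64999; the exchange is modelled as a call.
        peer.receive_sxp(dict(self.bindings))


class EgressSwitch(TaggingSwitch):
    """Enforcement point: maps the destination to a DGT and looks up the
    (SGT, DGT) cell of the SGACL matrix pushed down from the PDP."""

    def __init__(self, sgacl: dict[tuple[int, int], str]) -> None:
        super().__init__()
        self.sgacl = sgacl

    def enforce(self, pkt: Packet) -> str:
        dgt = self.ip_sgt.get(pkt.dst_ip, SGT_UNKNOWN)
        # Cells not present in the matrix fall through to deny (constructed default).
        return self.sgacl.get((pkt.sgt, dgt), "deny")


def run_demo() -> dict[str, str]:
    """Walk four sources through classification, propagation and enforcement."""
    edge = TaggingSwitch()
    edge.learn_from_authz("10.1.1.5", {"sgt": SGT_EMPLOYEE})  # 802.1X authz result
    edge.static_map("10.1.1.9", SGT_CONTRACTOR)                # hard-coded on the edge

    legacy = SxpSpeaker()                                      # non-tagging access switch
    legacy.classify("10.2.2.7", SGT_CONTRACTOR)
    legacy.connect_and_export(edge)                            # bindings travel via SXP

    egress = EgressSwitch({
        (SGT_EMPLOYEE, SGT_SERVER): "permit",
        (SGT_CONTRACTOR, SGT_SERVER): "deny",
    })
    egress.static_map("10.9.9.1", SGT_SERVER)                  # destination gets its DGT

    verdicts = {}
    for src in ("10.1.1.5", "10.1.1.9", "10.2.2.7", "10.3.3.3"):
        pkt = edge.ingress(src, "10.9.9.1")                    # tag at ingress
        verdicts[src] = egress.enforce(pkt)                    # enforce at egress
    return verdicts


if __name__ == "__main__":
    for src, verdict in run_demo().items():
        print(f"{src} -> 10.9.9.1: {verdict}")
```

The point worth noticing is the last source, 10.3.3.3: it was never classified by 802.1X, a static mapping or an SXP binding, so it carries the unknown tag and is denied by the matrix default. That is the failure mode the video's closing advice is about: a switch that cannot tag or speak SXP leaves its endpoints unclassified, and the egress policy then decides on an SGT of 0 rather than on the identity you intended.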
Info
Channel: Lab Minutes
Views: 19,735
Rating: 4.9354839 out of 5
Keywords: trustsec, sxp, sgt, sgacl, introduction
Id: 5JU39kMm-00
Length: 5min 29sec (329 seconds)
Published: Mon Apr 22 2013