Tuesday, 6 July 2021

Cisco 300-710 SNCF Exam: A Mean to Success in Networking

CCNP Security certification validates comprehensive knowledge of network security. A CCNP Security certified professional has the knowledge and skills to align the network with the organization's requirements: sustaining performance levels, mitigating threats, reducing security incidents, and lowering support costs. In this article, we will focus on the 300-710 SNCF exam.

What is Cisco 300-710 SNCF Exam?

The Cisco 300-710 SNCF exam measures a candidate's knowledge of Cisco Firepower Threat Defense and Firepower, including integrations, policy configuration, deployment, management, and troubleshooting. While preparing for it, you will learn how to implement advanced Next-Generation Firewall (NGFW) and Next-Generation Intrusion Prevention System (NGIPS) features, including file type detection, network intelligence, network-based malware detection, and deep packet inspection.

How to Prepare for Cisco 300-710 SNCF Exam?

  • The first thing to know is that the exam questions span several topics, so your preparation needs to be thorough. Before scheduling your CCNP Security 300-710 SNCF exam, obtain the list of exam syllabus topics.
  • For the most productive preparation, begin with the official Cisco website. There you will find the most appropriate study material for the exam. Cisco provides classroom training, e-learning, practice tests, and study groups.
  • Find online platforms that provide training courses for Cisco exams. On these platforms, you will get details on the exam from experienced IT specialists.
  • Take Cisco 300-710 SNCF practice tests. Up-to-date, authentic practice tests make your revision process smoother. Time management is essential in Cisco exams: no matter how well you have absorbed the concepts, it counts for little if you cannot apply your knowledge within the allotted time. So time every practice exam you take and check whether you can answer all the questions in time.

Things to Know About Cisco CCNP Security Certification

Job Opportunities

After earning CCNP Security certification, one can qualify for various roles such as Systems Engineer, Security Engineer, Network Administrator, Network Engineer, Network Designer, Consulting Systems Engineer, Technical Solutions Architect, and Network Manager. CCNP Security certified professionals have more job openings available to them than non-certified professionals.

High Salary

Cisco CCNP Security-certified professionals are reported to make at least ten percent more than their non-certified peers. Certification also improves the odds of salary raises and access to better job opportunities.
Skill Acknowledgment

Cisco CCNP Security certification signals that you have achieved a high level of knowledge and skill in networking. Earning a certification from a renowned organization like Cisco indicates that you have acquired skills that are in demand. Technology is an essential part of our lives today; if you want to advance in your career, it is best to stay current with the latest technology and trends, which is precisely what Cisco CCNP certification does.

CCNP Security Certification Add Value to Your CV

Your CV is what speaks for your education, skills, work experience, and the knowledge you have accumulated. Once the Cisco CCNP Security certification is on your CV, you will be ready to work with leading organizations. Employers believe that such professionals will be an asset and help lead the organization forward.

Great Confidence Builder

Cisco CCNP Security certification builds up the self-confidence to ace the interview for a new dream job. The knowledge and skills that have been achieved through certifications build the confidence to work with the latest technology.

Growth At Work

When it comes to finding a job in IT or computer networking, earning Cisco CCNP Security certification puts you near the top of the list for promotions or career advancement. Cisco certified professionals also receive better job opportunities when changing organizations. They are qualified for positions with strong future growth; IT is a dynamic field, and the skills they hold will need to be kept current.

Opportunity to Work Globally

The Cisco certifications are globally recognized and offer better job opportunities to work in India, Dubai, Algeria, the USA, UK, and Australia.

Conclusion

Earning CCNP Security certification is not a walk in the park, but a hard-working candidate has every chance of success, and sitting for the exam is the first step toward the certification. Organizations want to employ Cisco certified professionals to keep their networks running efficiently. Consider the benefits you will gain and start your preparation for the 300-710 SNCF exam.

Should the CISO Report to the CIO?


The Chief Information Security Officer (CISO) is the organization’s senior executive in charge of the cybersecurity and the information technology risk management posture of the enterprise. He or she is a seasoned executive who must be equally adept at leading the myriad technology functions associated with protecting the enterprise’s information and data from misuse and compromise, as well as at managing the deeper business aspects of the role, such as hiring, developing, and retaining qualified and competent personnel; orchestrating Governance, Risk, and Compliance (GRC) requirements and mandates; incorporating a risk-conscious and security-aware culture in an enterprise; and preparing and defending the budget associated with protecting the enterprise’s computing infrastructure from harm.

In many organizations, and in the U.S. federal government in particular, the CISO reports to the Chief Information Officer (CIO). Much has been written over the years about the feasibility of this organizational construct. Lately, some very progressive organizations in the Fortune 500 and the Global 1000 have elevated the CISO to a reporting relationship under, variously, the Chief Risk Officer, the Chief Security Officer, the Chief Financial Officer, the General Counsel, or even the Chief Executive Officer. Where the CISO belongs organizationally in any enterprise is largely a function of the roles and responsibilities of the CISO and the manner in which those roles and responsibilities cleave into the operations and mission of the enterprise.

The role of the CISO

For the sake of simplicity, the CIO is responsible for the information technology spectrum of “power, ping and pipe,” and the CISO is responsible for the cybersecurity spectrum of “identify, protect, detect, respond, and recover.” The two responsibilities are inter-related, and in most cases are complementary, but the question boils down to whether one set of responsibilities should have primacy over the other, or whether they are co-equal. Added to this analysis is the general CIO and information technology emphasis on the “3 Fs” of features, functionality, and fast, which are anathema to cybersecurity in general. A growing consensus among information technology and C-level executives is that the CISO’s priorities should not be subsumed under the CIO’s priorities.

Viewed another way, having the CISO report to the CIO relegates cybersecurity to an IT security, or technology, function. However, if the CISO reports higher up the chain of command and has a seat at the C-level table, then cybersecurity is solidly embedded into the overall risk management of the enterprise.

Perhaps an examination of how the U.S. federal government approaches the organizational situation can provide additional perspective. The Federal Information Security Modernization Act (FISMA) of 2014, which replaced the Federal Information Security Management Act of 2002, is a federal law that requires federal agencies to develop, document, and implement an agency-wide program to provide information security for the information technology and systems that support the agency’s mission. FISMA designates department and agency CIOs as the primary officials responsible for their organizations’ IT security. Among the CIOs’ duties under FISMA is designating a senior agency information security officer. Therefore, an act of law determines the organizational placement of the CISO under the CIO in the federal government.

Let’s acknowledge a counterargument right here: if federal law were to unshackle the CISO from the CIO’s chain of command, would information security across the federal government be appreciably improved? Could it possibly be any worse than it is now?


Perhaps Congress concluded that no CISO should be allowed to give his or her unvarnished opinion of the true cybersecurity and risk management posture of the agency’s enterprise as long as the top official responsible for IT does not wish that opinion to be disclosed. Under the current structure, the CIO is free to raid the cybersecurity budget to fund any other priority, or the CIO may feel inclined to overlook a powerful peer’s security deficiencies, or the CIO may disregard security recommendations that interfere with ‘really neat’ functionality. By placing the CIO in a position of superiority over the CISO in federal agencies, the CISO is marching to the CIO’s orders and working off the CIO’s list of priorities, not to mention attempting to receive his or her performance bonus that the CIO must approve. If that’s the situation that FISMA intended, then Congress should simply have given the security job, and the corresponding accountability, to the CIO.

Risk management and the CISO

Back to the commercial world, where there is no legislative mandate, and to the original question about where the CISO should be organizationally positioned. It depends. It depends on many factors, not the least of which is the enterprise’s perspective on risk management. If overall risk management – including financial, programmatic, human, facilities, and information technology – is embedded into the very soul and culture of the organization, with risk appetite and risk tolerance decisions continuously on the radar of the senior executives and the board of directors, then the CISO cannot realistically be buried under the CIO. If, on the other hand, the organization views information technology as its lifeblood and considers the protection of those information technology resources to be the totality of its cybersecurity obligations to its stakeholders, then the CIO should have the CISO within his or her span of control. There is no one-size-fits-all answer, although the prevailing trend is to unshackle the CISO from the CIO.

In the end, it boils down to how an organization approaches its risk management diligence. In most cases where organizations place the CISO in a subordinate role to the CIO, the result is over-leveraging towards cost management as opposed to risk management. In those organizations where the CISO is elevated to a C-level position at least co-equal with the CIO, then risk is more likely to be embedded in the culture of the organization.

Source: cisco.com

Monday, 5 July 2021

300-415 Certification Cost | Cisco ENSDWI Accurate Study Guide

Cisco ENSDWI Exam Description:

The Implementing Cisco SD-WAN Solutions v1.0 (ENSDWI 300-415) exam is a 90-minute exam associated with the CCNP Enterprise and Cisco Certified Specialist - Enterprise SD-WAN Implementation certifications. This exam certifies a candidate's knowledge of Cisco’s SD-WAN solution, including SD-WAN architecture, controller deployment, edge router deployment, policies, security, quality of service, multicast, and management and operations. The course Implementing Cisco SD-WAN Solutions helps candidates prepare for this exam.

Cisco 300-415 Exam Overview:

Related Articles:-

  1. Cisco 300-415 ENSDWI Exam: How to Prep and Pass
  2. Stay Updated with Modern Trends by Passing Cisco 300-415 ENSDWI Exam

Sunday, 4 July 2021

Cisco Cloud ACI Unifies and Simplifies On-Premises and Cloud Interconnection and Management

Most companies have plans to run or move a certain percentage of new and existing applications to the cloud in the next few years. While the cloud offers many compelling benefits, consuming cloud resources is often not as easy as IT departments might expect. The long list of challenges to consider when moving to the cloud is enumerated in the cloud adoption frameworks published by the cloud providers.

One of the major challenges to be surmounted is reconciling different network policy definitions across on-premises and cloud environments and between different cloud vendors. Adopting a single cloud provider’s strategy limits an organization’s ability to move workloads to another cloud when another vendor would be a better fit from a technical or business perspective. For many organizations, a multicloud vendor strategy that spreads the risk of outages and supports disaster recovery scenarios may be the best choice.

These different strategies require a more flexible way to provision native cloud resources for any and all cloud vendors. That way is Cisco Cloud Application Centric Infrastructure (ACI) for multicloud environments. Cloud ACI lets IT interconnect workloads across different public clouds or between public clouds and on-premises deployments with a single API.

Automation to Handle Complexity and Scale

Cisco Cloud ACI uses a high degree of automation to provide:

◉ Secure connectivity across clouds and on-premises

◉ Provisioning and enforcement of network policies for tag or IP-based workloads across clouds and on premises

◉ Provisioning of cloud native objects, including Azure Virtual Network (VNET) and AWS Transit Gateway (TGW) and their route tables to enable communication intra-region, inter-region and inter-site

◉ Provisioning and configurations of cloud-native load balancers

With Cisco Cloud ACI, APIs from different cloud providers are abstracted into a single API while using each cloud provider’s specific tools, so there’s no need to create an overlay in the cloud.

A single pane of glass enables administrators to monitor, configure, and troubleshoot connectivity across region, sites, applications, and cloud objects. Using Cisco Cloud Application Policy Infrastructure Controller (APIC), a key component of Cisco Cloud ACI, IT can define their intent to orchestrate an application’s data path within the cloud and between different cloud and on-premises sites. A single pane of glass dashboard enables IT to define application templates and apply those to multiple clouds and on-premises sites using Cisco Nexus Dashboard Orchestrator.

For Day 2 ops, Cisco Network Insights (NI) and Cisco Network Assurance Engine (NAE) tools will in the future support both inter-cloud and on-premises traffic with automated troubleshooting, proactive monitoring, resource utilization, capacity planning, and continuous and proactive network verification and assurance.

It is important to stress that the Cisco Cloud ACI solution will only act as an object translator, abstracting the cloud-specific API into a common Cloud ACI language. It enables the cloud admin to automate the provisioning of consistent network resources across different clouds by utilizing this common ACI language.

Figure 1 highlights the main ACI objects that map to Azure and AWS network objects. The network admin only needs to interact with Cisco ACI APIs while the Cisco Cloud APIC takes care of provisioning the specific cloud network policy objects.

Figure 1. Cloud ACI-to-Cloud Object Mapping

There is no overlay or VM agent required in a Cisco Cloud ACI design. All that is needed for setup is to find and deploy the Cloud APIC from the cloud vendor marketplace and register Cloud APIC with Cisco Nexus Dashboard Orchestrator if inter-site connectivity is needed. In less than an hour, a company can be managing on-premises and multi-cloud deployments.

Figure 2 shows an example of an AWS to Azure network extension architecture. An AWS infra-virtual private cloud (VPC) and Azure infra-virtual network (VNET) are automatically provisioned in AWS and Azure respectively. The infra VPC and infra VNET host Cisco Cloud APIC and Cisco CSR1000v virtual routers. The routers are fully operated by the Cisco Cloud APIC and route application data across clouds, cloud regions, and on-premises sites through encrypted tunnels.

Figure 2. Extension of Applications Across AWS to Azure

Many enterprise IT professionals today provision cloud resources with Infrastructure as Code (IaC) tools like Ansible and Terraform. However, none of those tools by themselves reduce the complexity of orchestrating different cloud providers and maintaining consistency in routes and network policies across clouds and on-premises.

Cisco Nexus Dashboard Orchestrator offers a REST API that fully supports automated provisioning of network resources. A Terraform provider and Ansible Galaxy modules are available for Cisco Nexus Dashboard Orchestrator and can dramatically reduce the complexity of provisioning multicloud network policies in a consistent manner across multiple clouds and on-premises.

The following simple demo shows how easy it is to provision a multi-tier application where the frontend is deployed in AWS and the database is a virtual machine deployed in Azure, as shown in the topology in Figure 3. Based on the custom tag applied to the virtual machines, Cloud ACI automatically configures the right network policies, allowing, in this case, the frontend to expose HTTP service to the Internet and to connect to the database for MySQL service.

Figure 3. Topology of the Demo

In the demo shown in Figure 3, an Ansible Playbook deploys the network application templates to Cisco Nexus Dashboard Orchestrator. Virtual machines that will serve the application will then be deployed through a Terraform plan. Based on the tags configured on the virtual machines, Cloud ACI will attach Azure Application Security Groups and AWS Security Groups to allow only the selected inbound and outbound traffic. If necessary, cloud application load balancers or other network services can be controlled through Cisco Nexus Dashboard Orchestrator and Cisco Cloud APIC.
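The two points made above, that Cloud ACI acts as an object translator from ACI intent (EPGs, contracts, filters) to cloud-native objects, and that the demo's security groups are derived from VM tags rather than addresses, are easy to see in a small model. The following Python is an added illustration written for this page; it is not Cisco Cloud APIC or Nexus Dashboard Orchestrator code, and every class and function name (EPG, Contract, translate, attach, allowed) is an assumption of the model. It is simplified to ingress rules within a single cloud; the page's demo spans AWS and Azure, where a security-group reference cannot cross clouds and traffic rides the CSR1000v tunnels of Figure 2, which this model does not represent.

```python
"""Added illustration of intent-to-security-group translation (constructed model,
not Cloud APIC / NDO API objects). Names are assumptions made for this example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Filter:
    """One entry of a contract filter: protocol and destination port."""
    protocol: str
    port: int


@dataclass(frozen=True)
class EPG:
    """Endpoint group. Cloud endpoints are selected by a (key, value) tag;
    an external EPG is defined by a CIDR instead of a tag."""
    name: str
    tag: Optional[tuple] = None
    cidr: Optional[str] = None


@dataclass(frozen=True)
class Contract:
    """The consumer EPG may reach the provider EPG on the listed filters."""
    consumer: str
    provider: str
    filters: tuple


@dataclass(frozen=True)
class Endpoint:
    """A VM as the cloud sees it: a name, a cloud, and its tags (hashable pairs)."""
    name: str
    cloud: str
    tags: tuple


@dataclass(frozen=True)
class IngressRule:
    """Shape of an AWS security-group / Azure ASG-style inbound rule.
    `source` is a CIDR or a reference to another group, never a VM address."""
    group: str
    protocol: str
    port: int
    source: str


def group_for(epg_name):
    return f"sg-{epg_name}"


def translate(epgs, contracts):
    """Each contract filter becomes one inbound rule on the provider EPG's group.
    A tagged consumer becomes a group reference; an external consumer its CIDR."""
    by_name = {e.name: e for e in epgs}
    rules = []
    for c in contracts:
        consumer = by_name[c.consumer]
        source = consumer.cidr if consumer.cidr else f"group:{group_for(c.consumer)}"
        for f in c.filters:
            rules.append(IngressRule(group_for(c.provider), f.protocol, f.port, source))
    return rules


def attach(endpoints, epgs):
    """Tag-based classification: an endpoint joins the group of the first EPG
    whose selector matches; an endpoint matching no EPG gets no group (deny)."""
    out = {}
    for ep in endpoints:
        tags = dict(ep.tags)
        out[ep.name] = None
        for e in epgs:
            if e.tag and tags.get(e.tag[0]) == e.tag[1]:
                out[ep.name] = group_for(e.name)
                break
    return out


def allowed(rules, attachments, src, dst, protocol, port):
    """Evaluate a flow against the destination's inbound rules.
    `src` is an endpoint name or the literal 'internet' (matched as 0.0.0.0/0)."""
    dst_group = attachments.get(dst)
    if dst_group is None:
        return False
    if src == "internet":
        source = "0.0.0.0/0"
    else:
        src_group = attachments.get(src)
        if src_group is None:
            return False
        source = f"group:{src_group}"
    return any(r.group == dst_group and r.source == source
               and r.protocol == protocol and r.port == port for r in rules)


# Constructed intent mirroring the page's demo: Internet -> frontend on HTTP,
# frontend -> database on MySQL. Everything else is implicitly denied.
EPGS = (EPG("frontend", tag=("role", "frontend")),
        EPG("db", tag=("role", "db")),
        EPG("internet", cidr="0.0.0.0/0"))
CONTRACTS = (Contract("internet", "frontend", (Filter("tcp", 80),)),
             Contract("frontend", "db", (Filter("tcp", 3306),)))
# Constructed VMs; "untagged-1" carries no role tag and so lands in no group.
ENDPOINTS = (Endpoint("web-1", "aws", (("role", "frontend"),)),
             Endpoint("web-2", "aws", (("role", "frontend"),)),
             Endpoint("db-1", "azure", (("role", "db"),)),
             Endpoint("untagged-1", "aws", (("owner", "test"),)))


def build():
    """Run the translation on the constructed intent; returns (rules, attachments)."""
    return translate(EPGS, CONTRACTS), attach(ENDPOINTS, EPGS)


if __name__ == "__main__":
    rules, att = build()
    for r in rules:
        print(r)
    print(att)
```

The point to notice is that two contracts yield two rules regardless of how many frontend VMs exist: adding web-2 changes only the attachment map, because the database group's rule names the frontend group as its source rather than any VM's IP. The untagged VM, by contrast, reaches nothing and is reached by nothing, which is the default-deny behaviour a tag-driven policy should have.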


Enterprises using Cisco Cloud ACI today report that it’s exactly what they need to help them create consistent network policies in a multicloud environment.

Source: cisco.com

Saturday, 3 July 2021

Unlock business observability with AppDynamics enablement on Cisco Black Belt Academy


On March 22nd, 2017, Cisco completed its acquisition of AppDynamics with the goal of providing its customers holistic visibility and actionable insights across their entire domain. Fast forward to 2021: Cisco AppDynamics was again named a leader in Gartner’s Magic Quadrant for Application Performance Monitoring, for the 9th time in a row. Gartner recognized AppDynamics for its strength in business analytics, reinforced by Cisco’s broad portfolio of infrastructure software products. Meanwhile, Cisco also launched Intersight Workload Optimizer to further assure application performance from on-premises to cloud, and completed its acquisition of ThousandEyes to give customers an end-to-end view of the digital delivery of applications.

With that momentum, Cisco has shifted its business lens to “full-stack observability”: delivering business results while providing deep visibility into each core layer of the stack: application, infrastructure, network and security. In line with this, we at Black Belt Academy decided to move the AppDynamics learning modules out of the Data Center curriculum and launch an independent, standalone “AppDynamics Learning Hub”.

The Revamped “AppDynamics Pedagogy” on Cisco Black Belt Academy

The revised strategy for partner enablement on AppDynamics starts by equipping our partners with in-depth knowledge of the APM platform, beginning with the evolution of the business application and how they can help their customers manage modern applications. As they gain ground, we provide hands-on specialized labs to ensure they have the right skills to prepare an AppDynamics environment for a real customer scenario. Once they are well versed in the solution, we move on to “Full Stack Observability” and show how Intersight Workload Optimizer and ThousandEyes, together with AppDynamics, deliver complete application visibility. Finally, we introduce our partners to “Cross Architecture” concepts and the cloud, emphasizing how AppDynamics integrates with other architectures and with the top cloud service providers.

Fundamental Highlights:

◉ Elemental Knowledge: Articulate the values and key differentiators of AppDynamics and learn to identify customer pain points & business objectives whilst understanding on how to deliver a perfect pitch to your customers.

◉ AppDynamics Proficiency: Get an in-depth architectural overview of how AppDynamics collects Application performance metrics and Business Insights using light agents to achieve cross-stack and business observability.

◉ Business IQ: Learn how AppDynamics Business iQ delivers business performance monitoring and observability for every layer of your tech stack, so that you can work as one to prioritize what matters most.

◉ Pricing & Licensing: Comprehend the entire functioning of Pricing & Licensing for AppDynamics including both the Agent and Infrastructure based licenses.

◉ Sales Process: Learn about AppDynamics recipe for success and MEDDIC. Walk-through a step-by-step Sales Process of AppDynamics and how you can sell it effectively from all ends.

◉ Competitive intel: Deep Dive into AppDynamics competitive advantages over our top three competitors – Dynatrace, Datadog and New Relic.

◉ Demos: Get hands on a series of demos to showcase how to navigate and refine dashboards, investigate response times, and remove organizational boundaries to be more pro-active in your application monitoring.

◉ Specialized Hands on PoC/PoV Labs: Ensure that you have the right skills and capabilities to prepare an AppDynamics Environment to use in a real customer Proof of Value (PoV) with a personalized “hand hold” experience from the Cisco AppDynamics team.

◉ Full Stack Visibility: Learn how AppDynamics with IWO and ThousandEyes, provides observability for every layer of your customer’s tech stack, so that they can work as one to prioritize what matters most.

◉ Cross Architecture & Cloud Context: Delineate all new “Cisco Secure Application” and understand how AppDynamics correlate with Cisco UCCE and IoT. Also, deep dive into the AppD’s alliance with the topmost cloud service providers like AWS, Azure and GCP along with AppD’s rapport with Cisco’s Strategic Partners like SAP and ServiceNow.


With the dynamics of the application world changing rapidly, don’t wait any longer: get firsthand experience of how your customers can observe what matters and gain real-time insights to transform application performance with AppDynamics Application Performance Management and drive best-in-class business outcomes. With AppDynamics enablement on Cisco Black Belt Academy, you can walk into confident customer conversations and become an AppDynamics master in no time.

Source: cisco.com

Friday, 2 July 2021

Rural connectivity is the next digital opportunity


Connectivity to the internet is now critical: it empowers communities and businesses to connect from any location, forever changing our economy, our relationships, and our lives. The digitalization of society is rapidly accelerating, but unfortunately, not everyone can participate equally. In Ethiopia, for example, we’re working with WebSprix to bring high-speed broadband access to its population of 115 million, where fewer than 270,000 currently have fixed broadband access.

In the United States of America, roughly 14.5 million people still reside in areas without access to the current Federal Communications Commission (FCC) benchmark of 25Mbps for high-speed broadband internet. Rural communities are disproportionately affected when broadband access is expected to be ubiquitous. At Cisco, we believe everyone deserves the opportunity to connect and participate in online communities and economies, and only when everyone is connected can we capture the full potential of an inclusive future for all.

Any digital divide will exacerbate income inequalities and limit opportunities to participate in the larger community. We must empower Communication Service Providers (CSP) to support rural areas with improved services and bridge the digital divide for these underserved areas.

Managing core transport networks is no easy task for CSPs. The infrastructure must be able to carry existing wired and wireless traffic while being aware of application and service performance requirements. It also needs to support new applications like distance learning, IoT-enabled smart farming, green (solar/wind) energy production and management, and telemedicine, each with its own Quality of Service (QoS) requirements. To be successful, CSPs need to simplify their operations and optimize Capital Expenditures (CapEx) to the point where serving these rural areas can be justified and makes economic sense.

Scalability through access router innovation

Recent updates to our Converged Software-Defined Networking (SDN) Transport architecture allow network architectures to scale without the associated costs of inefficient designs and complex operations. Innovations for the best-selling NCS 540 and NCS 560 access routers provide tools to support rural areas and offer CSPs the following benefits:


◉ Configurations that support 80Gbps to 900Gbps of total bandwidth, with 25Gbps optimized solutions

◉ A single, modular network operating system (IOS XR) from the access router to the core router that supports Open APIs can reduce operational complexity

◉ Compact and powerful designs for deployment in space or power constrained locations and embedded safeguards for surge protection and capital investment protection

◉ Temperature hardened and conformal coated configurations for deployments in adverse environmental conditions

◉ Simplified network management and traffic control using Segment Routing and Ethernet Virtual Private Networking (EVPN) to enable network slicing and ensure service performance

◉ Model-driven APIs and streaming telemetry to automate network operations and reduce time managing the network

◉ Pay-As-You-Grow (PAYG) Flexible Consumption Model (FCM) to help CSPs better manage their CapEx/OpEx by only paying for needed bandwidth rather than idle capacity

Making rural investments easier to justify

The innovations built across the NCS 540 and NCS 560 product portfolio provide a foundation for a flexible and scalable network architecture that is ideally suited for rural communities. These routers are specifically designed to support the strict timing needs, ultra-low latency, and Common Public Radio Interface (CPRI), eCPRI, and Radio over Ethernet (RoE) options for mobile networks. This gives CSPs the flexibility to deploy Wi-Fi 6, public 5G, and/or private 5G service offerings in areas where last-mile access routes are more difficult to economically justify.

The NCS 540/560 helps support the convergence of service and network layers by supplying enhanced visibility and automation tools to improve network uptime and resiliency. For high availability, the NCS 560 operates as a fully redundant platform with support for 50ms In-Service Software Upgrade (ISSU). When serving rural communities where dispatching technicians is costly and time-consuming, CSPs must consider solutions that can be highly automated and minimize hands-on time. Automation tools like secure Zero Touch Provisioning (ZTP) can reduce operational costs by building consistency in both initial deployments and system updates, which reduces truck rolls to remediate human errors.

To further improve the economic justification in serving rural areas, the NCS 540/560 support 100G/200G/400G ZR/ZR+ optics, integral tools required for transmission over long distances without the need for additional optical equipment. For use cases where more than 10G is needed, the NCS 540/560 router configurations can support 25Gbps ports, and the NCS 540 also supports Bidirectional (BiDi) transceivers. Using different wavelengths for ingress and egress traffic in the same fiber strand, BiDi allows CSPs to optimize their existing and planned fiber investment, as well as the associated fiber ports and space.

Closing the digital divide

Closing the digital divide is a top agenda for many governments and organizations around the world. Cisco is excited to leverage its expertise and experience to help these organizations expand their networks to service unconnected and underserved areas.

Source: cisco.com

Thursday, 1 July 2021

TrustSec – 9800 vs 8540 Wireless LAN Controller deployment


To protect business-critical data, the network needs to be segmented, but traditional methods are complex. Cisco TrustSec provides a simple way to segment the network and apply policies uniformly across it.

More Info: 300-715: Implementing and Configuring Cisco Identity Services Engine (SISE)

Traditional network segmentation approaches use IP address-based access control lists (ACLs), VLAN segmentation, and firewall policies that require extensive manual maintenance. Every device in the network that needs to enforce security policy requires its own manual configuration, so any policy change means updating the ACLs on all of those devices consistently, which is error prone. With IoT and BYOD, the scale involved makes traditional ACLs very difficult to use.

A single, centralized security policy database is easier to maintain, and its policies can be enforced uniformly. This is where TrustSec becomes relevant. TrustSec provides an end-to-end secure network in which each entity is authenticated and trusted by its neighbors. Above all, it provides a consistent policy set across the network.

This blog provides an overview of how TrustSec as a solution is deployed on the 9800 and 8540 Wireless LAN Controllers. In addition, some key feature differentiators are highlighted.

Terminology

Security Group

Used for grouping users and endpoints that should have a similar access control policy.

Security Group Tag (SGT)

A unique security group number that is assigned to the security group.

TrustSec Capable Device

Devices that are capable of understanding SGTs (hardware- or software-based).

Protected Access Credential (PAC)

Shared credential used to mutually authenticate TrustSec-capable devices with ISE.

Environment (Env) Data

ISE provides environment data to a TrustSec-capable device. It consists of: server list, expiry/refresh timeout, and device SGT.

◉ Server list – The list of RADIUS servers that can be used for authentication and authorization.

◉ Expiry/Refresh timeout – Configurable timer on ISE that defines how often the device should refresh the environment data.

◉ Device SGT – This is the SGT assignment for the device.

Security Group Access Control List (SGACL)

Access permissions are granted based on SGT information.

As the number of sources and destinations increases, the ACL size can grow exponentially, making it difficult to maintain. In other words, it takes a lot of effort for an administrator to manually update ACLs across network devices. For example, here is a pictorial representation of how TrustSec as a solution can make things easy for an administrator.

Key components

There are three components within the TrustSec domain.

1. Classification: client classification at ingress by the centralized policy database (ISE), which assigns a unique S-SGT to the client based on client identity attributes.

2. Propagation: propagation of the IP-to-SGT binding to neighboring devices using SXPv4 or inline tagging.

3. Enforcement: SGACL download at the enforcement point for the (S-SGT, D-SGT) pair and enforcement of the policy.

Given below are some details about the TrustSec implementation on the 8540 and 9800 Wireless LAN Controllers.

Classification

Classification happens on ISE at ingress, and clients get their SGT based on client identity attributes. ISE therefore acts as the central policy manager that provides SGTs for the clients.

Propagation and Enforcement

There are two modes for SGT propagation:

SXPv4

SXP is a control protocol that propagates IP address to Security Group Tag (SGT) binding information across network devices. Using the SGT and SGACL information, the endpoint device (WLC or AP) can enforce traffic.

8540 Central switching

The controller can act ONLY as a speaker. This means that the SGT information of the wireless client is propagated to the enforcement point by the controller, but enforcement happens at the AP for traffic towards the client.

9800 Central switching

The controller can act in Listener, Speaker, or Both mode. In Listener mode, the controller can enforce traffic, whereas a controller in Both mode can enforce traffic as well as propagate SGT information to the enforcement point.

An important difference between the 8540 and 9800 controllers in a central switching deployment: on the 8540, enforcement happens on the AP, whereas on the 9800 enforcement happens on the WLC.

Local switching

The access point can act in Listener, Speaker, or Both mode. In Listener mode, the access point can enforce traffic; in Both mode it can enforce traffic and propagate SGT information to the enforcement point. This functionality is common to 8540 and 9800 deployments.

Inline tagging

Inline tagging involves tagging each packet egressing the controller by inserting a Cisco Meta Data (CMD) header.

For inbound packets (towards the client), the CMD header is stripped if present. The client's S-SGT is used to find the SGACL associated with (S-SGT, D-SGT) for enforcement.

8540 Central switching

The WLC performs inline tagging for all packets sourced from wireless clients that reside on the WLC by tagging them with the Cisco Meta Data (CMD) tag. For inbound packets (towards the client), the WLC strips the CMD header from the packet and pushes the SGT information to the AP for enforcement. Note that enforcement does not happen on the WLC.

9800 Central switching

The WLC performs inline tagging for all packets sourced from wireless clients. For inbound traffic (towards the client), the WLC strips the CMD header and learns the SGT information from the metadata header. The WLC then enforces the traffic using that SGT information.
 
Local switching

The AP performs inline tagging for all packets sourced from wireless clients that reside on the AP by tagging them with the Cisco Meta Data (CMD) tag. For inbound packets (towards the client), the AP strips the CMD header and acts as the enforcement point. This functionality is common to 8540 and 9800 deployments.

In a nutshell, propagation and enforcement happen on the WLC or the AP depending on the deployment method (central or Flex local switching) and the type of controller (9800 or 8540) deployed in the network.
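The three components described above, modelled end to end as an added example (not Cisco's code): classification binds an identity to an SGT, propagation learns IP-to-SGT bindings as an SXP listener (or reads the S-SGT from an inline CMD tag), and enforcement looks up the (S-SGT, D-SGT) cell of an SGACL matrix. The SGT numbers, bindings, and the deny-by-default matrix are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Classification result from ISE: identity attribute -> SGT (constructed values)
IDENTITY_TO_SGT: Dict[str, int] = {"employee": 10, "contractor": 20, "iot_camera": 30}

# SGACL matrix (constructed): (S-SGT, D-SGT) -> ordered ACEs of (action, proto, dport).
# A cell with no matching ACE, or a missing cell, falls through to the default action.
SGACL: Dict[Tuple[int, int], List[Tuple[str, str, Optional[int]]]] = {
    (10, 10): [("permit", "any", None)],
    (10, 30): [("permit", "tcp", 443), ("deny", "any", None)],
    (20, 30): [("deny", "any", None)],
}
DEFAULT_ACTION = "deny"   # assumed default for this model's matrix

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dport: Optional[int]
    cmd_sgt: Optional[int] = None   # S-SGT carried inline in a CMD header, if tagged

class EnforcementPoint:
    """A WLC (9800 central) or AP (8540 central / Flex local) that enforces SGACLs."""
    def __init__(self) -> None:
        self.bindings: Dict[str, int] = {}   # IP -> SGT, learned via SXP or classification

    def classify(self, ip: str, identity: str) -> int:
        """Ingress classification: ISE maps the identity to an SGT and binds it to the IP."""
        sgt = IDENTITY_TO_SGT[identity]
        self.bindings[ip] = sgt
        return sgt

    def sxp_learn(self, ip: str, sgt: int) -> None:
        """Listener role: accept an IP-to-SGT binding propagated by an SXP speaker."""
        self.bindings[ip] = sgt

    def enforce(self, pkt: Packet) -> str:
        """Look up the (S-SGT, D-SGT) cell and return the first matching ACE's action."""
        # An inline CMD tag identifies the source directly; otherwise use the SXP bindings.
        s_sgt = pkt.cmd_sgt if pkt.cmd_sgt is not None else self.bindings.get(pkt.src_ip)
        d_sgt = self.bindings.get(pkt.dst_ip)
        if s_sgt is None or d_sgt is None:
            return DEFAULT_ACTION          # no binding: no cell can match, apply the default
        for action, proto, dport in SGACL.get((s_sgt, d_sgt), []):
            if proto in ("any", pkt.proto) and dport in (None, pkt.dport):
                return action
        return DEFAULT_ACTION
```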

TrustSec – Key feature comparison

Source: cisco.com