Securing End-to-End from Campus and Branch to Cloud with Catalyst 9000 (PDF, 142 pages). Shared by a member on 三个皮匠报告, where the full document can be read online.
#CiscoLive
BRKENS-3094
Securing End-to-End from Campus and Branch to Cloud with Catalyst 9000
Meghan Kachhi and Raj Kumar Goli, Technical Marketing Engineers
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

About Us

Meghan Kachhi, Technical Marketing Engineer
I work as a Technical Marketing Engineer for the Enterprise Networking team, focused on switch/router performance, feature-level and solution-level testing of Tier 1 and Tier 2 networking vendors, and comparing primarily against Cisco's Catalyst 9000 switching portfolio, Catalyst SD-WAN and the DNA Center solution. In free time, I involve myself in learning about the latest technologies and cloud platforms and understanding how our life is intrinsically and intricately intertwined with all these. Things I do for fun: play PS5 games, read books, binge-watch anything interesting (or not!), go for a hike, etc.

Raj Kumar Goli, Technical Marketing Engineer
I work as a Technical Marketing Engineer focusing on Catalyst 9000 switching platforms and Enterprise Campus Architectures. I primarily focus on Fabric Solutions like BGP-EVPN & MPLS, Security Solutions like IPsec, WAN MACsec & Cloud Security, and Time Sensitive Solutions
like Precision Time Protocol and Audio Video Bridging. In free time, I go on trails in and around the Bay Area with my kids, and spend time catching up on the latest technology. What do I do for fun: play tennis, travel, read books.

Questions? Use the Cisco Webex App to chat with the speaker after the session: find this session in the Cisco Live Mobile App, click "Join the Discussion", install the Webex App or go directly to the Webex space, and enter messages/questions there. Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
- Securing Infrastructure with Cisco Trustworthy Solutions
- Securing Endpoints with native connectors (Cisco Secure Cloud Analytics, i.e. Stealthwatch; Cisco Umbrella; Stateful Inspection)
- Auto-profiling and securing endpoints using Endpoint Analytics and Trust Analytics
- Securing Transport with MACsec and IPsec (Site-to-Site, Site-to-Cloud)
Catalyst 9000 is the bridge to secure end-to-end communication.

Key Zero Trust Strengths
Cisco Secure Platform, delivering a Zero Trust platform across Campus, Data Center, Cloud and Edge, with an Open API and Developer Framework:
- User & Device Security; Cloud & Network Security; Application & Data Security
- Cisco Talos Threat Intelligence & Response: threat research, incident response services
- Detection & Response: observability, prioritization, investigation, orchestration, automation
- Advanced Services: design, deploy, optimize
- Establish Trust: visibility and contextual awareness for making trust-level decisions across both IT and OT
- Enforce Trust-Based Access: consistent, unified policy-based verification of people, apps and machines
- Continuously Verify Trust: continuous trust adaptation based on changing risk
- Respond to Change in Trust: automated response across network, devices and applications to spring back faster

Typical Enterprise or Campus
[Topology figure: Core, Distribution and Edge layers with 10/25/40/100G links; Private WAN, Internet and Data Center (HA); Branches; Smart Building, Time Sensitive Networking and Bonjour Services; endpoints including light fixtures, USB-C dongles, Fiber to the Desktop (FTTX), servers and desktops, Wi-Fi 6 APs and TVs]
[The topology figure is repeated on the next slides to introduce the two personas.]
John Doe, Network Admin.
Blade Hacks, the attacker: "I want to hack the Cisco San Jose Campus! *evil laugh*"
John Doe vs. Blade Hacks

Securing Infrastructure with Cisco Trustworthy Solutions

Blade Hacks: "Let's start by hacking the infrastructure, the Catalyst 9000 Hardware and
Software."

Where and How "Blade Hacks" can attack: why there is a need for Trustworthy Systems
Where can an attack happen?
- Supply chain attack
- HW tampering attack
- BIOS/ROMMON attack
- SW binary attack
- Runtime attack
How can an attack happen?
- Infection method: exploited vulnerability; compromised credentials; physical access to the device or its images
- Result: in-memory modifications; modified OS binaries; ROMMON changes; malware installed; boot loader corrupted

What are key Trustworthy Technologies (TT)?
TT provide foundational security at the system infrastructure level, starting with the hardware and going up to the software, from boot time to runtime. TT are built for today's threats and provide foundational security building blocks that can be integrated into Cisco product platforms.
Catalyst 9000 Series Switches
Foundational Security

Trustworthy Technologies Protection Scope
Attack type -> stage it targets -> counter it with:
- Supply chain attacks and HW tampering attacks -> manufacturing / hardware -> Trust Anchor module with SUDI
- BIOS/ROMMON attacks -> BIOS/ROMMON -> Secure Boot
- SW binary attacks -> software image -> Image Signing
- Runtime attacks -> system booted -> Runtime Defenses

How Trustworthy Technologies protect against Blade Hacks's attacks
Attack -> protect with Cisco Trustworthy Solutions:
- Compromised software and boot code -> Image Signing & Secure Boot: the boot code and open IOS-XE are authentic and unmodified
- Attacks against the running software -> Runtime Defenses: protect the running OS and mitigate exploitation of vulnerabilities
- Unauthorized command line access -> SSH two-factor X.509v3 authentication: eliminates passwords and protects the configuration
- Counterfeit hardware -> Secure Device ID & Trust Anchor: built-in hardware identity root of trust, HW is Cisco, secure PnP

Secure Platform with Trustworthy Technologies (boot chain)
Step 1: The first instructions run on the CPU are stored in tamper-resistant hardware (the Hardware Anchor holding the Microloader).
Step 2: Microloader checks the Bootloader.
Step 3: Bootloader checks the OS.
Step 4: OS launched.
Step 5: Authenticity and license checks.
Step 6: Trust Anchor module (TAm) provides critical services to the OS.
The chain provides confidentiality, integrity and authenticity.

What's making it work? Secure Hardware Development
- Secure PnP
- Anti-Counterfeit Phase 2 (ACT2)
- Secure Storage
- Secure UDI
- HW Entropy
- Data at Rest Encryption
- Boot Code Hardening

Secure Boot Verification during boot up
    Initializing Hardware...
    System integrity status: 00000610
    Rom image verified correctly
    System Bootstrap, Version 15.4(3r)S, RELEASE SOFTWARE (fc1)
    Copyright (c) 1994-2014 by cisco Systems, Inc.
    #
    Boot image size = 425853700 (0x19620304) bytes
    Package header rev 1 structure detected
    Calculating SHA-1 hash... done
    validate_package: SHA-1 hash:
            calculated 334207fa:464503d3:2e7abd5f:160919d0:b425523b
            expected   334207fa:464503d3:2e7abd5f:160919d0:b425523b
    RSA Signed RELEASE Image Signature Verification Successful.
    Package Load Test Latency : 6511 msec
    Image validated
Callouts on the slide: "Rom image verified correctly" is the ROMMON secure boot verification; the SHA-1 hash comparison and the RSA signature check are the IOS secure boot verification. The Microloader does not display its own verification; if that verification fails, the box does not boot at all.

Secure Boot Verification after bootup
    Cat9k# show software authenticity running
    (other packages not displayed)
    PACKAGE
    -----------------------
    Image type                    : Production
      Signer Information
        Common Name               : CiscoSystems
        Organization Unit         : IOS-XE
        Organization Name         : CiscoSystems
        Certificate Serial Number : 54F33A2E
        Hash Algorithm            : SHA512
        Signature Algorithm       : 2048-bit RSA
        Key Version               : A
      Verifier Information
        Verifier Name             : mono
        Verifier Version          :
    SYSTEM IMAGE
    -----------------------
    Image type                    : Production
      Signer Information
        Common Name               : CiscoSystems
        Organization Unit         : IOS-XE
        Organization Name         : CiscoSystems
        Certificate Serial Number : 54F33B36
        Hash Algorithm            : SHA512
        Signature Algorithm       : 2048-bit RSA
        Key Version               : A
      Verifier Information
        Verifier Name             : ROMMON
        Verifier Version          : System Bootstrap, Version
    ROMMON
    -----------------------
    Image type                    : Production
      Signer Information
        Common Name               : CiscoSystems
        Organization Unit         : IOS-XE
        Organization Name         : CiscoSystems
        Certificate Serial Number : 53A3B3D2
        Hash Algorithm            : SHA512
        Signature Algorithm       : 2048-bit RSA
        Key Version               : A
      Verifier Information
        Verifier Name             : ROMMON
        Verifier Version          : System Bootstrap, Version
    Microloader
    -----------------------
    Image type                    : Release
      Signer Information
        Common Name               : CiscoSystems
        Organization Name         : CiscoSystems
        Certificate Serial Number : f01632135f43ae4bc1c4ca63a289b727
        Hash Algorithm            : HMAC-SHA256
      Verifier Information
        Verifier Name             : Hardware Anchor
        Verifier Version          : F01023R12.1817bb4af2014-05-23
Reading the output: each stage names the stage that verified it. The Microloader is verified by the Hardware Anchor using HMAC-SHA256; ROMMON and the system image are verified by ROMMON against 2048-bit RSA signatures over SHA-512; the package is verified by "mono". An image type other than Production (or Release for the Microloader), a signer other than CiscoSystems, or an unexpected verifier is the thing to look for.
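As an added check (not part of the Cisco Live deck), the following Python parses the two artefacts above, the boot-time log and `show software authenticity running`, and flags what a practitioner would not expect on a production Catalyst 9000: a calculated SHA-1 that differs from the expected one, a missing RSA signature success line, or a stage whose image type, signer, hash algorithm, RSA key size or verifier deviates from the values on the slide. The sample text is constructed from the fields shown on the slides (the PACKAGE and ROMMON sections are left out to keep it short, and real CLI spacing may differ), and the expectations table is this example's, not Cisco's.

```python
import re

# Constructed from the slide's boot log (real spacing may differ).
BOOT_LOG = """\
Initializing Hardware...
System integrity status: 00000610
Rom image verified correctly
System Bootstrap, Version 15.4(3r)S, RELEASE SOFTWARE (fc1)
Calculating SHA-1 hash...done
validate_package: SHA-1 hash:
        calculated 334207fa:464503d3:2e7abd5f:160919d0:b425523b
        expected   334207fa:464503d3:2e7abd5f:160919d0:b425523b
RSA Signed RELEASE Image Signature Verification Successful.
Image validated
"""

# Constructed from the slide's `show software authenticity running`;
# PACKAGE and ROMMON sections omitted to keep the sample short.
SHOW_AUTHENTICITY = """\
SYSTEM IMAGE
-----------------------
Image type                    : Production
        Common Name           : CiscoSystems
        Hash Algorithm        : SHA512
        Signature Algorithm   : 2048-bit RSA
        Verifier Name         : ROMMON
Microloader
-----------------------
Image type                    : Release
        Common Name           : CiscoSystems
        Hash Algorithm        : HMAC-SHA256
        Verifier Name         : Hardware Anchor
"""

# This example's expectations per stage, taken from the slide:
# (allowed image types, allowed hash algorithms, expected verifier).
EXPECTED = {
    "SYSTEM IMAGE": ({"Production"}, {"SHA512"}, "ROMMON"),
    "Microloader": ({"Release"}, {"HMAC-SHA256"}, "Hardware Anchor"),
}


def check_boot_log(text):
    """Return findings for the boot-time log (empty list means clean)."""
    findings = []
    calc = re.search(r"calculated\s+([0-9a-f:]+)", text)
    exp = re.search(r"expected\s+([0-9a-f:]+)", text)
    if not (calc and exp):
        findings.append("boot log: no calculated/expected SHA-1 pair found")
    elif calc.group(1) != exp.group(1):
        findings.append("boot log: image hash mismatch (calculated != expected)")
    if "Rom image verified correctly" not in text:
        findings.append("boot log: ROMMON image not reported as verified")
    if "Signature Verification Successful" not in text:
        findings.append("boot log: no successful RSA signature verification")
    return findings


def parse_authenticity(text):
    """Split show output into {stage: {field: value}} on the dashed separators."""
    lines = text.splitlines()
    sections, current = {}, None
    for i, raw in enumerate(lines):
        line = raw.strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line and ":" not in line and nxt.startswith("---"):
            current = line                      # a stage header precedes a dashed line
            sections[current] = {}
        elif ":" in line and current is not None:
            key, _, value = line.partition(":")
            sections[current][key.strip()] = value.strip()
    return sections


def check_authenticity(sections):
    """Compare each boot stage against EXPECTED; return findings."""
    findings = []
    for stage, (types, hashes, verifier) in EXPECTED.items():
        f = sections.get(stage)
        if f is None:
            findings.append(f"{stage}: stage missing from output")
            continue
        if f.get("Image type") not in types:
            findings.append(f"{stage}: unexpected image type {f.get('Image type')!r}")
        if f.get("Common Name") != "CiscoSystems":
            findings.append(f"{stage}: unexpected signer {f.get('Common Name')!r}")
        if f.get("Hash Algorithm") not in hashes:
            findings.append(f"{stage}: unexpected hash algorithm {f.get('Hash Algorithm')!r}")
        sig = f.get("Signature Algorithm")
        m = re.fullmatch(r"(\d+)-bit RSA", sig or "")
        if sig is not None and (not m or int(m.group(1)) < 2048):
            findings.append(f"{stage}: weak or unknown signature algorithm {sig!r}")
        if f.get("Verifier Name") != verifier:
            findings.append(f"{stage}: verified by {f.get('Verifier Name')!r}, expected {verifier!r}")
    return findings


def audit(boot_log=BOOT_LOG, show_output=SHOW_AUTHENTICITY):
    """Run both checks; an empty list means the evidence matches expectations."""
    return check_boot_log(boot_log) + check_authenticity(parse_authenticity(show_output))
```

Running `audit()` on the constructed samples returns an empty list; feeding it a capture where the expected hash, the image type, the RSA key size or the verifier has been altered returns one finding per deviation, which is the form in which this check can be wired into a boot-integrity job that collects the real output over SSH.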
Trustworthy Technologies for Enterprise Networking
- Image Signing: creates a unique digital signature for a block of code. Signed images may be checked at runtime to verify that software has not been modified.
- Boot Integrity Visibility: allows platform identity and software integrity information to be visible and actionable. Admins can verify whether the platform has booted with trusted code.
- Runtime Defenses: built-in operating system features that protect against malware being injected into running code.
- Hardware-Anchored Secure Boot: helps verify that code is authentic and unmodified. Anchors the microloader in immutable hardware, establishing a root of trust and preventing Cisco devices from executing tainted software.
- Trust Anchor Module (TAm): a tamper-resistant chip featuring nonvolatile secure storage, SUDI, and crypto services including RNG, key store and crypto engine.
- Hardware Authenticity Check: uses an X.509 SUDI certificate to verify hardware authenticity. Runs only after the secure boot process has completed and software has been verified to be trusted.
- Modern Cryptography: provides secure, up-to-date encryption so that encrypted data communications in transit and at rest remain confidential.
- Simplified Factory Reset: one command to reset the device to factory-original settings, to protect sensitive corporate data when the device is out of direct control.
- Secure Development Lifecycle (SDL): a repeatable, measurable process designed to reduce vulnerabilities and enhance the security and resilience of Cisco solutions.
- SUDI for Cisco Plug & Play: the Secure Unique Device Identifier (SUDI) is an X.509 certificate that provides factory-installed device identity. It prevents spoofing and MITM attacks and enables remote on-boarding of devices.

Catalyst 9000 Built with Trustworthy Solutions
Feature support across Catalyst 9600, 9500, 9400, 9300 and 9200: Image Signing; HW-Anchored Secure Boot; Trust Anchor Module; HW Authenticity Assurance; Boot Integrity Visibility; Runtime Defenses; Simplified Factory Reset; Secure Storage; Secure Guest Shell; BIOS Protection; SUDI authentication for Cisco Plug and Play. [The per-platform check marks of this matrix did not survive extraction.]

ACT2 TAM functionality is split into four areas:
- Identity: during product manufacturing, a product's ACT2 chip is filled with a Cisco Secure Unique Device Identity (SUDI) in the form of an X.509v3 ECDSA or RSA certificate (or both), along with the associated keypair(s) and certificate chain(s). SUDI is the basis for Cisco's hardware anti-counterfeit check and is also used for establishing initial network identity.
- Entropy: the ACT2 contains a NIST SP 800-90B compliant entropy source that is ideal for seeding host-based pseudo-random number generators.
- Key Management: the ACT2 can generate symmetric keys and ECC and RSA asymmetric keypairs. The symmetric keys and the private portion of the keypairs are never released from the chip; access to the protected keys is through crypto APIs. Certificates can be enrolled for a keypair generated by the ACT2.
- Secure Storage: ACT2 can store about 50 Kbytes of host data in a physically tamper-protected manner. This is an ideal location for sensitive data such as licenses and secret data such as credentials.

The SUDI certificate as seen on the device (the slide's sample is from an ISR4451-X, as the PID in the subject shows):
    Switch# show crypto pki certificates
    Certificate
      Status: Available
      Certificate Serial Number (hex): 00F42F
      Certificate Usage: General Purpose
      Issuer:
        cn=ACT2 SUDI CA
        o=Cisco
      Subject:
        Name: cat9300
        Serial Number: PID:ISR4451-X/K9 SN:FOC16491MW3
        cn=ISR4451-X/K9
        ou=ACT-2 Lite SUDI
        o=Cisco
        serialNumber=PID:ISR4451-X/K9 SN:FOC16491MW3
      Validity Date:
        start date: 01:12:14 UTC Dec 20 2012
        end   date: 01:12:14 UTC Dec 20 2022
      Associated Trustpoints: CISCO_IDEVID_SUDI

How ACT2 Data is Accessed?
Application -> TAM Client
-> Platform IPC -> TAM Services
Secure Unique Device Identifier (SUDI)
- Currently deployed in the TAM for immutable device identity
- Connections with the device can be authenticated by the SUDI credential
- Binds the hardware identity (PID and serial number, assigned during manufacturing) to a key pair in a cryptographically secure X.509 certificate
- Certificate dates are not used when the SUDI is validated (the sample certificate above has already passed its end date)

What's making it work? Secure Boot
- Cisco Secure Boot IP Core integrated into the FPGA
- The CPU now boots from the Microloader stored within the Cisco Secure Boot IP Core FPGA
- Bootloader images are signed so they can be validated by Cisco Secure Boot

CPU-Based Secure Boot (Catalyst 2960-X and some Catalyst 4500 models)
- The CPU boots from internal masked boot ROM code
- Bootloader images are signed and validated against signatures stored in the CPU at manufacturing

So, what's the score between John Doe and Blade Hacks?
[Topology figure repeated]
John Doe: "I have secured my infrastructure leveraging
Catalyst 9000 Trustworthy Systems." Score: John Doe 1, Blade Hacks 0.

Securing Endpoints with native connectors

[Topology figure repeated]
Blade Hacks: "What if the infrastructure is secure?! I can easily make users/devices access malicious sites or steal their credentials."

How Blade Hacks can attack an endpoint user
Attack persona:
- Unskilled employee with privileged access
- Victimized employee (compromised credentials)
- Angry employee (malicious insider)
Attack flow (lateral movement and data exfiltration):
- User opens an email with malicious content. Based on that, the attacker has stolen privileges and starts to download data from the financial database at intermittent intervals.
- What to look for: access from unusual places (the typical pattern is Las Vegas as the entry point, then all of a sudden there is access from a location in Asia); unusual servers that the user logs in from; unusual traffic encryption from those computers.

Securing Endpoints with the Secure Cloud Analytics connector
Secure Cloud Analytics: See it ALL!
- Capture enhanced NetFlow for encrypted traffic analysis from Cisco ASR, ISR and Catalyst 9000 platforms
- A trace of every conversation
- Agentless information collection
- Remote worker endpoint data collection
- Cloud telemetry ingest
- East-west and north-south visibility
- Light metadata collection using the existing infrastructure

Secure Cloud Analytics Sensor on C9K: add advanced cloud security to your network
[Figure: endpoints -> embedded sensor on Cisco Catalyst 9200 and 9300 Series Switches (IOS-XE 17.5.1) -> Secure Cloud Analytics (predictive threat analytics for the hybrid environment: visibility, detection, investigation and response), with Cisco ISE CoA for enforcement]
Available on Cisco Catalyst 9200 and 9300 Switches from IOS-XE 17.5.1.

Benefits of Native Connectors
- Protects the data by sending it encrypted
- Consumes less WAN bandwidth (compressed FNF records)
- Simplified FNF configuration
- No need for additional probes in the network (inbuilt FNF collector)

Data Format for Upload (9-tuple flow data)
- Packet match: source IPv4/IPv6 address, destination IPv4/IPv6 address, L4 source port, L4 destination port, IP protocol number
- Flow collection: start of flow, end of flow, packets per flow, bytes per flow
- CSV file content: Start (the start time for this flow in Unix epoch), End (the end time for this flow in Unix epoch), Packets (the number of packets transmitted), Bytes (the number of bytes transmitted)
- CSV files are uploaded every 1 minute, contain IPv4 and IPv6 flows, are stored locally on flash (/tmp folder) before upload, and are compressed to reduce bandwidth consumption

Secure Cloud Analytics (StealthWatch Cloud) Sensor Configuration
1. Fetch/provision the public key/certificates for encryption
2. Register the Secure Cloud Analytics monitor with the service key
3. Configure the NetFlow record, exporter and monitor
4. Verify NetFlow traffic on the Secure Cloud Analytics portal
FOR YOUR REFERENCE: detailed configuration steps can be found in the hidden slides after this.

End-to-end visibility infrastructure: NetFlow export is available across the Cisco portfolio
(A non-exhaustive list of Cisco exporters. For individual platform features, reference the Cisco Feature Navigator: http:/ )
- Switch: Catalyst 9200 (v9/IPFIX); Catalyst 9300/9400 (v9/IPFIX ETA); Catalyst 9500 (v9/IPFIX); Catalyst 9600 (v9/IPFIX); Catalyst 2960-X (v9/IPFIX); Catalyst 3650/3850 (v9/IPFIX); Catalyst 4500E (v9/IPFIX); Catalyst 6500E (v9/IPFIX); Catalyst 6800 (v9/IPFIX); IE3000 (v9/IPFIX); IE4000 (v9/IPFIX); IE5000 (v9/IPFIX)
- Router: Cisco ISR 4000 (v9/IPFIX ETA); Cisco CSR 1000v (v9/IPFIX ETA); Cisco ASR 1000 (v9/IPFIX ETA); Cisco ASR 9000 (v9/IPFIX); Cisco WLC 5520, 8510, 8540 (v9 Enhanced); Catalyst 9800 (v9/IPFIX ETA)
- Firewall: ASA 5500-X (NSEL); FTD (NSEL, Syslog); Meraki MX/Z (v9 Enhanced, v14.5)
- Data center switch: Nexus 1000v (v9/IPFIX); Nexus 3000 (sFlow); Nexus 7000 M Series modules (v9/IPFIX); Nexus 7000 F Series modules (v9/IPFIX sampled); Nexus 9000 Series (sFlow); Nexus 9000 Series EX/FX (v9)
- Server and user: Flow Sensor (v9/IPFIX ETA); Cisco UCS VIC (v9/IPFIX); Identity Services Engine
- Cloud: AWS (VPC Flow Logs via CTB)
- Endpoint: AnyConnect (IPFIX)
Stealthwatch Cloud Connector Config
Step 1: define the source IP for communication with StealthWatch Cloud (SWC), and create a trustpoint to store the certificate for SSL communication with SWC.
    ip http client source-interface <interface>    (optional)
    crypto pki trustpoint SWC
     revocation-check none
     enrollment terminal
    crypto pki authenticate SWC
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself
    % Do you accept this certificate? [yes/no]: yes
    Trustpoint CA certificate accepted.
    % Certificate successfully imported
Note: two certificates are needed, one to register and one to upload data. Create two trustpoints.

How to get the public keys from StealthWatch Cloud?
    % openssl s_client -connect <host>:443 -showcerts
    CONNECTED(00000006)
    depth=2 C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2
    verify return:1
    depth=1 C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL CA G3
    verify return:1
    depth=0 C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., CN=
    verify return:1

Certificate Installation Steps
1. Configuring a certificate for Registration
    NewQuake# conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    NewQuake(config)# crypto pki trustpoint StealthWatch1
    NewQuake(ca-trustpoint)# revocation-check none
    NewQuake(ca-trustpoint)# enrollment terminal
    NewQuake(ca-trustpoint)# exit
    NewQuake(config)# exit
    NewQuake# conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    NewQuake(config)# crypto pki authenticate StealthWatch1
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    MIIEdTCCA12gAwIBAgIJAKcOSkw0grd/MA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
    BAYTAlVTMSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTIw
    MAYDVQQLEylTdGFyZmllbGQgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
    eTAeFw0wOTA5MDIwMDAwMDBaFw0zNDA2MjgxNzM5MTZaMIGYMQswCQYDVQQGEwJV
    UzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTElMCMGA1UE
    ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjE7MDkGA1UEAxMyU3RhcmZp
    ZWxkIFNlcnZpY2VzIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
    MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVDDrEKvlO4vW+GZdfjohTsR8/
    y8+fIBNtKTrID30892t2OGPZNmCom15cAICyL1l/9of5JUOG52kbUpqQ4XHj2C0N
    Tm/2yEnZtvMaVq4rtnQU68/7JuMauh2WLmo7WJSJR1b/JaCTcFOD2oR0FMNnngRo
    Ot+OQFodSk7PQ5E751bWAHDLUu57fa4657wx+UX2wmDPE1kCK4DMNEffud6QZW0C
    zyyRpqbn3oUYSXxmTqM6bam17jQuug0DuDPfR+uxa40l2ZvOgdFFRjKWcIfeAg5J
    Q4W2bHO7ZOphQazJ1FTfhy/HIrImzJ9ZVGif/L4qL8RVHHVAYBeFAlU5i38FAgMB
    AAGjgfAwge0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0O
    BBYEFJxfAN+qAdcwKziIorhtSpzyEZGDMB8GA1UdIwQYMBaAFL9ft9HO3R+G9FtV
    rNzXEMIOqYjnME8GCCsGAQUFBwEBBEMwQTAcBggrBgEFBQcwAYYQaHR0cDovL28u
    c3MyLnVzLzAhBggrBgEFBQcwAoYVaHR0cDovL3guc3MyLnVzL3guY2VyMCYGA1Ud
    HwQfMB0wG6AZoBeGFWh0dHA6Ly9zLnNzMi51cy9yLmNybDARBgNVHSAECjAIMAYG
    BFUdIAAwDQYJKoZIhvcNAQELBQADggEBACMd44pXyn3pF3lM8R5V/cxTbj5HD9/G
    VfKyBDbtgB9TxF00KGu+x1X8Z+rLP3+QsjPNG1gQggL4+C/1E2DUBc7xgQjB3ad1
    l08YuW3e95ORCLp+QCztweq7dp4zBncdDQh/U90bZKuCJ/Fp1U1ervShw3WnWEQt
    8jxwmKy6abaVd38PMV4s/KCHOkdp8Hlf9BRUpJVeEXgSYCfOn8J3/yNTd126/+pZ
    59vPr5KW7ySaNRB6nJHGDn2Z9j8Z3/VyVOEVqQdZe4O/Ui5GjLIAZHYcSNPYeehu
    VsyuLAOQ1xk4meTKCRlb/weWsKh/NEnfVqn3sF/tM+2MR7cwA130A4w=
    -----END CERTIFICATE-----
Notes: install every certificate as an individual trustpoint. The switch will automatically pick the public key it needs to use.

Step 2: Register StealthWatch Cloud with the key (get the service key and set the name that will appear in SWC)
    stealthwatch-cloud-monitor
     service-key ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx
     sensor-name my_sensor
     url https:/
Syslogs for sensor registration (a successful registration message is received on success; in the SWC portal go to "Settings" > "Sensors"):
    *Dec 13 10:11:01.208: %SWC-6-SENSOR_REG_SUCCESS: Sensor registration for new-sensor is successful!
    *Dec 13 08:08:20.190: %SWC-3-SENSOR_REG_FAILURE: Sensor registration for new-sensor failed!

Step 3: Flow Exporter Config on Switch (define the standard record for records to export)
    flow record SWCRec
     description swc flow
     match ipv4 source address
     match ipv4 destination address
     match transport source-port
     match transport destination-port
     match ipv4 protocol
     collect counter bytes long
     collect counter packets long
     collect timestamp absolute first
     collect timestamp absolute last
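To make the record definition concrete, here is an added example (not Cisco's sensor code) of the flow cache that the `match`/`collect` lines describe: flows are keyed on the five `match` fields (IPv4 source and destination address, transport source and destination port, IP protocol) and accumulate the `collect` fields (byte and packet counters, first and last absolute timestamps); idle flows are then ended and written out as the 9-tuple CSV described on the Data Format slide and compressed for upload. The packet samples, the CSV column names, the gzip choice and the 60-second inactive timeout are constructed for this example; the sensor's real column order, compression and timers are not given on the slides.

```python
import csv
import gzip
import io
from dataclasses import dataclass

# Column order is this example's choice; it carries the slide's 9-tuple.
CSV_COLUMNS = ["src_ip", "dst_ip", "src_port", "dst_port", "protocol",
               "start", "end", "packets", "bytes"]
T0 = 1_700_000_000  # constructed base timestamp (Unix epoch seconds)


@dataclass
class FlowEntry:
    start: int        # collect timestamp absolute first
    end: int          # collect timestamp absolute last
    packets: int = 0  # collect counter packets long
    bytes: int = 0    # collect counter bytes long


class FlowCache:
    """Unidirectional flow cache keyed on the record's five match fields."""

    def __init__(self, inactive_timeout=60):
        self.inactive_timeout = inactive_timeout
        self.active = {}
        self.expired = []

    def observe(self, src_ip, dst_ip, src_port, dst_port, proto, ts, length):
        key = (src_ip, dst_ip, src_port, dst_port, proto)
        entry = self.active.get(key)
        if entry is None:
            entry = self.active[key] = FlowEntry(start=ts, end=ts)
        entry.end = max(entry.end, ts)
        entry.packets += 1
        entry.bytes += length

    def age(self, now):
        """End flows idle for the inactive timeout; they become export candidates."""
        idle = [k for k, e in self.active.items() if now - e.end >= self.inactive_timeout]
        for key in idle:
            self.expired.append((key, self.active.pop(key)))

    def export_rows(self):
        """Drain ended flows as dicts in CSV_COLUMNS order, oldest first."""
        rows = []
        for (s, d, sp, dp, pr), e in sorted(self.expired, key=lambda kv: (kv[1].start, kv[0])):
            rows.append(dict(zip(CSV_COLUMNS, [s, d, sp, dp, pr, e.start, e.end, e.packets, e.bytes])))
        self.expired.clear()
        return rows


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def compress_for_upload(csv_text):
    """The slide says uploads are compressed; gzip is this example's choice."""
    return gzip.compress(csv_text.encode("utf-8"))


# Constructed packets: (src_ip, dst_ip, src_port, dst_port, proto, ts, bytes).
SAMPLE_PACKETS = [
    ("10.1.8.3", "172.168.134.2", 47321, 443, 6, T0, 74),        # TLS client hello
    ("172.168.134.2", "10.1.8.3", 443, 47321, 6, T0 + 1, 74),    # reverse direction
    ("10.1.8.3", "172.168.134.2", 47321, 443, 6, T0 + 1, 1460),
    ("172.168.134.2", "10.1.8.3", 443, 47321, 6, T0 + 3, 1200),
    ("10.1.8.3", "172.168.134.2", 47321, 443, 6, T0 + 2, 60),
    ("10.1.8.3", "10.1.1.1", 53012, 53, 17, T0, 70),             # one DNS query
]


def run_sample():
    """Feed the constructed packets through the cache and return export rows."""
    cache = FlowCache(inactive_timeout=60)
    for pkt in SAMPLE_PACKETS:
        cache.observe(*pkt)
    cache.age(now=T0 + 100)   # all three flows have been idle for more than 60 s
    return cache.export_rows()
```

`run_sample()` yields three rows: the DNS query, the client-to-server half of the TLS connection (3 packets, 1594 bytes, start T0, end T0+2) and the server-to-client half. A packet that arrives after a flow has been aged out starts a new flow with a fresh start timestamp, which is what "End of Flow" on the Data Format slide means for the collector.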
95、r its affiliates.All rights reserved.Cisco Public#CiscoLiveCheck on Stealthwatch dashboard Sensor4Check on Stealth Watch Portal for Records being exported“Settings”“Sensors”4Heartbeat is GreenData has started to be ReceivedBRKENS-309444 2023 Cisco and/or its affiliates.All rights reserved.Cisco Publ
96、ic#CiscoLiveStealthwatch Cloud Connector Show45BRKENS-3094Show CLIsShow CLIs1.show stealthwatch-cloud detail2.show platform software object-manager sw ac RP active object-type-count|inc SWC3.show platform software fed switch active swc statisticsclear platform software fed switch active swc statisti
97、cs4.show platform software fed switch active swc connectionclear platform software fed switch active swc connectionDebugs for the entire flow(HTTPS transaction flow)Debugs for the entire flow(HTTPS transaction flow)debug stealthwatch-cloud all debug ip http client all debug ip http all debug ip tcp
98、transactions debug ssl openssl msg 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveDEMO TIME!46BRKENS-3094 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveModernized response management moduleRules:A set of one or multiple nested condition types
99、that define when one or multiple response actions should be triggeredActions:Response actions that are associated with specific rules and are used to perform specific type of response actions when triggeredRuleWhat Alarms?ActionWhat to do with Alarms?If this ConditionCondition is met,then trigger th
100、is ResponseResponseAutomatic ResponseAutomate Responses by defining Rules and applying ActionsConfigurable-Rules-Actions-Response typesBRKENS-309447 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveKey features with Secure Network AnalyticsVisibility everywhereUnique threat
101、 detectionEncrypted traffic analyticsSmart segmentationImmediate threat remediationAnalyze enterprise telemetry from any source,provide end to end visibility across the extended network in the cloud or with remote workersCombination of multi-layer machine learning and behavioral modeling provides th
102、e ability to detect inside as well as outside threatsAnalyze encrypted traffic to detect malware and ensure policy compliance without decryptionUse logical functional business groups that,monitor the effectiveness of segmentation policies through contextual alarmsUse the network to remove the infect
103、ed host by applying a relevant policy through Automated Response BRKENS-309448 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveThe network as the source of truthSee it ALL!A Trace of every conversationAgentless information collectionRemote worker endpoint data collectionCl
104、oud Telemetry ingest East west and north south visibilityLight meta data collection using the existing infrastructureCapture enhanced NetFlow for encrypted traffic analysis from Cisco ASR,ISR and Catalyst 9000 platformsSource address10.1.8.3Destination address172.168.134.2Source port47321Destination
105、 port443InterfaceGi0/0/1IP TOS0 x00IP protocol6Next hop172.168.25.1TCP flags0 x1ASource SGT100:ETA meta dataIDP|SPLTApplication nameNBAR SECURE-HTTPProcess Namechrome.exeProcess Account UserAcme/johnFlow informationPacketsRoutersSwitches10.1.8.3172.168.134.2(internal)Internet(external)LocalRemoteBRK
Securing Endpoints with Umbrella connector
Provides secure access to the internet and usage of cloud applications.

Cisco Umbrella Native Connector
Available on Catalyst 9200 & 9300 series switches (branch). The branch C9200/C9300 switches send DNS queries/responses to Umbrella (with traffic split and DNScrypt) and integrate with Active Directory at headquarters; Umbrella blocks malvertising/phishing and C&C callbacks.

What is EDNS (Expand DNS messages)?
- DNS simplified: a DNS packet carries DNS questions, DNS answers, DNS flags and an authority section.
- Expanded DNS packet: the extensions add client IP, user hash, organization ID, device ID and other codes.
- A method to extend or expand DNS messages (RFC 6891).
- EDNS adds information to DNS messages in the form of pseudo-resource-records included in the additional data section of a DNS message.
- Umbrella uses EDNS for sending device-id, organization-id, username hash and client-ip information to the Umbrella cloud.

Umbrella flow sequence without DNSCrypt (Host, Connector, OpenDNS)
1. Device registration from the connector to OpenDNS (token for device registration).
2. OpenDNS returns the Device ID and Organization ID and provisions the customer policy.
   The host sends a DNS query to the connector.
3. DNS query with EDNS from the connector to OpenDNS.
4. OpenDNS applies the customer policy.
5. DNS response to the connector, which returns the DNS response to the host.

Umbrella flow sequence with DNSCrypt (Host, Connector, OpenDNS)
1. Device registration from the connector to OpenDNS (token for device registration).
2. OpenDNS returns the Device ID and the DNScrypt key and provisions the customer policy.
   The host sends a DNS query to the connector, which encrypts the packet and the EDNS data.
3. Encrypted DNS query with EDNS from the connector to OpenDNS.
4. OpenDNS applies the customer policy.
5. Encrypted DNS response to the connector, which decrypts the DNS response and returns it to the host.

DEMO TIME!

Cisco Umbrella Native Connector Integration: configuration with API key (Software: IOS-XE 17.7.1)
  C9300> enable
  C9300# configure terminal
  C9300(config)# parameter-map type umbrella global
  C9300(config-profile)# dnscrypt
  C9300(config-profile)# api-key 5f22922exxxxxxxxx51174af822734
  C9300(config-profile)# orgid 26xxx16
  C9300(config-profile)# secret 0 a0d176ebxxxxxxxfbb343dfc4fd209
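The EDNS slide above says the connector's metadata rides in a pseudo-resource-record in the additional section. The following added example (not Cisco or Umbrella code) builds and parses such a query so the mechanism can be inspected; the device-id and org-id option codes are constructed from the private-use range and are not Umbrella's documented codes.

```python
"""Build and parse a DNS query that carries EDNS(0) options (RFC 6891).

Added example, not Cisco or Umbrella code. It shows the mechanism the slides
describe: metadata riding in an OPT pseudo-RR in the additional section.
The device-id / org-id option codes below are constructed from the IANA
private-use range (65001-65534); they are not Umbrella's documented codes.
"""
import ipaddress
import struct
from typing import Dict, Optional

OPT_RR_TYPE = 41              # OPT pseudo-RR type (RFC 6891)
EDNS_CLIENT_SUBNET = 8        # real option code (RFC 7871), carries the client IP prefix
OPT_DEVICE_ID = 65001         # constructed, private-use range
OPT_ORG_ID = 65002            # constructed, private-use range


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def client_subnet_option(ip: str, prefix_len: int) -> bytes:
    """ECS option data: family, source prefix length, scope (0 in queries), truncated address."""
    addr = ipaddress.ip_address(ip)
    family = 1 if addr.version == 4 else 2
    return struct.pack("!HBB", family, prefix_len, 0) + addr.packed[: (prefix_len + 7) // 8]


def build_query(qname: str, options: Dict[int, bytes], udp_size: int = 4096, txid: int = 0x1234) -> bytes:
    """A-record query with RD set and exactly one additional record: the OPT RR."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    rdata = b"".join(struct.pack("!HH", code, len(val)) + val for code, val in options.items())
    # OPT RR: empty (root) name, TYPE 41, CLASS = requestor's UDP payload size,
    # TTL = extended RCODE / EDNS version / flags (all zero here), then the options.
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, udp_size, 0, len(rdata)) + rdata
    return header + question + opt_rr


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_edns_options(msg: bytes) -> Optional[Dict[int, bytes]]:
    """Return {option code: data} from the first OPT RR, or None if the message has no OPT RR."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                                  # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != OPT_RR_TYPE:
            continue
        options, pos = {}, 0
        while pos + 4 <= len(rdata):
            code, length = struct.unpack("!HH", rdata[pos:pos + 4])
            options[code] = rdata[pos + 4:pos + 4 + length]
            pos += 4 + length
        return options
    return None


def demo() -> Dict[int, bytes]:
    """Round-trip a query that tags the client subnet and a constructed device/org id."""
    query = build_query("example.com", {
        EDNS_CLIENT_SUBNET: client_subnet_option("10.1.8.3", 24),     # client IP from the flow record slide
        OPT_DEVICE_ID: b"c9300-branch-01",                             # constructed sample device id
        OPT_ORG_ID: b"26xxx16",                                        # redacted org id from the CLI slide
    })
    parsed = parse_edns_options(query)
    assert parsed is not None
    return parsed


if __name__ == "__main__":
    for code, data in demo().items():
        print(f"option {code}: {data!r}")
```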
Configure via Web UI
- Select "Admin" > "API Keys".
- Get the token from "Umbrella Cloud".

Policy view
- Select "Policies" > "Management" > "DNS Policies".
- Check/update the devices where the policy is applied.

Policy view
- Select "Policies" > "Management" > "Web Policies".
- Check/update the devices where the policy is blocked, then Confirm.

Key features with Umbrella Connector
- Register and use Umbrella knowledge: no need for endpoints to know the site rating. The switch intercepts the DNS query to ANY DNS server unless the network admin created a policy to redirect to local sites.
- Static policy per port: assign static policies per port and link them to a policy in the Umbrella portal. Provides a unified policy regardless of the endpoint type. The TAG name is defined by the network admin; the same TAG name can be assigned to many ports.
- Per-user policy: Umbrella + AD integration to detect the user and pass on the right policy (for example, Bob is part of the Employee group in AD, Sam is part of the Guest group in AD).
- Traffic split to cloud and on-premise: DNS queries for trusted cloud apps are protected by Cisco Umbrella; untrusted Internet traffic is tunneled through HQ; Direct Internet Access for trusted cloud apps.
- DNSCrypt to protect the traffic: DNS traffic is encrypted and cannot be intercepted.

Securing IT & OT Endpoints with ASAc Firewall
Cisco Secure Firewall ASAc on Catalyst 9300X/9300/9300L.

Bringing Cisco EN and Security solutions together for improved operations
ASAc Firewall hosted on C9K switches. Use case:
- Stateful inspection of OT traffic at the edge
- No need for a physical firewall
- No need to change the network architecture
- Network bandwidth preservation
- Automation to scale operations
Management: Cisco Defense Orchestrator (CDO) for security policy management; Cisco DNA Center for app lifecycle management.
Cisco Secure Firewall ASAc:
- Stateful inspection firewall
- L3 firewall (routed mode only)
- Support for SGT
- Performance: 100M-300M (IMIX) throughput
App resources on the Catalyst 9300X/9300/9300L (serving OT and IT endpoints): Memory (RAM) 2 GB; Disk (SSD) 40 MB; CPU 1 core.

Use case (EFT/Beta support)
- App deployment
- App lifecycle management
- Networking to app
- Deploy & manage security policies
- Config and audit logging
- Meets needs of compliance & security audits
The example topology spans a manufacturing floor (PLC, sensor, HMI, historian, manufacturing line), a manufacturing DMZ, a carpeted office (engineer, contractor) and partner access.

So, what's the score between John Doe and Blade Hacks?
(Campus topology: Core, Distribution and Edge at 10/25/40/100G; Smart Building, Time Sensitive Networking, Bonjour Services, Internet, light fixtures, USB-C dongles, Private WAN, Fiber to the Desktop (FTTX), servers and desktops, WiFi6 AP, end-points, Data Center, HA, branches.) Score: 2 - 0.

Auto-profiling and securing endpoints

(Same campus topology.) Blade Hacks: "Sheesh! The security is heavy here! My next hope is to breach the dear endpoints to gain access."

How Blade Hacks can attack an endpoint user
- Attack persona: MAC spoofing. Attack flow: impersonate the MAC address of another authorized endpoint in order to gain the same privileges.
- Attack persona: Attribute spoofing. Attack flow: impersonate the class/type of the device in order to get privileged network access.

EA profiling using NBAR on Catalyst 9000 Series Switch
- Incoming endpoint traffic is classified on the Cisco Catalyst 9000 Series Switch with DPI technology: first-packet classification (simple classification) and deep packet inspection.
- Complex classification happens at Cisco DNA Center/EA, which also provides endpoint visibility, profiling and rule management and pushes probe changes to the switch.
- Multifactor classification example: Endpoint type: CT scanner; Operating system: MS Windows 7; Manufacturer: Globex Corp.; Model: Ultima.

Traffic telemetry protocols
Support for 1400+ application protocols; the protocol library gets updated via Cisco DNA Center.
Data plane protocols:
- Infrastructure: DNS
- Healthcare: DICOM, HL7
- Web/IoT: HTTP, SSL, MQTT, COAP
- Building automation: BACNET
- Multicast: mDNS
- Media and communication: RTSP, RTCP, SIP
- Others: CIFS, MS-SQL, NetBIOS
Discovery protocols: CDP, LLDP, SNMP, DHCP
Cisco Catalyst 9000 Series Switch (Traffic Telemetry embedded). Traffic telemetry conduit: conduit for classification and protocol library update from Cisco DNA Center; gleans endpoint discovery information from switches. Protocol library: https:/ (link cut off on the slide); IOS-XE 17.2.1.

Continuous validation of endpoints for Trusted Access
Trust Score inputs: secure authentication and posture; impersonation attacks; low reputation IP connections; vulnerability/threat metrics; unauthorized ports and weak credentials; encrypted/clear communications. Sources: embedded/machine learning (ML, EA), security ecosystem, endpoint telemetry. Response: Change of Authorization. Continuously monitor risk/trustworthiness and restrict access.
Solution 1: Detecting spoofing with AI Spoofing Detection (ML for Endpoint Analytics)
An endpoint claims "I am a Cisco IP Phone". EA's behavior model, built from the traffic of known IP phones and printers, suggests "Cisco IP Phone?" and raises Anomaly! Traffic pattern mismatch. (Cisco DNA Center 2.2.2)

Solution 2: Detecting spoofing with Concurrent MAC Address Detection
The same MAC address (00:26:AB:7C:EC:40) is seen at the same time behind several switches (DCS). EA raises Anomaly! Concurrent MAC Address at switch#, port#, VLAN#. (Cisco DNA Center 2.2.3)

DEMO TIME!

Enhancing profiling with AI Endpoint Analytics

  ISE Profiling                                                                              | Endpoint Analytics (ISE+EA)
  -------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------
  Single label endpoint profile (Endpoint Profile)                                           | Multi-factor endpoint profile across four categories (Endpoint Type, OS, Model and Manufacturer)
  Profiling based on endpoint probes                                                         | DPI-based profiling on application layer data and traffic telemetry from endpoints using NBAR
  pxGrid Context-in, AD and MDM probe as additional data sources for profiling               | CMDB (ServiceNow), AD/MDM from ISE and other data sources for endpoint context
  Unknown endpoint classification via manual policy changes and external tools such as EA    | ML-assisted profiling and label suggestions using crowd-sourcing
  In-built and custom profiling policy-based device profiling                                | Profiling based on a combination of System rules, Custom rules, ML rules, Device Registration
  Certainty Factor for rule arbitration                                                      | Rule prioritization among rule categories (extendable per rule in future releases)
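Solution 2 above flags a MAC that is active at two attachment points at once. The following added example (not Cisco DNA Center or Endpoint Analytics code) applies that rule to constructed endpoint sighting records and distinguishes a concurrent MAC from a legitimate move between ports.

```python
"""Concurrent MAC address detection over endpoint sighting records.

Added example, not Cisco DNA Center / Endpoint Analytics code. It applies the
idea of the "Solution 2" slide: the same MAC active at two different
attachment points (switch, port, VLAN) in overlapping time windows is an
anomaly, while a MAC that moves from one port to another later is not.
All sighting records below are constructed.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple

Location = Tuple[str, str, int]   # (switch, port, vlan)


@dataclass(frozen=True)
class Sighting:
    mac: str
    switch: str
    port: str
    vlan: int
    first_seen: int   # epoch seconds
    last_seen: int    # epoch seconds

    @property
    def location(self) -> Location:
        return (self.switch, self.port, self.vlan)


def normalize_mac(mac: str) -> str:
    """Accept 00:26:AB:7C:EC:40, 00-26-ab-7c-ec-40 or 0026.ab7c.ec40; return colon form, lower-case."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def windows_overlap(a: Sighting, b: Sighting) -> bool:
    """Closed-interval overlap test on the first_seen/last_seen windows."""
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


def find_concurrent_macs(sightings: List[Sighting]) -> List[Tuple[str, Location, Location]]:
    """Return (mac, location A, location B) for every pair of overlapping sightings of one MAC
    at two different attachment points. A MAC seen twice at the same switch/port/VLAN is ignored."""
    by_mac: Dict[str, List[Sighting]] = {}
    for s in sightings:
        by_mac.setdefault(normalize_mac(s.mac), []).append(s)
    anomalies = []
    for mac, seen in sorted(by_mac.items()):
        for a, b in combinations(seen, 2):
            if a.location != b.location and windows_overlap(a, b):
                anomalies.append((mac, a.location, b.location))
    return anomalies


# Constructed sample: the MAC from the slide is active on two switches at once
# (spoofing candidate); a second MAC roams legitimately; a third never moves.
SAMPLE_SIGHTINGS = [
    Sighting("00:26:AB:7C:EC:40", "sw-floor1", "Gi1/0/1", 10, 1000, 2000),
    Sighting("0026.ab7c.ec40",    "sw-floor2", "Gi1/0/5", 10, 1500, 2500),   # overlaps 1500-2000
    Sighting("00:11:22:33:44:55", "sw-floor1", "Gi1/0/7", 20, 1000, 1400),
    Sighting("00:11:22:33:44:55", "sw-floor2", "Gi1/0/2", 20, 1500, 2000),   # moved, no overlap
    Sighting("aa:bb:cc:dd:ee:ff", "sw-floor1", "Gi1/0/9", 30, 1000, 2000),
    Sighting("aa:bb:cc:dd:ee:ff", "sw-floor1", "Gi1/0/9", 30, 1800, 2600),   # same port, refreshed
]


if __name__ == "__main__":
    for mac, loc_a, loc_b in find_concurrent_macs(SAMPLE_SIGHTINGS):
        print(f"Anomaly! Concurrent MAC {mac} at {loc_a} and {loc_b}")
```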
Endpoint Analytics compatibility matrix
(Fabric and Non-Fabric support on Catalyst 9000 switches is marked per row on the slide.)

  Capability                       | Cisco DNA Center
  ---------------------------------|-----------------
  DPI-based profiling              | 2.1.2.x
  AI Smart Grouping                | 2.1.2.x
  AI Spoofing Detection (2)        | 2.2.2.x
  Anomalous profile change         | 2.2.3.x
  NAT detection                    | 2.2.3.x
  Concurrent MAC detection         | 2.2.3.x
  Open port scan (3)               | 2.3.2.x
  Weak credential scan (3)         | 2.3.2.x
  Talos low reputation IP (2)      | 2.3.3.x

1 Concurrent MAC violations cannot occur on the wireless CAT9k controller, but concurrent MACs between wired and wireless can be detected.
2 AI Spoofing Detection and Talos low reputation need NetFlow configuration; the other functionalities need NBAR.
3 Open port scan and weak credential scan need the security sensor (SDAVC app provisioned as a container in Cat9300 and Cat9400 switches only).
4 Support for Fabric and FlexConnect from IOS-XE 17.7+. Local mode supported in 17.6 for Enterprise SSID.

Key features with Endpoint & Trust Analytics
- DPI-based endpoint profiling: a more deterministic approach to profiling, using active learning from endpoint connections and application traffic from sensors embedded in Cisco hardware.
- Cisco ISE integration: provides a way to gather attributes from sources such as AD, RADIUS and external identities. Cisco ISE assigns the right security policies using EA profile labels.
- ML clustering and crowdsourcing: reduce unknown endpoints in the network with ML. ML will cluster endpoints that have common attributes; the admin gets suggestions on labels learned from other customers with similar sets of endpoints.
- ServiceNow integration: device owners can use ServiceNow to create assets (endpoints) that EA will learn. Admins can create custom rules to label endpoints using CMDB attributes.
- Trust Analytics: EA performs ongoing validation of endpoint anomalies/risk from impersonation, insecure interfaces, unauthorized endpoints and behavioral variation, and will be expanded to other areas of vulnerability/threats. The overall trustworthiness of the endpoint is evaluated and used for Trusted Access. Mitigation action can be taken from DNAC.

So, what's the score between John Doe and Blade Hacks?
(Campus topology: Core, Distribution and Edge at 10/25/40/100G; Smart Building, Time Sensitive Networking, Bonjour Services, Internet, light fixtures, USB-C dongles, Private WAN, Fiber to the Desktop (FTTX), servers and desktops, WiFi6 AP, end-points, Data Center, HA, branches.) Score: 3 - 0.

Securing Transport with MACsec and IPsec (Site-Site & Site-Cloud)

(Same campus topology.) Blade Hacks: "My last chance is to hack the transport".

Where transport encryption applies
- Campus: Core, Distribution and Access layers with large video displays, network-powered light arrays, 60/90 W devices, PTZ UHD cameras, USB-C dongles, mGig-capable devices, WiFi6 APs, Fiber to the Desktop (FTTX), servers and desktops; themes: WiFi6 deployments, smart buildings, fiber connectivity, media networks, time sensitive, 10/25/40/100G.
- Data Center, Internet, IaaS, SaaS and Enterprise Edge.
- Branches with the same endpoint mix.
- LAN MACsec inside the campus and branch; WAN MACsec and L2 Extension between sites; the Internet path between sites.

LAN MACsec
What is MAC Security (MACsec)?
- Hop-by-hop encryption via IEEE 802.1AE (hop-by-hop vs end-to-end).
- "Bump-in-the-wire" model: packets are decrypted on the ingress port and encrypted on the egress port, so the ASIC decrypts at ingress and encrypts at egress on every hop.
- Allows the network to continue to perform all the packet inspection features currently used.
- Each link is encrypted separately; the slide shows 256-bit AES-GCM encryption on most links and 128-bit AES-GCM encryption on one.

MACsec frame
- Frames are encrypted and protected with an integrity check value (ICV).
- MACsec EtherType is 0x88e5 (defined by IEEE 802.1AE).
- IP MTU is auto-adjusted to accommodate the 32 B MACsec tag.

  Frame layout:  DMAC (6 B) | SMAC (6 B) | 802.1AE header (8-16 B) | 802.1Q | ETYPE | PAYLOAD | ICV (8-16 B) | CRC (4 B)
  Encrypted:     802.1Q, ETYPE and PAYLOAD
  Authenticated: DMAC, SMAC, 802.1AE header and the encrypted fields (covered by the ICV)

  MACsec tag (802.1AE header) format:  MACsec EtherType 0x88e5 (2 B) | TCI/AN | SL | Packet Number (4 B) | SCI (optional)
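As an added example (not from the deck), here is a builder and parser for the SecTAG layout above; it makes the 8-16 byte tag range and the 32 B overhead figure concrete. The ICV bytes are a constructed placeholder, and the parser does not verify the AES-GCM tag.

```python
"""Parse the IEEE 802.1AE (MACsec) frame layout shown on the slide.

Added example, not Cisco code: it builds and decodes the SecTAG (EtherType
0x88e5, TCI/AN, SL, Packet Number, optional SCI) and locates the ICV, so the
8-16 byte tag range and the "32 B" overhead figure can be checked. The ICV
bytes here are a constructed placeholder; real frames carry an AES-GCM tag
computed by the ASIC, which this parser does not verify.
"""
import struct
from typing import Dict, Optional

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16                 # GCM-AES-128/256 ICV length
TCI_V, TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04


def build_macsec_frame(dmac: bytes, smac: bytes, an: int, pn: int, secure_data: bytes,
                       icv: bytes, sci: Optional[bytes] = None, encrypted: bool = True) -> bytes:
    """Assemble DMAC | SMAC | SecTAG | secure data | ICV (the CRC is added by the MAC, not here)."""
    tci_an = (an & 0x03) | (TCI_E | TCI_C if encrypted else 0)
    if sci is not None:
        if len(sci) != 8:
            raise ValueError("SCI is 8 bytes")
        tci_an |= TCI_SC
    sl = len(secure_data) if len(secure_data) < 48 else 0      # SL is only used for short frames
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn) + (sci or b"")
    return dmac + smac + sectag + secure_data + icv


def parse_macsec_frame(frame: bytes) -> Dict[str, object]:
    """Decode the SecTAG fields; return tag length, total MACsec overhead and the protected pieces."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("frame too short for a MACsec SecTAG and ICV")
    ethertype, tci_an, sl, pn = struct.unpack("!HBBI", frame[12:20])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not a MACsec frame: EtherType 0x{ethertype:04x}")
    if tci_an & TCI_V:
        raise ValueError("unknown MACsec version")
    off = 20
    sci = None
    if tci_an & TCI_SC:
        sci, off = frame[20:28], 28
    sectag_len = off - 12                                       # 8 bytes, or 16 with SCI
    secure_data, icv = frame[off:-ICV_LEN], frame[-ICV_LEN:]
    if sl and len(secure_data) != sl:
        raise ValueError(f"SL says {sl} bytes but {len(secure_data)} present")
    return {
        "an": tci_an & 0x03,
        "es": bool(tci_an & TCI_ES), "sc": bool(tci_an & TCI_SC), "scb": bool(tci_an & TCI_SCB),
        "encrypted": bool(tci_an & TCI_E), "changed_text": bool(tci_an & TCI_C),
        "pn": pn, "sci": sci, "sectag_len": sectag_len,
        "overhead": sectag_len + ICV_LEN,                       # what the IP MTU must absorb
        "secure_data": secure_data, "icv": icv,
    }


# Constructed sample values
DMAC = bytes.fromhex("0026ab7cec40")
SMAC = bytes.fromhex("001122334455")
SCI = SMAC + b"\x00\x01"                                        # SCI = system id (MAC) + port id
SECURE_DATA = bytes.fromhex("0800") + bytes(range(18))          # ciphertext stand-in for ETYPE + payload
ICV = b"\xaa" * ICV_LEN                                         # placeholder, not a real GCM tag


def sample_overheads() -> Dict[str, int]:
    """Overhead with and without the SCI, matching the slide's 8-16 B tag plus 16 B ICV."""
    with_sci = parse_macsec_frame(build_macsec_frame(DMAC, SMAC, 1, 0x2A, SECURE_DATA, ICV, sci=SCI))
    without = parse_macsec_frame(build_macsec_frame(DMAC, SMAC, 1, 0x2A, SECURE_DATA, ICV))
    return {"with_sci": with_sci["overhead"], "without_sci": without["overhead"]}


if __name__ == "__main__":
    print(sample_overheads())        # {'with_sci': 32, 'without_sci': 24}
```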
MACsec switch-to-switch topology
- Switch to switch across an L2 service provider network, and switch to switch through an intermediate switch (marked X on the slide).
- Each switch uses a local profile with a PSK; the peers exchange keys over EAPoL and then send encrypted data.

IP Security

Internet is the new Enterprise WAN
- Applications are moving to the cloud (SaaS), security is moving to the cloud (SIG), infrastructure is moving to the cloud (IaaS), and branches are becoming leaner.
- The corporate DC, software and remote branches connect over the Internet as the secure WAN: secure access to apps and data from everywhere, securely connect a hybrid workforce to apps anywhere, multi-cloud access.
- Blade Hacks: "Always watching for packets to steal!"

ESP frame on the wire:  DMAC | SMAC | ETYPE | IP | ESP Header | IP | L4 | PAYLOAD | ESP Trailer | ESP Auth
Encrypted: inner IP, L4, PAYLOAD and ESP Trailer.

High-speed IPsec encryption with Cat9k
- Catalyst 9300X (UADP 2.0 Sec): simple secure branch, 100G Layer 3 hardware encryption.
- Catalyst 9400X (UADP 2.0 Sec): flexible, redundant modular, 100G Layer 3 hardware encryption.
- Catalyst 9500X (C9500X-60L4D, Silicon One): high-speed core, 400G Layer 3 hardware encryption.
- Software: Cisco IOS XE 17.6.2 with Cisco DNA Advantage (HSEC key for export control).
Secure connectivity to anywhere
Catalyst switch native IPsec to SIG, DC/HQ, IaaS, Colo and SaaS.
- Encryption: AES-128-CBC, AES-128/256-GCM
- Authentication: HMAC/SHA1, GMAC
- Tunnel mode; encapsulation ESP; IKEv2
- Static virtual tunnel interface; IPv4/IPv6; OSPF/BGP; policy-based routing; multicast routing; NAT traversal
- Layer 3 segmentation over IPsec; Layer 2 extension over IPsec; VRF-aware
- 128 tunnels; 256 SAs + 128 rekey SAs

IPsec packet flow: encryption
Clear-text packets arrive on the ingress interface, the forwarding engine sends them to the VTI, the packets are forwarded to the crypto engine for encryption, and the encrypted packets are then forwarded based on the outer header to the destination egress port (the IPsec tunnel).

IPsec packet flow: decryption
Encrypted packets arrive on the ingress interface (the IPsec tunnel), the forwarding engine sends them to the crypto engine for decryption based on the SA association, and the clear-text packets are then forwarded based on the original IP header through the VTI to the destination egress port.

Transport mode
  Before:  IP Header | TCP Header | Data
  After:   IP Header | ESP Header | TCP Header | Data   (TCP header and data encrypted, ESP header inserted after the IP header)

Tunnel mode
  Before:  IP Header | TCP/UDP | Data
  After:   New IP Header | ESP Header | Original IP Header | TCP/UDP | Data | ESP Trailer | ESP Auth Trailer
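To put numbers on the two layouts above, here is an added example (not from the deck) that computes the wire size of an ESP packet in transport and tunnel mode for the two transform sets this deck uses (esp-gcm 256 and esp-aes + esp-sha-hmac) and the largest original packet that still fits an underlay MTU. IPv4 without options, an 8 B IV and 16 B ICV for AES-GCM, a 16 B IV and 12 B HMAC-SHA1-96 ICV for AES-CBC are assumed.

```python
"""ESP size arithmetic for the transport vs tunnel mode layouts on the slide.

Added example, not Cisco code. It computes the on-the-wire size of an ESP
packet for the two transform sets used in this deck (esp-gcm 256, and
esp-aes + esp-sha-hmac) and the largest original packet that still fits
an underlay MTU. Assumptions: IPv4 (20-byte headers, no options), ESP
header = SPI + sequence (8 B), trailer = pad length + next header (2 B),
AES-GCM uses an 8 B IV and 16 B ICV with 4-byte alignment, AES-CBC uses a
16 B IV with 16-byte block padding, HMAC-SHA1-96 gives a 12 B ICV.
"""
from typing import Dict

IP_HDR = 20
ESP_HDR = 8
ESP_TRAILER = 2

TRANSFORMS: Dict[str, Dict[str, int]] = {
    "esp-gcm 256":           {"iv": 8,  "icv": 16, "align": 4},
    "esp-aes esp-sha-hmac":  {"iv": 16, "icv": 12, "align": 16},
}


def _padded(length: int, align: int) -> int:
    """Round length up to the next multiple of align (ESP padding)."""
    return (length + align - 1) // align * align


def esp_packet_size(orig_len: int, mode: str, transform: str) -> int:
    """Wire size of an ESP packet carrying an original IPv4 packet of orig_len bytes.

    transport: IP hdr | ESP hdr | IV | [L4 + data + trailer, padded] | ICV
    tunnel:    new IP hdr | ESP hdr | IV | [orig IP hdr + L4 + data + trailer, padded] | ICV
    """
    t = TRANSFORMS[transform]
    if mode == "transport":
        protected = (orig_len - IP_HDR) + ESP_TRAILER
    elif mode == "tunnel":
        protected = orig_len + ESP_TRAILER
    else:
        raise ValueError(f"mode must be transport or tunnel, not {mode!r}")
    return IP_HDR + ESP_HDR + t["iv"] + _padded(protected, t["align"]) + t["icv"]


def esp_overhead(orig_len: int, mode: str, transform: str) -> int:
    """Bytes added to the original packet by the ESP encapsulation."""
    return esp_packet_size(orig_len, mode, transform) - orig_len


def max_inner_packet(underlay_mtu: int, mode: str, transform: str) -> int:
    """Largest original packet whose ESP encapsulation still fits underlay_mtu (no fragmentation)."""
    best = 0
    for orig_len in range(IP_HDR + 1, underlay_mtu + 1):
        if esp_packet_size(orig_len, mode, transform) <= underlay_mtu:
            best = orig_len
    return best


if __name__ == "__main__":
    for transform in TRANSFORMS:
        for mode in ("transport", "tunnel"):
            print(f"{transform:22} {mode:9} 1500 B -> {esp_packet_size(1500, mode, transform)} B, "
                  f"max inner for 1500 B underlay: {max_inner_packet(1500, mode, transform)} B")
```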
IKE / IKEv2
Supported IKEv2 proposal (software):
- Encryption: des, 3des, aes-cbc-128, aes-cbc-192, aes-cbc-256, aes-gcm-128, aes-gcm-256
- Integrity: md5, sha1, sha256, sha384, sha512
- Diffie-Hellman groups: 1 (768 MODP), 2 (1024 MODP), 5 (1536 MODP), 14 (2048 MODP), 15 (3072 MODP), 16 (4096 MODP), 19 (256 ECP), 20 (384 ECP), 21 (521 ECP), 24 (2048 MODP with 256-bit subgroup)

Supported transform sets (hardware):
  Transform set (HW) encryption       | Key exchange | Bandwidth
  ------------------------------------|--------------|----------------
  esp-aes + esp-sha-hmac              | IKEv2        | Up to 15 Gbps
  esp-gcm 128 (gmac is derived)       | IKEv2        | Up to 100 Gbps
  esp-gcm 256 (gmac is derived)       | IKEv2        | Up to 100 Gbps
Catalyst 9k: secure connectivity to anywhere
- Site to cloud: standards-based IPsec for secure direct internet access and cloud-native workloads; remote branches (Cisco Catalyst 9300X) build secure tunnels to a regional point of presence / colo.
- Site to site: 100G line-rate IPsec encryption with low-latency forwarding between branch, campus and data center.
- Benefits: secure web usage & control; faster time to deployment; lower TCO; investment protection; up to 100G low-latency IPsec encryption; unicast & multicast routing; L3 segmentation & L2 extension.

Catalyst 9000 site-to-site IPsec
HQ terminates IPsec tunnels from Branch-1 through Branch-6. High-speed secure connectivity: OSPF/BGP, multicast routing, IPv4/IPv6, L3 segmentation over IPsec, L2 extension over IPsec, VRF-aware, NAT traversal.

IPsec Colo connectivity
Remote branches and HQ/campus build IPsec tunnel(s) to Cat9k regional PoPs attached to the colo backbone. Key benefits: up to 100G IPsec throughput, pay-as-you-grow model, incremental transition to cloud infrastructure.

C9300X IPsec Colo connectivity (Los Angeles to San Jose over the Equinix backbone)

Baseline measurement:
  Tunnels | Packet size (bytes) | Throughput (Gbps) | Avg latency | Min latency | Max latency
  --------|---------------------|-------------------|-------------|-------------|------------
  1       | 100                 | 6.5               | 8.355       | 8.352       | 8.372
  1       | 256                 | 8.0               | 8.360       | 8.357       | 8.373
  1       | 512                 | 9.0               | 8.366       | 8.363       | 8.380
  1       | 1024                | 9.4               | 8.373       | 8.370       | 8.386
  1       | 1400                | 9.4               | 8.379       | 8.376       | 8.391
  1       | 2048                | 9.4               | 8.385       | 8.382       | 8.401
  1       | 9000                | 9.4               | 8.487       | 8.484       | 8.505

Base vs IPsec:
  Tunnels | Packet size (bytes) | Throughput (Gbps) | Avg base | Avg IPsec | Min base | Min IPsec | Max base | Max IPsec
  --------|---------------------|-------------------|----------|-----------|----------|-----------|----------|----------
  1       | 100                 | 6.5               | 8.355    | 8.365     | 8.352    | 8.361     | 8.372    | 8.380
  1       | 256                 | 8.0               | 8.360    | 8.368     | 8.357    | 8.364     | 8.373    | 8.381
  1       | 512                 | 9.0               | 8.366    | 8.374     | 8.363    | 8.371     | 8.380    | 8.392
  1       | 1024                | 9.4               | 8.373    | 8.380     | 8.370    | 8.377     | 8.386    | 8.393
  1       | 1400                | 9.4               | 8.379    | 8.386     | 8.376    | 8.383     | 8.391    | 8.399
  1       | 2048                | 9.4               | 8.385    | 8.392     | 8.382    | 8.389     | 8.401    | 8.412
  1       | 9000                | 9.4               | 8.487    | 8.496     | 8.484    | 8.493     | 8.505    | 8.514

Latency values are in ms (the slide reports a less than 1 ms difference).
- Consistent latency with/without IPsec encryption/decryption
- Less than 1 ms difference with/without encryption/decryption
- Multicast and unicast traffic deliver the same results
- Consistent results for IPv4, IPv6, IPv4 over IPv6 and IPv6 over IPv4
IPsec site to site / point to point with PSK
Site A (172.16.0.1, Hun1/1/1) and Site B (172.16.0.2, Hun1/1/1) are connected by the IPsec tunnel. Steps 1-4:

Step 1: IKEv2 proposal (both sites)
  crypto ikev2 proposal sitetosite
   encryption aes-cbc-256
   integrity sha512
   group 19 20 21
  crypto ikev2 dpd 10 5 periodic

Step 2: IKEv2 policy
  Site A:
  crypto ikev2 policy hun_ipsec
   match address local 172.16.0.1
   proposal sitetosite
  crypto ikev2 policy peers
   match fvrf any
   proposal sitetosite

  Site B:
  crypto ikev2 policy hun_ipsec
   match address local 172.16.0.2
   proposal sitetosite
  crypto ikev2 policy peers
   match fvrf any
   proposal sitetosite

Step 3: IKEv2 peer (keyring)
  Site A:
  crypto ikev2 keyring auth-keyring
   peer 172.16.0.2
    address 172.16.0.2
    pre-shared-key Cisco12345

  Site B:
  crypto ikev2 keyring auth-keyring
   peer 172.16.0.1
    address 172.16.0.1
    pre-shared-key Cisco12345

Step 4: IKEv2 peer profile
  Site A:
  crypto ikev2 profile auth_Hun
   match identity remote address 172.16.0.2 255.255.255.255
   identity local address 172.16.0.1
   authentication remote pre-share
   authentication local pre-share
   keyring local auth-keyring
   no config-exchange request

  Site B:
  crypto ikev2 profile auth_Hun
   match identity remote address 172.16.0.1 255.255.255.255
   identity local address 172.16.0.2
   authentication remote pre-share
   authentication local pre-share
   keyring local auth-keyring
   no config-exchange request

IPsec site to site / point to point with PKI/certificate
Steps 3 and 4 replace the keyring and pre-shared-key authentication:

Step 3: Create trustpoint (both sites; or use SCEP to distribute the certificate*)
  crypto pki trustpoint TP
   revocation-check none
   enrollment terminal
  crypto pki authenticate TP

Step 4: IKEv2 peer profile
  Site A:
  crypto ikev2 profile auth_Hun
   match identity remote address 172.16.0.2 255.255.255.255
   identity local address 172.16.0.1
   authentication remote rsa-sig
   authentication local rsa-sig
   no config-exchange request
   pki trustpoint TP

  Site B:
  crypto ikev2 profile auth_Hun
   match identity remote address 172.16.0.1 255.255.255.255
   identity local address 172.16.0.2
   authentication remote rsa-sig
   authentication local rsa-sig
   no config-exchange request
   pki trustpoint TP

Identity can also match on a certificate map:
  crypto pki certificate map cisco 1
   subject-name co o=cisco
  crypto ikev2 name-mangler get-my-ou
   dn organization-unit
  crypto ikev2 profile auth_Hun
   match certificate cisco
198、iteset securityset security-association lifetime seconds 28800association lifetime seconds 28800set securityset security-policy limit 1 policy limit 1(optional)(optional)set transformset transform-set authset auth-ipsecipsecset ikev2set ikev2-profile profile auth_Hunauth_HunIPsec Profilecrypto crypt
199、o ipsecipsec profile profile sitesite-toto-sitesiteset securityset security-association lifetime seconds 28800association lifetime seconds 28800set securityset security-policy limit 1 policy limit 1(optional)(optional)set transformset transform-set authset auth-ipsecipsecset ikev2set ikev2-profile p
200、rofile auth_Hunauth_HunIPsec ProfileIPsec TunnelHun1/1/1Hun1/1/1interface HundredGigE1/1/1interface HundredGigE1/1/1no switchportno switchportip address 172.16.0.1 255.255.255.0ip address 172.16.0.1 255.255.255.0Physical Portinterface HundredGigE1/1/1interface HundredGigE1/1/1no switchportno switchp
201、ortip address 172.16.0.2 255.255.255.0ip address 172.16.0.2 255.255.255.0Physical Portinterface Tunnel1interface Tunnel1ip address 30.30.30.1 255.255.255.0ip address 30.30.30.1 255.255.255.0tunnel source HundredGigE1/1/1tunnel source HundredGigE1/1/1tunnel mode tunnel mode ipsecipsec ipv4ipv4tunnel
202、destination 172.16.0.2tunnel destination 172.16.0.2tunnel protection tunnel protection ipsecipsec profile profile sitesite-toto-sitesiteCreate IP in IP tunnelinterface Tunnel1interface Tunnel1ip address 30.30.30.2 255.255.255.0ip address 30.30.30.2 255.255.255.0tunnel source HundredGigE1/1/1tunnel s
203、ource HundredGigE1/1/1tunnel mode tunnel mode ipsecipsec ipv4ipv4tunnel destination 172.16.0.1tunnel destination 172.16.0.1tunnel protection tunnel protection ipsecipsec profile profile sitesite-toto-sitesiteCreate IP in IP Tunnelip routingip routingip route 10.10.10.0 255.255.255.0 30.30.30.2ip rou
204、te 10.10.10.0 255.255.255.0 30.30.30.2ip route 24.24.24.24 255.255.255.255 30.30.30.2ip route 24.24.24.24 255.255.255.255 30.30.30.2Routesip routingip routingip route 10.10.10.0 255.255.255.0 30.30.30.1ip route 10.10.10.0 255.255.255.0 30.30.30.1ip route 24.24.24.24 255.255.255.255 30.30.30.1ip rout
205、e 24.24.24.24 255.255.255.255 30.30.30.1Routescrypto crypto ipsecipsec transformtransform-set authset auth-ipsecipsec espesp-gcmgcm 256256mode tunnelmode tunnelTransform SetSite BSite Bcrypto crypto ipsecipsec transformtransform-set authset auth-ipsecipsec espesp-gcmgcm 256256mode tunnelmode tunnelT
206、ransform SetSite ASite A68795Step:Step:101BRKENS-3094 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSelective Traffic forwardingPolicy Based Routing Set interfaceActive/BackupOtherSecureTunnelsRedirect all Internet bound Traffic SecureTunnelsECMP via Multiple TunnelsActi
207、ve/ActiveSite-to-Cloud:Secure Internet GatewaySecuring Internet TrafficOther102BRKENS-3094 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveIPsec to Umbrella SIG/Zscaler IPsec to Umbrella SIG/Zscaler crypto ikev2 proposal umb_sigcrypto ikev2 proposal umb_sigencryption aesen
208、cryption aes-cbccbc-128128integrity sha1integrity sha1group 19 20 21group 19 20 21crypto ikev2 crypto ikev2 natnat keepalive 20keepalive 20crypto ikev2 crypto ikev2 dpddpd 10 5 periodic10 5 periodicIKEv2crypto ikev2 policy umb_sigcrypto ikev2 policy umb_sigmatch match fvrffvrf anyanyproposal umb_sig
IKEv2 Keyring:
  crypto ikev2 keyring umb_sig
   peer umbrella
    description ikev2_peer_146.112.85.8
    address 146.112.85.8
    pre-shared-key Cisco12345
IKEv2 Data Center Profile:
  crypto ikev2 profile umb_sig
   match identity remote address 146.112.85.8 255.255.255.0
   identity local email atlan-edge2-tun7971867tun795120711-
   authentication remote pre-share
   authentication local pre-share
   keyring local umb_sig
   dpd 10 2 periodic
   no config-exchange request

[Slide 104] IPsec to Umbrella SIG/Zscaler (Catalyst 9300X, IPsec tunnel)
Transform Set:
  crypto ipsec transform-set umb_sig esp-aes esp-sha-hmac
   mode tunnel
IPsec Profile:
  crypto ipsec profile umb_sig
   set transform-set umb_sig
   set ikev2-profile umb_sig
Physical/Virtual Port:
  interface Vlan2
   no switchport
   ip address 128.107.251.122 255.255.255.0
   load-interval 30
Create IP-in-IP tunnel:
  interface Tunnel1
   ip unnumbered Vlan2
   tunnel source Vlan2
   tunnel mode ipsec ipv4
   tunnel destination 146.112.85.8
   tunnel protection ipsec profile umb_sig
Routes:
  ip route 0.0.0.0 0.0.0.0 Tunnel1
  ip route 146.112.85.8 255.255.255.255 128.107.251.65
OR Policy Based Routing:
  route-map UMB_PBR_RM permit 10
   match ip address UMB_PBR_ACL
   set interface Tunnel1 Tunnel2
  route-map UMB_PBR_RM permit 20
  !
  ip access-list extended UMB_PBR_ACL
   10 permit ip host 192.168.1.10 any

[Slides 105-107] IPsec to Umbrella SIG: Umbrella dashboard screenshots ("Add a tunnel", "Tunnel is UP").

[Slide 108] Site-to-Cloud: Cloud Service Providers - Secure connectivity to native cloud resources
Native IPsec termination on CSPs: the secure tunnels terminate on the cloud gateway in front of the VPC apps; static or BGP routing; Active/Backup or Active/Active.
IPsec termination on CSP transit networks: the secure tunnels terminate on a transit network that connects to the cloud gateway and VPC apps; static or BGP routing; Active/Backup or Active/Active.

[Slide 109] Catalyst 9000 AWS Workflow (diagram)
Two IPsec tunnels (VPN-1, VPN-2) cross the Internet to an AWS TGW that fronts three AWS VPCs; the prefixes shown are 192.168.1.0/24, 192.168.2.0/24 and 172.168.1.0/24; routing over each tunnel is static or BGP.

[Slide 110] IPsec to AWS TGW (Catalyst 9300X, IPsec tunnel)
IKEv2:
  crypto ikev2 proposal aws_tgw
   encryption aes-cbc-128
   integrity sha1
   group 19 20 21
  crypto ikev2 nat keepalive 20
  crypto ikev2 dpd 10 5 periodic
IKEv2 Policy:
  crypto ikev2 policy aws_tgw
   match fvrf any
   proposal aws_tgw
IKEv2 Keyring:
  crypto ikev2 keyring aws_tgw
   peer umbrella
    description ikev2_peer_52.8.92.5
    address 52.8.92.5
    pre-shared-key Cisco12345
IKEv2 Data Center Profile:
  crypto ikev2 profile aws_tgw
   match identity remote address 52.8.92.5 255.255.255.0
   identity local address 128.107.251.88
   authentication remote pre-share
   authentication local pre-share
   keyring local aws_tgw
   dpd 10 2 periodic
   no config-exchange request

[Slide 111] IPsec to Umbrella SIG and AWS (Catalyst 9300X, IPsec tunnel)
Transform Set:
  crypto ipsec transform-set aws_tgw esp-aes esp-sha-hmac
   mode tunnel
IPsec Profile:
  crypto ipsec profile aws_tgw
   set transform-set aws_tgw
   set ikev2-profile aws_tgw
Physical/Virtual Port:
  interface Vlan2
   no switchport
   ip address 128.107.251.122 255.255.255.0
   load-interval 30
Create IP-in-IP tunnel:
  interface Tunnel1
   ip address 169.254.16.102 255.255.255.252
   tunnel source Vlan2
   tunnel mode ipsec ipv4
   tunnel destination 52.8.92.5
   tunnel protection ipsec profile aws_tgw
Routes:
  ip route 0.0.0.0 0.0.0.0 Tunnel1
  ip route 52.8.92.5 255.255.255.255 128.107.251.65
OR BGP over the tunnel:
  router bgp 65000
   neighbor 169.254.16.101 remote-as 65001
   address-family ipv4
    network 192.168.1.0
    neighbor 169.254.16.101 activate

[Slide 112] Cat9k Secure Connectivity to Anywhere (diagram)
A Cisco DNA Center-managed Cat9k reaches a cloud TGW/VPC across the ISP (Site to CSP; the ISP address shown is 10.11.0.211) as well as a peer site (Site-to-Site).

[Slide 113] IPsec NAT Traversal (* 17.9.1)
Without NAT-T: neither source nor destination is NATed (public IP); IPsec is negotiated on port 500.
With NAT-T*: source or destination can be NATed (private IP behind the ISP, which announces "I am going to NAT!"); upon NAT detection, IPsec can be negotiated on port 4500.

[Slide 114] VRF Aware IPsec
Prior to 17.9.1: the 9300X terminated its IPsec tunnels to SIG and COLO in the default VRF only.
VRF aware IPsec (17.9.1): the tunnels to SIG and COLO can be placed in separate VRFs (ISP VRF, COLO VRF).
VRF: Virtual Routing & Forwarding. FVRF: Front Door VRF. IVRF: Inside VRF.
[Slide 115] VRF Aware IPsec (FVRF)
FVRF (front door VRF on the WAN-facing port Te1/0/1):
  vrf definition WAN1-VRF
   address-family ipv4
   address-family ipv6
  int Te1/0/1
   ip add 128.107.251.22 255.255.255.252
   vrf forwarding WAN1-VRF
IVRF (inside VRF, VRF-Campus):
  vrf definition Campus
   address-family ipv4
   address-family ipv6
Tunnel (IVRF on the interface, FVRF on the tunnel):
  interface Tunnel4
   vrf forwarding Campus
   ip unnumbered Te1/0/1
   tunnel source Te1/0/1
   tunnel mode ipsec ipv4
   tunnel destination 146.112.83.8
   tunnel vrf WAN1-VRF
   tunnel protection ipsec profile prf_umb

[Slide 116] BGP EVPN over IPsec (diagram)
9300X/9400X sites reach each other through IPsec tunnels sourced from the FVRF over the Internet or a private WAN, using ingress replication. Layers: Underlay-1 (OSPF/BGP); Secure Overlay (IPsec); Layer 3 Overlay (BGP EVPN); Layer 2 Extension (BGP EVPN).
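A configuration hardening check, added here as an example (not Cisco's or the session's own code), run over a constructed excerpt of the IKEv2/IPsec CLI from the SIG, AWS and VRF-aware slides above. The policy it enforces (no SHA-1 integrity, host-mask identity matching, no cleartext PSK, DPD present, tunnel vrf equal to the VRF of the tunnel source interface) and the type-6 key format it looks for are assumptions of this example, not requirements stated in the session.

```python
"""Hardening checks over the IKEv2/IPsec CLI of the SIG, AWS and VRF-aware slides.
Added example, not Cisco's or the session's code: SAMPLE_CONFIG is a constructed
excerpt of those slides, and the policy rules in audit() are assumptions."""

SAMPLE_CONFIG = """\
crypto ikev2 proposal umb_sig
 encryption aes-cbc-128
 integrity sha1
crypto ikev2 keyring umb_sig
 peer umbrella
  address 146.112.85.8
  pre-shared-key Cisco12345
crypto ikev2 profile umb_sig
 match identity remote address 146.112.85.8 255.255.255.0
 keyring local umb_sig
 dpd 10 2 periodic
crypto ipsec transform-set umb_sig esp-aes esp-sha-hmac
interface TenGigabitEthernet1/0/1
 vrf forwarding WAN1-VRF
interface Tunnel4
 vrf forwarding Campus
 tunnel source TenGigabitEthernet1/0/1
 tunnel vrf WAN1-VRF
 tunnel protection ipsec profile umb_sig
"""

def parse_blocks(config):
    """Group IOS-style config into (header, [child lines]) by indentation."""
    blocks = []
    for raw in filter(str.strip, config.splitlines()):
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def arg(children, prefix):
    """Third word of the first child starting with prefix ('tunnel vrf X' -> 'X')."""
    return next((c.split()[2] for c in children if c.startswith(prefix)), None)

def audit(config):
    """Return (block header, issue) pairs; an empty list means the policy passed."""
    blocks = parse_blocks(config)
    # VRF each interface lives in (None = global table); used for the FVRF check.
    iface_vrf = {h.split()[1]: arg(ch, "vrf forwarding ") for h, ch in blocks if h.startswith("interface ")}
    global_dpd = any(h.startswith("crypto ikev2 dpd ") for h, _ in blocks)
    findings = []
    for header, children in blocks:
        if header.startswith("crypto ipsec transform-set ") and {"esp-sha-hmac", "esp-md5-hmac"} & set(header.split()):
            findings.append((header, "ESP integrity is HMAC-SHA-1/MD5; prefer an esp-gcm transform as on the site-to-site slide"))
        if header.startswith("crypto ikev2 profile ") and not global_dpd and not any(c.startswith("dpd ") for c in children):
            findings.append((header, "no DPD configured; dead peers will not be detected"))
        if header.startswith("interface Tunnel") and any(c.startswith("tunnel protection ") for c in children):
            src, tvrf = arg(children, "tunnel source "), arg(children, "tunnel vrf ")
            if iface_vrf.get(src) != tvrf:   # FVRF must be the VRF of the tunnel source interface
                findings.append((header, f"tunnel vrf {tvrf} differs from VRF of {src} ({iface_vrf.get(src)})"))
        for line in children:
            w = line.split()
            if w[0] == "integrity" and {"sha1", "md5"} & set(w):
                findings.append((header, "IKEv2 integrity uses SHA-1/MD5; prefer sha256 or stronger"))
            # Assumption: an encrypted PSK shows as 'pre-shared-key [local|remote] 6 <cipher>'.
            if w[0] == "pre-shared-key" and [k for k in w[1:] if k not in ("local", "remote")][:1] != ["6"]:
                findings.append((header, "pre-shared key is stored in cleartext in the running config"))
            if w[:4] == ["match", "identity", "remote", "address"] and len(w) == 6 and w[5] != "255.255.255.255":
                findings.append((header, f"identity mask {w[5]} accepts any peer in the subnet; use a /32 host mask"))
    return findings
```

On the sample the check reports four findings (SHA-1 in both the proposal and the transform set, the cleartext PSK, and the /24 identity mask) and none for the Tunnel4 FVRF pairing, which is consistent with slide 115.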
[Slide 117] Catalyst 9000 IPsec Automation & Monitoring - flexible consumption options
Modes and benefits:
  DIY with IOS XE: distributed deployment using CLI/YANG APIs; flexible consumption (shipping).
  Ecosystem integrators: deployment via Ansible, Terraform, Chef etc.; seamless integration with existing tools (shipping).
  Turnkey with Cisco DNA Center: centralized management and monitoring; increased scalability (beta).

[Slide 118] Day 0 On-boarding Challenges
Remote offices reach PnP Connect through DHCP and the ISP; the cloud redirection to PnP Connect then redirects the switch to the on-prem Cisco DNA Center (192.168.1.1), and the switch asks "Where is 192.168.1.1?".
Problem: no connectivity to the on-prem DNA Center.

[Slide 119] Cloud Delivered Secure Device Onboarding (beta)
  0. Cisco DNAC uploads the Day 0 config to PnPaaS (PnP Cloud Service, PnP-C).
  1. C9K Edge sends a PnP Connect request.
  2. PnPaaS provisions the Day 0 config.
  3. C9K Edge forms a tunnel to the corporate DC.
  4. C9K Edge is managed via DNA Center (192.168.1.1).
Benefits: low/no-touch deployment; simplified onboarding; remote deployment; security sensitive.

[Slide 120] Day N Automation Workflow for Cat9k Edge - automate secure tunnels via DNA Center
  1. Choose your site.
  2. Select a SA/VA.
  3. Pick the SN of the device.
  4. Assign a management IP.
  5. Choose the head-end router.
  6. Add the pre-shared key.
  7. Define a hostname.

[Slide 121] Day N Automation Workflow for Cat9k Edge: Day 0 + Day N - automate secure tunnels to Internet gateways (DC1-DC4).

[Slide 122] Day N Automation Workflow for Cat9k Edge: traffic selection.
243、ghts reserved.Cisco Public#CiscoLiveTunnel Monitoring via Cisco DNA CenterDCRemote Offices Cisco Catalyst 9000Day N Tunnel AssuranceDay 0+Day N:Automate Secure tunnels to Internet Gateways+Tunnel MonitoringDay 0+Day N:Automate Secure tunnels to Internet Gateways+Tunnel MonitoringBRKENS-3094123 2023
244、Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCodilime:IPsec delivered via App-HostingCisco IOS XE 17.10With Cisco DNA Advantage IPsec VPN Application hosted on Cat9kSW IPsec-C9300/9300LRuns in Docker containerInteractive Web UI for IPsec configHW&SW IPsec-C9300XWill be avail
245、able on Cisco DEVNETCatalyst 9300X/9300/9300LCatalyst 9300X/9300/9300LBranch/DC/HQApp Resources App Resources Memory(RAM)Memory(RAM):409 MB:409 MBDisk(SSD)Disk(SSD):10 MB:10 MB CPUCPU:1480 units:1480 unitsCPUCPU-percentpercent:20%of 1 core:20%of 1 corePerformancePerformance200Mbps Traffic Encryption
Protocol support: IPsec VPN; routing.
Security: IPsec IKEv2; authentication using PSK or x509; VRF aware; NAT-T.
Automation: YANG model with REST API.
Interoperability: AWS, GCP, Azure; Cisco Umbrella, Zscaler; C8K, ISR/ASR, Juniper.
Available at GitHub.

[Slide 125] Link Speeds Out-Pacing IP Encryption

[Slide 126] Link Speeds Out-Pacing IP Encryption
Bandwidth and application requirements are out-pacing IP encryption capabilities.
Bi-directional traffic and packet sizes further impact encryption performance.
IPsec engines dictate the aggregate encryption performance of the platform (much less than the switch/router forwarding throughput).
Encryption must align with link speed (100G+) to support next-generation applications.
(Chart: link bandwidth over time - link speed climbs while IPsec encryption speed lags; the target is link speed = encryption engine speed.)

[Slide 127] What is WAN MACsec?
IEEE 802.1AE standards-based Layer 2 encryption that provides data confidentiality and integrity for media-access-independent protocols.
Optimizes MACsec + WAN features to accommodate running over L2 public Ethernet transport.
"Line-rate" encryption mitigating packet eavesdropping, tampering and injection.
(Diagram: an MKA session between the central campus/HQ and a campus/branch across a public carrier Ethernet network; the MACsec secured path runs between MACsec-capable PHYs on MACsec-capable switches, through SP-owned Ethernet transport devices.)
WAN MACsec vs LAN MACsec:
  Connection type: WAN - over L2 MPLS, VPLS, EoMPLS, QinQ; multiple point-to-point. LAN - point-to-point only; directly connected devices.
  Cipher: AES 128, AES 256 (both).
  IPv4 & IPv6 independent (both).
  Performance: WAN - line rate on all ports (C9600X, C9500X). LAN - line rate on all ports.
  Overhead: 32 bytes (both).

[Slide 128] Dot1Q Clear Tag
Adds an extra 802.1Q tag which is not considered part of MACsec and is forwarded by the service provider devices. Leverages a "well known" EtherType value. Enable it on the physical port and all sub-interfaces on that physical port will use the clear tag.
  interface TenGigabitEthernet1/0/4
   macsec dot1q-in-clear 1
Frame layout (clear tag packets between PE-1 and PE-2): DMAC | SMAC | Clear Tag 802.1Q | 802.1AE | ETYPE | Payload | ICV | CRC. ETYPE and payload are encrypted; the frame is authenticated.

[Slide 129] MKA EAPoL Destination MAC Tuning - destination MAC change capability
  interface TenGigabitEthernet1/0/4
   eapol destination-address broadcast
   macsec dot1q-in-clear 1
Leverages the "broadcast" address as the EAPoL destination MAC. The provider switch forwards it as a standard "broadcast" (all-F's) Ethernet frame to all peers; some service provider switches might consume the multicast frame and not send it to all peers. Can be used with or without "Clear Tag". A "broadcast" DMAC is required for P2MP cases (diagram: SW-1 to SW-2 and SW-3, broadcast + clear tag).
EAPoL on Ethernet: DMAC | SMAC | Eth Type 0x888E | Ver 1 | Packet Type | Packet Body Length | Packet Body | FCS.
EAPoL on Ethernet with Clear Tag: DMAC | SMAC | Clear Tag | Eth Type 0x888E | Ver 1 | Packet Type | Packet Body Length | Packet Body | FCS.

[Slide 130] MKA EAPoL EtherType Tuning
  interface TenGigabitEthernet1/0/4
   eapol eth-type 876F
   macsec dot1q-in-clear 1
Leverages a "well known" EtherType value; by default the EAPoL EthType is 0x888E. Can be used with or without "Clear Tag" (diagram: clear tag packets and modified-EtherType EAPoL packets).
EAPoL on Ethernet: DMAC | SMAC | Eth Type 0x876F | Ver 1 | Packet Type | Packet Body Length | Packet Body | FCS.
EAPoL on Ethernet with Clear Tag: DMAC | SMAC | Clear Tag | Eth Type 0x876F | Ver 1 | Packet Type | Packet Body Length | Packet Body | FCS.

[Slide 131] Deployment: VLAN-based E-Line Service (P2P)
Metro Ethernet network with P2P EVCs: CE 1 runs an MKA session per VLAN/subinterface to CE 2 (VLAN 10) and to CE 3 (VLAN 20).
Security associations from CE 1: Tx: CE 1 -> CE 2; CE 1 -> CE 3. Rx: CE 2 -> CE 1; CE 3 -> CE 1.
MACsec encryption on WAN links connecting PE nodes for P2MP secure connectivity across the MPLS core.

[Slide 132] Deployment: VLAN-based E-LAN Service (P2MP)
Metro Ethernet network with P2MP EVCs: CE 1 runs MKA sessions per VLAN/subinterface to CE 2 and CE 3 (VLAN 10) and to CE 4 and CE 5 (VLAN 20).
Security associations from CE 1: Tx: CE 1 -> CE 2, CE 3 (shared SA); CE 1 -> CE 4, CE 5 (shared SA). Rx: CE 2 -> CE 1; CE 3 -> CE 1; CE 4 -> CE 1; CE 5 -> CE 1.
When a peer is added to or removed from a shared SA, the rekey is transparent, without traffic drop.
EAPoL DMAC is required to be broadcast.

[Slide 133] Deployment: Extending to Cloud Service Providers
COLO to cloud service providers over an 802.1Q tunnel carrying Vl10-20, with an MKA session per VLAN/subinterface (MKA Vl10, MKA Vl20). EAPoL DMAC is required to be broadcast.
End-to-end encryption from on-premise to cloud infrastructure; pay-as-you-grow models.

[Slide 134] HSEC K9 key for Catalyst 9300X, 9500X, 9600X (IPsec, WAN MACsec*)
Notes:
  Required for enabling IPsec on 9300X, 9400X, 9500X and WAN MACsec on 9500X, 9600X. Without the HSECK9 key, IPsec and WAN MACsec cannot be enabled.
  With a stack or StackWise Virtual, individual HSEC K9 keys per switch are recommended.
How:
  An authorization code (SLAC, Smart Licensing Authorization Code) is required on the system. One-time code installation on the switches; no subsequent action needed.
  Orders via CCW (drop shipped from Cisco) can have the SLAC installed at the factory prior to shipping.
  New add-on license on top of the subscription, based on DNA Advantage.
  Legally required by US law, requiring authorization prior to use. Can only be obtained for 9600X, 9500X and 9300X switches.

[Slide 135] WAN MACsec Supported Platforms and Scale
  WAN MACsec: C9600X, C9500X; C9300X (HW capable); C9400X (HW capable).
  LAN MACsec: C9200-C9600.
  Scale (C9600X, C9500X): total number of WAN MACsec sessions. Footnote (2): C9600X supports WAN MACsec on C9600-LC-40YL4CD with Gen 2 SUP.

[Slides 136-137] End-to-End Security architecture (diagrams)
Edge, distribution and core at 10/25/40/100G; smart building, time-sensitive networking, Bonjour services, light fixtures, USB-C dongles, fiber to the desktop (FTTX), servers and desktops, WiFi6 AP, TV and other end-points; Internet, private WAN, data center (HA) and branches. Slide 137 adds Wifi/FTTD under the heading End-to-End Security.
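A frame decoder for the clear-tag MACsec and tuned-EAPoL layouts on the WAN MACsec slides above, added here as an example (not Cisco's code): it shows that a provider device only ever sees the 802.1Q clear tag plus the 0x88E5 or EAPoL EtherType, that the SecTAG-with-SCI plus ICV is the 32-byte overhead from the comparison table, and that a monitor which still expects 0x888E misses a session tuned to 0x876F. The two frames are constructed with placeholder MACs and VLAN 10 and carry no FCS; the 0x876F value is the one from the eapol eth-type slide.

```python
"""Decode the frame layouts from the WAN MACsec Clear Tag and EAPoL tuning slides
(802.1Q tag in the clear, 802.1AE SecTAG + ICV, EAPoL with a broadcast DMAC or the
0x876F EtherType). Added example, not Cisco's code; the frames are constructed by
hand with placeholder MACs and VLAN IDs and carry no FCS (as in a typical capture)."""
import struct

ETH_8021Q, ETH_MACSEC, ETH_EAPOL = 0x8100, 0x88E5, 0x888E
ICV_LEN = 16                                   # GCM-AES ICV after the secure data
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # default EAPoL destination MAC
BROADCAST_MAC = b"\xff" * 6

def parse_frame(frame, eapol_ethertypes=(ETH_EAPOL,)):
    """Return the fields a CE-side capture check needs: the only things a provider
    device can read are the clear tag and the MACsec/EAPoL EtherType."""
    info = {"dmac": frame[0:6].hex(":"), "smac": frame[6:12].hex(":"),
            "dmac_is_broadcast": frame[0:6] == BROADCAST_MAC,
            "clear_tag_vlan": None, "kind": "other"}
    off = 12
    ethertype, = struct.unpack_from("!H", frame, off)
    if ethertype == ETH_8021Q:                 # macsec dot1q-in-clear 1
        info["clear_tag_vlan"] = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        ethertype, = struct.unpack_from("!H", frame, off)
    if ethertype == ETH_MACSEC:
        tci_an = frame[off + 2]                # TCI bits: V ES SC SCB E C, then 2-bit AN
        sectag_len = 16 if tci_an & 0x20 else 8  # SC bit set => explicit 8-byte SCI
        info.update(kind="macsec", encrypted=bool(tci_an & 0x08), an=tci_an & 0x03,
                    pn=struct.unpack_from("!I", frame, off + 4)[0],
                    overhead_bytes=sectag_len + ICV_LEN,   # 32 with SCI, as on the slide
                    secure_data_len=len(frame) - off - sectag_len - ICV_LEN)
    elif ethertype in eapol_ethertypes:
        version, ptype, body_len = struct.unpack_from("!BBH", frame, off + 2)
        info.update(kind="eapol", ethertype=ethertype, eapol_version=version,
                    eapol_type=ptype, eapol_body_len=body_len,   # type 5 = EAPOL-MKA
                    uses_default_pae_dmac=frame[0:6] == PAE_GROUP_MAC)
    return info

# Constructed frames (placeholder addresses); VLAN 10 is carried as the clear tag.
SMAC, DMAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
CLEAR_TAG = struct.pack("!HH", ETH_8021Q, 10)
MACSEC_FRAME = (DMAC + SMAC + CLEAR_TAG
                + struct.pack("!HBBI", ETH_MACSEC, 0x2C, 0, 1)   # TCI: SC|E|C, AN 0, PN 1
                + SMAC + b"\x00\x01"                             # SCI = SMAC + port 1
                + b"\xaa" * 20                                   # encrypted ETYPE+payload
                + b"\xbb" * ICV_LEN)
EAPOL_MKA_FRAME = (BROADCAST_MAC + SMAC + CLEAR_TAG              # eapol destination-address broadcast
                   + struct.pack("!HBBH", 0x876F, 1, 5, 4)       # eapol eth-type 876F, MKA
                   + b"\x01\x02\x03\x04")                        # placeholder MKPDU body

if __name__ == "__main__":
    print(parse_frame(MACSEC_FRAME))
    print(parse_frame(EAPOL_MKA_FRAME, eapol_ethertypes=(ETH_EAPOL, 0x876F)))
```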