#CiscoLive
BRKENS-2819: Cisco SD-Access and Multi-Domain Segmentation
Jerome Dolphin, Technical Marketing Engineer, CCIE #17805 (R&S, SEC), CCDE #2013:3
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App.
2. Click "Join the Discussion".
3. Install the Webex App or go directly to the Webex space.
4. Enter messages/questions in the Webex space.
Webex spaces will be moderated by the speaker until June 9, 2023.
https:/

Agenda
- Introduction
- Lab Network Design and Policy
- Transits and End to End Segmentation
- Cisco Secure Firewall Segmentation with SGT and DC Attributes
- Access Privileges with Endpoint Analytics and Trust Analytics
- Cisco Secure Endpoint and Rapid Threat Containment
- Conclusion

Introduction

A POC-Inspired Presentation

Why Stay?
- Learn about solutions for end to end connectivity, segmentation and security context across the LAN, WAN, DC and security domains.
- Learn through doing: configure, integrate and operate real Cisco software defined networking solutions. See the functional outcomes.
- Have your questions answered, hopefully.

Why Leave?
- Assumed knowledge due to the scope of topics.
- Not a deep dive on any particular topic.
- Many concepts; the session is recorded.
- If you don't like demos.

Disclaimer
There are many solutions to technical problems. A wide-reaching presentation cannot cover all combinations.
Great places to find help and explore ideas:
- Cisco partners
- Cisco CX
- Cisco sales
- https:/
- Cisco Live meet the ...

Lab Network Design and Policy
Cisco SD-Access: Mandatory Components
- Cisco DNA Center: GUI and APIs for intent-based automation of wired and wireless fabric devices.
- Fabric Border Nodes: a fabric device that connects external L3 networks to the Cisco SD-Access fabric.
- Fabric Edge Nodes: a fabric device that connects wired endpoints to the Cisco SD-Access fabric and optionally enforces micro-segmentation policy.
- Control Plane Node: map system that tracks endpoint to device relationships.

Cisco SD-Access: Optional Components
- Identity Services Engine (highly recommended): NAC and ID services for dynamic endpoint to group mapping and policy distribution.
- Fabric Wireless Controller and Fabric APs (highly recommended): connect wireless endpoints to the SD-Access fabric.
- Extended Node (optional): a switch operating at Layer 2 that extends fabric connectivity and optionally enforces micro-segmentation policy.
- Intermediate Nodes (optional): move data between fabric nodes. Can be one or many hops, e.g. an existing IP core.

Cisco SD-Access Options for Deployment
Cisco DNA Center automated configuration of a Cisco SD-Access LISP-based fabric, which includes:
- Macro and micro segmentation
- Automation workflows and integrations
- Best practice standardized configurations
- SD-Access Assurance
OR
CLI configuration of a Cisco LISP VXLAN fabric, which includes:
- Macro and micro segmentation
- Open integration with heterogeneous tooling (CLI, Ansible, NSO, etc.)
- Customization within the parameters of the LISP Fabric validated design
- Cisco DNA Center device and client assurance
- A subset of the features supported compared to what is available with Cisco DNA Center.

Lab Topology (diagram, built up over several slides)
- Fabric sites: West Fabric Site, Central Fabric Site and East Fabric Site, interconnected over IP_CORE, a metro link and Cisco SD-WAN (vManage, vSmart, vBond).
- Endpoints: w_staff and w_cctv (West), c_staff and c_cctv (Central), e_staff and e_bms1,2,3,4 (East).
- Data centre and cloud: ACI fabric with APIC and server1; server2 in AWS; Internet.
- Shared services and security: ISE, DNA Center, FMC, CSDAC, TTA, Secure Malware Analytics, FTD and FTDv.

Routing Configuration (diagram, built up over several slides)
- Global Routing Table: shared services (ISE, DNA Center, FMC, APIC, CSDAC, TTA, vManage, vSmart, vBond) and IP_CORE.
- IOT VRF, CORP VRF and SERVERS VRF in the core; each fabric site (West, Central, East) carries an IOT VN and a CORP VN.
- SD-WAN carries VRF 101, VRF 102 and VRF 103.
- SERVERS VRF extends to the ACI fabric (server1); the Internet is reached through the FTD, with server2 behind the FTDv.

Inter-VRF Routing Design (diagram)
FTD zones: IOT Zone, CORP Zone, Global Zone and SERVERS Zone, corresponding to the IOT VRF, CORP VRF, Global Routing Table and SERVERS VRF. Each of the four VRFs points a 0.0.0.0/0 default route at the FTD; the FTD routes 10.3.0.0/16, 10.4.0.0/16, 10.6.0.0/16 and various other prefixes back via IP_CORE, and provides the path to the Internet.

Endpoints
Hostname/Username   Description             Virtual Network   SGT/EPG
w_staff             staff endpoint          CORP_VN           Employee
c_staff             staff endpoint          CORP_VN           Employee
e_staff             staff endpoint          CORP_VN           Employee
w_cctv              CCTV device             IOT_VN            CCTV
c_cctv              CCTV device             IOT_VN            CCTV
e_bms1,2,3,4        BMS devices             IOT_VN            BMS
server1             ACI-connected server    SERVERS VRF       SERVERS
server2             AWS-connected server    n/a               n/a

Segmentation Policy (Mechanism: Group-Based Policy)
Source                             Destination                                        Action
SGT:CCTV                           SGT:BMS                                            Deny
SGT:BMS                            SGT:CCTV                                           Deny
SGT:Quarantine                     SGT:Quarantine, SGT:Employee, SGT:CCTV, SGT:BMS    Deny
SGT:Employee, SGT:CCTV, SGT:BMS    SGT:Quarantine                                     Deny
Default Policy                                                                        Permit

Segmentation Policy (Mechanism: Cisco Secure Firewall)
Source                  Destination              Action
SGT:Employee            SGT:BMS, SGT:CCTV        Permit
SGT:BMS, SGT:CCTV       SGT:Employee             Deny
SGT:Q                   8.8.8.8                  Permit
SGT:Quarantine          Any                      Deny
SGT:CCTV                EPG:SERVERS              Permit
SGT:BMS                 EPG:SERVERS              Deny
SGT:BMS                 EC2 instance: server2    Permit
SGT:CCTV                EC2 instance: server2    Deny
Any                     Any                      Permit

Demo

Transits and End to End Segmentation

For More Information
- Cisco SD-Access CVD
- Cisco SD-Access | SD-WAN Independent Domain Pairwise Integration
- Cisco SD-Access Best Practices - Design & Deployment - BRKENS-2502a
- BRKXAR-2001 - Cisco Intent Based Cross and Multidomain Integrations for SDA and SD-WAN

Cisco SD-Access Fabric: Virtual Networks
- Layer 3 Virtual Networks use VRFs and LISP Instance IDs to maintain separate routing topologies. Endpoint IDs (IPv4/IPv6 addresses) are routed within an L3VN.
- Layer 2 Virtual Networks use LISP Instance IDs and VLANs to maintain separate switching topologies. Endpoint IDs (MAC addresses) are switched within an L2VN.
- Edge Nodes, Border Nodes and Fabric APs add and remove the Virtual Network constructs.
(Diagram: L3VN CORP, L2VN TENANT, L3VN IOT.)

Security Group Tag and Group-Based Policy (diagram)
- Endpoint 10.1.10.220 is authenticated and classified as Camera (SGT 5).
- Endpoints 10.1.100.52 and 10.1.200.100 are authenticated and classified as Lighting (SGT 20) and HVAC (SGT 30).
- The frame SRC 10.1.10.220, DST 10.1.100.52 crosses the SD-Access underlay in the VXLAN overlay carrying SGT 5; at the destination the Edge Node resolves Destination = SGT 20 and applies the Group-Based Policy matrix.

Group-Based Policy matrix:
SRC \ DST      Lighting (20)   HVAC (30)
Camera (5)     Permit          Deny
BYOD (7)       Deny            Permit

Transits
- IP-Based Transit: per-Layer-3-Virtual-Network eBGP peering to the external routing domain, or LISP Extranet Provider VN eBGP peering to the external routing domain. SGT propagation outside of the fabric requires suitable hardware and software. (Diagram: Fabric1 and Fabric2 each peer VN1 eBGP, VN2 eBGP and VN3 eBGP into the IP domain, ASN1 and ASN2.)
- SD-Access Transit: SD-Access LISP/VXLAN between Fabric Sites. Preserves Layer 3 Virtual Networks and SGT. Fabric as a transit between external routing domains. (Diagram: Fabric1 ... FabricN ... Fabric2 over IP.)
- SD-WAN Transit: Cisco SD-WAN between Fabric Sites. Border Node connected to SD-WAN Edge. (Diagram: Fabric1 and Fabric2 with VN1/VN2/VN3 eBGP towards the SD-WAN Edge.)
SGT Preservation is Essential
- Source SGT and destination SGT must be known at the policy enforcement point.
- SGT can be transported numerous ways:
  - Source: in the data plane.
  - Source and destination: in the control plane via SXP or pxGrid.
- Data plane source SGT scales better.
- SXP can be hard to design correctly in medium to large scale SD-Access networks:
  - Peer SXP per SD-Access Border Node.
  - SXP peering limits on ISE = SXP reflectors.
  - Memory limits on switches can be a bottleneck in larger deployments.
  - SXP does not easily capture static SGTs.

SGT in the Data Plane (diagram)
- CMD in Ethernet
- CMD encrypted
- CMD in IPsec
- CMD in GRE
- GPO
Note: dropped by non-SGT capable network infrastructure. Review the TrustSec capability matrix: https:/

Demo: Transits and End to End Segmentation
- Connect Central site and East site to Cisco SD-Access Transit.
- Test intra-site and inter-site connectivity and segmentation.
- Establish West site Independent Domains SD-WAN Edge and SD-Access Border Node.
- Bring up West site Fabric Edge Node and Embedded WLC.
- Test intra-site and inter-site connectivity and segmentation.

Discussed Previously
- SXP and VRF in BRKCRS-2819 at Cisco Live San Diego 2019.
- SGT and VRF in mGRE (DMVPN) in BRKCRS-2819 at Cisco Live Barcelona 2020.

Demo: Transits with End to End Segmentation (diagram, built up over several slides)
West, Central and East Fabric Sites, connected by the metro link (IP-Based Transit) and by SD-WAN (SD-WAN Transit). Numbered points on the diagram:
1. SGT assigned to wired or wireless endpoint IP address
2. SGT and VN in VXLAN
3. SGT in Ethernet
4. SGT and VN in IPsec
Within the sites and across the SD-Access Transit the SGT and VN ride in VXLAN (2); across the metro IP-Based Transit the SGT rides in Ethernet (3); across the SD-WAN Transit the SGT and VN ride in IPsec (4).

Demo

Cisco Secure Firewall Segmentation with SGT and DC Attributes
For More Information
- Watch later at: BRKSEC-2845 Cisco Secure Firewall and SD-Access Integration Deep Dive
- Integrate Cisco Secure Firewall Management Centre with ISE pxGrid: https:/
- Secure Dynamic Attributes Connector Configuration Guide

Demo: Firewall Segmentation with SGT and DC Attributes
- Use the APIC FMC Endpoint Update application to load EPG attributes into Cisco Secure Firewall Management Center (FMC).
- Use Cisco Secure Dynamic Attributes Connector (CSDAC) to load AWS EC2 attributes into FMC.
- Integrate FMC with ISE.
- Build the required FMC policies incorporating SGT, ACI and AWS attributes.
- Test and prove connectivity outcomes.
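As an added example (my code, not the deck's or Cisco's), the lab's Cisco Secure Firewall rule table evaluated top-down in the order the policy slide lists it: the source is resolved to an SGT either from an inline tag or from the ISE pxGrid IP-to-SGT mapping when the packet arrives as IP with no SGT, and the destination to an ACI EPG (APIC feed) or an AWS EC2 instance (CSDAC feed). The addresses, the mapping contents, the preference for an inline tag over the pxGrid mapping, and reading the slide's "SGT:Q" as Quarantine are all assumptions; the final case shows an address with no SGT from any source falling through to the catch-all permit.

```python
"""Added example (not the deck's or Cisco's code): first-match evaluation of the
lab's Cisco Secure Firewall rule table, where the source is identified by SGT
(inline, or from the ISE pxGrid IP-to-SGT mapping when the packet arrives as IP
with no SGT) and the destination by an ACI EPG, an AWS EC2 instance or an IP.
All mappings and addresses are constructed sample data.
"""
from typing import Dict, List, Optional, Set, Tuple

Attr = Tuple[str, str]  # e.g. ("sgt", "Employee"), ("epg", "SERVERS"), ("ec2", "server2")
ANY: Attr = ("any", "*")

# Dynamic attribute feeds into FMC (roles as described in the deck, values constructed)
PXGRID_IP_SGT: Dict[str, str] = {          # ISE via pxGrid
    "10.4.1.10": "Employee", "10.3.1.10": "BMS", "10.3.1.20": "CCTV",
}
APIC_EPG_IP: Dict[str, Set[str]] = {"SERVERS": {"10.6.1.10"}}     # APIC FMC Endpoint Update app (server1)
CSDAC_EC2_IP: Dict[str, Set[str]] = {"server2": {"172.31.0.10"}}  # CSDAC (AWS EC2)

# The lab's rule table: (source attributes, destination attributes, action), first match wins
RULES: List[Tuple[Set[Attr], Set[Attr], str]] = [
    ({("sgt", "Employee")},              {("sgt", "BMS"), ("sgt", "CCTV")}, "permit"),
    ({("sgt", "BMS"), ("sgt", "CCTV")},  {("sgt", "Employee")},             "deny"),
    ({("sgt", "Quarantine")},            {("ip", "8.8.8.8")},               "permit"),  # slide: SGT:Q
    ({("sgt", "Quarantine")},            {ANY},                             "deny"),
    ({("sgt", "CCTV")},                  {("epg", "SERVERS")},              "permit"),
    ({("sgt", "BMS")},                   {("epg", "SERVERS")},              "deny"),
    ({("sgt", "BMS")},                   {("ec2", "server2")},              "permit"),
    ({("sgt", "CCTV")},                  {("ec2", "server2")},              "deny"),
    ({ANY},                              {ANY},                             "permit"),
]


def attributes_for(ip: str, inline_sgt: Optional[str] = None) -> Set[Attr]:
    """All attributes FMC can associate with an address; an inline SGT beats the pxGrid mapping (assumed)."""
    attrs: Set[Attr] = {ANY, ("ip", ip)}
    sgt = inline_sgt or PXGRID_IP_SGT.get(ip)
    if sgt:
        attrs.add(("sgt", sgt))
    attrs.update(("epg", epg) for epg, ips in APIC_EPG_IP.items() if ip in ips)
    attrs.update(("ec2", name) for name, ips in CSDAC_EC2_IP.items() if ip in ips)
    return attrs


def evaluate(src_ip: str, dst_ip: str, inline_sgt: Optional[str] = None) -> Tuple[str, int]:
    """Return (action, 1-based rule number) of the first rule matching both source and destination."""
    src, dst = attributes_for(src_ip, inline_sgt), attributes_for(dst_ip)
    for number, (rule_src, rule_dst, action) in enumerate(RULES, start=1):
        if rule_src & src and rule_dst & dst:  # a rule matches if any listed object matches
            return action, number
    raise RuntimeError("rule table has no catch-all")


if __name__ == "__main__":
    flows = [
        ("10.4.1.10", "10.3.1.10", None),          # Employee -> BMS
        ("10.3.1.20", "10.6.1.10", None),          # CCTV -> server1 (EPG SERVERS)
        ("10.3.1.10", "172.31.0.10", None),        # BMS -> server2 (EC2 instance)
        ("10.4.1.10", "8.8.8.8", "Quarantine"),    # quarantined host, DNS exception
        ("10.9.9.9", "10.6.1.10", None),           # no SGT from any source: catch-all permit
    ]
    for flow in flows:
        print(flow, evaluate(*flow))
```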
Demo: Firewall Segmentation with SGT and DC Attributes (diagram, built up over several slides)
Numbered points on the diagram:
1. SGT assigned to wired or wireless endpoint IP address
2. SGT and VN in VXLAN
3. SGT in Ethernet
4. SGT and VN in IPsec
5. IP with no SGT
The Cisco Secure Firewall Management Center manages the FTD in the lab and the FTDv in AWS. Traffic reaches the FTD with the SGT in Ethernet (3); traffic towards server1, the Internet and the FTDv arrives as IP with no SGT (5). The APIC supplies EPG:IP mappings and the Cisco Secure Dynamic Attributes Connector supplies EC2:IP mappings, so that FMC holds SGT/EPG/EC2-to-IP mappings, for example (as shown on the slide):
IP          SGT
10.4.1.10   Employee
10.3.1.10   BMS
10.3.1.10   CCTV
etc.

Demo

Access Privileges with Endpoint Analytics and Trust Analytics

For More Information
- Watch later at: BRKENS-2850 What is Your First Step in Protecting Endpoints and Reducing the Attack Surface?
- BRKENS-2851 Identify Suspicious Behavior, Limit Attack Exposure on Endpoints Using Trust Analytics
- Cisco AI Endpoint Analytics Deployment Guide: https:/

Cisco Zero Trust Network and Cloud
Visibility, Segmentation, Containment.

Endpoint Analytics and Trust Analytics Architecture (diagram)
Components on the diagram: Cisco ISE 3.1; Cisco DNA Center with EA (Endpoint Analytics); TTA (Traffic Telemetry Appliance); EMM/MDM integrations; ServiceNow CMDB asset attributes; and more. Endpoint Context exchanged with ISE: auth protocol/status, authz profile, SGTs, posture status. Endpoint Analytics produces AI/ML profile labels, Trust Score and Anomaly Score, and ANC Policy.
Compatibility Matrix
Columns on the slide: Capability; Cisco DNA Center (minimum release); Wired CAT9k (Fabric, Non-Fabric); Wireless CAT9800 (4) (Local, Flex); Traffic Telemetry Appliance (TTA). The per-platform support marks did not survive extraction; the Cisco DNA Center releases did:
Capability                      Cisco DNA Center
DPI Based Profiling             2.1.2.x
AI Smart Grouping               2.1.2.x
AI Spoofing Detection (2)       2.2.2.x
Changed profile labels          2.2.3.x
NAT Detection                   2.2.3.x
Concurrent MAC Address (1)      2.2.3.x
Open Port Scan (3)              2.3.2.x
Weak Credential Scan (3)        2.3.2.x
Talos Low Reputation IP (2)     2.3.3.x
1. Concurrent MAC violations cannot occur on the wireless CAT9k controller, but it can detect concurrent MACs between wired and wireless.
2. AI Spoofing Detection and Talos Low Reputation need NetFlow configuration; other functionalities need NBAR.
3. Open Port Scan and Weak Credential Scan need the security sensor (SDAVC app provisioned as a container in the Cat9k switch).
4. Support for Fabric and FlexConnect from IOS XE 17.7+. Local mode supported in 17.6 for Enterprise SSID.
CA: Controlled Availability. Available to approved customers.

Demo: Analytics-Based Access Privileges
- Profile some real endpoints with Endpoint Analytics. Use the results to assign network access privileges.
- Use Trust Analytics in the IOT_VN at East Fabric Site to implement: Open Port Scan, Weak Credentials Scan, Talos Low Reputation IP.
- Configure ISE Authentication Policy to quarantine endpoints with a low Trust Score.
- Manually quarantine questionable endpoints via ANC Policy.
- Test and prove connectivity outcomes.

Discussed Previously
- Cisco Secure Network Analytics (Stealthwatch) and Encrypted Traffic Analytics (ETA) in BRKCRS-2819 at Cisco Live Barcelona 2020.

Demo: Analytics-Based Access Privileges (diagram, built up over several slides)
East Fabric Site with e_bms1,2,3,4. The Traffic Telemetry Appliance (*required if Fabric Enabled Wireless) receives ERSPAN from the fabric and sends telemetry to EA (Endpoint Analytics). AAA runs between the fabric and ISE. Endpoint Context (auth protocol/status, authz profile, SGT) flows from ISE to EA; profile labels, Trust Score and Anomaly Score, and ANC Policy flow from EA to ISE, which issues CoA to the network. For Open Port Scan and Weak Credentials Scan, the port and credentials scan configuration is pushed to the switch and the scan results are returned to EA.

Demo

Cisco Secure Endpoint and Rapid Threat Containment

For More Information
- Cisco Endpoint Security landing page
- Cisco Secure Endpoint At-a-Glance
- Cisco Secure Endpoint Data Sheet
- Cisco Secure Firewall Management Center Configuration Guide: Correlation Policies

Cisco Secure Endpoint
Detection:
- Continuous activity monitoring
- Advanced endpoint search
- Sandboxing
- Cloud IOCs
- Threat hunting
- In-depth mapping to the MITRE ATT&CK framework
- Vulnerable and low prevalence software identification
- Unmanaged endpoint discovery
- Extend to XDR with the SecureX platform
Response:
- Custom block/allow lists for files and network traffic
- Application control and allow list
- Endpoint isolation
- Accelerate threat response with an integrated security platform
- Never lose context with the SecureX ribbon to pivot and investigate faster
- SecureX orchestration to do more with less through automation
Protection:
- Behavioral analytics
- Machine learning
- Signature based detection
- Attack surface reduction with integrations with Duo, AnyConnect, Umbrella
- Posture and IT Operations assessment through endpoint policy compliance and zero-day attack prevention

Demo: Secure Endpoint and Rapid Threat Containment
- Integrate ISE and Cisco Secure Firewall Management Center (FMC) with Secure Malware Analytics (AMP Cloud).
- Define IOC correlation rules in FMC.
- On the East Fabric Site e_staff workstation:
  - Confirm the Cisco Secure Endpoint connector is operating correctly.
  - Trigger a threat event by accessing a known malicious file.
  - Confirm FMC automatically triggered the ANC Quarantine policy and network access is heavily restricted.
113、_staff workstation:Confirm Cisco Secure Endpoint connector is operating correctly.Trigger a threat event by accessing a known malicious file.Confirm FMC automatically-triggered ANC Quarantine policy and network access is heavily restricted.BRKENS-281995 2023 Cisco and/or its affiliates.All rights re
114、served.Cisco Public#CiscoLiveDemo:Secure Endpoint and Rapid Threat ContainmentCisco Secure FirewallManagement Centere_staffSGT=EmployeeEast Fabric SiteEast Fabric SiteBRKENS-281996 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveDemo:Secure Endpoint and Rapid Threat Contai
115、nmentEast Fabric SiteEast Fabric Sitee_staffSGT=EmployeeRunsCisco Secure EndpointCisco Secure FirewallManagement CenterBRKENS-281997 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveDemo:Secure Endpoint and Rapid Threat ContainmentEast Fabric SiteEast Fabric SiteRunsCisco S
116、ecure EndpointSecure Malware AnalyticsFile hashes and threat event syncThreat verdicts and updatese_staffSGT=EmployeeCisco Secure FirewallManagement CenterBRKENS-281998 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveDemo:Secure Endpoint and Rapid Threat ContainmentEast Fa
117、bric SiteEast Fabric SiteRunsCisco Secure EndpointThreat verdicts and updatese_staffSGT=EmployeeCisco Secure FirewallManagement CenterSecure Malware AnalyticsFile hashes and threat event syncBRKENS-281999 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveDemo:Secure Endpoint
118、 and Rapid Threat ContainmentEast Fabric SiteEast Fabric SiteRunsCisco Secure EndpointThreat verdicts and updatesANC Policy:Quarantinee_staffSGT=EmployeeCisco Secure FirewallManagement CenterSecure Malware AnalyticsFile hashes and threat event syncBRKENS-2819100 2023 Cisco and/or its affiliates.All
119、rights reserved.Cisco Public#CiscoLiveDemo:Secure Endpoint and Rapid Threat ContainmentEast Fabric SiteEast Fabric SiteRunsCisco Secure EndpointThreat verdicts and updatesChange of Authorizatione_staffSGT=EmployeeANC Policy:QuarantineCisco Secure FirewallManagement CenterSecure Malware AnalyticsFile
120、 hashes and threat event syncBRKENS-2819101 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveDemo:Secure Endpoint and Rapid Threat ContainmentEast Fabric SiteEast Fabric SiteRunsCisco Secure EndpointThreat verdicts and updatesChange of AuthorizationANC Policy:QuarantineCisc
121、o Secure FirewallManagement Centere_staffSGT=EmployeeSGT=QuarantineSecure Malware AnalyticsFile hashes and threat event syncBRKENS-2819102DemoConclusion 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveRaise of Hands!How many use other automation systems(Ansible,NSO,CLI,etc
122、.)to orchestrate network configurations today on the network devices?How many would be interested in deploying LISP VXLAN Fabric in your networks through other automation systems?BRKENS-2819105 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveConclusionDiscussed and demonst
123、rated:End to end Segmentation using a range of transit technologies.Cisco Secure Firewall Segmentation with SGT and DC Attributes.Access Privileges with Endpoint and Trust Analytics.Cisco Secure Endpoint and Rapid Threat Containment.Weve just scratched the surface.Talk to a partner,CX,SE and AM repr
124、esentative to explore all the options and offer feedback for roadmap consideration.BRKENS-2819106 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveConclusionWe value your feedback.Keep it coming!It couldnt be done without you.BRKENS-2819107 2023 Cisco and/or its affiliates.
125、All rights reserved.Cisco Public#CiscoLiveFill out your session surveys!Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks(while supplies last)!These points help you get on the leaderboard and increase your chances of winning daily
126、 and grand prizesAttendees will also earn 100 points in theCisco Live Challenge for every survey completed.BRKENS-2819108 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicContinue your educationVisit the Cisco Showcase for related demosBook your one-on-oneMeet the Engineer meetingAtt
127、end the interactive education with DevNet,Capture the Flag,and Walk-in LabsVisit the On-Demand Library for more sessions at www.CiscoL you#CiscoLive 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveGamify your Cisco Live experience!Get points Get points for attending this s
128、ession!for attending this session!Open the Cisco Events App.Click on Cisco Live Challenge in the side menu.Click on View Your Badges at the top.Click the+at the bottom of the screen and scan the QR code:How:1234111 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKENS-2819111#CiscoLive