Group Based Segmentation Basics

Cisco ISE - Identity Services Engine

Speaker: Jonathan Eaves, Technical Marketing Engineer
00:00 Intro
01:20 Where to Start: [Cisco Segmentation Strategy](community.cisco.com/t5/securi...)
03:35 Intent is Unclear with IP ACLs
04:45 Security Groups and Security Group Tags (SGTs)
05:37 Business Intent is clear with groups in the CLI
07:41 Classification | Propagation | Enforcement
10:51 Source and Destination Groups for Group-Based Policies
11:31 Use 802.1X or MAB to Dynamically Classify Endpoints with SGTs for Visibility
15:48 Visibility/Classification Scenario Demo Overview
16:48 - ISE Policy and Catalyst 9300 Initial State (CTS == Cisco TrustSec)
18:35 - Doctor Authentication on Gig1/0/2
19:24 - IP-to-SGT Mapping
19:35 - ISE LiveLogs
20:04 - ISE SXP Mapping Table
20:50 - Switch Configuration Reference
21:03 Switch Configuration for Enforcement:
```
cts credentials id {id} password {password}
show cts credentials
show cts pac
show cts environment-data
```
22:58 Dynamic Group Policy Download from ISE for Enforcement at Egress
26:03 Enforcement Demo
26:08 - ISE TrustSec Policy Matrix
```
show cts pac
show cts environment-data
show auth sessions
show auth session interface {interface} details
show cts role-based sgt-map all
show cts role-based permissions
```
27:33 - Enable Scanner
27:47 - ISE LiveLogs
```
show auth session mac {mac} details
show cts role sgt-map all
show cts role-based permissions
show cts role-based counters
```
30:01 - Change SGACL in ISE From `permit ip` to `deny ip`
31:12 Enforcement on Multiple Platforms
34:07 Peer-to-Peer SXP (SGT-to-IP Exchange Protocol)
35:08 SXP from ISE
35:35 IP-to-SGT Propagation Options: SXP, pxGrid, Inline Tagging, WAN protocols, VXLAN
37:26 SXP Propagation and Enforcement: Doctors and Cameras
40:16 - Add Propagation from ISE to the Destination Switch
41:13 - Add SXP to Destination Switch
```
show cts sxp connections brief
cts sxp connection peer {ip} source {ip} password {password} mode local listener
show cts role-based sgt-map all
```
43:58 - Change and Deploy Updated Group Policy in ISE
44:29 Demo: Inline Tagging Propagation and Enforcement (manual/static configuration)
```
cts manual
policy static sgt 2 trusted
```
47:35 - Monitor Capture:
```
monitor capture {name} interface {interface} both
monitor capture {name} match any
monitor capture {name} clear
monitor capture {name} start
monitor capture {name} stop
monitor capture {name} buffer | include ICMP
monitor capture {name} buffer detail | begin frame {#}
```
49:34 Best Practices for Enforcement Design:
Assets ~ Classification Mechanism ~ Enforcement Points ~ Propagation Methods
51:15 Cisco DNAC with AI Endpoint Analytics
52:54 ISE Resources and Related Documents
- Cisco Segmentation Strategy: community.cisco.com/t5/securi...
53:31 Question: DNAC and Stealthwatch
