Cisco TrustSec Configuration Guide
Network User Guide
Restrictions for Cisco TrustSec
- Protected access credential (PAC) provisioning fails and remains in a hung state when an invalid device ID is specified. Even after clearing the PAC and configuring the correct device ID and password, PAC provisioning still fails.
As a workaround, in the Cisco Identity Services Engine (ISE), uncheck the Suppress Anomalous Clients option in the Administration > System > Settings > Protocols > Radius menu for PAC provisioning to work.
- Cisco TrustSec is not supported in FIPS mode.
- The following restrictions apply only to the C9500X-28C8D model of the Cisco Catalyst 9500 Series Switches:
• Cisco TrustSec is not supported.
• Cisco TrustSec Security Association Protocol (SAP) is not supported.
• Cisco TrustSec metadata encryption is not supported.
Information About Cisco TrustSec Architecture
The Cisco TrustSec security architecture builds secure networks by establishing domains of trusted network devices. Each device in the domain is authenticated by its peers. Communication on the links between devices in the domain is secured with a combination of encryption, message integrity checks, and data-path replay protection mechanisms. Cisco TrustSec uses the device and user credentials acquired during authentication to classify packets by security groups (SGs) as they enter the network. This packet classification is maintained by tagging packets on ingress to the Cisco TrustSec network so that they can be properly identified for the purpose of applying security and other policy criteria along the data path. The tag, called the security group tag (SGT), allows the network to enforce the access control policy by enabling the endpoint device to act upon the SGT to filter traffic.

Cisco TrustSec IEEE 802.1X links are not supported on the platforms supported in the Cisco IOS XE Denali (16.1.x to 16.3.x), Cisco IOS XE Everest (16.4.x to 16.6.x), and Cisco IOS XE Fuji (16.7.x to 16.9.x) releases, and hence only the Authenticator role is supported; the Supplicant role is not supported.
The Cisco TrustSec architecture incorporates three key components:
- Authenticated networking infrastructure—After the first device (called the seed device) authenticates with the authentication server to begin the Cisco TrustSec domain, each new device added to the domain is authenticated by its peer devices that are already within the domain. The peers act as intermediaries for the domain's authentication server. Each newly authenticated device is categorized by the authentication server and assigned a security group number based on its identity, role, and security posture.
- Security group-based access control—Access policies within the Cisco TrustSec domain are topology-independent, based on the roles (as indicated by the security group number) of the source and destination devices rather than on network addresses. Individual packets are tagged with the security group number of the source.
- Secure communication—With encryption-capable hardware, communication on each link between devices in the domain can be secured with a combination of encryption, message integrity checks, and data-path replay protection mechanisms.
The following figure shows an example of a Cisco TrustSec domain. In this example, several networking devices and an endpoint device are inside the Cisco TrustSec domain. One endpoint device and one networking device are outside the domain because they are not Cisco TrustSec-capable devices or because they have been refused access. The authentication server is considered to be outside the Cisco TrustSec domain; it is either a Cisco Identity Services Engine (Cisco ISE) or a Cisco Secure Access Control System (Cisco ACS).
Figure 1: Cisco TrustSec Network Domain Example
Each participant in the Cisco TrustSec authentication process acts in one of the following roles:
- Supplicant—An unauthenticated device connected to a peer within the Cisco TrustSec domain, and attempting to join the Cisco TrustSec domain.
- Authentication server—The server that validates the identity of the supplicant and issues the policies that determine the supplicant's access to services within the Cisco TrustSec domain.
- Authenticator—An authenticated device that is already part of the Cisco TrustSec domain and can authenticate new peer supplicants on behalf of the authentication server.
When the link between a supplicant and an authenticator first comes up, the following sequence of events typically occurs:
- Authentication (802.1X)—The supplicant is authenticated by the authentication server, with the authenticator acting as an intermediary. Mutual authentication is performed between the two peers (supplicant and authenticator).
- Authorization—Based on the identity information of the supplicant, the authentication server provides authorization policies, such as security group assignments and ACLs, to each of the linked peers. The authentication server provides the identity of each peer to the other, and each peer then applies the appropriate policy for the link.
- Security Association Protocol (SAP) negotiation—When both sides of a link support encryption, the supplicant and the authenticator negotiate the parameters needed to establish a security association (SA).

SAP is not supported on 100G interfaces. We recommend that you use the MACsec Key Agreement (MKA) protocol with extended packet numbering (XPN) on 100G interfaces.
When all three steps are complete, the authenticator changes the state of the link from the unauthorized (blocking) state to the authorized state, and the supplicant becomes a member of the Cisco TrustSec domain.
Cisco TrustSec uses ingress tagging and egress filtering to enforce access control policy in a scalable manner. Packets entering the domain are tagged with a security group tag (SGT) containing the assigned security group number of the source device. This packet classification is maintained along the data path within the Cisco TrustSec domain for the purpose of applying security and other policy criteria. The final Cisco TrustSec device on the data path, either the endpoint or the network egress point, enforces an access control policy based on the security group of the Cisco TrustSec source device and the security group of the final Cisco TrustSec device. Unlike traditional access control lists based on network addresses, Cisco TrustSec access control policies are a form of role-based access control lists (RBACLs) called security group access control lists (SGACLs).

Ingress refers to packets entering the first Cisco TrustSec device that a packet encounters on its path to the destination, and egress refers to packets leaving the last Cisco TrustSec device on the path.
Authentication
Cisco TrustSec and Authentication
Using Network Device Admission Control (NDAC), Cisco TrustSec authenticates a device before allowing it to join the network. NDAC uses 802.1X authentication with Extensible Authentication Protocol Flexible Authentication via Secure Tunnel (EAP-FAST) as the Extensible Authentication Protocol (EAP) method to perform the authentication. EAP-FAST conversations allow other EAP method exchanges inside the EAP-FAST tunnel using chaining. Administrators can use traditional user authentication methods, such as Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAPv2), while still having the security provided by the EAP-FAST tunnel. During the EAP-FAST exchange, the authentication server creates and delivers to the supplicant a unique protected access credential (PAC) that contains a shared key and an encrypted token to be used for future secure communication with the authentication server.
The following figure shows the EAP-FAST tunnel and inner methods as used in Cisco TrustSec.
Figure 2: Cisco TrustSec Authentication
Cisco TrustSec Enhancements to EAP-FAST
The implementation of EAP-FAST for Cisco TrustSec has the following enhancements:
- Authenticate the authenticator—Securely determines the identity of the authenticator by requiring the authenticator to use its PAC to derive the shared key between itself and the authentication server. This feature also saves you from having to configure RADIUS shared keys on the authentication server for every possible IP address that the authenticator might use.
- Notify each device of the identity of its peer—By the end of the authentication exchange, the authentication server has identified both the supplicant and the authenticator. The authentication server conveys the identity of the authenticator, and whether the authenticator is Cisco TrustSec-capable, to the supplicant by using additional type-length-value parameters (TLVs) in the protected EAP-FAST termination. The authentication server also conveys the identity of the supplicant, and whether the supplicant is Cisco TrustSec-capable, to the authenticator by using RADIUS attributes in the Access-Accept message.
Because each device knows the identity of its peer, it can send additional RADIUS Access-Requests to the authentication server to acquire the policy to be applied on the link.
802.1X Role Selection
In 802.1X, the authenticator must have IP connectivity with the authentication server because it has to relay the authentication exchange between the supplicant and the authentication server using RADIUS over UDP/IP. When an endpoint device, such as a PC, connects to a network, it is obvious that it should function as a supplicant. However, in the case of a Cisco TrustSec connection between two network devices, the 802.1X role of each network device might not be immediately apparent to the other network device.
Instead of requiring manual configuration of the authenticator and supplicant roles for two adjacent switches, Cisco TrustSec runs a role-selection algorithm to automatically determine which switch functions as the authenticator and which functions as the supplicant. The role-selection algorithm assigns the authenticator role to the switch that has IP reachability to a RADIUS server. Both switches start both the authenticator and supplicant state machines. When a switch detects that its peer has access to a RADIUS server, it terminates its own authenticator state machine and assumes the role of the supplicant. If both switches have access to a RADIUS server, the first switch to receive a response from the RADIUS server becomes the authenticator and the other switch becomes the supplicant.
Cisco TrustSec Authentication Summary
By the end of the Cisco TrustSec authentication process, the authentication server has performed the following actions:
- Verified the identities of the supplicant and the authenticator.
- Authenticated the user if the supplicant is an endpoint device.
At the end of the Cisco TrustSec authentication process, both the authenticator and the supplicant know the following:
- Device ID of the peer
- Cisco TrustSec capability information of the peer
- Key used for the SAP
Device Identities
Cisco TrustSec does not use IP addresses or MAC addresses as device identities. Instead, you assign a name (device ID) to each Cisco TrustSec-capable switch to identify it uniquely in the Cisco TrustSec domain. This device ID is used for the following:
- Looking up the authorization policy
- Looking up passwords in the databases during authentication
Device Credentials
Cisco TrustSec supports password-based credentials. Cisco TrustSec authenticates supplicants through passwords and uses MSCHAPv2 to provide mutual authentication.
The authentication server uses these credentials to mutually authenticate the supplicant during the EAP-FAST phase 0 (provisioning) exchange, in which the PAC is provisioned in the supplicant. Cisco TrustSec does not perform the EAP-FAST phase 0 exchange again until the PAC expires, and only performs EAP-FAST phase 1 and phase 2 exchanges for future link bringups. The EAP-FAST phase 1 exchange uses the PAC to mutually authenticate the authentication server and the supplicant. Cisco TrustSec uses the device credentials only during the PAC provisioning (or reprovisioning) steps.
When the supplicant first joins the Cisco TrustSec domain, the authentication server authenticates the supplicant and pushes a shared key and an encrypted token to the supplicant with the PAC. The authentication server and the supplicant use this key and token for mutual authentication in all future EAP-FAST exchanges.
User Credentials
Cisco TrustSec does not require a specific type of user credential for endpoint devices. You can choose any type of user authentication method that is supported by the authentication server, and use the corresponding credentials. For example, Cisco Secure Access Control System (ACS) version 5.1 supports MSCHAPv2, generic token card (GTC), or RSA one-time password (OTP).
Security Group-Based Access Control
This section provides information about security group-based access control lists (SGACLs).
Security Groups and SGTs
A security group is a grouping of users, endpoint devices, and resources that share access control policies. Security groups are defined by the administrator in Cisco ISE or Cisco Secure ACS. As new users and devices are added to the Cisco TrustSec domain, the authentication server assigns these new entities to the appropriate security groups. Cisco TrustSec assigns each security group a unique 16-bit security group number whose scope is global within the Cisco TrustSec domain. The number of security groups in the device is limited to the number of authenticated network entities. You do not have to configure security group numbers manually.
Once a device is authenticated, Cisco TrustSec tags any packet that originates from that device with a security group tag (SGT) that contains the security group number of the device. The packet carries this SGT throughout the network within the Cisco TrustSec header. The SGT is a single label that determines the privileges of the source within the entire enterprise.
Because the SGT contains the security group of the source, the tag can be referred to as the source SGT. The destination device is also assigned to a security group (the destination SG), which for simplicity can be referred to as the destination group tag (DGT), although the actual Cisco TrustSec packet tag does not contain the security group number of the destination device.
Security Group ACL Support
Security group access control lists (SGACLs) are a policy enforcement mechanism through which the administrator can control the operations performed by a user, based on security group assignments and destination resources. Policy enforcement within the Cisco TrustSec domain is represented by a permissions matrix, with the source security group number on one axis and the destination security group number on the other axis. Each cell in the matrix contains an ordered list of SGACLs, which specifies the permissions that should be applied to packets originating from an IP address in the source security group and having a destination IP address that belongs to the destination security group.
SGACLs provide a stateless access control mechanism based on the security group or security group tag value instead of IP addresses and filters. There are three ways to provision SGACL policy:
- Static policy provisioning: The SGACL policies are defined by the user using the cts role-based permission command.
- Dynamic policy provisioning: SGACL policies should be configured primarily through the policy management function of Cisco Secure ACS or the Cisco Identity Services Engine.
- Change of Authorization (CoA): The updated policy is downloaded when the SGACL policy is modified on ISE and a CoA is pushed to the Cisco TrustSec device.
The device data plane receives the CoA packets from the policy provider (ISE) and applies the policy to the CoA packets. The packets are then forwarded to the device control plane, where the next level of policy enforcement happens for the incoming CoA packets. To view the hardware and software policy counter hit information, run the show cts role-based counters command in privileged EXEC mode.
SGACL Policies
Using security group access control lists (SGACLs), you can control the operations that users can perform based on the security group assignments of the users and the destination resources. Policy enforcement within the Cisco TrustSec domain is represented by a permissions matrix, with source security group numbers on one axis and destination security group numbers on the other axis. Each cell in the body of the matrix can contain an ordered list of SGACLs, which specifies the permissions that should be applied to packets originating from the source security group and destined for the destination security group.
The following figure shows an example of a Cisco TrustSec permissions matrix for a simple domain with three defined user roles and one defined destination resource. Three SGACL policies control access to the destination server based on the role of the user.
Figure 3: SGACL Policy Matrix Example
By assigning users and devices within the network to security groups and applying access control between the security groups, Cisco TrustSec achieves role-based, topology-independent access control within the network. Because SGACLs define access control policies based on device identities instead of IP addresses as in traditional ACLs, network devices are free to move throughout the network and change IP addresses.
As long as the roles and the permissions remain the same, changes to the network topology do not change the security policy. When a user is added to the device, you simply assign the user to an appropriate security group and the user immediately receives the permissions of that group.

SGACL policies are applied to traffic that is generated between two host devices, not to traffic that is generated from a device to an end host device.
Using role-based permissions greatly reduces the size of ACLs and simplifies their maintenance. With Cisco TrustSec, the number of access control entries (ACEs) configured is determined by the number of permissions specified, resulting in a much smaller number of ACEs than in a traditional IP network. The use of SGACLs in Cisco TrustSec typically results in more efficient use of TCAM resources compared with traditional ACLs. A maximum of 17,500 SGACL policies are supported on Cisco Catalyst 9500 Series Switches. On Cisco Catalyst 9500 High Performance Series Switches, a maximum of 28,224 SGACL policies are supported.
Ingress Tagging and Egress Enforcement
Cisco TrustSec access control is implemented using ingress tagging and egress enforcement. At the ingress point to the Cisco TrustSec domain, traffic from the source is tagged with an SGT containing the security group number of the source entity. The SGT is propagated with the traffic across the domain. At the egress point of the Cisco TrustSec domain, the egress device uses the source SGT and the security group number of the destination entity (the destination SG, or DGT) to determine which access policy to apply from the SGACL policy matrix.
The following figure shows how SGT assignment and SGACL enforcement operate in a Cisco TrustSec domain.
Figure 4: SGT and SGACL in a Cisco TrustSec Domain
- The host PC transmits a packet to the web server. Although the PC and the web server are not members of the Cisco TrustSec domain, the data path of the packet includes the Cisco TrustSec domain.
- The Cisco TrustSec ingress device modifies the packet to add an SGT with security group number 3, the security group number assigned by the authentication server for the host PC.
- The Cisco TrustSec egress device enforces the SGACL policy that applies to source group 3 and destination group 4, the security group number assigned by the authentication server for the web server.
- If the SGACL allows the packet to be forwarded, the Cisco TrustSec egress switch modifies the packet to remove the SGT and forwards the packet to the web server.
Determining the Source Security Group
A network device at the ingress of the Cisco TrustSec domain must determine the SGT of a packet entering the Cisco TrustSec domain so that it can tag the packet with that SGT when forwarding it into the Cisco TrustSec domain. The egress network device must determine the SGT of the packet in order to apply an SGACL.
The network device can determine the SGT for a packet in one of the following ways:
- Obtain the source SGT during policy acquisition—After the Cisco TrustSec authentication phase, a network device acquires policy information from the authentication server, which indicates whether the peer device is trusted or not. If a peer device is not trusted, the authentication server can also provide an SGT to apply to all packets coming from that peer device.
- Obtain the source SGT from the packet—If a packet comes from a trusted peer device, the packet carries the SGT. This applies to a network device that is not the first network device in the Cisco TrustSec domain for the packet.
- Look up the source SGT based on the source identity—With Identity Port Mapping (IPM), you can manually configure a link with a peer identity. The network device requests policy information, including the SGT and the trust state, from the authentication server.
- Look up the source SGT based on the source IP address—In some cases, you can manually configure the policy to decide the SGT of a packet based on its source IP address. The SGT Exchange Protocol (SXP) can also populate the IP-address-to-SGT mapping table.
Determining the Destination Security Group
The egress network device in a Cisco TrustSec domain determines the destination group (DGT) for applying the SGACL. The network device determines the destination security group for the packet using the same methods used for determining the source security group, with the exception of obtaining the group number from a packet tag. The destination security group number is not included in the packet tag.
In some cases, ingress devices or other non-egress devices might have destination group information available. In those cases, SGACLs might be applied on these devices rather than on egress devices.
SGACL Enforcement on Routed and Switched Traffic
SGACL enforcement is applied only to IP traffic, but enforcement can be applied to either routed or switched traffic.
For routed traffic, SGACL enforcement is performed by an egress switch, typically a distribution switch or an access switch with a routed port connecting to the destination host. When you enable SGACL enforcement globally, enforcement is automatically enabled on every Layer 3 interface except SVI interfaces.
For switched traffic, SGACL enforcement is performed on traffic flowing within a single switching domain without any routing function. An example would be SGACL enforcement performed by a data center access switch on server-to-server traffic between two directly connected servers. In this example, the server-to-server traffic would typically be switched. SGACL enforcement can be applied to packets switched within a VLAN or forwarded to an SVI associated with a VLAN, but enforcement must be enabled explicitly for each VLAN.
SGACL Logging and ACE Statistics
When logging is enabled in an SGACL, the device logs the following information:
- The source security group tag (SGT) and the destination SGT
- The SGACL policy name
- The packet protocol type
- The action performed on the packet
The log option applies to individual ACEs and causes packets that match the ACE to be logged. The first packet logged by the log keyword generates a syslog message. Subsequent log messages are generated and reported at five-minute intervals. If a logging-enabled ACE matches another packet (with characteristics identical to the packet that generated the log message), the number of matched packets is incremented (counters) and then reported.
To enable logging, use the log keyword after the ACE definition in the SGACL configuration. For example, permit ip log.
When SGACL logging is enabled, ICMP Request messages from the device to the client are not logged for the IPv4 and IPv6 protocols. However, ICMP Response messages from the client to the device are logged.
The following is a sample log, displaying the source and destination SGTs, ACE matches (for the permit or deny action), and the protocol, that is, TCP, UDP, IGMP, and ICMP information:
*Jun 2 08:58:06.489: %C4K_IOSINTF-6-SGACLHIT: list deny_udp_src_port_log-30 Denied udp 24.0.0.23(100) -> 28.0.0.91(100), SGT8 DGT 12
In addition to the existing 'per cell' SGACL statistics, which can be displayed using the show cts role-based counters command, you can also display ACE statistics using the show ip access-list sgacl_name command. No additional configuration is required for this.
The following example shows how you can use the show ip access-list command to display the ACE count:
Device# show ip access-list deny_udp_src_port_log-30
Role-based IP access list deny_udp_src_port_log-30 (downloaded)
10 deny udp src eq 100 log (283 matches)
20 permit ip log (50 matches)

When incoming traffic matches a cell but does not match any ACE of the cell's SGACL, the traffic is allowed and the HW-Permit counter of the cell is incremented.
The following example shows how the SGACL of a cell works:
The SGACL policy is configured from 5 to 18 with "deny icmp echo" and there is incoming traffic from 5 to 18 with a TCP header. If the cell matches from 5 to 18 but the traffic does not match icmp, the traffic is allowed and the HW-Permit counter of cell 5 to 18 is incremented.
VRF-aware SGACL Logging
The SGACL system log includes VRF information. In addition to the fields that are currently logged, the logging information includes the VRF name. The updated logging information is as shown below:
*Nov 15 02:18:52.187: %RBM-6-SGACLHIT_V6: ingress_interface='GigabitEthernet1/0/15' sgacl_name='IPV6_TCP_DENY' action='Deny' protocol='tcp' src-vrf='CTS-VRF' src-ip='25::2' src-port='20'
dest-vrf='CTS-VRF' dest-ip='49::2' dest-port='30' sgt='200' dgt='500' logging_interval_hits='1'
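A parser for the two SGACL hit message formats shown above (the %C4K_IOSINTF-6-SGACLHIT line and the VRF-aware %RBM-6-SGACLHIT_V6 line), written here as an added example for a defender collecting these syslogs; it is not part of the Cisco guide. The sample log lines are constructed, and the record field names and the deny_hits_by_pair helper are my own assumptions.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample lines modelled on the two formats shown in this section,
# plus one unrelated message that the parser must ignore.
SAMPLE_LOGS = [
    "*Jun 2 08:58:06.489: %C4K_IOSINTF-6-SGACLHIT: list deny_udp_src_port_log-30 "
    "Denied udp 24.0.0.23(100) -> 28.0.0.91(100), SGT8 DGT 12",
    "*Nov 15 02:18:52.187: %RBM-6-SGACLHIT_V6: ingress_interface='GigabitEthernet1/0/15' "
    "sgacl_name='IPV6_TCP_DENY' action='Deny' protocol='tcp' src-vrf='CTS-VRF' "
    "src-ip='25::2' src-port='20' dest-vrf='CTS-VRF' dest-ip='49::2' dest-port='30' "
    "sgt='200' dgt='500' logging_interval_hits='1'",
    "*Jun 2 09:03:06.501: %C4K_IOSINTF-6-SGACLHIT: list allow_web-10 "
    "Permitted tcp 10.1.1.5(51000) -> 10.2.2.8(443), SGT3 DGT 4",
    "*Jun 2 09:04:00.000: %SYS-5-CONFIG_I: Configured from console by admin",
]

# Legacy format: "list <name> <Denied|Permitted> <proto> src(port) -> dst(port), SGT<n> DGT <m>"
LEGACY_RE = re.compile(
    r"%C4K_IOSINTF-6-SGACLHIT: list (?P<sgacl>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[^\s(]+)\((?P<sport>\d+)\) -> (?P<dst>[^\s(]+)\((?P<dport>\d+)\), "
    r"SGT\s*(?P<sgt>\d+) DGT\s*(?P<dgt>\d+)"
)
# VRF-aware format: a sequence of key='value' pairs.
KV_RE = re.compile(r"([\w-]+)='([^']*)'")
# The legacy format reports the action as a past-tense verb.
VERBS = {"denied": "deny", "permitted": "permit"}


def parse_sgacl_hit(line: str) -> Optional[dict]:
    """Return a normalised record for an SGACL hit line, or None for other messages."""
    if "%RBM-6-SGACLHIT" in line:
        kv = dict(KV_RE.findall(line))
        try:
            return {
                "sgacl": kv["sgacl_name"],
                "action": kv["action"].lower(),
                "proto": kv["protocol"],
                "src": kv["src-ip"], "sport": int(kv["src-port"]),
                "dst": kv["dest-ip"], "dport": int(kv["dest-port"]),
                "sgt": int(kv["sgt"]), "dgt": int(kv["dgt"]),
                "vrf": kv.get("src-vrf"),
                # After the first hit, the device reports aggregated counts at intervals.
                "hits": int(kv.get("logging_interval_hits", "1")),
            }
        except (KeyError, ValueError):
            return None  # malformed line: do not guess
    m = LEGACY_RE.search(line)
    if not m:
        return None
    return {
        "sgacl": m["sgacl"],
        "action": VERBS.get(m["action"].lower(), m["action"].lower()),
        "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "sgt": int(m["sgt"]), "dgt": int(m["dgt"]),
        "vrf": None,  # the legacy format carries no VRF field
        "hits": 1,
    }


def deny_hits_by_pair(lines) -> Counter:
    """Aggregate denied hits per (SGT, DGT) matrix cell, a useful view for
    spotting which role pairs are generating policy violations."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_sgacl_hit(line)
        if rec and rec["action"] == "deny":
            counts[(rec["sgt"], rec["dgt"])] += rec["hits"]
    return counts


if __name__ == "__main__":
    for cell, n in deny_hits_by_pair(SAMPLE_LOGS).items():
        print(f"SGT {cell[0]} -> DGT {cell[1]}: {n} denied hit(s)")
```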
SGACL Monitor Mode
During the pre-deployment phase of Cisco TrustSec, an administrator can use monitor mode to test the security policies without enforcing them, to make sure that the policies function as intended. If the security policies do not function as intended, monitor mode provides a convenient mechanism for identifying that and gives an opportunity to correct the policy before enabling SGACL enforcement. This gives administrators increased visibility into the outcome of the policy actions before they enforce them, and lets them confirm that the policy meets the security requirements (access to resources is denied if users are not authorized).
The monitoring capability is provided at the SGT-DGT pair level. When you enable the SGACL monitor mode feature, the deny action is implemented as an ACL permit on the line cards. This allows the SGACL counters and logging to show how connections would be handled by the SGACL policy. Since all traffic is permitted, there is no disruption of service due to SGACLs while in SGACL monitor mode.
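The SGACL permissions matrix, the HW-Permit behaviour for a cell whose ACEs do not match, and the per-cell monitor mode semantics described in this section, as an added Python model (not Cisco's code or the switch's implementation). The ACE matcher, the counter names, the simplified log line and the demo_domain helper are my own assumptions; the cells it builds use the SGT 3 / DGT 4 and 5 / 18 pairs from the text.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access control entry inside an SGACL. A None field is a wildcard,
    so Ace('permit', 'ip') behaves like the page's 'permit ip'."""
    action: str                      # 'permit' or 'deny'
    proto: Optional[str] = None      # 'ip' (any), 'tcp', 'udp', 'icmp'
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None  # for example 'echo'
    log: bool = False                # the 'log' keyword on this ACE

    def matches(self, pkt: "Packet") -> bool:
        if self.proto not in (None, "ip") and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return True


@dataclass(frozen=True)
class Packet:
    sgt: int                 # source group tag carried in the Cisco TrustSec header
    dgt: int                 # destination group, resolved by the egress device
    proto: str
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None


@dataclass
class Cell:
    name: str
    aces: list               # ordered list of Ace; first match wins
    monitor: bool = False    # SGACL monitor mode for this SGT-DGT pair
    permitted: int = 0       # packets permitted by a matching ACE
    denied: int = 0          # packets denied (in monitor mode: would have been denied)
    hw_permit: int = 0       # matched the cell but no ACE matched


class SgaclMatrix:
    """Permissions matrix keyed by (source SGT, destination DGT)."""

    def __init__(self, default_action: str = "permit"):
        self.cells = {}
        self.default_action = default_action  # assumed platform default policy
        self.log_lines = []

    def configure(self, sgt: int, dgt: int, name: str, aces, monitor: bool = False):
        self.cells[(sgt, dgt)] = Cell(name, list(aces), monitor)

    def enforce(self, pkt: Packet) -> str:
        cell = self.cells.get((pkt.sgt, pkt.dgt))
        if cell is None:
            # No SGACL for this pair: the default policy applies.
            return self.default_action
        for ace in cell.aces:
            if not ace.matches(pkt):
                continue
            if ace.log:  # simplified form of the SGACLHIT syslog shown in the text
                verb = "Denied" if ace.action == "deny" else "Permitted"
                self.log_lines.append(
                    f"SGACLHIT: list {cell.name} {verb} {pkt.proto} SGT{pkt.sgt} DGT {pkt.dgt}")
            if ace.action == "deny":
                cell.denied += 1
                # Monitor mode: deny is implemented as a permit but still counted/logged.
                return "permit" if cell.monitor else "deny"
            cell.permitted += 1
            return "permit"
        # Cell matched but no ACE did: traffic is allowed and HW-Permit increments.
        cell.hw_permit += 1
        return "permit"


def demo_domain() -> SgaclMatrix:
    """Matrix built from the section's two examples (constructed policy names)."""
    m = SgaclMatrix(default_action="permit")
    # Figure 4: host PC (SGT 3) to web server (DGT 4): HTTPS only, everything logged.
    m.configure(3, 4, "web_only-10",
                [Ace("permit", "tcp", dst_port=443, log=True), Ace("deny", "ip", log=True)])
    # "deny icmp echo" from 5 to 18, as in the HW-Permit note.
    m.configure(5, 18, "no_ping-20", [Ace("deny", "icmp", icmp_type="echo")])
    return m


if __name__ == "__main__":
    m = demo_domain()
    print(m.enforce(Packet(3, 4, "tcp", dst_port=443)))   # permit
    print(m.enforce(Packet(5, 18, "tcp", dst_port=22)))   # permit, HW-Permit counter +1
    print(m.cells[(5, 18)].hw_permit)
```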
Authorization and Policy Acquisition
After device authentication ends, both the supplicant and the authenticator obtain the security policy from the authentication server. The two peers then perform link authorization and enforce the link security policy against each other based on their Cisco TrustSec device IDs. The link authentication method can be configured as either 802.1X or manual authentication. If the link security is 802.1X, each peer uses the device ID received from the authentication server. If the link security is manual, you must assign the peer device IDs.
The authentication server returns the following policy attributes:
- Cisco TrustSec trust—Indicates whether the peer device is to be trusted for the purpose of putting the SGT in the packets.
- Peer SGT—Indicates the security group to which the peer belongs. If the peer is not trusted, all packets received from the peer are tagged with this SGT. If the device does not know whether any SGACLs are associated with the peer's SGT, the device can send a follow-up request to the authentication server to download the SGACLs.
- Authorization expiry time—Indicates the number of seconds before the policy expires. A Cisco TrustSec device should refresh its policy and authorization before it times out. The device can cache the authentication and policy data and reuse it after a reboot if the data has not expired.

Each Cisco TrustSec device should support some minimal default access policy in case it is not able to contact the authentication server to get an appropriate policy for the peer.
The NDAC and SAP negotiation process is shown in the following figure.
Figure 5: NDAC and SAP Negotiation
Environment Data Download
The Cisco TrustSec environment data is a collection of information or policies that assists a device in functioning as a Cisco TrustSec node. The device acquires the environment data from the authentication server when it first joins a Cisco TrustSec domain, although you can also manually configure some of the data on the device. For example, you must configure the seed Cisco TrustSec device with the authentication server information, which can later be augmented by the server list that the device acquires from the authentication server.
The device must refresh the Cisco TrustSec environment data before it expires. The device can also cache the environment data and reuse it after a reboot if the data has not expired.
The device uses RADIUS to acquire the following environment data from the authentication server:
- Server lists: The list of servers that the client can use for future RADIUS requests (for both authentication and authorization). PAC refresh happens through these servers.
- Device SG: The security group to which the device itself belongs.
- Expiry timeout: The interval that controls how often the Cisco TrustSec device should refresh its environment data.
RADIUS Relay Functionality
The device that plays the role of the Cisco TrustSec authenticator in the 802.1X authentication process has IP connectivity to the authentication server, allowing it to acquire the policy and authorization from the authentication server by exchanging RADIUS messages over UDP/IP. The supplicant device might not have IP connectivity with the authentication server. In such cases, Cisco TrustSec allows the authenticator to act as a RADIUS relay for the supplicant.
The supplicant sends a special EAPOL message to the authenticator that contains the RADIUS server IP address and UDP port and the complete RADIUS request. The authenticator extracts the RADIUS request from the received EAPOL message and sends it over UDP/IP to the authentication server. When the RADIUS response returns from the authentication server, the authenticator forwards the message back to the supplicant, encapsulated in an EAPOL frame.
Link Security
When both sides of a link support 802.1AE Media Access Control Security (MACsec), a security association protocol (SAP) negotiation is performed. An EAPOL-Key exchange occurs between the supplicant and the authenticator to negotiate a cipher suite, exchange security parameters, and manage keys. Successful completion of all three tasks results in the establishment of a security association (SA).
Depending on your software version, crypto licensing, and hardware support, SAP negotiation can use one of the following modes of operation:
- Galois/Counter Mode (GCM)—Specifies authentication and encryption
- GCM authentication (GMAC)—Specifies authentication and no encryption
- No Encapsulation—Specifies no encapsulation (clear text)
- Null—Specifies encapsulation, no authentication and no encryption
All modes except No Encapsulation require Cisco TrustSec-capable hardware.
Configuring SAP-PMK for Link Security
SXP for SGT Propagation Across Legacy Access Networks
Tagging packets with SGTs requires hardware support. You may have devices in your network that, while capable of participating in Cisco TrustSec authentication, lack the hardware capability to tag packets with SGTs. By using the SGT Exchange Protocol (SXP), these devices can pass IP-address-to-SGT mappings to a Cisco TrustSec peer device that has Cisco TrustSec-capable hardware.
SXP typically operates between ingress access layer devices at the edge of the Cisco TrustSec domain and distribution layer devices within the Cisco TrustSec domain. The access layer device performs Cisco TrustSec authentication of external source devices to determine the appropriate SGTs for ingress packets. The access layer device learns the IP addresses of the source devices using IP device tracking and (optionally) DHCP snooping, and then uses SXP to pass the IP addresses of the source devices along with their SGTs to the distribution devices.
Distribution devices with Cisco TrustSec-capable hardware can use this IP-to-SGT mapping information to tag packets appropriately and to enforce SGACL policies.
Figure 6: SXP Protocol to Propagate SGT Information
You must manually configure an SXP connection between a peer without Cisco TrustSec hardware support and a peer with Cisco TrustSec hardware support. The following tasks are required when configuring the SXP connection:
- If you require SXP data integrity and authentication, you must configure the same SXP password on both peer devices. You can configure the SXP password either explicitly for each peer connection or globally for the device. Although an SXP password is not required, we recommend its use.
- You must configure each peer on the SXP connection as either an SXP speaker or an SXP listener. The speaker device distributes the IP-to-SGT mapping information to the listener device.
- You can specify a source IP address to use for each peer relationship, or you can configure a default source IP address for peer connections where you have not configured a specific source IP address. If you do not specify any source IP address, the device uses the IP address of the interface that connects to the peer.
SXP allows multiple hops. That is, if the peer of a device lacking Cisco TrustSec hardware support also lacks Cisco TrustSec hardware support, the second peer can have an SXP connection to a third peer, continuing the propagation of the IP-to-SGT mapping information until a hardware-capable peer is reached. A device can be configured as an SXP listener for one SXP connection and as an SXP speaker for another SXP connection.
A Cisco TrustSec device maintains connectivity with its SXP peers by using the TCP keepalive mechanism.
To establish or restore a peer connection, the device repeatedly attempts the connection setup using a configurable retry period until the connection is successful or until the connection is removed from the configuration.
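The following is an added configuration example, not from the original guide, that puts the SXP tasks above together: an access switch without TrustSec-capable hardware acting as SXP speaker, a distribution switch acting as SXP listener, a shared SXP password, an explicit source address, and a second connection on the distribution switch showing the multi-hop case. All IP addresses, VLAN numbers and the password are placeholders.

```cisco
! Added example (not from the original guide). Addresses, VLANs and password are placeholders.
!
! --- Access-layer switch (no TrustSec-capable hardware): SXP speaker ---
cts sxp enable
! Same password must be configured on both peers (recommended, not required).
cts sxp default password 0 SxpSharedSecret
! Default source address for connections that do not set one explicitly.
cts sxp default source-ip 10.1.1.1
! Retry interval (seconds) used while establishing or restoring the TCP connection.
cts sxp retry period 120
! Speaker: pushes locally learned IP-to-SGT bindings to the distribution switch.
cts sxp connection peer 10.1.1.2 password default mode local speaker
! Host IP addresses are learned from DHCP snooping (and device tracking).
ip dhcp snooping
ip dhcp snooping vlan 10-20
!
! --- Distribution switch (TrustSec-capable hardware): SXP listener ---
cts sxp enable
cts sxp default password 0 SxpSharedSecret
! Listener towards the access switch, with an explicit source address.
cts sxp connection peer 10.1.1.1 source 10.1.1.2 password default mode local listener
! Multi-hop: the same device is listener on one connection and speaker on
! another, forwarding the mappings on to the next TrustSec peer.
cts sxp connection peer 10.1.2.2 password default mode local speaker
!
! Verification on either switch: connection state (On/Off, speaker/listener)
! and the IP-to-SGT bindings learned via SXP.
show cts sxp connections
show cts role-based sgt-map all
```

A connection that stays in the Off state with a password mismatch is the usual sign that the default password differs between the peers; both ends must also agree on which side is the speaker.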
Layer 3 SGT Transport for Spanning Non-TrustSec Regions
When a packet leaves the Cisco TrustSec domain for a non-TrustSec destination, the egress Cisco TrustSec device removes the Cisco TrustSec header and SGT before forwarding the packet to the outside network. If, however, the packet is merely traversing a non-TrustSec domain on the path to another Cisco TrustSec domain, as shown in the following figure, the SGT can be preserved by using the Cisco TrustSec Layer 3 SGT Transport feature. In this feature, the egress Cisco TrustSec device encapsulates the packet with an ESP header that includes a copy of the SGT. When the encapsulated packet arrives at the next Cisco TrustSec domain, the ingress Cisco TrustSec device removes the ESP encapsulation and propagates the packet with its SGT.
Figure 7: Spanning a Non-TrustSec Domain
To support Cisco TrustSec Layer 3 SGT Transport, any device that will act as a Cisco TrustSec ingress or egress Layer 3 gateway must maintain a traffic policy database that lists the eligible subnets in remote Cisco TrustSec domains as well as any excluded subnets within those regions. You can configure this database manually on each device if it cannot be downloaded automatically from Cisco Secure ACS.
A device can send Layer 3 SGT Transport data from one port and receive Layer 3 SGT Transport data on another port, but both the ingress and egress ports must have Cisco TrustSec-capable hardware.

Cisco TrustSec does not encrypt the Layer 3 SGT Transport encapsulated packets. To protect the packets traversing the non-TrustSec domain, you can configure other protection methods, such as IPsec.
VRF-Aware SXP
The SXP implementation of Virtual Routing and Forwarding (VRF) binds an SXP connection to a specific VRF. It is assumed that the network topology is correctly configured for Layer 2 or Layer 3 VPNs, with all VRFs configured before Cisco TrustSec is enabled.
SXP VRF support can be summarized as follows:
- Only one SXP connection can be bound to one VRF.
- Different VRFs may have overlapping SXP peer or source IP addresses.
- IP–SGT mappings learned (added or deleted) in one VRF can be updated only in the same VRF domain. An SXP connection cannot update a mapping bound to a different VRF. If no SXP connection exists for a VRF, the IP–SGT mappings for that VRF are not updated by SXP.
- Multiple address families per VRF are supported. Therefore, one SXP connection in a VRF domain can forward both IPv4 and IPv6 IP–SGT mappings.
- SXP has no limit on the number of connections and the number of IP–SGT mappings per VRF.
Layer 2 VRF-Aware SXP and VRF Assignment
VRF assignments to Layer 2 VLANs are specified with the cts role-based l2-vrf vrf-name vlan-list global configuration command. A VLAN is considered a Layer 2 VLAN as long as there is no switch virtual interface (SVI) with an IP address configured on the VLAN. The VLAN becomes a Layer 3 VLAN once an IP address is configured on its SVI.
The VRF assignments configured by the cts role-based l2-vrf command are active as long as the VLAN remains a Layer 2 VLAN. The IP–SGT bindings learned while a VRF assignment is active are also added to the Forwarding Information Base (FIB) table associated with the VRF and the IP protocol version. If an SVI becomes active for a VLAN, the VRF-to-VLAN assignment becomes inactive and all the bindings learned on the VLAN are moved to the FIB table associated with the SVI's VRF.
The VRF-to-VLAN assignment is retained even when the assignment becomes inactive. It is reactivated when the SVI is removed or when the SVI IP address is deconfigured. When reactivated, the IP–SGT bindings are moved back from the FIB table associated with the SVI's VRF to the FIB table associated with the VRF assigned by the cts role-based l2-vrf command.
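The following added configuration example (not from the original guide) covers both the VRF-aware SXP rules and the Layer 2 VRF assignment described above: a VRF with both address families, a Layer 2 VLAN range bound to it with cts role-based l2-vrf, a single SXP connection bound to that VRF, and an SVI whose IP address moves the VLAN's bindings to a different VRF. VRF names, VLAN numbers, addresses and the password are placeholders.

```cisco
! Added example (not from the original guide). VRF names, VLANs, addresses and password are placeholders.
!
! One VRF carrying both address families, so the single SXP connection
! bound to it can forward IPv4 and IPv6 IP-to-SGT mappings.
vrf definition RED
 address-family ipv4
 exit-address-family
 address-family ipv6
 exit-address-family
vrf definition BLUE
 address-family ipv4
 exit-address-family
!
! Bind VLANs 20-29 to VRF RED while they are Layer 2 VLANs (no SVI with an
! IP address). IP-to-SGT bindings learned on these VLANs land in the FIB
! for VRF RED.
cts role-based l2-vrf RED vlan-list 20-29
!
! SXP connection bound to VRF RED: only one SXP connection per VRF, and it
! updates IP-to-SGT mappings in VRF RED only.
cts sxp enable
cts sxp default password 0 SxpSharedSecret
cts sxp connection peer 10.20.0.2 password default mode local speaker vrf RED
!
! Giving VLAN 20 an SVI with an IP address turns it into a Layer 3 VLAN:
! the l2-vrf assignment for VLAN 20 becomes inactive and its bindings move
! to the FIB of the SVI's VRF (BLUE). Removing the SVI or its address
! reactivates the assignment and moves the bindings back to RED.
interface Vlan20
 vrf forwarding BLUE
 ip address 10.20.0.1 255.255.255.0
!
! Verification: bindings per VRF and the VRF-bound SXP connection.
show cts role-based sgt-map vrf RED all
show cts sxp connections
```

When checking which VRF a host's binding ends up in, compare the sgt-map output for the l2-vrf VRF and for the SVI's VRF after adding or removing the SVI address; a binding that appears in neither usually means the SXP connection for that VRF is down.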
Feature History for Cisco TrustSec Overview
This table provides release and related information for the features explained in this module.
These features are available in all the releases subsequent to the one in which they were introduced, unless noted otherwise.
Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.
Documents / Resources
References