Advanced Group-Based Segmentation with ISE
Cisco TME Jonathan Eaves is back to share more about how to do group-based segmentation policy with ISE. 00:00 Intro 00:18 Prerequisite: Group-Based Segmentation Basics: https://youtu.be/rq7bSgO_GPg 01:57 Agenda 03:10 Dynamic & Static Classification Methods 07:10 Cisco TrustSec (CTS) Provisioning and Network Device Enrollment 11:12 Unknown Security Group Tag (SGT) 0 13:41 `policy static sgt n trusted` 16:17 Order of Precedence: CMD, dynamic SGT, SXP, static SGT, static subnet, static VLAN 19:39 SGT Environment Data Downloads 21:10 Default Route SGT 22:56 Propagation 23:05 Static Mappings on ISE (SSH & SXP) 25:23 ISE SXP Domains 29:30 Monitor Capture Commands (Cat9K) 31:45 SXP Reflection (speakers and listeners) 34:20 SXP High Availability 37:56 SXP Filters 40:29 SXPv5 Introduction 41:47 SXPv5 Example 44:13 Enforcement 44:18 Monitor Mode 45:47 Logging 46:48 Enforcement Counters 48:04 Cisco 9800 WLC with SGTs Validation 49:28 Resources: - Catalyst Wireless Group-Based Policy Guide: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/tech-notes/Wireless_9800_Group-Based_Policy_Guide_edited.pdf - Cisco Segmentation Strategy Guide: https://community.cisco.com/t5/security-knowledge-base/segmentation-strategy/ta-p/3757424 - Group-Based SGT Troubleshooting Guide: https://community.cisco.com/t5/security-knowledge-base/trustsec-troubleshooting-guide/ta-p/3647576 - Group-Based SGT YouTube Channel: https://www.youtube.com/channel/UCPF6-PTafN8NjomtLccIopw - Group-Based Policy Resources: https://community.cisco.com/t5/security-knowledge-base/segmentation-amp-group-based-policy-resources/ta-p/3656481 - ISE Resources : https://cs.co/ise-resources - ISE Community : https://cs.co/ise-community - ISE Integration Guides : https://cs.co/ise-guides - ISE Compatibility : https://cs.co/ise-compatibility - ISE Webinars : https://cs.co/ise-webinars - ISE YouTube Channel : https://cs.co/ise-videos - ISE Licensing & Evaluations : https://cs.co/ise-licensing - ISE in Cisco DevNet: https://cs.co/ise-devnet - ISE API Reference: https://cs.co/ise-api
Cisco TME Jonathan Eaves is back to share more about how to do group-based segmentation policy with ISE. 00:00 Intro 00:18 Prerequisite: Group-Based Segmentation Basics: https://youtu.be/rq7bSgO_GPg 01:57 Agenda 03:10 Dynamic & Static Classification Methods 07:10 Cisco TrustSec (CTS) Provisioning and Network Device Enrollment 11:12 Unknown Security Group Tag (SGT) 0 13:41 `policy static sgt n trusted` 16:17 Order of Precedence: CMD, dynamic SGT, SXP, static SGT, static subnet, static VLAN 19:39 SGT Environment Data Downloads 21:10 Default Route SGT 22:56 Propagation 23:05 Static Mappings on ISE (SSH & SXP) 25:23 ISE SXP Domains 29:30 Monitor Capture Commands (Cat9K) 31:45 SXP Reflection (speakers and listeners) 34:20 SXP High Availability 37:56 SXP Filters 40:29 SXPv5 Introduction 41:47 SXPv5 Example 44:13 Enforcement 44:18 Monitor Mode 45:47 Logging 46:48 Enforcement Counters 48:04 Cisco 9800 WLC with SGTs Validation 49:28 Resources: - Catalyst Wireless Group-Based Policy Guide: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/tech-notes/Wireless_9800_Group-Based_Policy_Guide_edited.pdf - Cisco Segmentation Strategy Guide: https://community.cisco.com/t5/security-knowledge-base/segmentation-strategy/ta-p/3757424 - Group-Based SGT Troubleshooting Guide: https://community.cisco.com/t5/security-knowledge-base/trustsec-troubleshooting-guide/ta-p/3647576 - Group-Based SGT YouTube Channel: https://www.youtube.com/channel/UCPF6-PTafN8NjomtLccIopw - Group-Based Policy Resources: https://community.cisco.com/t5/security-knowledge-base/segmentation-amp-group-based-policy-resources/ta-p/3656481 - ISE Resources : https://cs.co/ise-resources - ISE Community : https://cs.co/ise-community - ISE Integration Guides : https://cs.co/ise-guides - ISE Compatibility : https://cs.co/ise-compatibility - ISE Webinars : https://cs.co/ise-webinars - ISE YouTube Channel : https://cs.co/ise-videos - ISE Licensing & Evaluations : https://cs.co/ise-licensing - ISE in Cisco DevNet: https://cs.co/ise-devnet - ISE API Reference: https://cs.co/ise-api