
Version 4.1 - 5.6 Cisco Identity Services Engine (ISE) Part 3

One of the biggest things about the ISE material concerns SGAs, SGTs and Cisco TrustSec. It's not really spelled out in the blueprint, but know that it is fair game and could likely be on the test. The ISE book is good and covers most of it, but the better material on CTS is in the Cisco Live Lessons. These courses can be found in Safari Online. There is a series of Cisco TrustSec by Natalie Timms and another series on BYOD by Kevin Redmon. Natalie also has a video series on CCIE Security v4.0 Live Lessons. "Natalie Timms is a former program manager with the CCIE certification team at Cisco, managing exam curricula and content for the CCIE Security track before becoming an independent consultant." Hey, it's really obvious to me that she would cover the appropriate material, right?

Security Group Access (SGA) is a complementary enforcement technology that removes the concerns of TCAM space and ACE explosion. The goal of SGA is to assign a tag (SGT) to the user/device's traffic at INGRESS and then enforce the access elsewhere in the infrastructure. The SGT should be representative of some overarching goals within the company. Yeah - like those nice little matrix tables that you find in your Security Policy documents!

Each user or end device may only be assigned a single SGT. You use them for bulk access control and do your fine-grained access control within the application security itself. An SGT is a 16-bit value that ISE assigns to the user or endpoint's session upon login. Think about this - if endpoints have SGTs, you can differentiate easily between the same user on a corporate asset versus a personal device and have different policies that provide varied levels of access.

ISE serves as the single source of truth for what SGTs exist and considers an SGT a policy result. In order to use the SGT, the tag needs to be assigned. This may happen dynamically (downloaded as the result of an ISE authorization), manually at the port level, or through static IP-to-SGT mappings that are downloaded to SGT-capable devices.

cts manual

cts role-based sgt-map 192.168.26.0/24 sgt 4

These commands should look familiar to you. So what about devices that don't support SGTs? Well, that's where SXP (Security Group eXchange Protocol) comes into play. [Covered in Section 2.0] You should know about SXP on IOS devices, WLCs and ASAs. Note that the Catalyst 6500 is a special case! This is because the line cards can be mixed between those which are SXP capable and those which are not. Know the ingress reflector mode and egress reflector mode.

Know what an SGACL is and how it is used. An SGACL can be visualized in a format similar to a spreadsheet. [Or to your Security Policy's access matrix.] It is always based on a source tag to a destination tag. There are two main ways to deploy SGACLs: North-South and East-West. North-South refers to a user/device being classified at the access layer with enforcement of the SGACL occurring at the Data Center. East-West refers to an SGACL protecting resources that exist on the same switch. [NOTE: This is different from the Northbound and Southbound protocols in SDN.]
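To make the two halves of the model concrete (classification by IP-to-SGT mapping, as in the sgt-map command above, and enforcement by a source-tag-to-destination-tag matrix), here is a small Python model. It is an added example written for this review, not code from the original post or from Cisco; the prefixes, tag numbers and policy cells are constructed, and the longest-prefix-match and implicit-deny behaviour are assumptions of the model rather than a description of any particular switch's implementation.

```python
"""Toy model of TrustSec classification and SGACL enforcement (constructed example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

SGT_MAX = 0xFFFF  # an SGT is a 16-bit value


def validate_sgt(sgt: int) -> int:
    """Reject anything that cannot be carried as a 16-bit SGT."""
    if not 0 <= sgt <= SGT_MAX:
        raise ValueError(f"SGT {sgt} is outside the 16-bit range")
    return sgt


class SgtMappingTable:
    """Static IP-to-SGT mappings, resolved by longest prefix match (assumed behaviour)."""

    def __init__(self) -> None:
        self._entries: List[Tuple[ipaddress._BaseNetwork, int]] = []

    def add(self, prefix: str, sgt: int) -> None:
        net = ipaddress.ip_network(prefix, strict=False)
        self._entries.append((net, validate_sgt(sgt)))
        # Most specific prefix first, so the first hit is the longest match.
        self._entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, ip: str) -> Optional[int]:
        addr = ipaddress.ip_address(ip)
        for net, sgt in self._entries:
            if addr in net:
                return sgt
        return None  # unclassified: no mapping covers this address


class SgaclMatrix:
    """Source SGT x destination SGT cells; each cell is an ordered list of
    (protocol, port, action) entries, like the rows of the access matrix."""

    def __init__(self, default_action: str = "deny") -> None:
        self.default = default_action
        self._cells: Dict[Tuple[int, int], List[Tuple[str, Optional[int], str]]] = {}

    def set_cell(self, src_sgt: int, dst_sgt: int,
                 aces: List[Tuple[str, Optional[int], str]]) -> None:
        self._cells[(validate_sgt(src_sgt), validate_sgt(dst_sgt))] = list(aces)

    def evaluate(self, src_sgt: int, dst_sgt: int, proto: str, port: int) -> str:
        aces = self._cells.get((src_sgt, dst_sgt))
        if aces is None:
            return self.default  # no cell for this tag pair: matrix default applies
        for ace_proto, ace_port, action in aces:
            proto_ok = ace_proto == "ip" or ace_proto == proto
            port_ok = ace_port is None or ace_port == port
            if proto_ok and port_ok:
                return action
        return "deny"  # implicit deny at the end of the SGACL (assumed)


def build_sample_policy() -> Tuple[SgtMappingTable, SgaclMatrix]:
    """Constructed sample data: three mappings and two matrix cells."""
    mappings = SgtMappingTable()
    mappings.add("192.168.26.0/24", 4)   # mirrors the sgt-map command in the post
    mappings.add("10.10.0.0/16", 2)
    mappings.add("10.10.50.0/24", 3)     # more specific than the /16, so it wins

    matrix = SgaclMatrix(default_action="deny")
    matrix.set_cell(4, 2, [("tcp", 443, "permit"), ("ip", None, "deny")])
    matrix.set_cell(4, 3, [("ip", None, "permit")])
    return mappings, matrix


def decide(mappings: SgtMappingTable, matrix: SgaclMatrix,
           src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Classify both endpoints, then look the pair up in the matrix."""
    src = mappings.lookup(src_ip)
    dst = mappings.lookup(dst_ip)
    if src is None or dst is None:
        return matrix.default  # unclassified traffic falls to the matrix default
    return matrix.evaluate(src, dst, proto, port)


if __name__ == "__main__":
    m, x = build_sample_policy()
    for flow in [("192.168.26.10", "10.10.1.5", "tcp", 443),
                 ("192.168.26.10", "10.10.1.5", "tcp", 22),
                 ("192.168.26.10", "10.10.50.7", "udp", 53),
                 ("172.16.0.1", "10.10.1.5", "tcp", 443)]:
        print(flow, "->", decide(m, x, *flow))
```

The point worth taking from the model is the shape of the decision: the only inputs to enforcement are two tags and the matrix cell, which is why an unauthenticated tag on the wire (the concern the MACsec paragraph below raises) would change the outcome directly.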

Once you finish creating the SGACLs, you need to configure ISE so that they can be downloaded to the switches. You also need to configure the switches to download the SGACLs from ISE. Know what a PAC file (Protected Access Credentials) is and how to verify its download. The ASA and IOS FWs do not download the SGACLs from ISE, but they must download the list of SGTs that exist and the static IP to SGT mappings. This would be in the "Identity by TrustSec" menu item in the ASDM. Once that is set up, you can use SGTs in your firewall rule sets.

So once you set all this up, you don't want an attacker sniffing traffic on your LAN and then crafting packets with SGTs to elevate privileges, right? So if you don't know MACsec, go back and learn it. [Listed in the 2.0 section - so it will be on the exam.] MACsec provides Layer 2 encryption on the LAN between endpoints and the switch, as well as between the switches themselves. The encryption also encapsulates and protects the Cisco Metadata (CMD) field, which carries the SGT. MACsec support will vary with the authentication host-mode configuration on an interface.

Network Device Admission Control (NDAC) [also covered in section 6.2] relates to authenticating a switch via 802.1X so that it is allowed to join the network infrastructure. Once it does this, the communication on the links between devices is secured with MACsec. There are three main roles: Supplicant, Authentication Server and Authenticator. But there is also at least one seed device, which has knowledge of at least one ISE PSN. The seed device begins or creates the NDAC-trusted domain.

Network Edge Authentication Topology (NEAT) allows you to configure a switch to act as a supplicant to another switch. The components of NEAT are:
- Client Information Signaling Processing (CISP)
- 802.1X supplicant switch
- Authenticator switch

The configuration of the NEAT solution requires an authorization policy on ISE, and some basic configuration on the authenticator and supplicant switches. I wouldn't memorize the configurations, but at least be able to recognize the configuration and be familiar with its functionality.

And then there are the MnT nodes that exist. Be familiar with the ISE dashboard and dashlets. Know what the dashboard displays - the INE videos and LiveLessons videos will cover this well. Know the "Live Authentications Log" and how to drill down to answer a question about a log item (or initiate a CoA). You will want to know ISE Reporting (and report groups) and where to find the ISE Alarms.

You should really know how to perform RADIUS Authentication Troubleshooting. I can see this as a screen capture question and also see this as something that would show up on the Lab.

Know the "Evaluate Configuration Validator" - what it does and its limitations. Know that TCP Dump is included in ISE - and how to grab a capture from any ISE node on the deployment. You will also want to understand what a "support bundle" is and which logs can be added/removed from the support bundle. The ISE book is pretty thorough on the Troubleshooting material (versus the videos). These are things that could show up, so you will want to read that and at least be familiar with the troubleshooting scenarios.

Backups, Restore and Repositories may be fair game, but more likely would be a question on Upgrading. You should be familiar with the SPF flow (Secondary PAN First). You perform the upgrade on the Secondary PAN and it becomes the Primary PAN for the upgraded deployment. Then you upgrade one of the MnT nodes. Then take each PSN out of service and upgrade it. Once it's upgraded, it joins the new PAN. The last node to be upgraded should be the original Primary PAN. Once the upgrade is over, you can manually promote the node you want as Primary.

And with that, I am ending my review of the ISE material. Now, take a look at the blueprint and see that 5.x covers about 18-20 questions. However - look at the integration between the topics in this section and the topics in the 2.0 and 6.0 sections. It's very possible that you could get more than one or two questions on this material. The question may be based on a screenshot of ISE, but it's actually considered a question from another section. I would really know this material as well as you know the ASA material.
