Security; Cisco TrustSec; Security Group Access Control Lists (SGACLs) - Cisco Catalyst 6500-E Series Manual

Switch as the backbone of a unified access campus architecture

The previous section talked about GOLD tests helping to prevent future network issues. When using GOLD with
EEM, network administrators can be alerted to a GOLD health-monitoring test failure before the system would
normally send the notification. The EEM script will see the failure of the test and send notification by any means
possible (syslog, SNMP, email, text, and so on). If the test was scheduled for a period of low network activity, the
EEM policy could be configured to force the module to reload and to collect detailed data, using simple show
commands and exporting the output to a file, in order to gather information that can allow the root cause of the
problem to be determined more quickly, leading to a lower mean time to repair and higher availability.

For those who may not be as comfortable with scripting or who need assistance with building a script, an online
community is available at http://www.cisco.com/go/ciscobeyond. The site contains scripts that have been built by
other users, helpful "how to" examples, and a discussion forum in which EEM technical experts from Cisco will
answer questions.

Security

When it comes to building a unified access campus architecture to support BYOD, the number-one issue that
comes to mind is usually security. With the influx of personally owned devices on the network, network
administrators must build an infrastructure that is both flexible and secure enough to allow users access to their
work environment regardless of the device they are using. The Cisco Catalyst 6500-E with Supervisor Engine 2T
supports features such as Cisco TrustSec®, easy virtual networks (EVNs), and control plane policing (CoPP) to
provide user access control, network segmentation, and infrastructure protection in a BYOD environment.

Cisco TrustSec

Cisco TrustSec offers a superior experience on a Cisco infrastructure, using features such as security group
access control lists (SGACLs) for security policy enforcement, network device admission control (NDAC) for
infrastructure protection, and 802.1AE MAC Security (MACsec) encryption for data integrity. The Cisco Catalyst
6500-E with Supervisor Engine 2T supports all of these capabilities and more, giving network administrators a
highly flexible suite of features with which they can secure the backbone of the unified access campus
architecture.

Security Group Access Control Lists (SGACLs)

The Cisco Catalyst 6500-E with Supervisor Engine 2T can act as both a security group tag (SGT) imposition point
and an SGACL enforcement point. SGTs are usually applied at the access layer of the unified access campus
architecture, using an ISE to assign the tags based on user authentication, device profiling, or a combination of
the two. Figure 10 shows an example of the flexibility that Cisco ISE has in assigning SGTs.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.