Professional Documents
Culture Documents
Brksec-2046 (2013)
Brksec-2046 (2013)
Tagging
BRKSEC-2046
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Housekeeping
We value your feedback- don't forget to complete your online
session evaluations after each session & the Overall
Conference Evaluation which will be available online from
Thursday
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Secure Access Overview
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Secure Access Overview
Comprehensive Contextual
COMPREHENSIVE IP
Devices Awareness of the Who,
VISIBILITY
What, Where, When, How
Centralised Management
EFFECTIVE MANAGEMENT of Secure Access Services
and Scalable Enforcement
Data Centre Intranet Internet Security Zones
Identity Profiling
1 Cisco® ISE HTTP
IEEE 802.1x EAP NetFlow
User Authentication
SNMP
DNS
2
RADIUS
Profiling to
Company Asset Identify Device Corporate DHCP
4 Resources
HQ
Wireless LAN
Controller Policy
2:38 p.m. Decision Internet Only
Personal 3 5
6
Asset Posture Enforce Policy in the
of the Device Network Full or Partial Access
Unified Access
Management Granted
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
SGT Overview
SGT Overview
Business Policy
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
SGT Overview
Rich Context Classification with
ISE BYOD Use Case
Classification Result:
Device Type: Apple iPAD
User: Mary
Group: Employee Personal Asset SGT
Corporate Asset: No
ISE Profiling
Along with authentication,
various data is sent to ISE
for device profiling
ISE (Identity Services Engine)
SGT
Profiling Data
Security Group
Policy
ID &
DC Resource
Company asset NetFlow Access
DCHP
DNS
HTTP
OUI
RADIUS
NMAP
SNMP
AP Wireless LAN
Controller Restricted
Employee
Internet Only
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
SGT Overview
Traditional Ingress Authorisations
VLAN Segmentation dACL based ingress Filtering
Data VLAN Data VLAN
Voice VLAN Voice VLAN
Quarantine VLAN
L2 Access L3 Distribution L2 Access Distribution
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
SGT Overview
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
SGT Overview
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
SGT Overview
SGT In Action
SGT Transport
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
SGT Platform Support
Classification
Policy
Management Catalyst 2K Catalyst 4K WLC (7.2) Nexus 7000 Nexus 1000v
Catalyst 3K Catalyst 6K Nexus 5000
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Classification
Enterprise
Backbone
SRC: 10.1.100.98
Hypervisor SW
VLAN is mapped to
WLC FW
SGT
Virtual Machine is
BYOD device is mapped to SGT
classified with SGT
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Classification
SGT Classification
Process to map SGT to IP Address
Classification can be dynamic or static
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Classification
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Classification
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Classification
Static Classification
802.1X RADIUS
ISE 1.1
Contractor MAC:0050.56BC.14AE Cat6500/Sup2T
11.11.11.11/32 3K-X
Employee MAC:0070.56BC.237B
10.1.10.100/32
Traffic
Cat6500/Sup2T Tagging
3K-X
SRC: 11.11.11.11 SGT (11/000B) 11.11.11.11
Tagging
SRC:10.1.10.100 SGT (10/000A) 10.1.10.100
g3/0/2
Business
Partners Route Updates
Hypervisor SW
43.1.1.0/24
49.1.1.0/24
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Classification
SGT Assignment
Access Layer Classification
Cat2960-S Cat3K Cat4K Cat6K ISR WLC Notes
Dynamic 802.1X X X X X X X
MAB X X X X X X
Web Auth X X X X X X
Static Port Definition X X - X - -
Layer 2 X X - X - - Dynamic query
Identity to Port to ISE for SGT
Mapping based “identity
on port”
VLAN/SGT - X* - X* - - 3K-X only for
CY12
Subnet/SGT - - - X - - Via Sup2T
Layer 3 - - - X - - Based on routes
Identity to Port learned from
Mapping port via dynamic
routing
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
SGT Platform Support
Classification
Policy
Management Catalyst 2K Catalyst 4K WLC (7.2) Nexus 7000 Nexus 1000v
Catalyst 3K Catalyst 6K Nexus 5000
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Transport
DMAC SMAC 802.1AE Header 802.1Q CMD ETYPE PAYLOAD ICV CRC
Security
Group
Tag
CMD EtherType Version Length SGT Opt Type SGT Value Other CMD Options
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Transport
SGT Exchange Protocol (SXP)
Control plane protocol that conveys the
IP-SGT map of authenticated hosts to
enforcement point
SXP
SW RT
SXP uses TCP as the transport layer SXP (Aggregation)
SXP (aggregation)
Two roles: Speaker (initiator) and
Listener (receiver) SW
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Transport
How SGT is Transported?
Inline SGT Tagging SXP
CMD Field IP Address SGT
10.1.100.98 50
Enterprise
Backbone
WLC FW
IP Address SGT SRC
• SXP: If there are devices are not SGT-capable SXP IP-SGT Binding Table
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Transport
Decrypt at Encrypt at
Ingress Egress
everything in clear
01101001010001001 01101001010001001
128bit AES GCM Encryption 128bit AES GCM Encryption 128bit AES GCM Encryption
ASIC
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
Transport
IP-SGT Binding Exchange with SXP
TCP-based SXP is established between Non-TrustSec capable
User A User C and TrustSec-Capable devices
Contractor Employee
User is assigned to SGT
10 30
Switch binds endpoint IP address and assigned SGT
Non SGT Switch builds binding
capable device table Switch uses SXP to send binding table to SGT capable device
SGT capable device tags packet based on source IP address
when packet appears on forwarding table
SXP SXP
ISE
User A User C
PCI_DB Web_Dir CRM Directory Untagged Traffic Untagged Traffic
Service
CMD Tagged Traffic CMD Tagged Traffic
111 222 333
Once SGT is tagged, then
SGACL can be applied
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
Transport
SXP Connection Types
Single-Hop SXP SXP
Speaker Listener
Non-TrustSec Domain
SGT Capable HW
SGT Enabled SW/WLC
SXP
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
Transport
SXP WAN Deployment Data Centre
IP Address SGT
N7K
10.1.10.1 Contractor - 10 NDAC/SAP
SXP
10.1.10.4 Employee - 30 802.1AE
10.1.254.1 Contractor - 10 Encryption
10.1.254.4 Employee - 30
SXP
6K w/720
6K w/ SUP 2T
• ISRG2 – 15.2(2)T
SXP
• ASR1K - IOS XE 3.4 ASR1K
ASR1K
Listener-1 Listener-2
• Cat6K(SUP 2T) - IOS 12.2(50)SY1 SXP WAN
SXP
• Unidirectional only
• No loop detection Speaker-1 Speaker-300
• Branch to DC enforcement only
...
IP Address SGT IP Address SGT
MACSec
WLC
AP SGT L2 Frame
Finance Catalyst® Switch
ISE
SXP Internet
Contractor
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Transport
SXPv4 WAN Deployment Data Centre
N7K
10.1.10.1 Contractor - 10
• ASR1K- 3.9 10.1.10.4 Employee - 30
10.1.254.1 Contractor - 10
• Cat6K(SUP 2T) – MA2 10.1.254.4 Employee - 30 6K 6K
IP Address
10.1.10.1
SGT
Contractor - 10
IP Address
... SGT
10.1.10.4 Employee - 30
10.1.10.1
10.1.254.1 Contractor - 10
10.1.254.1 Contractor - 10
10.1.10.4
10.1.254.4 Employee - 30
10.1.254.4 Employee - 30
10.1.254.1 Contractor - 10
10.1.254.4 Employee - 30
42
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Transport
SGT- GETVPN WAN Deployment
ISRG2 15.(x)T and ASR 3.9* SGACL
MACSec
AP SGT L2 Frame
WLC
Finance
ISE
SXP Internet
GETVPN
Nexus 7000 Data Center
Employee Remote Networks
HR GETVPN
Catalyst® Switch
Contractor
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
SGT Platform Support
Classification
Policy
Management Catalyst 2K Catalyst 4K WLC (7.2) Nexus 7000 Nexus 1000v
Catalyst 3K Catalyst 6K Nexus 5000
Enforcement
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Enforcement
Destination Classification
Web_Dir: SGT 20
CRM: SGT 30
End user authenticated
FIB Lookup
Classified as Employee (5)
Destination MAC/Port SGT 20
ISE
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Enforcement
Centralised Policy Management
Portal_ACL
Portal_ACL
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Enforcement
SGACL Platform Support
Cat3K-X Cat4500E Cat6500/Sup2T Nexus 7000 Nexus 5000/2000
Software 15.0(2)SE Spring, 2013 IOSIOS 12.2.50-SY NXOS 5.2.1 NXOS 5.0(3)N2(2b)
Inline SGT Catalyst 3750X Catalyst 45xx-E Catalyst 65xx-E N7K-C70xx N5K-C5548P
Tagging Catalyst 3560X WS-X45-Sup7-E VS-S2T-10G N7K-SUP1 N5K-C5548UP
C3KX-SM-10G WS-X4712-SFP+E VS-S2T-10G-XL N7K-M108X2-12L N5K-C5596UP
C3KX-NM-1G WS-X4748-UPOE+E WS-X6908-10G-2T N7K-M132XP-12 N5K-C5596T
C3KX-NM-10G WS-X4748-RJ45V+E WS-X6908-10G-2TXL N7K-M132XP-12L N2K-C2224TP
C3KX-NM-10GT WS-X4748-RJ45-E WS-X6904-40G-2T N7K-M148GT-11 N2K-C2248TP
WS-X6904-40G-2TXL
N7K-M148GT-11L N2K-C2248TP-E
N7K-M148GS-11 N2K-C2232PP
N7K-M148GS-11L N2K-C2232TM
N7K-M224XP-23L N2K-C2148T-1GE
N7K-M206FQ-23L N2K-C2224TP-1GE
N7K-M202CF-22L N2K-C2248TP-1GE
N7K-F248XP-25 N2K-C2232PP-10GE
N2K-C2232TM-10GE
SGACL 15.0(2)SE Spring, 2013 IOSIOS 12.2.50-SY NXOS 5.2.1 NXOS 5.0(3)N2(2b)
Availability Available Now Available Now Available Now Available Now Available Now
(requires Enterprise (requires Enterprise
Services) Services)
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Enforcement
SGFW Platform Support
ASR1000 ISR-G2 ASA
Software IOS 15.2(1)S or IOS 15.2(1)T ASA 9.0
IOS-XE3.5
Security PR1/PR2 CISCO89x ASA5505
Group ASR1001 CISCO19xx ASA5510
based ASR1002 CISCO29xx ASA5520
Firewall ASR1004 CISCO39xx ASA5540
ASR1006 ASA5550
ASA5580
ASR1000-ESP10 ASA5585-X
ASR1000-ESP20 ASASM
ASR1000-ESP40 ASA5512-X
ASR1000-PR1 ASA5515-X
ASR1000-PR2 ASA5525-X
ASR1000-SIP10 ASA5545-X
ASR1000-SIP40 ASA5555-X
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Use Case Review
Use Cases
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
Use Cases
Campus LAN Deployment Campus Access
Employee
10
Contractor
20
Cat6500
Directory
SRC \ DST PCI_Web (111) PCI_App (222) Service
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Use Cases
Branch LAN Deployment Campus Access
Directory
SRC \ DST PCI_Web (111) PCI_App (222) Service
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
Use Cases
SGTs with Wired 802.1X Monitor Mode
Egress Enforcement
Security Group ACL
PCI Server
HR Server
ACME Server
Campus
Personal asset
Network
HR User on iPad
N7K
ACME Server
SRC \ DST HR Server (111) Unknown
(222)
HR iPad (8) Deny all Permit all Permit all
HR User (10) Permit all Permit all Permit all
Guest (30) Deny all Deny all Permit all
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
Security Group Firewall - SGFW
Use Cases
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Use Cases
SGFW – ASA Architecture Benefits ASDM Policies ISE for SGACL
Policies
SGT Name
SGFW Download
Enforcement on a
SXP firewall SGT 10 = PCI_User
SGT 100 = PCI_Svr
IP Address SGT
SXP SGFW
Enforcement on a ASR
I
C
P SGACL
Campus Network
SGFW
IP Address SGT Enforcement on a ISR
10.1.10.1 Marketing (10)
Data Centre
SXP
• Design Considerations Enforcement on a switch
Segmentation
• Logical separation of resources across common DC infrastructure
• Segment servers into logical zones
• Control access to these different logical DC entities based on role
• Apply controls to physical or virtual systems (Virtual servers, VDI…)
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
Use Cases
Use Case: Segmentation
Physical or VM server Segmentation for Compliance
DC Access Layer
Security Group ACLs
• Segmentation defined in a simple
policy table or matrix Virtual Access
• Applied across Nexus
Physical Servers
7000/5500/2000 independent of
the topology Virtual Servers SGACL enabled Device
SG Firewall enabled Device
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Use Cases
Use Case: Segmentation
Physical or VM Server Segmentation for Compliance
Server
VM VM VM VM
#1 #2 #3 #4
Hypervisor
VIC
Finance VM DB VM
App VM
Web VM
Finance Server Web Server App Server DB Server Nexus 5500/Nexus 1000V
• Manually tag servers or using dynamic lookup (IPM, Port Profile, 802.1X, MAB)
• Use SGACL to enforce traffic between servers (VM, physical, VM-physical)
• Applicable for inter-security zone and intra-security zone (inside a VLAN)
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
Use Cases
Nexus 1000V 2.1
SGT Capabilities
• Port Profile
Container of network
properties
Applied to different
interfaces
• VMs inherit network
properties of the port-
profile after vMotion
has occurred
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Use Cases
Nexus 1000V v2.1
SGT Capabilities
PCI_DB
PCI_Web
GeneralServers
Employees
PCI_Users
• The Nexus 1000V propagates the SGT using SXP to peer switches or firewalls:
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Use Cases
Customer End State in the DC PCI_Users
Campus Network
SXP SXP
User credentials
Active Directory
Receives connection requests from thin-clients typically using RDP, PCoIP or ICA protocols
Authenticates the user, typically against AD
Maps the user to a pool of Virtual Machines or a specific VM
Hands off the user to the allocated VM
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
Use Cases
Using TrustSec SGA in a VDI/VXI Environment
Nexus 1000V
Server 1 Server 2
VM VM VM VM VM VM VM VM
#1 #2 #3 #4 #5 #6 #7 #8
Connection
Broker VMware vSwitch
Nexus 1000V VMware vSwitch
Nexus 1000V
Nexus 1000V DVS
VMW ESX VMW ESX
Network Access
SG-ACL or SGFW
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Campus Security Overlay
Use Cases
3750X
WAN Enterprise Server
Employee
Noncompliant
Deny
Enterprise Server
ISE 1.1
Employee
Compliant
Employee
Network Services Enterprise
SRC \ DST Compliant Remediation (222)
1. EmployeeNoncompliant is allowed to Remediation via (10)
(111) Servers (333)
intersecion of 20/222
2. EmployeeNoncompliant is denied access to Employee
Permit Any Permit Any Permit Any Permit Any
Compliant (10)
EmployeeCompliant via intersecion of 20/10
Employee- Permit DHCP
Deny All Permit Any Deny All
Noncompliant (20) Permit DNS
Permit DHCP
Unknown (0) Deny All Deny All Deny All
Permit DNS
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
Use Cases
Security Overlay – Layer 2 /Layer 3 SGACL
Permit Remediation
Network Services
3750X 3750X
Backbone Enterprise Server
Employee
Noncompliant
Enterprise Server
Deny
ISE 1.1
Employee Compliant
Employee
Network Services Enterprise
SRC \ DST Compliant Remediation (222)
1. Traffic from EmployeeNoncompliant must be tagged from (10)
(111) Servers (333)
3750X to L3 Switch
2. L3-Switch implements SGACL. Employee
Permit Any Permit Any Permit Any Permit Any
Compliant (10)
3. EmployeeNoncompliant is allowed to Remediation via
intersecion of 20/222 Employee- Permit DHCP
Deny All Permit Any Deny All
4. EmployeeNoncompliant is denied access to Noncompliant (20) Permit DNS
Can SGT encrypt the link between multiple Data Centre for
secure backup / DR purpose?
802.1AE technology can be used to encrypt point-to-point link
with following conditions
• 40 Gbps, 10Gbps or 1Gbps link between Nexus 7000s if both
Nexus 7Ks are connected with dark fibre or passive repeater
between DCs so that L2 frame is not manipulated
• Or use EoMPLS Pseudowire to encapsulate 802.1AE frame
between two Data Centres
• Catalyst 6500s with 69xx line cards as well
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
Use Cases
SGT for Secure Data Centre Interconnect
Dual Access with MPLS Connectivity
DC-1 DC-2
Nexus 7010 Nexus 7010
Cat6K Cat6K
PE Device PE Device
vPC vPC
MPLS
PE Device PE Device
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
Basic Customer Case
Study Review
Basic Case Study
Customer Problem Statement
Customer has several challenges for “network access”
Regulatory Compliance
‒ This requires compensating controls for to control traffic for different types of
device/users on the network
Business Strategy Support
‒ The business is moving to a model where more contractors/vendors will be doing
work
‒ This requires that particular contractors have very specific and limited access to the
network
BYOD Trend
‒ Support the mobile device BYOD
‒ In addition it’s a stated goal to move the cost centre for general computing endpoints
out of IT and into the employees hands
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Basic Case Study
Customer Goals When Evaluating “Access
Control”
Customer has been evaluating “access control” solutions for over
a decade to meet regulatory compliance. All have failed to
address critical use cases
The supporting criteria is that if they could dynamically identify the
device/user that they could dynamically provision the necessary
network controls to meet their regulatory compliance objectives.
With the primary objective being device/user identification this
same goal supports the business moving to more
contractor/vendor support as well as BYOD
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Basic Case Study
Customer Policy
Corporate Users with a corporate asset
‒ full permissions at the access layer
‒ restricted permissions based on role at the data centre and restricted area.
Corporate users with a personal asset, or contractors/vendors that opt to use the
asset for “work”
‒ restricted permissions at the access layer
Internet only
VDI access
‒ restricted permissions at the DC
Basic services like DNS/DHCP
VDI
Guests or corporate with a personal asset that opt “out” and use the device for
personal only use
‒ Restricted permissions at the access layer
Internet only
Restricted permissions at the DC
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Basic Case Study
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 92
Basic Case Study
Internet Block
Corp User – Corp Asset SGFW Outbound
DC Block
Role 1 Zone 1
CorpAssetRole-1
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 93
Basic Case Study
Internet Block
Corp User – Corp Asset SGFW Outbound
DC Block
Role 2 Zone 1
CorpAssetRole-2
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 94
Basic Case Study
Internet Block
Corp User/NonAsset – VDI SGFW Outbound
DC Block
Role 1 Zone 1
CorpNonAsset_VDI
CorpAsset-Role 1
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 95
Basic Case Study
Internet Block
Contractor SGFW Outbound
DC Block
Zone 1
Contractor
Contractor_VDI
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
Basic Case Study
Internet Block
Guest/Corp/Contractor – SGFW Outbound
DC Block
Internet Only Zone 1
Corp_Contractor_InetOnly
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 97
Summary
Other sessions
‒ BRKSEC-2022 - Demystifying TrustSec, Identity, NAC and ISE
‒ BRKCRS-2199 - Secure Converged Wired, Wireless Campus
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 98
Recommended Reading
Network Complexity - Michael H. Behringer: Classifying Network Complexity; slides;
ACM ReArch'09 workshop; 2009
http://networkcomplexity.org/wiki/index.php?title=References
Cisco TrustSec 2.1 Design and Implementation Guide
http://www.cisco.com/go/trustsec/
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 99
Resources
Main TrustSec Page
‒ http://www.cisco.com/go/trustsec
More Documents
‒ http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_De
nZone_TrustSec.html
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Q&A
Complete Your Online Session
Evaluation
Give us your feedback and receive
a Cisco Live 2013 Polo Shirt!
Complete your Overall Event Survey and 5
Session Evaluations.
Directly from your mobile device on the
Cisco Live Mobile App
By visiting the Cisco Live Mobile Site
www.ciscoliveaustralia.com/mobile
Visit any Cisco Live Internet Station located
Don’t forget to activate your
throughout the venue
Cisco Live 365 account for
Polo Shirts can be collected in the World of access to all session material,
Solutions on Friday 8 March 12:00pm-2:00pm communities, and on-demand and live activities throughout
the year. Log into your Cisco Live portal and click the
"Enter Cisco Live 365" button.
www.ciscoliveaustralia.com/portal/login.ww
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 102
BRKSEC-2046 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public