CCNP Security FAQ: TrustSec and MACSec

CCNP Security FAQ: TrustSec and MACSec


Figure: MACSec Layer-2 hop-by-hop encryption.

Q1. What is a security group tag?
a. A luggage tag applied by TSA workers at airports to flag bags as they enter security checkpoints
b. An internal assignment used in ISE to represent a local copy of an Active Directory group
c. A 16-bit value that represents the context of a user and/or a device
d. An RFID tag used to identify a wireless asset to ISE

Answer: C. A security group tag (SGT) is a 16-bit value that ISE assigns to the user’s or endpoint’s session upon login. The SGT can represent the context of the user and device and can be carried in the Layer-2 frame or communicated through SXP. The SGT is assigned at ingress and enforced upon egress.

Q2. Where are security groups defined in the ISE administrative GUI?
a. Administration > System > Security Group Access > Security Group
b. Policy > Policy Elements > Results > Security Group Access
c. Policy > Policy Elements > Dictionaries > System > Security Group Access
d. Policy > Firewall > Identity by TrustSec

Answer: B. SGTs are considered an authorization result in the ISE administrative GUI. They are defined within the policy elements section of the GUI as an authorization result. They also can be defined from the Policy > Security Group Access > Egress Policy screens by clicking on Configure > Create New Security Group; however, that method was never discussed in the text of this chapter.

Q3. What are three ways that an SGT can be assigned to network traffic?
a. Manual binding of the IP address to an SGT
b. Manually configured on the switch port
c. Dynamically assigned by the network access device
d. Dynamically assigned by the 802.1X authorization result
e. Manually configured in the NAC agent profile
f. Dynamically assigned by the AnyConnect network access manager

Answer: A, B, D. To use the SGT, the tag needs to be assigned (known as classification). This can happen dynamically and be downloaded as the result of an ISE authorization; they also can be assigned manually at the port level or even mapped to IP addresses and downloaded to SGT-capable devices.

Q4. True or False? An SGT-capable device can automatically map traffic to an SGT based on the VLAN of that traffic.
a. True
b. False

Answer: A. Although that gear might not support the classification and transport natively, it might be capable of assigning different VLANs or IP addresses per authorization result. A distribution layer device may have the ability to map subnets and VLANs and assign all source IP addresses from the subnet or VLAN to a specific tag.

Q5. Which peering protocol can be used to transmit a mapping of IP address to SGTs between SGTcapable devices when traffic is crossing non–SGT-capable network segments?
a. Enhanced Interior Gateway Routing Protocol (EIGRP)
b. Intermediate System—Intermediate System (IS-IS)
c. Border Gateway Protocol (BGP)
d. Security Group Exchange Protocol (SXP)

Answer: D. Cisco has developed a peering protocol (similar to BGP or LDP) to enable devices to communicate their database of IP-address-to-SGT mappings to one another. This peering protocol is called Security Group Exchange Protocol (SXP).

Q6. What are two modes of SXP peers?
a. Speaker
b. SGT-Reflector
c. Listener
d. SGT-Sender

Answer: A, C. Every SXP peer session has a speaker and listener. A speaker sends the mappings of IP addresses to SGTs. The listener receives those updates and records them. A peer can be configured for both roles simultaneously and can have numerous peers.

Q7. How is the SGT transmitted when using native tagging?
a. The SGT is included in the Cisco Metadata (CMD) portion of the Layer-2 Frame.
b. The SGT is included in 802.1Q trunking.
c. The SGT is included in Inter-Switch-Link (ISL) trunking.
d. The SGT is carried in Cisco Discovery Protocol (CDP) messages.

Answer: A. Native tagging of SGTs includes the 16-bit tag as a portion of the Cisco Metadata field of the Layer-2 Ethernet frame. It also can be included as part of an IPSec link.

Q8. When using native tagging of SGTs, how can an administrator ensure confidentiality and integrity of the tag?
a. By enabling MD5 authentication between SGT peers
b. By enabling IEEE 802.1AE (MACSec) between the switches
c. By enabling IEEE 802.1AE (MACSec) between the endpoint and the access switch
d. By configuring peer-to-peer GRE tunnels between the switches

Answer: B. The tag can be encrypted within a MACSec encrypted link between network infrastructure devices or even an IPSec connection. The endpoint is never aware of the tag that has been assigned, so enabling downlink MACSec between the endpoint and the switch will not help.

Q9. What are two methods of enforcement with SGTs?
a. SG-ACLs on switches.
b. SG-ACLs on routers.
c. SG-Firewalls.
d. SG-Appliances.
e. SGTs are not enforced.

Answer: A, C. SGTs can be enforced with security group ACLs, which are egress ACLs that use source and destination tags as the condition upon which to invoke the egress ACL. Additionally the ASA, ASR, and ISR can act as security group firewalls, using the source and/or destination tag as ACL conditions.

Q10. What is the difference between uplink MACSec and downlink MACSec?
a. Uplink MACSec defines the encrypted traffic entering the switch from the endpoint, whereas downlink MACSec is the encrypted traffic leaving the switch, destined to the endpoint itself.
b. There is no difference between uplink and downlink MACSec.
c. The difference is solely based on the encryption algorithm used.
d. Uplink MACSec defines the encrypted connection between network infrastructure components, whereas downlink MACSec defines the encrypted connection between the access layer device and the endpoint.

Answer: D. Uplink MACSec defines the encrypted connection between network infrastructure components, whereas downlink MACSec defines the encrypted connection between the access layer device and the endpoint. Although uplink and downlink MACSec use different keying mechanisms today, both are still using the same encryption algorithm of AES-GCM-128.

About the author

James Palmer

Leave a Comment