https://community.cisco.com/t5/network-access-control/authenticate-users-from-internal-to-data-centre-network/m-p/3772511#M25031 <P>To add to the complexity, we want to allow all traffic on ports 80 and 443 but block all other ports except for this small subset of users, which all traffic should be allowed for. We thought about using sticky mac-address port-security but I don't think there is a way to also allow other macs on ports 80 and 443. Going back to BB's note about using a firewall, is that a viable option given that we're not permitting/denying on layer 3?</P> <P>&nbsp;</P> <P>Thanks<BR />A</P> Thu, 03 Jan 2019 20:18:48 GMT aok 2019-01-03T20:18:48Z https://community.cisco.com/t5/network-access-control/authenticate-users-from-internal-to-data-centre-network/m-p/3772382#M25001 <P>Hi all</P> <P>&nbsp;</P> <P>Hoping for some solution suggestions here...</P> <P>&nbsp;</P> <P>We have a data centre environment connected to our internal user network via a 10G port between two Nexus 9Ks. Currently when a machine is connected to our internal network all users can access the data centre resources. Our goal is to only allow certain users access from the internal network to the data centre resources. What options do we have to achieve this? Let me know if you need more info.</P> <P>&nbsp;</P> <P>Thanks<BR />A</P> Thu, 03 Jan 2019 17:22:24 GMT https://community.cisco.com/t5/network-access-control/authenticate-users-from-internal-to-data-centre-network/m-p/3772382#M25001 aok 2019-01-03T17:22:24Z https://community.cisco.com/t5/network-access-control/authenticate-users-from-internal-to-data-centre-network/m-p/3772419#M25006 <P>You have 2 Options,</P><P>&nbsp;</P><P>1. You can have ACL in place to control this.</P><P>2. you can plan FW to protect botht the sides.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 03 Jan 2019 18:25:32 GMT https://community.cisco.com/t5/network-access-control/authenticate-users-from-internal-to-data-centre-network/m-p/3772419#M25006 balaji.bandi 2019-01-03T18:25:32Z https://community.cisco.com/t5/network-access-control/authenticate-users-from-internal-to-data-centre-network/m-p/3772422#M25028 Have you thought about implementing Identity Services Engine and doing segmentation that way? Recommendation would ultimately be using SGTs<BR /> Thu, 03 Jan 2019 18:28:16 GMT https://community.cisco.com/t5/network-access-control/authenticate-users-from-internal-to-data-centre-network/m-p/3772422#M25028 Jason Kunst 2019-01-03T18:28:16Z https://community.cisco.com/t5/network-access-control/authenticate-users-from-internal-to-data-centre-network/m-p/3772443#M25029 <P>Hi Jason</P> <P>&nbsp;</P> <P>Thanks for the recommendation, I have looked at ISE and it seems to be quite involved. We only have about 5 users that we want to allow access across the switch port, is there a simpler way to achieve this?</P> <P>&nbsp;</P> <P>Thanks</P> <P>A</P> Thu, 03 Jan 2019 18:39:01 GMT https://community.cisco.com/t5/network-access-control/authenticate-users-from-internal-to-data-centre-network/m-p/3772443#M25029 aok 2019-01-03T18:39:01Z https://community.cisco.com/t5/network-access-control/authenticate-users-from-internal-to-data-centre-network/m-p/3772461#M25030 <P>Just to provide some more information, we only want traffic going over the port from the internal network to the data centre to be tested for authenticated users. We don't want to specify IP addresses or anything like that so a layer 3/4 access-list won't work. Any ideas? We don't want to change the way our users authenticate overall, only when a user on the internal network is trying to access something that's on the other side of the specific switch port.</P> <P>&nbsp;</P> <P>Thanks<BR />A</P> Thu, 03 Jan 2019 19:06:57 GMT https://community.cisco.com/t5/network-access-control/authenticate-users-from-internal-to-data-centre-network/m-p/3772461#M25030 aok 2019-01-03T19:06:57Z https://community.cisco.com/t5/network-access-control/authenticate-users-from-internal-to-data-centre-network/m-p/3772511#M25031 <P>To add to the complexity, we want to allow all traffic on ports 80 and 443 but block all other ports except for this small subset of users, which all traffic should be allowed for. We thought about using sticky mac-address port-security but I don't think there is a way to also allow other macs on ports 80 and 443. Going back to BB's note about using a firewall, is that a viable option given that we're not permitting/denying on layer 3?</P> <P>&nbsp;</P> <P>Thanks<BR />A</P> Thu, 03 Jan 2019 20:18:48 GMT https://community.cisco.com/t5/network-access-control/authenticate-users-from-internal-to-data-centre-network/m-p/3772511#M25031 aok 2019-01-03T20:18:48Z https://community.cisco.com/t5/network-access-control/authenticate-users-from-internal-to-data-centre-network/m-p/3772555#M25032 <P>This is a forum for Anyconnect, Segmentation for Trustsec and ISE.</P> <P>&nbsp;</P> <P>Few things to think about is assigning tags to switchports for the users. Using SXP to transport tags to another switch that can consume it.</P> <P>&nbsp;</P> <P>If you have Nexus 9k and planning to use ACI, suggest considering ISE since we have integration with ACI. SGT's can be mapped to ACI (EPGs) and viceversa and you can do enforcement at the Datacenter.</P> <P>&nbsp;</P> <P>Here is the Trustsec compatibility matrix that will show the validated solution and support for Trustsec.</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/solution-overview-listing.html" target="_blank">https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/solution-overview-listing.html</A></P> <P>&nbsp;</P> <P>Thanks</P> <P>Krishnan</P> <P>&nbsp;</P> Thu, 03 Jan 2019 21:48:51 GMT https://community.cisco.com/t5/network-access-control/authenticate-users-from-internal-to-data-centre-network/m-p/3772555#M25032 kthiruve 2019-01-03T21:48:51Z