Using TrustSec for Campus and Branch segmentation

deyster94 — Tue, 26 Mar 2019 00:36:26 GMT

I have a client that is looking to segment their network. They were initially thinking either ACL's on their switches or using a FW. However, after talking to them about ISE and TrustSec, they are interested in that solution. The client is an international company, so they have a branch/campus network layout. In researching how TrustSec works in this scenario, I found the following guide:

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/branch-segmentation.pdf

It mentions having the WAN connectivity being encrypted, but I also heard there is an encapsulation method that you can use instead. However, I cannot find anything on the encapsulation method, how it works and what devices are required. Issue we have at this client is even though their WAN links are connected with Cisco routers, they do not manage them. So getting this provider to implement a VPN across the WAN links for TrustSec may not happen.

If someone can provide me that information, it would be appreciated.

Dan

Re: Using TrustSec for Campus and Branch segmentation

umahar — Mon, 05 Mar 2018 19:39:36 GMT

I would highly recommend you watching Cisco Live presentations on TrustSec if you are just starting with the technology.

I think what you are referring to is how you'll be able to propagate tags from branch to headquarters and vice versa.

Propagation of tags can be via data plane like you mentioned over VPN - dmvpn or getvpn etc.

If propagation via data plane is not possible then SXP allows you to achieve propagation in control plane by sending the mappings over a separate protocol.

topic Re: Using TrustSec for Campus and Branch segmentation in Network Access Control

Using TrustSec for Campus and Branch segmentation

Re: Using TrustSec for Campus and Branch segmentation