Solved: Cisco ISE - VLANs versus TrustSec for Network Access Control - Question

ankaushi · ‎06-23-2017

Hi Team,

I’m currently working with a partner for a new site proposal. This new site will also be used to trial (proof of concept) Cisco ISE for provision of Network Access Control for both the wired and wireless networks. My question is around the use of network segmentation for security purposes, and I’m wondering if you believe my current thinking has some merit and logic to it.

Below is the Cisco Medical NAC at-a-glance paper and on top of page 2 it states “Cisco offers two means of segmentation: VLANs or Cisco TrustSec”.

https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/at-a-glance-c45-738024.pdf

To me this statement implies either one or the other, but I would have thought we could use and combine both e.g. use ISE to dynamically assign both the layer 2 VLAN and tag traffic with a TrustSec layer 3 security group number. The reason behind my question is because I don’t just want VLAN network segmentation, and I don’t just want TrustSec network segmentation. I want to be able to have both concurrently for an optimal segmentation design.

For me there are different pros and cons associated with VLANs versus TrustSec with regards to network segmentation.

Historically, the reason layer 2 VLANs evolved was to segment network broadcast domains to facilitate more scalable, robust and secure network design.

So (to my way of thinking) moving away from layer 2 VLAN segmentation and just using layer 3 security groups via ACLs (TrustSec) instead, seems to ignore some of the benefits previously provided by VLANs such as grouping hosts at both a layer 2 and layer 3 network level.

In the case of a multi-tenanted network design (which I’m currently proposing), surely it would make sense to group company A desktops in a separate VLAN from company B desktops e.g. a virus outbreak on company A would have a more difficult time spreading to company B if they were segmented both at layers 2 and 3? Is my assumption re virus outbreaks correct e.g. would some viruses, bots, etc spread more easily and rapidly in an open layer 2 broadcast domain (common VLAN) as opposed to separate VLANs?

I understand some of the benefits of TrustSec such as keeping the access network design simple and avoiding VLAN proliferation. However I believe there are scenarios such as multi-tenant environments where it would make more sense to leverage both layer 2 VLANs and layer 3 TrustSec concurrently. Yes it means more complexity, but it also means greater security. Horses for courses.

Do you think I’m on the right track or have I missed or overlooked something?

Please share your thoughts.

Regards,

Anshul

ankaushi · ‎06-23-2017

24 June 2017

Hey Krishna

How are you?

6:50 am

Hi Anshul

6:51 am

Many Thanks for your response on the communities….Regarding the statement "Cisco offers two means of segmentation: VLANs or Cisco TrustSec”. Is my understanding right that we can combine both e.g. use ISE to dynamically assign both the layer 2 VLAN and tag traffic with a TrustSec layer 3 security group number?

6:51 am

Or it has to be one or the other

Understands the advantages of using TrustSec but the question is more on the use of both

6:52 am

VLAN is traditional, Trustsec is contemporary. You dont need to care abt VLAN's when you use Tags.

6:53 am

even if you are using VLAN 1, you can assign a Tag

VLAN 1 being the default VLAN

6:54 am

so we can use only one and not both at the same time, right?

6:55 am

What is the use case here?

6:56 am

Partner specifically wants to confirm on this section - Whether he can use combine both or it has to be one only?

6:56 am

What is the problem you are trying to solve?

6:56 am

It was there in the description , I guess

6:56 am

How can we segment the different networks - Can we use both VLANs and TrustSec both?.Trying to implement NAC for Wired and Wireless users in the network

6:58 am

These serve different purpose, it is more of an education the partner needs. You cannot get rid of VLAN's since by default you have switchport in VLAN 1, traditionally IP's are associated based on VLAN's. VLAN will still be the underlay, however you dont need to expand VLAN's as you expand your network, rather consolidate VLAN as a means of endpoints to get IP's. Use Trustsec for segmentation.

7:00 am

Got it …thanks much Krish

7:00 am

NP...please copy/paste rest of the discussion in community site for others to benefit as well.

7:01 am

View solution in original post

kthiruve · ‎06-23-2017

Hi Anshul,

Yes you are right VLAN segmentation are traditional means to separate broadcast domain. So if you think about VLANs, it needs an IP subnet at L3.

If you have 1000 VLAN’s you have 1000 subnets just for an example (adds reliance and need for IP subnets).

To segment endpoints wherever they are in an enterprise, you need to have all these VLAN’s across all the access devices for flexibility.

That may not be practically possible or needed. If an employee from US goes to Europe or is on Road connecting via VPN how do you segment that employee(mobility). Ofcourse ACL’s right.

Now think about a large enterprise, 50000 users/endpoints trying to reach different resources in the network. How many ACL’s to do you need across different network devices( in Datacenter, branch, Campus etc)? ( Complexity)

What is the cost involved in maintaining these in terms of person hours per day? (Cost)

Now think about 50000 endpoints having Security group Tags and these tags are recognized by all the devices in the network( whether the user is in/out of campus, moving from one location to another), propagated across the network, enforced at any location automatically.

Ofcourse these endpoints will need IP’s, however the enforcement ( SGACL) is not based on IP’s, it is based on port numbers/protocols. Access control (Enforcement) is based on destination IP that the network device will know based on the classification of resources.

Finally, think about managing access control policies from one single window in a simple matrix view. Also think about access control in terms of resources not IP’s. That is User A will have access to Server A not Server B, Server C will have only https access etc. It makes sense from a work flow standpoint right.

That is what Trustsec provides you. It does not eliminate the need for VLAN. However reduces the complexity of segmentation, helps mobility, reduces cost thereby reduces the dependency of VLAN based segmentation, helps consolidation of VLANs and reduces complexity in managing IP’s.

Here is the while paper discussing ROI of Trustsec from Forrester for your reference

https://www.cisco.com/c/dam/en/us/products/collateral/security/secure-access-control-system/tei-of-cisco-trustsec.pdf

Hope it helps.

Thanks

Krishnan

ankaushi · ‎06-23-2017

24 June 2017

Hey Krishna

How are you?

6:50 am

Hi Anshul

6:51 am

Many Thanks for your response on the communities….Regarding the statement "Cisco offers two means of segmentation: VLANs or Cisco TrustSec”. Is my understanding right that we can combine both e.g. use ISE to dynamically assign both the layer 2 VLAN and tag traffic with a TrustSec layer 3 security group number?

6:51 am

Or it has to be one or the other

Understands the advantages of using TrustSec but the question is more on the use of both

6:52 am

VLAN is traditional, Trustsec is contemporary. You dont need to care abt VLAN's when you use Tags.

6:53 am

even if you are using VLAN 1, you can assign a Tag

VLAN 1 being the default VLAN

6:54 am

so we can use only one and not both at the same time, right?

6:55 am

What is the use case here?

6:56 am

Partner specifically wants to confirm on this section - Whether he can use combine both or it has to be one only?

6:56 am

What is the problem you are trying to solve?

6:56 am

It was there in the description , I guess

6:56 am

How can we segment the different networks - Can we use both VLANs and TrustSec both?.Trying to implement NAC for Wired and Wireless users in the network

6:58 am

These serve different purpose, it is more of an education the partner needs. You cannot get rid of VLAN's since by default you have switchport in VLAN 1, traditionally IP's are associated based on VLAN's. VLAN will still be the underlay, however you dont need to expand VLAN's as you expand your network, rather consolidate VLAN as a means of endpoints to get IP's. Use Trustsec for segmentation.

7:00 am

Got it …thanks much Krish

7:00 am

NP...please copy/paste rest of the discussion in community site for others to benefit as well.

7:01 am

ankaushi · ‎06-26-2017

Thank you so much for your responses and a quick chat. After further discussion with partner, I do however have a few follow up questions for what is obviously a very important subject:

1) Is TrustSec fully supported for a “wired” device connected via a Cisco IP phone? e.g. Cisco IP phones are typically implemented as a two port LAN switch (one port operating as a trunk with a voice and data VLAN, the other port as a data only VLAN), therefore wired devices such as PCs and laptops are often one step removed from the actual Cisco LAN access network. So whilst the Cisco LAN access switch e.g. Catalyst 3850 supports 802.1x, TrustSec classification and TrustSec enforcement, do Cisco IP phones support this if they’re connected to e.g. a Catalyst 3850 switch?

2) Am I correct to assume that computer viruses would spread more easily via a single site VLAN than they would via multiple site VLANs? Consider the scenario of a greenfield site with multiple tenants (different organisation PCs and desktop SOEs), would it still make sense in this scenario to provision multiple data VLANs (one per tenant organisation) to facilitate improved security against a virus outbreak? Or does TrustSec provide sufficient controls to negate this risk of virus outbreaks?

3) Best practise security network design for voice and video implementation (e.g. CUCM and Jabber Video) was always to implement separate voice, video and data VLANs. Has this now changed if we implement TrustSec, or not really?

Thanks in Advance.

Regards,

Anshul