
Beginner

CTS manual without ISE

Good day -

Does anyone know if CTS can be used without ISE (a citation would certainly be helpful!)?

If I configure TrustSec static policies (via cts manual) and manually define role-based policies (via cts role-based permission...), and then manually enable enforcement, should SGT inline tagging operate and policy be enforced?

I appreciate your comments.

1 REPLY
VIP Advocate

Re: CTS manual without ISE

The short answer is yes, CTS can be deployed manually. But the published TrustSec solution guides really rely on the dynamic functions of ISE to provide classification of endpoints, and administration of policy. I cannot stress enough the value that ISE provides in being able to control this solution.

What you described is entirely possible: you can manually configure SGT mappings and you can manually configure SGACLs, but consider the operational cost that manually maintaining all of this requires. ISE provides a central policy service to tune and push these constructs, and it's very good at it. CTS manual will forward tags inline without ISE being involved, SXP can be configured without ISE (doesn't scale well), and policy can be enforced if you create it in the correct spots.


I would strongly recommend against going down this path.


This guide provides the configurations to manually configure TrustSec on IOS XE devices. Because no one section contains everything, this will also be the link that provides the SGT to IP options you would require.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-16/sec-usr-cts-xe-16-book/sec-usr-cts-xe-16-book_chapter_01101.html

This specific section provides the steps to manually configure SGACLs.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-16/sec-usr-cts-xe-16-book/sec-cts-sgacl.html

CTS manual/CTS propagation is described in its own section.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-16/sec-usr-cts-xe-16-book/cts-sgt-handling-imp-fwd.html
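
An added example, not part of the thread or of Cisco's documentation: a Python check that reads a saved running-config and reports whether the manually maintained pieces discussed above (static SGT mappings, SGACLs and their permissions, global enforcement, `cts manual` on links) are all present and consistent. The sample config, SGT numbers, addresses and ACL names are constructed for illustration, and exact command syntax can differ by platform and release.

```python
import re

# Constructed sample running-config; every value below is made up.
SAMPLE = """\
cts role-based sgt-map 10.1.10.5 sgt 10
cts role-based sgt-map 10.1.20.0/24 sgt 20
ip access-list role-based BLOCK_WEB
 deny tcp dst eq 80
 permit ip
cts role-based permissions from 10 to 20 BLOCK_WEB
cts role-based permissions from 20 to 10 MISSING_ACL
cts role-based enforcement
interface TenGigabitEthernet1/0/1
 cts manual
  policy static sgt 2 trusted
interface TenGigabitEthernet1/0/2
 cts manual
  no propagate sgt
"""

def audit(config):
    """Summarise the manually configured TrustSec pieces in a running-config."""
    out = {"sgt_map": {}, "acls": set(), "permissions": [],
           "enforcement": False, "tagging_ifs": [], "no_propagate_ifs": []}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level line ends interface scope
            iface = None
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"cts role-based sgt-map (\S+) sgt (\d+)", line):
            out["sgt_map"][m.group(1)] = int(m.group(2))
        elif m := re.match(r"ip access-list role-based (\S+)", line):
            out["acls"].add(m.group(1))
        elif m := re.match(
                r"cts role-based permissions from (\S+) to (\S+)(?: ipv[46])? (\S+)", line):
            out["permissions"].append(m.groups())
        elif line == "cts role-based enforcement":
            out["enforcement"] = True
        elif line == "cts manual" and iface:
            out["tagging_ifs"].append(iface)
        elif line == "no propagate sgt" and iface in out["tagging_ifs"]:
            # cts manual is present, but inline tag propagation is turned off
            out["tagging_ifs"].remove(iface)
            out["no_propagate_ifs"].append(iface)
    # Permissions that reference an SGACL never defined on this device
    out["undefined_acls"] = sorted({p[2] for p in out["permissions"]} - out["acls"])
    return out
```

Run against each device's config, this surfaces the drift that hand-maintained policy tends to accumulate: a permission pointing at an SGACL that was never defined, a link with propagation disabled, or enforcement left off.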