Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1363
Views
5
Helpful
6
Replies

Authenticate users from internal to data centre network

Go to solution
aok
Level 1
Level 1

‎01-03-2019 09:22 AM

Hi all

 

Hoping for some solution suggestions here...

 

We have a data centre environment connected to our internal user network via a 10G port between two Nexus 9Ks. Currently when a machine is connected to our internal network all users can access the data centre resources. Our goal is to only allow certain users access from the internal network to the data centre resources. What options do we have to achieve this? Let me know if you need more info.

 

Thanks
A

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
kthiruve
Cisco Employee
Cisco Employee
In response to aok

‎01-03-2019 01:48 PM

This is a forum for Anyconnect, Segmentation for Trustsec and ISE.

 

Few things to think about is assigning tags to switchports for the users. Using SXP to transport tags to another switch that can consume it.

 

If you have Nexus 9k and planning to use ACI, suggest considering ISE since we have integration with ACI. SGT's can be mapped to ACI (EPGs) and viceversa and you can do enforcement at the Datacenter.

 

Here is the Trustsec compatibility matrix that will show the validated solution and support for Trustsec.

 

https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/solution-overview-listing.html

 

Thanks

Krishnan

 

View solution in original post

0 Helpful
6 Replies 6

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-03-2019 10:25 AM

You have 2 Options,

 

1. You can have ACL in place to control this.

2. you can plan FW to protect botht the sides.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎01-03-2019 10:28 AM

Have you thought about implementing Identity Services Engine and doing segmentation that way? Recommendation would ultimately be using SGTs
0 Helpful

Go to solution
aok
Level 1
Level 1
In response to Jason Kunst

‎01-03-2019 10:39 AM

Hi Jason

 

Thanks for the recommendation, I have looked at ISE and it seems to be quite involved. We only have about 5 users that we want to allow access across the switch port, is there a simpler way to achieve this?

 

Thanks

A

0 Helpful

Go to solution
aok
Level 1
Level 1
In response to aok

‎01-03-2019 11:06 AM

Just to provide some more information, we only want traffic going over the port from the internal network to the data centre to be tested for authenticated users. We don't want to specify IP addresses or anything like that so a layer 3/4 access-list won't work. Any ideas? We don't want to change the way our users authenticate overall, only when a user on the internal network is trying to access something that's on the other side of the specific switch port.

 

Thanks
A

0 Helpful

Go to solution
aok
Level 1
Level 1
In response to aok

‎01-03-2019 12:18 PM

To add to the complexity, we want to allow all traffic on ports 80 and 443 but block all other ports except for this small subset of users, which all traffic should be allowed for. We thought about using sticky mac-address port-security but I don't think there is a way to also allow other macs on ports 80 and 443. Going back to BB's note about using a firewall, is that a viable option given that we're not permitting/denying on layer 3?

 

Thanks
A

0 Helpful

Go to solution
kthiruve
Cisco Employee
Cisco Employee
In response to aok

‎01-03-2019 01:48 PM

This is a forum for Anyconnect, Segmentation for Trustsec and ISE.

 

Few things to think about is assigning tags to switchports for the users. Using SXP to transport tags to another switch that can consume it.

 

If you have Nexus 9k and planning to use ACI, suggest considering ISE since we have integration with ACI. SGT's can be mapped to ACI (EPGs) and viceversa and you can do enforcement at the Datacenter.

 

Here is the Trustsec compatibility matrix that will show the validated solution and support for Trustsec.

 

https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/solution-overview-listing.html

 

Thanks

Krishnan

 

0 Helpful
Customers Also Viewed These Support Documents