Authenticate users from internal to data centre network

aok
Level 1

Hi all

 

Hoping for some solution suggestions here...

 

We have a data centre environment connected to our internal user network via a 10G port between two Nexus 9Ks. Currently when a machine is connected to our internal network all users can access the data centre resources. Our goal is to only allow certain users access from the internal network to the data centre resources. What options do we have to achieve this? Let me know if you need more info.

 

Thanks
A

1 Accepted Solution

Accepted Solutions

kthiruve
Cisco Employee

This is a forum for Anyconnect, Segmentation for Trustsec and ISE.

 

A few things to think about: assigning tags to switchports for the users, and using SXP to transport the tags to another switch that can consume them.

 

If you have Nexus 9K and are planning to use ACI, I suggest considering ISE since we have integration with ACI. SGTs can be mapped to ACI EPGs and vice versa, and you can do enforcement at the data centre.

 

Here is the Trustsec compatibility matrix that will show the validated solution and support for Trustsec.

 

https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/solution-overview-listing.html

 

Thanks

Krishnan

 


6 Replies

balaji.bandi
Hall of Fame

You have two options:

1. You can have an ACL in place to control this.

2. You can plan a FW to protect both sides.

 

 

BB


Jason Kunst
Cisco Employee
Have you thought about implementing Identity Services Engine and doing segmentation that way? Recommendation would ultimately be using SGTs

Hi Jason

 

Thanks for the recommendation, I have looked at ISE and it seems to be quite involved. We only have about 5 users that we want to allow access across the switch port, is there a simpler way to achieve this?

 

Thanks

A

Just to provide some more information, we only want traffic going over the port from the internal network to the data centre to be tested for authenticated users. We don't want to specify IP addresses or anything like that so a layer 3/4 access-list won't work. Any ideas? We don't want to change the way our users authenticate overall, only when a user on the internal network is trying to access something that's on the other side of the specific switch port.

 

Thanks
A

To add to the complexity, we want to allow all traffic on ports 80 and 443 but block all other ports, except for this small subset of users, for whom all traffic should be allowed. We thought about using sticky mac-address port-security but I don't think there is a way to also allow other MACs on ports 80 and 443. Going back to BB's note about using a firewall, is that a viable option given that we're not permitting/denying on layer 3?

 

Thanks
A
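Putting the accepted answer's SGT/SXP approach together with the requirement stated in the thread (80 and 443 for every machine, everything for the handful of privileged users, and no IP-based rules), the following is an added Python model of the decision the enforcement point on the data-centre side would make. It is example code written for this page, not code from the thread or from Cisco: the tag numbers, subnets, user addresses and SGACL entries are constructed, plain dictionaries stand in for the bindings ISE would deliver over SXP, and the model denies any SGT pair that has no policy (on a real device the catch-all is whatever default permission you configure). The point it shows is that the policy is keyed by tag, so a user who re-authenticates from a different IP keeps their access while the old address drops back to Unknown and to the web-only rule.

```python
"""Model of tag-based (TrustSec-style) enforcement for the thread's scenario.

Everything below is constructed for illustration: tag values, subnets,
addresses and SGACLs are assumptions, not taken from the original post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SGT_UNKNOWN = 0       # TrustSec reserves tag 0 for hosts with no binding
SGT_EMPLOYEE = 10     # constructed: ordinary internal user
SGT_DC_ADMIN = 20     # constructed: one of the ~5 privileged users
SGT_DC_SERVER = 30    # constructed: anything in the data centre

# SGACL entries modelled as (proto, dport or None, action), evaluated top-down.
WEB_ONLY = [("tcp", 80, "permit"), ("tcp", 443, "permit"), ("ip", None, "deny")]
PERMIT_ALL = [("ip", None, "permit")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


class Enforcer:
    """Enforcement point holding IP-SGT bindings and an SGT-to-SGT policy matrix."""

    def __init__(self, default_action: str = "deny"):
        self.host_bindings = {}     # ip -> sgt, dynamic (what SXP would carry from ISE)
        self.subnet_bindings = {}   # network -> sgt, static (servers / DC subnets)
        self.matrix = {}            # (src_sgt, dst_sgt) -> SGACL
        self.default_action = default_action

    def bind_host(self, ip: str, sgt: int) -> None:
        self.host_bindings[ip_address(ip)] = sgt

    def unbind_host(self, ip: str) -> None:
        self.host_bindings.pop(ip_address(ip), None)

    def bind_subnet(self, net: str, sgt: int) -> None:
        self.subnet_bindings[ip_network(net)] = sgt

    def set_policy(self, src_sgt: int, dst_sgt: int, acl) -> None:
        self.matrix[(src_sgt, dst_sgt)] = acl

    def sgt_for(self, ip: str) -> int:
        """Host binding wins; otherwise longest-prefix subnet match; otherwise Unknown."""
        addr = ip_address(ip)
        if addr in self.host_bindings:
            return self.host_bindings[addr]
        matches = [n for n in self.subnet_bindings if addr in n]
        if matches:
            return self.subnet_bindings[max(matches, key=lambda n: n.prefixlen)]
        return SGT_UNKNOWN

    def decide(self, flow: Flow) -> str:
        """Classify both ends, then walk the SGACL for that cell of the matrix."""
        acl = self.matrix.get((self.sgt_for(flow.src), self.sgt_for(flow.dst)))
        if acl is None:
            return self.default_action
        for proto, dport, action in acl:
            if proto == "ip" or (proto == flow.proto and (dport is None or dport == flow.dport)):
                return action
        return self.default_action


def build_enforcer() -> Enforcer:
    e = Enforcer()
    e.bind_subnet("10.20.0.0/16", SGT_DC_SERVER)          # constructed DC range
    e.set_policy(SGT_UNKNOWN, SGT_DC_SERVER, WEB_ONLY)    # unclassified hosts: web only
    e.set_policy(SGT_EMPLOYEE, SGT_DC_SERVER, WEB_ONLY)   # ordinary users: web only
    e.set_policy(SGT_DC_ADMIN, SGT_DC_SERVER, PERMIT_ALL) # privileged users: everything
    return e


def run_scenario() -> dict:
    e = build_enforcer()
    # Constructed bindings standing in for what ISE would push after authentication.
    e.bind_host("10.1.1.50", SGT_EMPLOYEE)   # alice
    e.bind_host("10.1.1.51", SGT_DC_ADMIN)   # bob
    results = {
        "employee_https": e.decide(Flow("10.1.1.50", "10.20.0.10", "tcp", 443)),
        "employee_ssh": e.decide(Flow("10.1.1.50", "10.20.0.10", "tcp", 22)),
        "admin_ssh": e.decide(Flow("10.1.1.51", "10.20.0.10", "tcp", 22)),
        "unauth_http": e.decide(Flow("10.1.1.99", "10.20.0.10", "tcp", 80)),
        "unauth_rdp": e.decide(Flow("10.1.1.99", "10.20.0.10", "tcp", 3389)),
    }
    # bob moves to another IP: the binding follows the user, the policy is untouched.
    e.unbind_host("10.1.1.51")
    e.bind_host("10.1.1.77", SGT_DC_ADMIN)
    results["admin_moved_ssh"] = e.decide(Flow("10.1.1.77", "10.20.0.10", "tcp", 22))
    results["old_ip_ssh"] = e.decide(Flow("10.1.1.51", "10.20.0.10", "tcp", 22))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:18} {verdict}")
```

The two things this models that a layer 3/4 ACL on the 10G port cannot give you are visible in the last two results: the privileged user keeps full access from a new address as soon as the new binding arrives, and the old address immediately falls back to Unknown and the web-only rule. The caveat is that the enforcement point only knows a source tag if something (ISE, SXP, a static mapping) classified it, so every internal host must at least reach the Unknown cell of the matrix, which is why that row is given the same web-only SGACL here.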
