Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1359
Views
0
Helpful
5
Replies

Default Policy between SGTs

jnfern1589
Level 1
Level 1

‎07-26-2017 07:21 AM - edited ‎03-11-2019 12:53 AM

Hi,

Evaluating TrustSec / ISE prior to deployment, I've already come across the pitfalls of using a "default deny" / deny policy with the 'unknown' destination SGT - as the DGT is only known at the destination (but enforced at the source).

Is there any way to create a policy that applies to 'all known SGTs' so we could default-deny traffic between devices that have been classified and assigned SGTs without having to manually create the policy (or programatically via the API etc) and update each time we create a new SGT?

Example scenario is NAC/TrustSec across campus where we don't want east-west communication, but off-campus traffic (DC, Internet etc) doesn't get SGTs and is allowed within TrustSec land (using external firewalls to actually police this).

Cheers,

-Jeff

Labels:
0 Helpful
5 Replies 5

jeaves@cisco.com
Cisco Employee
Cisco Employee

‎07-26-2017 09:43 AM

Hi Jeff,

let's start with asking if you're familiar with using 'unknown' in the TrustSec policy matrix.

See unknown as both a SGT choice and a DGT choice in the matrix:

Does this help with a default deny whereby you can assign permits if the destination is unknown?

Firewalls also support the concept of unknown SGT (it is SGT 0).

Let us know.

Thanks.

0 Helpful

jnfern1589
Level 1
Level 1
In response to jeaves@cisco.com

‎07-27-2017 04:31 AM

Hi,

Thanks. Adding a matrix of permit from every SGT to <unknown> destination would work (although feels a little clunky). As a side problem, our 4500-X are having issues with BFD when a PERMIT trustsec policy is applies to the NDAC SGT (support case is currently open on this).

Our firewall isn't TrustSec aware / capable, so we're not able to use anything within this.

Cheers,

-Jeff

0 Helpful

jeaves@cisco.com
Cisco Employee
Cisco Employee
In response to jnfern1589

‎07-27-2017 04:42 AM

If you forward the support case reference for the 4500-X BFD issue I'll take a look.

Would like to know the software release running.

0 Helpful

jnfern1589
Level 1
Level 1
In response to jeaves@cisco.com

‎08-17-2017 09:03 AM

I've finally got the case raised to TAC - reference number is SR682886788.

0 Helpful

jnfern1589
Level 1
Level 1

‎07-27-2017 04:54 AM

We're running 3.8.4 on the 4500-X (a VSS pair). The support request is currently with our provider, so I don't have a Cisco TAC reference to give you (yet).

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents