07-26-2017 07:21 AM - edited 03-11-2019 12:53 AM
Hi,
Evaluating TrustSec / ISE prior to deployment, I've already come across the pitfalls of using a "default deny" / deny policy with the 'unknown' destination SGT - as the DGT is only known at the destination (but enforced at the source).
Is there any way to create a policy that applies to 'all known SGTs' so we could default-deny traffic between devices that have been classified and assigned SGTs without having to manually create the policy (or programmatically via the API etc.) and update it each time we create a new SGT?
Example scenario is NAC/TrustSec across campus where we don't want east-west communication, but off-campus traffic (DC, Internet etc) doesn't get SGTs and is allowed within TrustSec land (using external firewalls to actually police this).
Cheers,
-Jeff
07-26-2017 09:43 AM
Hi Jeff,
let's start with asking if you're familiar with using 'unknown' in the TrustSec policy matrix.
See unknown as both a SGT choice and a DGT choice in the matrix:
Does this help with a default deny whereby you can assign permits if the destination is unknown?
Firewalls also support the concept of unknown SGT (it is SGT 0).
Let us know.
Thanks.
07-27-2017 04:31 AM
Hi,
Thanks. Adding a matrix of permit from every SGT to <unknown> destination would work (although it feels a little clunky). As a side problem, our 4500-X are having issues with BFD when a PERMIT TrustSec policy is applied to the NDAC SGT (a support case is currently open on this).
Our firewall isn't TrustSec aware / capable, so we're not able to use anything within this.
Cheers,
-Jeff
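The "permit from every known SGT to unknown, deny between known SGTs" approach discussed above, as an added example that is not part of the thread: a small Python model of the egress matrix that regenerates the cells from the current SGT list, so a newly created SGT automatically gets its permit-to-unknown cell instead of being hand-added. The function names, the sample SGT values and the IOS-style rendering are assumptions for illustration; verify the exact `cts role-based permissions` syntax and RBACL names against your platform's configuration guide before using it.

```python
"""Added example (not from the original thread): model a TrustSec egress
matrix that default-denies between classified (known) SGTs but permits any
flow whose destination group is unknown (SGT 0), because enforcement happens
at the source and off-campus destinations carry no tag there.
Function names, sample SGT values and the CLI rendering are assumptions."""

from itertools import product

UNKNOWN_SGT = 0  # TrustSec reserves tag 0 for "unknown"


def build_matrix(known_sgts, allowed_pairs=()):
    """Return {(src_sgt, dst_sgt): "permit"|"deny"} for every known source.

    known -> known is deny unless the pair is explicitly allowed;
    known -> unknown and unknown -> known are permit so traffic to/from
    untagged destinations (DC, Internet) is not dropped at the source.
    Regenerating from the full SGT list is what removes the per-SGT manual step.
    """
    allowed = set(allowed_pairs)
    cells = {}
    for src, dst in product(known_sgts, repeat=2):
        cells[(src, dst)] = "permit" if (src, dst) in allowed else "deny"
    for sgt in known_sgts:
        cells[(sgt, UNKNOWN_SGT)] = "permit"
        cells[(UNKNOWN_SGT, sgt)] = "permit"
    return cells


def decide(cells, src_sgt, dst_sgt, default="deny"):
    """Source-side lookup: when the destination has no IP-SGT binding the
    enforcement point sees DGT 0, so a plain default-deny matrix would drop
    the flow even though the real destination is off-campus and untagged."""
    return cells.get((src_sgt, dst_sgt), default)


def render_ios(cells, permit_rbacl="permit-all", deny_rbacl="deny-all"):
    """Render cells as IOS-style static policy lines.

    Assumed syntax: 'cts role-based permissions from <sgt|unknown>
    to <sgt|unknown> ipv4 <rbacl>'; the RBACL names are placeholders.
    """
    lines = []
    for (src, dst), action in sorted(cells.items()):
        s = "unknown" if src == UNKNOWN_SGT else str(src)
        d = "unknown" if dst == UNKNOWN_SGT else str(dst)
        rbacl = permit_rbacl if action == "permit" else deny_rbacl
        lines.append(f"cts role-based permissions from {s} to {d} ipv4 {rbacl}")
    return lines


if __name__ == "__main__":
    # Constructed sample data: three campus SGTs, one allowed east-west pair.
    campus = [10, 20, 30]
    matrix = build_matrix(campus, allowed_pairs=[(10, 20)])
    print(decide(matrix, 10, 30))          # deny: east-west between known SGTs
    print(decide(matrix, 10, UNKNOWN_SGT))  # permit: destination not classified
    # A new SGT appears: rebuild rather than hand-edit the matrix.
    matrix = build_matrix(campus + [40])
    print("\n".join(render_ios(matrix)))
```

The model also exposes the cost of the workaround: every new SGT adds two cells (to and from unknown), and "unknown" still covers anything that simply failed classification on campus, not only off-campus destinations, which is why the firewall has to carry the real policy for that traffic.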
07-27-2017 04:42 AM
If you forward the support case reference for the 4500-X BFD issue I'll take a look.
Would like to know the software release running.
08-17-2017 09:03 AM
I've finally got the case raised to TAC - reference number is SR682886788.
07-27-2017 04:54 AM
We're running 3.8.4 on the 4500-X (a VSS pair). The support request is currently with our provider, so I don't have a Cisco TAC reference to give you (yet).