11-07-2017 10:34 AM
If I have deployed TrustSec and I have a user at a remote site who wants to access a resource, normally the switch will get the policy for that user from ISE located at the data center over the WAN. What happens if the WAN connection fails? Do I need an ISE at every location to protect from this? If the switch can't get a policy, what happens to my users' access requests?
11-08-2017 08:05 AM
You can use Critical authentication in case none of the ISE nodes are available to the network device:
11-08-2017 09:12 AM
Thank you, very useful
06-20-2018 12:44 PM
What are you guys using for CE to CE connections? SXP over MPLS?
06-20-2018 12:59 PM
SXP is a valid method of spanning TrustSec domains across paths that don't support inline tagging. In large-scale deployments it requires proper planning to ensure that it scales appropriately. The total IP-SGT mapping count or the number of remote-site SXP connections will greatly influence the decisions made.
Another alternative is to set up a DMVPN overlay and leverage native inline tagging. In a perfect world you would have IWAN at all your sites and leverage inline tagging with DMVPN.
06-20-2018 01:05 PM
Appreciate the quick response. So over the WAN, inline tagging is not an option unless we use an overlay (ESP). We would build SXP peers between all the sites, and you are saying to make sure it's planned properly when it comes to IP-to-SGT mappings. I'm sure the routers would be some sort of ASR.
Thanks
06-20-2018 01:28 PM
Yes, you would need an overlay that is TrustSec SGT aware to accommodate inline tagging across the WAN. From an overlay perspective IPsec accommodates this, DMVPN just makes it easier to manage, and IWAN leverages both. I'm not aware of any carrier-provided transport that will support CTS inline, but I have not looked into it.
The ISE and TrustSec BU have been working on scaling with SXP recently and ISE v2.4 brought enhancements in this area. In some environments you may be able to use ISE nodes as the central SXP connection point.
One method of scaling SXP in large environments is to leverage dedicated ASRs as your central collection point. You would place these ASRs in the data center(s) and then feed mappings from the reflectors to other remote sites/enforcement points.
SXP scaling numbers with ISE 2.4
The end of this document also explores SXP and IP SGT mapping scaling from a theoretical point of view. I have found that a lot of it comes down to how equipment is being utilized vs how scale testing is performed. Total IP-SGT mappings in combination with total SXP connection count will impact scale.
If you are going down a path of TrustSec enforcement in a large environment I would recommend engaging the TrustSec BU before starting.
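Added example, not part of Damien's reply and not Cisco's own configuration: the hub-and-spoke SXP topology he describes, with a remote-site switch speaking its IP-SGT bindings to a data-center ASR that acts as reflector and re-advertises the aggregated table to an enforcement point. Every address and the password are placeholders I chose (remote sites 10.20.0.1 and 10.30.0.1, reflector 10.1.1.1, enforcement point 10.1.2.1). The point of the layout is that each remote site holds exactly one SXP connection, so the per-site connection count stays flat while the reflector absorbs the aggregate mapping count that Damien flags as the real scaling driver.

```cisco
! ======= Remote-site access switch (SXP speaker, placeholder 10.20.0.1) =======
cts sxp enable
cts sxp default source-ip 10.20.0.1
cts sxp default password 0 SxpSharedSecret
! One connection per site: push locally learned IP-SGT bindings to the reflector
cts sxp connection peer 10.1.1.1 password default mode local speaker
!
! ======= Data-center ASR acting as SXP reflector (placeholder 10.1.1.1) =======
cts sxp enable
cts sxp default source-ip 10.1.1.1
cts sxp default password 0 SxpSharedSecret
! Listen to every remote site (one line per site) ...
cts sxp connection peer 10.20.0.1 password default mode local listener
cts sxp connection peer 10.30.0.1 password default mode local listener
! ... and re-advertise the aggregated mapping table to the enforcement point
cts sxp connection peer 10.1.2.1 password default mode local speaker
! Reconnect and reconciliation timers (seconds); tune to the WAN flap profile
cts sxp retry period 60
cts sxp reconciliation period 120
!
! ======= Data-center enforcement point (SXP listener, placeholder 10.1.2.1) =======
cts sxp enable
cts sxp default source-ip 10.1.2.1
cts sxp default password 0 SxpSharedSecret
cts sxp connection peer 10.1.1.1 password default mode local listener
! Enforce SGACLs on the bindings learned over SXP
cts role-based enforcement
```

Verify with `show cts sxp connections brief` on each box (every peer should show "On") and `show cts role-based sgt-map all` on the enforcement point to confirm the remote-site bindings arrived via SXP. For the DMVPN alternative Damien mentions, inline tagging is enabled on the tunnel interface with `cts sgt inline`, after which the SXP connections for that site are unnecessary because the SGT travels in the frame.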
06-21-2018 06:07 AM
Thanks Damien. Makes perfect sense.