Thanks Damien. I was also thinking of piloting first. We do have a bunch of old cisco switches in some offices that I want to upgrade first. You also brought up a good point about IOS versions on switches. Been burned by this way too many times. Regardless, security is obviously paramount and we have now seen enough incidents to finally have the backing of business to move forward with this and that's why I was looking into it.

Great topic of discussion @Ricky Sandhu  .  I work mainly in wireless space and I am surprised at how many customers I come across who still hang onto their PSK WLANs because the thought of 802.1X fills them with dread.  Most networking kit can handle the tech, but the organisations/people are not ready for it.  Therefore I think there is still a lot of good work to be done out in the field to educate customers about wireless and wired 802.1X - I believe the wired variant is a bit special compared to wireless and this is the one that trips up most folks.

 

  @Damien Miller it would be nice to have a separate thread to hear your perspectives on getting customers ready for the TrustSec journey.  How do you approach it, and how do you plan for it. 

In my world that is still the ultimate unknown for many customers and I don't claim to fully understand it myself - but I am slowly getting there. In fact I think I had a Eureka moment today after watching a bunch of Labminutes videos on trustSec from way back.  I find his stuff so well done and more digestable than any book or white paper.  Or at least, I find it's a fantastic ice breaker for this scary topic.  I think TrustSec has great potential but in my experience as soon as someone mentions the T-word, the room goes uncomfortably silent.  People need to "see to believe" :)

Good Topic. I have to appropriate and put my input though. It much easier to implement 802.1X on wireless compare to wired. as you have to push the config on each single switch which is a time consuming and as said ealier in above post with different IOS version/s. in contract to wireless it more easire as all the setting are in one place in the controller.

 

in regards to Trust-Sec yes its scary in a way. Engineer do not have the exposure of this technology yet. we are still living in old school ACLs and most of us a happy and not ready to adopt the new technology as we have to go to read and lab again. just to your attention of cisco DNA where a trustsec rule can be deploy with a single click of touch. 

 

would be great to hear how you guy are implementing in what phase of tsec. technology is keep reinvent very fast. having said in this domain we have to still on top of skill of encounter these technologies. 

 

 

Yes there is a danger of getting "left behind" while the world is moving on with Cisco SDA/DNA-C etc.  When you have to explain what LISP and VXLAN is to customers, you can see the momentary blink in their eyes as they try to regain their composure.  "Ah yeah, sure, right, yes I see ... ermm"

 

I am also trying to get my head around Cisco DNA-C and Cisco SDA and it's pretty on Powerpoint.  I think if one manages to deploy it and all works well, then it's a win for the customer.  But when stuff breaks, who is left to debug this stuff?  It will be a handful of wizards somewhere, while the rest of us contemplate "reboot/rebuilt/reset" strategies.  LOL.  Ok. Maybe not - but it would be some knee jerk reaction UNLESS you knew what was going on under the hood. 

Speaking of under the hood - people make the analogy of cars and the complexity in modern cars - no average person knows how to fix a car anymore.  If something breaks then we see a mechanic - most of the time they don't know either - and they just rip and replace until it works.

Thanks Arne.  I agree with all your points on TrustSec. "There's a storm coming!!" (What movie?)

I was recently in a Cisco course and when we came across the topic of TrustSec, the instructor paused for a second, turned away from the whiteboard, and said, "Folks, if you REALLY want to make good money in future, TrustSec is the way to go.  Master TrustSec today and you will be ahead of the majority."

I think TrustSec is an excellent technology, if implemented correctly. All the small pieces have to work perfectly in unison.  This could get a major nightmare for larger deployments. A tiny mis-configuration somewhere could cause massive headaches elsewhere.  Phased approach in this case would be your saviour. 

In theory, DNAC could potentially simplify the TrustSec roll out from a config standpoint, but the thought of troubleshooting advanced problems in topics not many traditional networking people have worries me. SDA puts me off because it aims to simplifying networking with those advance technologies. The config for just TrustSec (no SDA) is not complicated. Over simplifying a bit, but a few global commands change, configuring uplinks and WAN to carry tags, all easily rinse and repeat.

I really like TrustSec, but it has some large technical and operations challenges. It really is a discussion of it's own.

1. You really need supported hardware to take full advantage, sgacl's and inline tagging are the heart and soul of the solution.
2. If you want east-west enforcement then you also need a scalable way of carrying sgt's across the WAN. SXP can work in small environments but it's an inscalable resource hog when used across the WAN. You're then left with iwan/dmvpn to carry the tags inline, iwan is the walking dead, and inline sgt support is not available yet in the viptela/cisco sdwan.
3. Finger pointing. Pre TrustSec, everyone blamed the firewall guys when traffic flows failed. Post TrustSec, everyone just blames TrustSec. It's silent and deadly when you start assigning different tags to various business units, users, endpoints, and servers. It honestly requires a dedicated team, treating it like firewalls in the large enterprises. Most companies don't have dedicated ISE resources and have trouble hiring people, even fewer of the people in the market can troubleshoot TrustSec. The talent usually has to be homegrown.
4. The unknown traffic conundrum. You can write policy for tagged to tagged traffic, but it gets complicated when you introduce untagged traffic that's present in every environment. Some examples of this are sites yet to be implemented, B2B tunnels, or internet traffic. You can either block of allow untagged traffic, you have to account for and work around this.

It's time intensive to build and manage solutions.

Thanks for unleashing the hidden truths of trustsec.

Ive only worked with ISE for 802.1x for a short time. Its such a heavy, fickle, ponderous beast! At its back end, its a full Oracle database server. Ive worked with up to version 2.4. Are the later versions lighter and more robust?