08-18-2019 01:44 AM
Hello
With ISE monitor mode and low impact mode, you can have an interface ACL on the switch.
When you switch to TrustSec, how do you implement something like that? Is there a way to have an initial TrustSec group, for example for low impact mode, to put the user into before they are authenticated or a device is profiled? Initially they would need minimal access in low impact mode, then they would get moved into the right SGT.
Please share your thoughts on this.
08-18-2019 01:15 PM
08-19-2019 12:31 AM
Thanks Damien.
What I was implying is that I never saw any best practices doc on how to integrate monitor mode, low impact, and closed mode in a TrustSec environment.
I am not suggesting that I want to go to TrustSec enforcement on day 1. I just want to allow any-to-any for the most part.
I am just looking for how others have implemented this. The way I see it, for example, if I implement low impact mode with a pre-auth ACL and then don't push a DACL after successful auth of the machine, then the pre-auth ACL will take precedence even if TrustSec allows everything. So what I have to do is have a DACL that allows the required traffic, or a permit any, and then let TrustSec block what it needs to block.
My question is around how others have implemented this in the phased approach of monitor, low impact, and closed.
Also, I know this discussion is around ISE, but do you think a small deployment of TrustSec (less than 1000 endpoints) can just do SXP and not have to worry about inline tagging etc.?
08-19-2019 10:44 AM
08-20-2019 12:25 AM
Looking for how others have implemented this.
Like I said, the only way I found was this: you need a pre-auth ACL for low impact mode on the interface.
Once that's done and it's profiled, then you have to push a DACL to allow everything, otherwise TrustSec won't work.
So, if I understand correctly, for low impact mode you need the following:
1) pre-auth interface ACL
2) DACL after MAB/dot1x to allow everything
3) the TrustSec SGT assigned will now dictate what the device can access based on SGACLs
Is that the way others have done it?
Also for SXP, I would have a hierarchy. L2-only switches will be SXP speakers to an upstream dist/core switch. The dist/core will have the entire SXP table and also peer to ISE.
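The three steps and the SXP hierarchy listed above, written out as a constructed IOS-XE configuration sketch. This is an added example, not configuration posted by anyone in this thread; interface names, IP addresses, SGT numbers, ACL/SGACL names, the legacy (non-IBNS 2.0) authentication commands and the SXP directions are all assumptions chosen for illustration. The DACL itself lives in ISE, not on the switch, so it is shown as the ACE text ISE pushes.

```cisco
! (1) Pre-auth interface ACL (low impact mode): before the session is
!     authenticated only bootstrap traffic is allowed, everything else is denied.
ip access-list extended ACL-LOW-IMPACT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 deny   ip any any

interface GigabitEthernet1/0/10
 switchport mode access
 ip access-group ACL-LOW-IMPACT in
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator

! (2) DACL pushed by ISE on successful MAB/dot1x (defined under
!     Policy > Policy Elements > Results > Downloadable ACLs in ISE).
!     Its ACE text, as the thread describes, simply opens the session so that
!     access control moves from the interface ACL to the SGACL:
!       permit ip any any
!     Check what was actually applied to a session with:
!       show authentication sessions interface GigabitEthernet1/0/10 details

! (3) SGACL on the enforcement (dist/core) switch. Source SGT 10 and
!     destination SGT 20 are assumed values; in production the SGACL is
!     normally downloaded from ISE rather than typed locally.
cts role-based enforcement
ip access-list role-based SGACL-EMPLOYEE-TO-SERVERS
 permit tcp dst eq 443
 permit tcp dst eq 22
 deny ip
cts role-based permissions from 10 to 20 ipv4 SGACL-EMPLOYEE-TO-SERVERS

! SXP hierarchy. Access (L2-only) switch: speaker toward the dist/core.
cts sxp enable
cts sxp default password SXP-PASSWORD-PLACEHOLDER
cts sxp connection peer 10.0.0.1 password default mode local speaker

! Dist/core switch: listener from each access switch, and (direction is a
! design choice; shown here as speaker) a peering with the ISE SXP service.
cts sxp enable
cts sxp default password SXP-PASSWORD-PLACEHOLDER
cts sxp connection peer 10.0.1.10 password default mode local listener
cts sxp connection peer 10.0.0.50 password default mode local speaker
```

The points to verify after applying something like this are `show cts sxp connections` on the dist/core (each access switch should show as an established connection), `show cts role-based sgt-map all` (bindings learned via SXP for the endpoints behind the L2 switches) and `show cts role-based counters` (hits on the SGACL rather than on the interface ACL once the DACL has replaced it for an authenticated session).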
08-20-2019 01:59 AM
Hello Tomase,
TrustSec phase modes are explained below:
So, in light of the above, TrustSec is independent of any predefined ACL; its role is to tag traffic according to the defined function and apply the applicable SGT policy (role-based access) to such flows. I guess this is why we normally permit all flows when in low impact mode, and this is dependent on the SGT tag defined on the RADIUS server.
08-20-2019 03:02 AM
@tomalexis let me know if this has helped you
08-25-2019 12:51 PM
Not really :) .. I was hoping somebody who has really implemented TrustSec with low impact mode would talk about their experience and how they implemented the ACLs, either the default interface ACL and then the TrustSec ACL migration.