ISE SGT: TrustSec_Devices

ryanbess
Level 1

Hello all,

What is the purpose of the TrustSec_Devices SGT?

5 Replies

@ryanbess TrustSec SGTs (Scalable Group Tags or Security Group Tags) are used for segmentation purposes. The SGTs are assigned dynamically by ISE (or can be statically configured) to the endpoint/users and can be used to classify network traffic and enforce security policies on devices including switches, routers, ASA/FTD, WSA etc.

https://community.cisco.com/t5/security-knowledge-base/group-based-policy-fundamentals/ta-p/3764433


Yeah, I get that. We were advised by Cisco SMEs not to enable TrustSec on interfaces that interact with ISE. Doing some self-learning on whether this is appropriate or not. It does eliminate the need to ensure that TrustSec devices are permitted to Unknown (our ISE servers are outside the fabric, as I suspect most environments' are).

I think I would disagree with that statement, but maybe there is more context behind it. ISE would be considered a network appliance, which would be treated in the same way as any other appliance you want to protect on your network. You can still assign a tag to the ISE IP addresses and then apply the enforcement. So if ISE is connected to a switch that is sitting outside the SDA fabric, you would need to add those switches to DNA-C for management purposes and to ease the TrustSec configuration, which will be taken care of by DNA-C, or you can leave them out of DNA-C and configure SXP on the fabric ports and the shared-services switch ports.

That encapsulation will carry the tags between the fabric and the external switches. One thing to keep in mind with TrustSec is that the enforcement happens at the exit, which means if you want to block the traffic from one SGT to another, the exit switch will be the enforcement point, and the enforcement happens based on the security matrix that would have been pushed by ISE to the switches.

Regarding the unknown traffic, usually you don't want to block anything to Unknown, mainly because Unknown means internet traffic and any device that wasn't assigned a tag, whether manually or dynamically.

Our ISE is outside the fabric and protected by an NGFW. All our SDA switches are inside the fabric. ISE connects to these switches via the loopback and vice versa. Access to the loopback is controlled via the NGFW, so only certain IPs can communicate with them. The loopback interfaces connected to upstream devices had TrustSec enabled on them. What we ran into was that if we forgot to assign the NADs to the SGT TrustSec_Devices AND we forgot to permit TrustSec_Devices to Unknown and Unknown to TrustSec_Devices, the NADs lost their ability to be managed. It was a chicken-and-egg situation. We couldn't revert the change, so we ended up having to console into those switches and remove the TrustSec configs.


Cisco brought in some architects, and they just told us not to enable TrustSec on the uplink interfaces. To me, this seems reasonable, since access to the loopbacks is controlled via the NGFW. But me being me, I'm like, "Why did Cisco add the built-in TrustSec_Devices SGT only for us to be told not to use it?"

In that scenario I would still try to assign a tag to ISE, and the same concept for the switches; all those appliances shouldn't fall into the Unknown SGT, exactly to avoid that risk.
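The lockout described in this thread is easy to reason about once you model what the egress switch actually does: classify source and destination by IP-to-SGT mapping (anything unmapped is Unknown), then look up that (src, dst) cell in the matrix ISE pushed. The following is an added toy model written for this page, not code from the thread, from Cisco or from ISE. It assumes the ISE default SGT numbers (Unknown = 0, TrustSec_Devices = 2), a matrix whose unpopulated cells deny (the OP's symptoms imply the default was not permit), and constructed IP addresses for the ISE PSN and a switch loopback. It shows the three states discussed: nothing mapped and no Unknown permits (management lost), the NAD forgotten but TrustSec_Devices <-> Unknown permitted (still manageable), and everything tagged (the recommendation in the last reply).

```python
"""
Toy model of TrustSec egress enforcement, added to illustrate the thread.
Not Cisco code: SGT numbers follow ISE defaults, everything else is constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

UNKNOWN = 0            # ISE default: untagged traffic
TRUSTSEC_DEVICES = 2   # ISE default built-in SGT for NADs / ISE itself
PERMIT, DENY = "permit", "deny"

ISE_IP = "10.0.250.10"       # constructed: ISE PSN behind the NGFW, outside the fabric
NAD_LOOPBACK = "10.0.0.5"    # constructed: a fabric switch's Loopback0


@dataclass
class EgressSwitch:
    """The enforcement point: the switch the traffic leaves through."""
    # Static IP-to-SGT bindings (what `cts role-based sgt-map <ip> sgt <n>`
    # or an SXP-learned binding would give the switch).
    sgt_map: dict[ipaddress.IPv4Address, int] = field(default_factory=dict)
    # Matrix cells pushed by ISE: (src_sgt, dst_sgt) -> action.
    matrix: dict[tuple[int, int], str] = field(default_factory=dict)
    # Action for a cell ISE did not populate (assumption: deny, see lead-in).
    default_action: str = DENY

    def classify(self, ip: str) -> int:
        """An IP with no binding, static or dynamic, falls into Unknown (SGT 0)."""
        return self.sgt_map.get(ipaddress.IPv4Address(ip), UNKNOWN)

    def permitted(self, src_ip: str, dst_ip: str) -> bool:
        cell = (self.classify(src_ip), self.classify(dst_ip))
        return self.matrix.get(cell, self.default_action) == PERMIT


def management_reachable(sw: EgressSwitch, ise_ip: str, nad_loopback: str) -> bool:
    """RADIUS/TACACS from the NAD to ISE and SSH/SNMP from ISE to the NAD both
    need to pass; lose either direction and the NAD can no longer be managed."""
    return sw.permitted(nad_loopback, ise_ip) and sw.permitted(ise_ip, nad_loopback)


def broken_deployment() -> EgressSwitch:
    """The OP's chicken-and-egg: TrustSec on the uplink, nobody mapped to an
    SGT, and no TrustSec_Devices <-> Unknown permits in the matrix."""
    return EgressSwitch(
        sgt_map={},
        matrix={(TRUSTSEC_DEVICES, TRUSTSEC_DEVICES): PERMIT},
        default_action=DENY,
    )


def permits_only_deployment() -> EgressSwitch:
    """Unknown permits added but still nothing mapped: both ends classify as
    Unknown, so the (0, 0) cell decides, and that one is still the default."""
    sw = broken_deployment()
    sw.matrix[(TRUSTSEC_DEVICES, UNKNOWN)] = PERMIT
    sw.matrix[(UNKNOWN, TRUSTSEC_DEVICES)] = PERMIT
    return sw


def fixed_deployment() -> EgressSwitch:
    """Both points from the thread: tag ISE and the NAD loopbacks as
    TrustSec_Devices, and permit TrustSec_Devices <-> Unknown as a safety net."""
    sw = permits_only_deployment()
    sw.sgt_map[ipaddress.IPv4Address(ISE_IP)] = TRUSTSEC_DEVICES
    sw.sgt_map[ipaddress.IPv4Address(NAD_LOOPBACK)] = TRUSTSEC_DEVICES
    return sw


def nad_forgotten_deployment() -> EgressSwitch:
    """ISE tagged, one NAD's mapping forgotten: the safety-net permits are what
    keep that NAD manageable while it sits in Unknown."""
    sw = fixed_deployment()
    del sw.sgt_map[ipaddress.IPv4Address(NAD_LOOPBACK)]
    return sw


if __name__ == "__main__":
    scenarios = {
        "nothing mapped, no Unknown permits": broken_deployment(),
        "Unknown permits, nothing mapped": permits_only_deployment(),
        "ISE tagged, NAD forgotten": nad_forgotten_deployment(),
        "ISE and NAD tagged": fixed_deployment(),
    }
    for name, sw in scenarios.items():
        ok = management_reachable(sw, ISE_IP, NAD_LOOPBACK)
        print(f"{name:36s} NAD sgt={sw.classify(NAD_LOOPBACK)} "
              f"ISE sgt={sw.classify(ISE_IP)} manageable={ok}")
```

The model makes the "AND" in the OP's description concrete: tagging alone fixes the broken case, and the Unknown permits alone do not (both ends are Unknown, and that cell was never populated), but the permits are what save you the day a mapping is missed. It also shows why the last reply wants ISE itself tagged rather than left in Unknown.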