cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
82
Views
1
Helpful
3
Replies

Microsegmenation - using ACLs

carl_townshend
Spotlight
Spotlight

Hi All

We are evaluating some microsegmentation products, they effectively use ACLs to enforce on each port, trustsec isnt possible as wee have lots of older switches.

Has anyone successfully implemented third party segmentation products using Cisco switches and using ACLs?

The potential tcam table utilization concerns me so I would be interested to see if others have achieved it and it runs fine?

we use lots of older 2960x's still, alot of sites are 9200s and the rest will go to 9200s on the edge soon.

3 Replies 3

paboer
Level 2
Level 2

What I've encountered in some environments when striving for a certain level of microsegmentation is DACLs distributed via ISE.

This is scalable up to a certain point; beyond that, you can take a “shortcut” by using VRFs and firewalls for traffic between VRFs, which allows you to reduce the size of (D)ACLs because the firewall handles this traffic when it leaves the VRF.

preston-presley
Visitor

You can definitely do this with ISE - it just depends on how scalable you need it to be and what kind of visibility you need to have. I'll give an example - previous engineers at my workplace put APs and Printers on the same VLAN. I had since upgraded WLC and moved over the compatible APs, but there were still a lot of APs that were not compatible with the new WLC so to mitigate, I created a policy in ISE to match on my printers and associated a DACL for that policy to only allow it to talk to the print server, DHCP and DNS, etc. This works great and is really what should be done for every MAB policy. The downside is that you don't get the granular visibility that you would see in an FMC Unified Events pane. I would never suggest doing this, but if you deploy ISE correctly, you could lock your network down very securely even on a flat network without traditional vlan segmentation.

Sure FortiNAC comes to mind for a primarily SNMP/CLI based-NAC.

As others have mentioned, scale is the big issue here. Also imo if you have switches that are old enough not to support TrustSec, you are fixing the wrong problem here.