cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

902
Views
1
Helpful
2
Replies
Highlighted
Cisco Employee

Migating from Default Permit to Default Deny in Trustsec Policies

Hi Team,

One of my customers with an existing SDA deployment, has asked us to help them move from the "Default permit" to "Defauly Deny" in the Trustsec policies. Since this a brownfield deployment, we are little skeptical in doing this without getting the information on "what all to allow"?

We have received the information about all destinations that specific SGT needs to access. The question is mostly about traffic that is not known and not tagged at this time e.g Control Plane and Management traffic from the switches.

We would like to know the best approach to handle this without impacting the production. I can think of a couple of approaches, but need to know the additional details:

1: Putting the default deny in Trust Matrix in "Monitor" mode with log keyword in SGACL. This way we can monitor what all is hitting the deny rule, and then open accordingly.

2: Allowing all traffic to and from "Trustsec_Devices" SGT to "Unknown" SGT to cater to the control plane and management traffic.

The first one seems time consuming, and will probably require us to go through a huge chunk of logs. The second approach has security issues. I was unable to find some documentation which provides a list of all control plane and management services that need to be opened in these scenarios. We would like to know how other customers have handled this.

Please provide your valuable inputs.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Re: Migating from Default Permit to Default Deny in Trustsec Policies

I wouldn't particularly recommend number 1 with monitor mode without extensively testing it in the lab first.

For control plane, I don't think you need TrustSec_Devices to be allowed to communicate with unknown. Unless you can think of any corner cases you probably only need TrustSec_Devices -> TrustSec_Devices (allowing routing protocol updates etc) plus communication to servers like ISE, syslog servers etc however you have classified them.

One recommendation would be to extensively use 'source unknown group to all destination groups' and all source groups to destination unknown group' in the transition. Basically, this means fill the unknown row with permits and the unknown column with permits. When you switch to default deny, initially all your traffic sourced or destined for unknown will be permitted rathar than default denied. That will permit you to remove the unknown entries in a controlled manner to slowly introduce the default deny.

Interested in what others have to say. Particularly those that have gone through the exercise.

View solution in original post

2 REPLIES 2
Highlighted
Cisco Employee

Re: Migating from Default Permit to Default Deny in Trustsec Policies

I wouldn't particularly recommend number 1 with monitor mode without extensively testing it in the lab first.

For control plane, I don't think you need TrustSec_Devices to be allowed to communicate with unknown. Unless you can think of any corner cases you probably only need TrustSec_Devices -> TrustSec_Devices (allowing routing protocol updates etc) plus communication to servers like ISE, syslog servers etc however you have classified them.

One recommendation would be to extensively use 'source unknown group to all destination groups' and all source groups to destination unknown group' in the transition. Basically, this means fill the unknown row with permits and the unknown column with permits. When you switch to default deny, initially all your traffic sourced or destined for unknown will be permitted rathar than default denied. That will permit you to remove the unknown entries in a controlled manner to slowly introduce the default deny.

Interested in what others have to say. Particularly those that have gone through the exercise.

View solution in original post

Highlighted
Cisco Employee

Re: Migating from Default Permit to Default Deny in Trustsec Policies

Just bumping this one up as we have a few more requests like these and still haven't found any guidelines. We are anyway setting this up in lab, but anyone who has done this firsthand, please feel free to provide your inputs.