07-16-2023 01:28 PM
Hi
I'm looking at securing a High Performance Compute (HPC) node. The node will be accessible from outwith the LAN but access through a stateful firewall causes latency issues - to secure access, I'm planning on a "Science DMZ" using Cisco TrustSec - see diagram for physical topology.
Has anyone ever used TrustSec outwith the LAN like this? Any other comments on the design?
Thanks
Andy
07-16-2023 03:27 PM
Is it a real environment? I've never deployed or seen it deployed and I'd like to see your progress on this, if you don't mind sharing.
One comment I have is about the ISE placement. If ISE has any trouble reaching the BGP CAT 9K it will not enforce TrustSec and you may lose access to the HPC.
07-16-2023 03:43 PM
Hi Flavio
Yes, this will become a production environment. My main concern was the loss of connection between ISE and BGP switch leading to the loss of SXP bindings and ISE SGACLs. To mitigate this, there would be some SGT-IP bindings with some SGACLs configured locally on the BGP switch - these would be overridden by SXP and ISE ACLs when ISE was available.
I'll keep the thread updated with any findings.
Thanks
Andy
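What the local fallback Andy describes might look like on the BGP-facing Catalyst 9K, as an added IOS-XE configuration example (not from the thread or from Cisco's documentation): static IP-SGT bindings and a locally defined SGACL matrix that remain on the box if SXP and ISE are unreachable. All addresses, SGT values, VLAN and port numbers are assumed, and the SXP password is a placeholder.

```cisco
! Added example (not from the thread). Addresses, SGTs, VLAN and ports are assumed.
!
! Enforce SGACLs on routed traffic and on the HPC VLAN
cts role-based enforcement
cts role-based enforcement vlan-list 100
!
! Static IP-SGT bindings kept in local config, so they survive loss of ISE/SXP
! (HPC node gets the assumed SGT 10, remote research prefix the assumed SGT 20)
cts role-based sgt-map 192.0.2.10 sgt 10
cts role-based sgt-map 198.51.100.0/24 sgt 20
!
! Locally defined SGACL: only SSH and an assumed data-mover port range reach the HPC
ip access-list role-based HPC_ALLOW
 permit tcp dst eq 22
 permit tcp dst range 60000 61000
 deny ip log
!
ip access-list role-based DENY_ALL
 deny ip log
!
! Local permission matrix used when no policy has been downloaded from ISE
cts role-based permissions from 20 to 10 ipv4 HPC_ALLOW
cts role-based permissions default ipv4 DENY_ALL
!
! SXP listener so ISE can push its bindings whenever it is reachable
cts sxp enable
cts sxp default password 0 SXP_PASSWORD_PLACEHOLDER
cts sxp connection peer 203.0.113.5 source 203.0.113.1 password default mode local listener
!
! Verification after a simulated ISE outage:
!   show cts role-based sgt-map all     - Source column shows CLI vs SXP per binding
!   show cts role-based permissions     - which matrix entries are in effect
!   show cts sxp connections brief      - SXP session state to ISE
!   show cts role-based counters        - hits on HPC_ALLOW / DENY_ALL
```

The `show` commands are the ones to run with the ISE link deliberately cut, to confirm which binding source and which permission entries the switch is actually enforcing.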