"Science DMZ" using Cisco TrustSec

andrewswanson
Level 7

Hi

I'm looking at securing a High Performance Compute (HPC) node. The node will be accessible from outwith the LAN but access through a stateful firewall causes latency issues - to secure access, I'm planning on a "Science DMZ" using Cisco TrustSec - see diagram for physical topology.

  • The HPC "outside" interface connects into the BGP switch (bypassing the stateful firewall)
  • Using SXP, ISE will send HPC SGT-IP bindings to the BGP Switch
  • BGP switch will be configured for CTS environment to download ISE SGACLs for HPC SGTs
  • BGP switch will also have generic local SGT-IP bindings and SGACLs configured in case communication with ISE goes down and CTS environment data is lost.

Has anyone ever used TrustSec outwith the LAN like this? Any other comments on the design?

Thanks
Andy

science dmz.png

2 Replies

Hi @andrewswanson

Is it a real environment? I've never deployed or seen it deployed and I'd like to see your progress on this, if you don't mind sharing.

One comment I have is about the ISE placement. If ISE has any trouble reaching the BGP CAT 9K it will not enforce TrustSec and you may lose access to the HPC.

andrewswanson
Level 7

Hi Flavio

Yes, this will become a production environment. My main concern was the loss of connection between ISE and BGP switch leading to the loss of SXP bindings and ISE SGACLs. To mitigate this, there would be some SGT-IP bindings with some SGACLs configured locally on the BGP switch - these would be overridden by SXP and ISE ACLs when ISE was available.

I'll keep the thread updated with any findings.

Thanks

Andy
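The design in the original post (SXP-learned HPC bindings plus ISE-downloaded SGACLs on the BGP switch) and the fallback Andy describes in his reply (local SGT-IP bindings and SGACLs that cover an ISE outage) can be sketched together as one IOS-XE configuration. This is an added example, not configuration from the thread or from Cisco; the addresses, SGT numbers, list names and secrets are assumed placeholders.

```cisco
! Added example: Catalyst 9K "BGP switch" in a TrustSec Science DMZ.
! Assumed values (not from the thread): ISE RADIUS/SXP peer 192.0.2.10,
! switch source address 192.0.2.1, HPC outside interface 198.51.100.20
! tagged SGT 1000, remote collaborator prefix 203.0.113.0/24 tagged SGT 2000.

! 1. CTS environment data and SGACLs downloaded from ISE (used while ISE is up)
aaa new-model
radius server ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 pac key ISE_PAC_KEY_PLACEHOLDER
aaa group server radius ISE_RADIUS
 server name ISE
aaa authorization network ISE_LIST group ISE_RADIUS
cts authorization list ISE_LIST

! 2. SXP: the switch is the listener, ISE speaks the HPC SGT-IP bindings
cts sxp enable
cts sxp default password SXP_PASSWORD_PLACEHOLDER
cts sxp connection peer 192.0.2.10 source 192.0.2.1 password default mode local listener

! 3. Local fallback bindings: still present if the SXP session and
!    environment data are lost (the "generic local SGT-IP bindings" of the design)
cts role-based sgt-map 198.51.100.20 sgt 1000
cts role-based sgt-map 203.0.113.0/24 sgt 2000

! 4. Local fallback SGACL for the collaborator -> HPC cell: SSH only, rest dropped.
!    The unmatched/default cell is deliberately left alone here; tightening it
!    affects every routed flow through this switch (including unknown SGT 0)
!    and needs its own testing.
ip access-list role-based HPC_FALLBACK
 permit tcp dst eq 22
 deny ip
cts role-based permissions from 2000 to 1000 HPC_FALLBACK

! 5. Turn on SGACL enforcement for routed traffic
cts role-based enforcement

! Verification after an ISE outage drill:
!   show cts environment-data            (is ISE policy still current?)
!   show cts sxp connections brief       (is the SXP session up?)
!   show cts role-based sgt-map all      (which SOURCE supplies each binding?)
!   show cts role-based permissions      (which SGACL is installed per cell?)
!   show cts role-based counters         (is the cell actually being hit?)
```

Which entry wins when a static CLI binding overlaps an SXP-learned one, or a local SGACL overlaps an ISE-downloaded one, depends on platform and release, so confirm it from the SOURCE column of `show cts role-based sgt-map all` and from `show cts role-based permissions` instead of assuming the local entries are simply overridden.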