SD-Access without TrustSec

Hi everyone,

For SD-Access, the nice cool feature is having a software policy-based LAN segmentation. This needs, of course, a TrustSec-ready ISE, a TrustSec security policy and all.

How will SD-Access behave without TrustSec? Does it make sense to propose SD-Access without TrustSec?

csolder
Cisco Employee

Hi Jose

In the current implementation of SD-Access, ISE is a mandatory element in the solution. We use ISE to not only authenticate and authorize the on-boarding of hosts into the SD-Access fabric, but also to push policy to the fabric edge nodes that is eventually carried in users' data packets as they traverse the fabric. While policy is defined in the DNA-C UI, the actual policy is stored in ISE. Net-Net you will need to include ISE in any SD-Access deployments that you plan.

This is not accurate in DNAC 1.1, you can deploy SDA without ISE/TrustSec. You just won't be able to do any endpoint segmentation (SGTs). But you would gain endpoint mobility and macro-segmentation benefits (VRF), as well as several other benefits. You could use another product for 802.1X, it just couldn't be used with SDA unless there is PxGrid support and it is interoperable with DNAC.

That was my point. SD-Access by definition is about providing both macro and micro segmentation. Without ISE then you do not really have SD-Access. You just have a fabric and VN.

Your statement was that "ISE is a mandatory element in the solution". That is inaccurate, since it implies you cannot do SDA without ISE. And not sure where you got your definition of SDA but it provides much more than just micro and macro seg. A fabric and a VN (along with LISP/VXLAN) is indeed SDA if it is being managed with DNAC.

Although I agree you do lose most of the value of SDA (dot1x, CTS, contextual data in assurance) without it. And I cannot figure out why an organization wouldn't use ISE since the licensing is included with the SDA license (DNA Advantage).

Just disagree with your broad statements.

I think we both see the value of SDA, as a complete solution we just need to be careful mixing facts with opinions and causing more confusion.

Good question on where I get my definition of SDA. I currently own technical strategy for SDA here at Cisco, and I am also one of the original engineering team members who brought SDA to life here at Cisco. From its inception, policy has been both fundamental and a foundational element for SDA. You are right that DNAC can create a fabric and create VNs etc. without ISE, and you can get many benefits, but by our original definition and vision of SDA it is not SDA without policy. Sorry to be pedantic.

I guess we will agree to disagree on definition. Foundational and fundamental is different than required. Given your role at Cisco and how you define SDA, advise developers to remove the optional DNA-C ISE integration.

Respectfully we should not agree to disagree. I would ask that you help us by aligning to our common definition of SDA. The definition you are using is incorrect, sorry, and is not aligned to what our teams are telling the many customers we meet with. If there are inconsistencies in our documentation then I can have our teams correct this. Do let me know where you see those and we can have them fixed.

Also note your earlier statement about using another device (not ISE) to do 802.1x is supported but still requires ISE to be a proxy to that external authentication device. This might change in the future but is the way it works even with the recently released 1.2 version.

I should also add I confirmed with our engineering team that we have not validated running SDA "without" ISE and as such if a customer were to run this and hit a problem they would likely not be supported by TAC. Hence again I would respectfully ask that you let your peers and customers know that SDA 1.0, 1.1 and 1.2 do require ISE.

Thank you

You should probably let people on the floor know. We talked with several Cisco employees and a speaker for SDA at CiscoLive Orlando who specifically told us we can run DNAC/SDA without ISE, if of course we could live without certain features and menus complaining.

Also, the feature of "no authentication" would imply not having ISE or any authentication.

TOEC is right, we can implement DNA-C without ISE, by using "no authentication" in "host onboarding".

You will need ISE if you need SGT, DOT1X authentication and grouping of network users.

Add all the IP pools in the same VN or multiple VNs and use a Fusion router to leak the routes.
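The last reply mentions leaking routes between VNs on a fusion router. As an added illustration that is not part of this thread or of any Cisco documentation, the fragment below shows the general IOS/IOS-XE VRF-lite shape of such a leak: two VRFs (the VN names `CAMPUS` and `SHARED`, the route distinguishers, the BGP AS number and the prefixes are all assumed, not taken from the thread). The security-relevant point is that once ISE/TrustSec is absent, VRF boundaries are the only segmentation left, so the leak is constrained with a prefix list and an `import map` rather than importing every route of the other VN.

```cisco
! Assumed VN names and RDs; adjust to the fabric's actual VNs.
vrf definition CAMPUS
 rd 65001:100
 address-family ipv4
  route-target export 65001:100
  ! Import only what the SHARED VN exports and that the import map permits.
  route-target import 65001:200
  import map LEAK-SHARED-TO-CAMPUS
 exit-address-family
!
vrf definition SHARED
 rd 65001:200
 address-family ipv4
  route-target export 65001:200
  route-target import 65001:100
  import map LEAK-CAMPUS-TO-SHARED
 exit-address-family
!
! Only the shared-services subnet (assumed value) may enter CAMPUS;
! everything else from SHARED is dropped by the import map.
ip prefix-list SHARED-SERVICES seq 10 permit 10.200.10.0/24
route-map LEAK-SHARED-TO-CAMPUS permit 10
 match ip address prefix-list SHARED-SERVICES
!
! Only the campus user pools (assumed value) are reachable from SHARED.
ip prefix-list CAMPUS-POOLS seq 10 permit 10.100.0.0/16 le 24
route-map LEAK-CAMPUS-TO-SHARED permit 10
 match ip address prefix-list CAMPUS-POOLS
!
! Assumed BGP peering toward the fabric border; one session per VRF.
router bgp 65001
 address-family ipv4 vrf CAMPUS
  neighbor 10.0.0.2 remote-as 65000
  neighbor 10.0.0.2 activate
 exit-address-family
 address-family ipv4 vrf SHARED
  neighbor 10.0.1.2 remote-as 65000
  neighbor 10.0.1.2 activate
 exit-address-family
```

After applying this, `show ip route vrf CAMPUS` should list only the permitted shared-services prefix from the other VN; if unexpected prefixes appear, the import map or the route-target imports are broader than intended and the macro-segmentation the thread credits to VRFs is weaker than assumed.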