10-08-2022 05:04 AM
Hi guys, deploying SDWAN/SDA fabric across an enterprise. Mainly hardware refresh to Nexus 9K but in some remote locations there are legacy networks/server farms 'out of scope' that are connecting in on legacy hardware such as a Cisco 2900 router or Nexus 5k for example.
For the cEdge it will be the 8300 model and my question is around enforcing SGT policy with the legacy environment. Will I be able to bring those legacy networks in on the cEdge and have the cEdge talk SXP with ISE and apply IP-SGT mappings or would I need to refresh the legacy hardware to Catalyst 9k for example.
Thanks
10-08-2022 05:57 AM
@Midnight Rodeo if I were a Cisco salesman I'd say you have to buy new hardware. However, the ISR 2900 routers and Nexus 5K switches support TrustSec (inline tagging, SXP and SGACL/SG firewall etc.) so you could probably do something on the legacy hardware, even if you just inline tag traffic to newer hardware which would be used as an enforcement point.
Check the TrustSec matrix for hardware feature support: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-6-0-platform-capability-matrix.pdf and note the minimum supported versions.
10-08-2022 07:18 AM
So you could just use the 8300 as the enforcement point and have the legacy hardware speak SXP to the 8300?
10-08-2022 07:29 AM
@Midnight Rodeo you could use SXP as both ISR 2900 and Nexus 5K support it, however if you've a lot of legacy devices to manage it might be easier to inline tag if possible.
10-08-2022 07:32 AM
Thank you Rob. So what would the flow look like? ISE would have the centralised policy with the SGT-IP mapping, which would then push the policy down to the Nexus 5K for example?
10-08-2022 07:46 AM
@Midnight Rodeo no, ISE would push down a policy (SGACL) to the 8300 for enforcement. You would create an SXP pairing between the N5K and the 8300, in order for the 8300 to learn the IP/SGT bindings of the endpoints connected to the N5K.
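As an added illustration of the flow described in the reply above (not configuration from the thread, and not taken from Cisco documentation), here is a minimal SXP pairing in which the N5K speaks its IP-SGT bindings to the C8300 and the C8300 enforces the SGACLs it downloads from ISE. All addresses, the SGT value 100, the VLAN and the SXP password are placeholder assumptions; check the exact syntax against the TrustSec guide for the software version on each platform.

```text
! ===== Nexus 5K (legacy, SXP speaker) =====
! assumed addresses: N5K 10.10.0.5, C8300 10.10.0.1
feature cts
cts sxp enable
! placeholder password; must match on both peers
cts sxp default password SXP-PLACEHOLDER
cts sxp connection peer 10.10.0.1 source 10.10.0.5 password default mode speaker
! legacy server classified statically (host IP and SGT 100 are placeholders)
cts role-based sgt-map 10.10.20.10 100

! ===== Catalyst 8300 cEdge (SXP listener and SGACL enforcement point) =====
! ISE is the RADIUS server; the authorization list lets the 8300 fetch SGACLs
aaa new-model
aaa authorization network cts-list group radius
cts authorization list cts-list
cts sxp enable
cts sxp default password SXP-PLACEHOLDER
cts sxp connection peer 10.10.0.5 source 10.10.0.1 password default mode local listener
! enforce downloaded SGACLs on routed traffic, and on the legacy VLAN if it lands on an SVI
cts role-based enforcement
cts role-based enforcement vlan-list 20

! ===== Verification on the 8300 =====
! peer state should show "On"
show cts sxp connections
! expect 10.10.20.10 -> SGT 100 with source SXP
show cts role-based sgt-map all
! expect the matrix cells downloaded from ISE
show cts role-based permissions
```

If the 8300 is managed by vManage, the same commands are applied through the device template (for example a CLI add-on template) rather than typed directly.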
10-08-2022 07:47 AM
Thank you sir.