cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
892
Views
15
Helpful
6
Replies

SGT Enforcement - Legacy Hardware

Midnight Rodeo
Level 1
Level 1

Hi guys, deploying SDWAN/SDA fabric across an enterprise. Mainly hardware refresh to Nexus 9K but in some remote locations there are legacy networks/server farms 'out of scope' that are connecting in on legacy hardware such as a Cisco 2900 router or Nexus 5k for example.

For the cEdge it will be  the 8300 model and my question is around enforcing SGT policy with the legacy environment. Will I be able to bring those legacy networks in on the cEdge and have the cEdge talk SXP with ISE and apply IP-SGT mappings or would I need to refresh the legacy hardware to Catalyst 9k for example.

Thanks

1 Accepted Solution

Accepted Solutions

@Midnight Rodeo you could use SXP as both ISR 2900 and Nexus 5K support it, however if you've a lot of legacy devices to manage it might be easier to inline tag if possible.

View solution in original post

6 Replies 6

@Midnight Rodeo if i were a Cisco salesman I'd say you have to buy new hardware. However, the ISE 2900 routers and Nexus 5K switches support TrustSec (inling tagging, SXP and SGACL/SG firewall etc) so you could probably do something on the legacy hardware, even if you just inline tag traffic to newer hardware which would be used as an enforcement point.

Check the TrustSec matrix for hardware feature support. https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-6-0-platform-capability-matrix.pdf note the minumum supported versions.

 

So you could just use the 8300 as the enforcement point and have the legacy hardware speak sxp to the 8300?

@Midnight Rodeo you could use SXP as both ISR 2900 and Nexus 5K support it, however if you've a lot of legacy devices to manage it might be easier to inline tag if possible.

Thank you Rob. So you what would the flow look like? The ISE would have the centralised policy with the SGT-IP mapping which would then push push the policy down to the Nexus 5K for example?

@Midnight Rodeo no, ISE would push down a policy (SGACL) to the 8300 for enforcement. You would create an SXP pairing between the N5K and the 8300, in order for the 8300 to learn the IP/SGT bindings of the endpoints connected to the N5K.

Thank you sir.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: