1116 Views | 5 Helpful | 5 Replies

Contributor
TrustSec ACL and VRF design questions

We are working on setting up TrustSec for a retirement community. They are going to use it to segment their residents' internet from the rest of their networks. What we are trying to find out is the following:

1. What is the size of the ACLs we can use in TrustSec?

2. Can we build out the VLANs for TrustSec in a separate VRF?

TIA,

Dan

5 REPLIES

Cisco Employee
Re: TrustSec ACL and VRF design questions

Just going through the community questions and saw this was unanswered.

Sorry for the delay, your retirement community project is probably completed by now but wanted to reply anyway.

The supported size of the SGACLs is product dependent but is not generally a limiting factor. Remember that SGACLs are a list of L4 ports with no IP information, hence are much smaller than equivalent ACLs.

For example, a 3850 supports 680 L4 SGACE entries, a Cat9300 supports 5000, and so on.

Yes, TrustSec is VRF aware. Dynamic and Static mappings are placed in VRFs and propagation is carried out per VRF.

(Accepted solution)
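To make the sizing point concrete, here is an added example (not from this thread or any Cisco document) of what an SGACL looks like on an IOS-XE switch such as the Cat9300 mentioned above. The SGT values, ACL name and VLAN list are constructed; the point is that the role-based ACL carries only L4 matches, so its entry count does not grow with the number of subnets behind each tag.

```ios
! Added example, constructed values: SGT 10 = Residents, SGT 20 = Shared-Services.
! A traditional ACL for 3 resident subnets x 2 server subnets x 2 ports would need
! 12 ACEs and grow with every new subnet; this SGACL is 3 entries however many
! subnets map to the two tags, which is why the 680/5000 SGACE limits quoted
! above are rarely the constraint.
ip access-list role-based RESIDENTS_TO_SERVICES
 permit tcp dst eq 443
 permit udp dst eq 53
 deny ip
!
! Bind the SGACL to the source/destination tag pair.
cts role-based permissions from 10 to 20 RESIDENTS_TO_SERVICES
!
! Turn on enforcement globally and on the resident VLANs (constructed VLAN range).
cts role-based enforcement
cts role-based enforcement vlan-list 100-110
!
! Check what is installed and how many cells/entries the platform is carrying.
show cts role-based permissions
show cts role-based counters
```

In a production deployment the cells are normally authored in the ISE egress policy matrix and downloaded to the switch (`cts refresh policy` pulls them on demand) rather than typed locally as above; the local form is shown only so the L4-only structure of an SGACL is visible. Traffic between tag pairs with no explicit cell falls to the default policy defined in the matrix, which is where a "residents are denied to everything else" posture is set.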

Beginner

Re: TrustSec ACL and VRF design questions

Hi,

When you say TrustSec is VRF aware, what mechanisms need to be in place to propagate TrustSec tags from ISE to multiple VRFs on a switch? Do I need an SXP definition to ISE to get SGTs from ISE to register outside the default VRF on the switch? Are there any how-tos or Cisco documentation on doing TrustSec with VRFs?

 

Cisco Employee

Re: TrustSec ACL and VRF design questions

Hi,

There would need to be an SXP connection from ISE to each VRF on the switch. All mappings on ISE would then be duplicated to each VRF.

If you would like to have different mappings in each VRF then you can segregate mappings in ISE by using ISE SXP domains. Then, ISE SXP domain1 would have an SXP connection to switch VRF1, ISE SXP domain2 an SXP connection to switch VRF2 etc.

I wrote a guide for an SDA border deployment but the concept is the same, check it out here:

https://community.cisco.com/t5/security-documents/policy-enforcement-within-sda-border/ta-p/3646816

Hope that helps.

(Accepted solution)
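The switch side of the answer above, as an added example that is not part of this thread or the linked guide: one SXP listener connection per VRF, each with its own source address, so that ISE can treat them as two SXP devices in two SXP domains and send each VRF only that domain's IP-to-SGT mappings. All addresses, VRF names and the password placeholder are constructed. The ISE side (one SXP device entry per switch source IP, each assigned to its own SXP domain) is configured in the ISE GUI and is assumed here, not shown.

```ios
! Added example, constructed values. ISE PSN at 192.0.2.10 must be reachable
! from inside each VRF (an interface or a leaked route in that VRF); without
! that, the connection never leaves the "Off" state.
cts sxp enable
cts sxp default password 0 REPLACE_WITH_SXP_PASSWORD
!
! VRF-RESIDENTS: source 10.10.0.1. On ISE this source IP is the SXP device
! assigned to SXP domain "residents", which holds only resident mappings.
cts sxp connection peer 192.0.2.10 source 10.10.0.1 password default mode local listener vrf VRF-RESIDENTS
!
! VRF-STAFF: separate connection and source 10.20.0.1, assigned on ISE to
! SXP domain "staff". If both devices were left in ISE's default domain,
! every mapping would be duplicated into both VRFs, as the reply notes.
cts sxp connection peer 192.0.2.10 source 10.20.0.1 password default mode local listener vrf VRF-STAFF
!
! Verification: both peers should show state "On", and a resident host's
! mapping should appear in VRF-RESIDENTS but not in VRF-STAFF.
show cts sxp connections brief
show cts role-based sgt-map vrf VRF-RESIDENTS all
show cts role-based sgt-map vrf VRF-STAFF all
```

Two things to check when this does not behave as expected: the SXP password must match the one set on the ISE SXP device entry for that source IP, and the mapping you are looking for must be in the right SXP domain on ISE, since a mapping learned in one domain is never sent over a connection that belongs to another.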

Beginner

Re: TrustSec ACL and VRF design questions

Thanks for the quick reply. This definitely helps.