Trustsec and VMware static SGT assignment

mnkojima, Level 1

Hello,

We want to implement TrustSec in our environment. We have Cat9300 (core and server farm) and Cat2960X (access). One thing that is not clear to me: since we have virtual machines running in our VMware, must we have a Nexus 1000V to do static SGT assignment for our virtual servers, or can we map an SGT to each virtual server's IP address on our Cat9300?

Thank you,

Marcos

2 Accepted Solutions

Damien Miller, VIP Alumni

You have a number of options here. We can rule out the 2960 right off the bat since it doesn't support any of the useful TrustSec features.

You can create static IP-SGT mappings on the Cat 9300 as you already indicated. Enforcement could take place on this switch via SGACLs. This scenario is OK for North-South enforcement.

Another option is to create IP-SGT mappings in ISE, then leverage SXP to advertise them to the 9300. I tend to prefer this since you don't have to go to the CLI to update/add/change mappings. You have to be careful scaling SXP, but this is a good use case for it. Again, OK for North-South enforcement.

Yet another option is to keep the SGTs out of the datacenter entirely, doing SGACL enforcement in a centralized enforcement location where user traffic enters/exits the DC. You can create or advertise your IP-SGT mappings to this central point and effectively enforce North-South user-DC traffic flows for the entire DC.

The only East-West enforcement option is to leverage the Nexus 1000v; it is SGACL capable, meaning that if you have both source and destination mappings on it, you can enforce East-West server traffic and North-South user-server traffic.

How you go about this is probably determined by what you are trying to accomplish from a security perspective. The ideal solution with TrustSec is always to leverage inline tagging, but end-to-end inline tagging is not always possible. In your scenario, even if you were leveraging 1000v's, you still couldn't use inline tagging because the upstream 2960 is not capable of inline tagging.


kthiruve, Cisco Employee

It depends on what you want to accomplish, as mentioned by others. You might want to step back and plan out a few things before implementing it.

If your access is 2960, even though it may not be capable of enforcement, you can assign SGTs. You can use ISE for SXP to the datacenter. ISE scales up well for SXP.

You need to look at the compatibility matrix to see where you want to classify end users/machines and where to do enforcement.

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-platform-capability-matrix.pdf

Here is the relevant documentation; check out "User to DC segmentation".

https://community.cisco.com/t5/security-documents/ise-community-resources/ta-p/3621621#Segmentation

Thanks,

Krishnan


3 Replies

Mike.Cifelli, VIP Alumni

You will be able to accomplish IP-to-SGT static mappings on your Cat9300. As an FYI, I have enabled static mappings on other Nexus hardware models outside of the one you have mentioned. Ensure that you have your CTS and your SXP connection properly set up on your device and with ISE. You will want to manually enable enforcement on whatever VLAN(s) in your data center. HTH!
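As an added illustration (not configuration from any of the posters above), this is the shape of the IOS-XE configuration the replies describe for a Cat9300: static IP-SGT mappings for the VMs, an SXP listener toward ISE so bindings can also be maintained in ISE, and SGACL enforcement on the server-farm VLANs. Every IP address, SGT value, VLAN ID and name below is made up for the example.

```cisco
! Constructed example for a Cat9300 (IOS-XE). Addresses, SGT numbers,
! VLAN IDs and server names are placeholders, not values from this thread.

! --- Authorization list used to download SGACL policy from ISE ---
! (RADIUS server group "ISE" and the exec-mode "cts credentials" PAC
!  provisioning are assumed to be configured already.)
aaa authorization network cts-list group ISE
cts authorization list cts-list

! --- Static IP-SGT mappings for VMs on the VMware hosts ---
! No Nexus 1000V is needed for this: the binding lives on the 9300,
! so it only covers traffic that actually crosses the 9300 (North-South).
! VM-to-VM traffic that stays inside a host never reaches the switch.
cts role-based sgt-map 10.20.1.10 sgt 100
cts role-based sgt-map 10.20.1.11 sgt 100
cts role-based sgt-map 10.20.2.10 sgt 200
! A whole server subnet can be bound in one line when VMs share a segment.
cts role-based sgt-map 10.20.3.0/24 sgt 300

! --- SXP: learn IP-SGT bindings held in ISE instead of maintaining them on the CLI ---
cts sxp enable
cts sxp default source-ip 10.20.0.1
cts sxp default password SXP-SHARED-SECRET-PLACEHOLDER
cts sxp connection peer 10.10.0.5 password default mode local listener

! --- Enforcement: enable globally, then on the data-center VLANs only ---
cts role-based enforcement
cts role-based enforcement vlan-list 201,202,203

! --- Verification (exec mode) ---
! show cts role-based sgt-map all     -> bindings and whether each came from CLI or SXP
! show cts sxp connections            -> the listener to ISE should report "On"
! show cts role-based permissions     -> SGACLs downloaded from ISE per SGT pair
! show cts role-based counters        -> permit/deny hits per source/destination SGT
```

The counters are the quickest way to confirm a mapping is being classified and enforced on the 9300 rather than silently falling into the unknown SGT.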
