Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
323
Views
0
Helpful
3
Replies

TrustSec campus segmentation design approach

richard.harvey
Level 1
Level 1

‎06-15-2017 03:05 AM - edited ‎03-11-2019 12:47 AM

Hi,

I am getting to grips with a TrustSec design for a large multi-service building LAN where I intend to segregate guest, building management services, CCTV, lighting, etc using SGTs. Components will be 3850 L2 access, 4500x L3 distribution/core, ISE, Firepower 4100.

I love the potential flexibility of allocating flat subnets per floor, then using SGTs to segregate guest/BMS/CCTV/etc all in one VLAN. Problem is, I can see there will be flows between user groups whereby we would clearly want to screen traffic through Firepower for threat prevention, inline AV, etc.

Does this mean that the flat design will not work, or is there some magic TrustSec enforcement method that transports traffic up to the firewall for enforcement ?

I want to avoid creating multiple VLANs and VRFs for each service, as this would negate much of the management benefit of TrustSec in my mind.

Appreciate any views.

Labels:
0 Helpful
3 Replies 3

andrewswanson
Level 7
Level 7

‎06-15-2017 06:23 AM

Hi

I'm also looking at a TrustSec deployment. Deployment is on a "brown field" site where devices are already logically segmented into VLANs.

The first stage of the deployment is to do static classification/enforcement intra-vlan.

This is working well but we have a number of different vlans for different devices - CCTV, PoS.

My main concern of moving different type devices into the same vlan and using ISE to dynamically assign SGTs to filter, is what happens in the event of ISE being unavailable. Do you plan to use EEM scripting for this?

Cheers
Andy

0 Helpful

richard.harvey
Level 1
Level 1
In response to andrewswanson

‎06-15-2017 07:19 AM

Sounds like an interesting / similar project Andy.

I would have planned to use Critical Authentication mode for the ISE down situation. I understand the existing cached SGT data is used until ISE is back.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-sy/sec-cts-15-sy-book/cts-critical-auth.pdf

I imagine you will face a similar issue though if you require peer-to-peer security (beyond stateless ACLs) on the access layer.

0 Helpful

Config T
Level 1
Level 1

‎06-19-2017 08:53 AM

Something is going to need to inspect that traffic to provide the filtering you're looking for. There's nothing in TrustSec that will inspect that traffic for you. You're going to have to inspect the traffic on the endpoint via some agent software, send the traffic to your Firepower, span the traffic from the access switches to an external traffic inspector or export flows for threat analysis. Look for products that can integrate with ISE with pxGrid so ISE can act on the threat analysis.

0 Helpful
Customers Also Viewed These Support Documents