cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
435
Views
0
Helpful
3
Replies

TrustSec campus segmentation design approach

richard.harvey
Level 1
Level 1

Hi,

I am getting to grips with a TrustSec design for a large multi-service building LAN where I intend to segregate guest, building management services, CCTV, lighting, etc using SGTs. Components will be 3850 L2 access, 4500x L3 distribution/core, ISE, Firepower 4100.

I love the potential flexibility of allocating flat subnets per floor, then using SGTs to segregate guest/BMS/CCTV/etc all in one VLAN. Problem is, I can see there will be flows between user groups whereby we would clearly want to screen traffic through Firepower for threat prevention, inline AV, etc.

Does this mean that the flat design will not work, or is there some magic TrustSec enforcement method that transports traffic up to the firewall for enforcement ?

I want to avoid creating multiple VLANs and VRFs for each service, as this would negate much of the management benefit of TrustSec in my mind.

Appreciate any views.

3 Replies 3

andrewswanson
Level 7
Level 7

Hi

I'm also looking at a TrustSec deployment. Deployment is on a "brown field" site where devices are already logically segmented into VLANs.

The first stage of the deployment is to do static classification/enforcement intra-vlan.

This is working well but we have a number of different vlans for different devices - CCTV, PoS.

My main concern of moving different type devices into the same vlan and using ISE to dynamically assign SGTs to filter, is what happens in the event of ISE being unavailable. Do you plan to use EEM scripting for this?

Cheers
Andy

Sounds like an interesting / similar project Andy.

I would have planned to use Critical Authentication mode for the ISE down situation. I understand the existing cached SGT data is used until ISE is back.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-sy/sec-cts-15-sy-book/cts-critical-auth.pdf

I imagine you will face a similar issue though if you require peer-to-peer security (beyond stateless ACLs) on the access layer.

Config T
Level 1
Level 1

Something is going to need to inspect that traffic to provide the filtering you're looking for. There's nothing in TrustSec that will inspect that traffic for you. You're going to have to inspect the traffic on the endpoint via some agent software, send the traffic to your Firepower, span the traffic from the access switches to an external traffic inspector or export flows for threat analysis. Look for products that can integrate with ISE with pxGrid so ISE can act on the threat analysis.