06-15-2017 03:05 AM - edited 03-11-2019 12:47 AM
Hi,
I am getting to grips with a TrustSec design for a large multi-service building LAN where I intend to segregate guest, building management services, CCTV, lighting, etc using SGTs. Components will be 3850 L2 access, 4500x L3 distribution/core, ISE, Firepower 4100.
I love the potential flexibility of allocating flat subnets per floor, then using SGTs to segregate guest/BMS/CCTV/etc all in one VLAN. Problem is, I can see there will be flows between user groups whereby we would clearly want to screen traffic through Firepower for threat prevention, inline AV, etc.
Does this mean that the flat design will not work, or is there some magic TrustSec enforcement method that transports traffic up to the firewall for enforcement ?
I want to avoid creating multiple VLANs and VRFs for each service, as this would negate much of the management benefit of TrustSec in my mind.
Appreciate any views.
06-15-2017 06:23 AM
Hi
I'm also looking at a TrustSec deployment. Deployment is on a "brown field" site where devices are already logically segmented into VLANs.
The first stage of the deployment is to do static classification/enforcement intra-vlan.
This is working well but we have a number of different vlans for different devices - CCTV, PoS.
My main concern of moving different type devices into the same vlan and using ISE to dynamically assign SGTs to filter, is what happens in the event of ISE being unavailable. Do you plan to use EEM scripting for this?
Cheers
Andy
06-15-2017 07:19 AM
Sounds like an interesting / similar project Andy.
I would have planned to use Critical Authentication mode for the ISE down situation. I understand the existing cached SGT data is used until ISE is back.
I imagine you will face a similar issue though if you require peer-to-peer security (beyond stateless ACLs) on the access layer.
06-19-2017 08:53 AM
Something is going to need to inspect that traffic to provide the filtering you're looking for. There's nothing in TrustSec that will inspect that traffic for you. You're going to have to inspect the traffic on the endpoint via some agent software, send the traffic to your Firepower, span the traffic from the access switches to an external traffic inspector or export flows for threat analysis. Look for products that can integrate with ISE with pxGrid so ISE can act on the threat analysis.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide