Trustsec questions

carl_townshend
Spotlight

Hi all,

I have a few questions around TrustSec.

1. I believe the packets are tagged on ingress. What happens if the switch the client is connected to does not do inline tagging? Does it tag on the first switch that supports it?

2. What is SXP used for? Why is it needed, and do all switches etc. have to use it?

3. Do the tags come from ISE? Are they only learnt when the authenticator speaks to ISE and they are returned back in a RADIUS packet? Are these cached on the local switch?

Cheers

1 Reply

Arne Bier
VIP

1. I believe the packets are tagged on ingress. What happens if the switch the client is connected to does not do inline tagging? Does it tag on the first switch that supports it?

Inline tagging is a pain and you need to support it along every hop of the way. This is one of the reasons that TrustSec didn't find great adoption: it requires specific Cisco hardware in the path. The semi-solution to this problem is to use SDA (SD-Access) instead, because the SGT is embedded in the VXLAN header. Sure, the endpoint and control/border nodes still have to be specific Cisco switches, but all the intermediate switches do not; all they need is to support Ethernet frames of < 1540 bytes (encapsulated VXLAN).

2. What is SXP used for? Why is it needed, and do all switches etc. have to use it?

SXP is used to exchange SGTs between devices that don't support inline tagging. It's a 'workaround' and not a pretty one. A better solution is SDA.

3. Do the tags come from ISE? Are they only learnt when the authenticator speaks to ISE and they are returned back in a RADIUS packet? Are these cached on the local switch?

Tags can be defined in ISE and sent to devices that need them. Or they can be hard-coded on the end devices themselves. In SDA, ISE becomes the central repository of all the SGTs for the campus fabric.

I'd hazard a guess and say that folks are not keen to deploy CTS (Cisco TrustSec) on its own, because of all the points above. SDA is the way forward. Have a read of this document - it's probably a good place to start.

Cheers
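As an added illustration of the SXP workaround described in the reply above (this configuration is not part of the original thread; all IP addresses, SGT numbers, ACL names and the shared secret are constructed): an access switch that cannot inline-tag advertises its IP-to-SGT bindings over SXP to an upstream TrustSec-capable switch, which is where the SGT-based policy is actually enforced.

```cisco
! ===== Access switch (no inline tagging support): SXP speaker =====
! Hosts authenticate via 802.1X/MAB; ISE returns the SGT in RADIUS and the
! switch records an IP->SGT binding. Because it cannot write the CMD header
! on egress frames, it advertises those bindings to a peer over SXP (TCP/64999).
cts sxp enable
cts sxp default password 0 SxpSharedSecret        ! constructed; authenticates the SXP TCP session
cts sxp default source-ip 10.0.0.2                ! constructed loopback/management address
cts sxp connection peer 10.0.0.1 password default mode local speaker
! Static binding for a subnet that never authenticates (constructed: servers = SGT 20)
cts role-based sgt-map 10.1.20.0/24 sgt 20

! ===== Distribution switch (TrustSec-capable): SXP listener + enforcement point =====
cts sxp enable
cts sxp default password 0 SxpSharedSecret
cts sxp default source-ip 10.0.0.1
cts sxp connection peer 10.0.0.2 password default mode local listener
! Role-based ACL (SGACL): RBACLs carry no source/destination addresses, only
! the SGT/DGT pair selects them. Constructed policy: employees (SGT 10) may
! reach servers (SGT 20) on TCP/443 only; everything else between them is dropped.
ip access-list role-based EMPLOYEES-TO-SERVERS
 permit tcp dst eq 443
 deny ip
cts role-based permissions from 10 to 20 ipv4 EMPLOYEES-TO-SERVERS
cts role-based enforcement

! ===== Verification on the listener =====
! show cts sxp connections          -> peer 10.0.0.2 should be "On", mode Listener
! show cts role-based sgt-map all   -> bindings learned via SXP appear with source SXP
! show cts role-based permissions   -> confirms the 10 -> 20 SGACL is installed
```

The listener only knows the source SGT of a packet by looking up its IP in the SXP-learned table, so enforcement is only correct for traffic whose source addresses were actually advertised; a binding missing from the speaker silently falls back to the unknown/default SGT.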