02-27-2017 02:17 PM
Gurus,
We are in a Trustsec Design for a customer with remote sites that are using WAN accelerators and trying to verify the best design.
Scenario
1. The endpoint comes onto the network
2. Authenticated/Authorized by ISE and receive SGT tag
3. Packet starts toward destination and gets WCCP redirected to WAN Accelerator
4. WAN Accelerator sends the packet out with a GRE header back to the router
5. The Router does what it does and routes the packet.
6. Where is the best place for SXP? WAN router or Switch? or Both?
Endpoint ----- Layer2-Switch ------ WAN Accelerator -------- router ---------- Headend (ISE)
SGT and Load-Balancer
1. Does the Load-Balancer drop the SGT packet?
02-28-2017 11:04 AM
Hello jogorham,
Before I can answer, I'd need to understand what devices will be enforcing the traffic via TrustSec policies. Without this information and by looking at your diagram, I think the simplest approach would be to send the IP to SGT mappings directly from ISE to the enforcement device via ISE SXP. By doing so, the diagram indicates that you'd be able to avoid your concern about the WAN accelerator/load balancer, but you would need to keep in mind ISE SXP scale.
ISE 2.1 supports 100,000 bindings, 20 SXP peers
ISE 2.2 supports 250,000 bindings, 100 SXP peers
We recommend using dedicated nodes for ISE SXP functions.
Does this help?
Fay-Ann
03-02-2017 06:27 AM
I don't see where load balancers fit into this design. Either the access device which receives the RADIUS authorization (or SXP binding) is natively tagging the packets on network, or communicating the IP-SGT bindings via SXP to another device in the network. Native encapsulation of SGT into WAN VPN is possible, but not seeing that implemented here. If need to communicate the bindings to enforce policy at the upstream device, then that is likely where peering should occur, or else peers are created as aggregation points for IP-SGT bindings. Are you saying that your WAN accelerator is trying to optimize or cache SXP packets from switch to its remote peer? If so and it is interfering with SXP communication, then Fay's option to communicate bindings directly from ISE is an option.
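To make the two answers above concrete, here is an added Cisco IOS-XE configuration example (not posted by anyone in this thread and not taken from Cisco documentation) showing the option both replies converge on: the WAN router, as the upstream enforcement point, peers directly with the ISE SXP service as an SXP listener and enforces SGACLs on the bindings it learns, so the Layer 2 switch, WAN accelerator and any load balancer never have to carry SXP or inline tags. The router source address 10.255.0.1, the ISE SXP node address 10.10.10.5 and the password string are placeholders I chose for illustration.

```ios
! Added example, not from the original thread. WAN router as SXP listener
! receiving IP-to-SGT bindings straight from the ISE SXP service, then
! enforcing SGACLs locally. Addresses and the password are placeholders.
!
! 1. Enable SXP globally; all peers share the default password and source IP
cts sxp enable
cts sxp default password SxpPlaceholderKey
cts sxp default source-ip 10.255.0.1
!
! 2. Peer with the ISE SXP node. "mode local listener" means this router only
!    receives bindings; ISE is the speaker. Timers are left at their defaults.
cts sxp connection peer 10.10.10.5 source 10.255.0.1 password default mode local listener
!
! 3. Turn on role-based (SGACL) enforcement so the learned bindings are used
!    when traffic is routed across the WAN
cts role-based enforcement
!
! Verification from exec mode (expected state, not captured output):
!   show cts sxp connections brief    - connection state to 10.10.10.5 should be On
!   show cts role-based sgt-map all   - IP-SGT bindings learned via SXP from ISE
!   show cts role-based counters      - SGACL permit/deny hits per source/dest SGT
```

On the ISE side the router has to be added as an SXP peer (in ISE 2.x this is done under the TrustSec work center, SXP devices) with the matching password and with ISE in the speaker role. Because every enforcement router becomes one ISE SXP peer, count them against the peer limits Fay-Ann lists (20 peers on ISE 2.1, 100 on ISE 2.2) and, as she recommends, run the SXP service on dedicated nodes; if the peer count or binding count approaches those limits, a switch or router acting as an SXP aggregation point, as the third reply describes, can sit between ISE and the branch routers.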