Trustsec SGT Design around WAN accelerators and Load-balancers

jogorham
Level 1

Gurus,

We are in a Trustsec Design for a customer with remote sites that are using WAN accelerators and trying to verify the best design.

Scenario

1. the endpoint comes onto the network

2. Authenticated/Authorized by ISE and receive SGT tag

3. Packet starts toward destination and gets WCCP redirected to WAN Accelerator

4. WAN Accelerator sends the packet out with a GRE header back to the router

5. The Router does what it does and routes the packet.

6. Where is the best place for SXP? WAN router or Switch? or Both?

Endpoint ----- Layer2-Switch ------ WAN Accelerator -------- router ---------- Headend (ISE)

SGT and Load-Balancer

1. Does the Load-Balancer drop the SGT packet?

Accepted Solution

faylee
Cisco Employee

Hello jogorham,

Before I can answer, I'd need to understand what devices will be enforcing the traffic via TrustSec policies. Without this information and by looking at your diagram, I think the simplest approach would be to send the IP to SGT mappings directly from ISE to the enforcement device via ISE SXP. By doing so, the diagram indicates that you'd be able to avoid your concern about the wan accelerator/load balancer but you would need to keep in mind ISE SXP scale.

ISE 2.1 supports 100,000 bindings, 20 SXP peers

ISE 2.2 supports 250,000 bindings, 100 SXP peers

We recommend using dedicated nodes for ISE SXP functions.

Does this help?

Fay-Ann

2 Replies

I don't see where load balancers fit into this design. Either the access device which receives the RADIUS authorization (or SXP binding) is natively tagging the packets on the network, or communicating the IP-SGT bindings via SXP to another device in the network. Native encapsulation of SGT into WAN VPN is possible, but not seeing that implemented here. If you need to communicate the bindings to enforce policy at the upstream device, then that is likely where peering should occur, or else peers are created as aggregation points for IP-SGT bindings. Are you saying that your WAN accelerator is trying to optimize or cache SXP packets from switch to its remote peer? If so and it is interfering with SXP communication, then Fay's option to communicate bindings directly from ISE is an option.
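The option both replies point to, with the remote-site WAN router as the enforcement point and ISE SXP feeding it the IP-to-SGT bindings directly, as an added IOS-XE configuration example that is not from this thread or from Cisco documentation. The ISE SXP node address 10.0.0.10, the router loopback 10.1.1.1 and the password are assumed values; ISE must separately have the SXP service enabled on a (dedicated) node and this router added as an SXP device.

```text
! Added example (not from the thread). Assumed values: ISE SXP node 10.0.0.10,
! router loopback 10.1.1.1, shared SXP password.
! SXP is a TCP session (port 64999) between ISE and the router itself, so the
! WCCP-redirected data path through the WAN accelerator is not involved.
cts sxp enable
cts sxp default source-ip 10.1.1.1
cts sxp default password 0 ExamplePassword
! ISE is the speaker; the router only listens, so no bindings flow back to ISE.
! Each router peered this way uses one of the ISE SXP peer slots quoted above
! (20 on ISE 2.1, 100 on ISE 2.2), which is the scale limit to plan around.
cts sxp connection peer 10.0.0.10 password default mode local listener
! Apply SGACL policy on the router itself (policy is pulled from ISE).
cts role-based enforcement
!
! Verification: the peer should show as Listener / On, and learned bindings
! should appear with source SXP.
show cts sxp connections
show cts role-based sgt-map all
```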