Using TrustSec for Campus and Branch segmentation

deyster94
Level 5

I have a client that is looking to segment their network. They were initially thinking either ACLs on their switches or using a FW. However, after talking to them about ISE and TrustSec, they are interested in that solution. The client is an international company, so they have a branch/campus network layout. In researching how TrustSec works in this scenario, I found the following guide:

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/branch-segmentation.pdf

It mentions having the WAN connectivity encrypted, but I also heard there is an encapsulation method that you can use instead. However, I cannot find anything on the encapsulation method, how it works and what devices are required. The issue we have at this client is that even though their WAN links are connected with Cisco routers, they do not manage them. So getting this provider to implement a VPN across the WAN links for TrustSec may not happen.

If someone can provide me that information, it would be appreciated.

Dan

Accepted Solutions

umahar
Cisco Employee

I would highly recommend watching the Cisco Live presentations on TrustSec if you are just starting with the technology.

I think what you are referring to is how you'll be able to propagate tags from branch to headquarters and vice versa.

Propagation of tags can be via the data plane, like you mentioned, over VPN (DMVPN, GETVPN, etc.).

If propagation via the data plane is not possible, then SXP allows you to achieve propagation in the control plane by sending the mappings over a separate protocol.
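
The control-plane option described in the answer, as an added configuration example that is not from the original thread or from Cisco's guide: a branch switch acts as SXP speaker and sends its IP-to-SGT bindings to an HQ listener over a TCP session (port 64999), so the provider-managed WAN routers only have to route that traffic. IOS/IOS-XE syntax is assumed; the addresses and the password are constructed placeholders.

```cisco
! --- Branch access switch (SXP speaker) ---
! 192.0.2.10 and 198.51.100.10 are constructed documentation addresses
cts sxp enable
cts sxp default source-ip 192.0.2.10
! Shared secret used to authenticate the SXP TCP session (placeholder)
cts sxp default password <SXP-PASSWORD>
! Peer is the HQ device; this side sends its IP-to-SGT bindings
cts sxp connection peer 198.51.100.10 password default mode local speaker

! --- HQ enforcement device (SXP listener) ---
cts sxp enable
cts sxp default source-ip 198.51.100.10
cts sxp default password <SXP-PASSWORD>
! This side receives the bindings learned at the branch
cts sxp connection peer 192.0.2.10 password default mode local listener
! Enforce SGACLs using the bindings learned over SXP
cts role-based enforcement

! --- Verification (exec mode, either side) ---
! Connection state should show "On" for the peer
show cts sxp connections brief
! Bindings received over SXP
show cts sxp sgt-map brief
! All IP-to-SGT bindings the device will enforce on
show cts role-based sgt-map all
```

Any firewall or ACL between the two peers has to permit TCP 64999 and must not strip the TCP MD5 option, otherwise the session never comes up and HQ enforces without branch bindings.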
