Contributor

Using TrustSec for Campus and Branch segmentation

I have a client that is looking to segment their network. They were initially thinking either ACLs on their switches or using a FW. However, after talking to them about ISE and TrustSec, they are interested in that solution. The client is an international company, so they have a branch/campus network layout. In researching how TrustSec works in this scenario, I found the following guide:

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/branch-segmentation.pdf

It mentions having the WAN connectivity encrypted, but I also heard there is an encapsulation method that you can use instead. However, I cannot find anything on the encapsulation method, how it works and what devices are required. The issue we have at this client is that even though their WAN links are connected with Cisco routers, they do not manage them. So getting this provider to implement a VPN across the WAN links for TrustSec may not happen.

If someone can provide me that information, it would be appreciated.

Dan

1 ACCEPTED SOLUTION

Cisco Employee

I would highly recommend watching the Cisco Live presentations on TrustSec if you are just starting with the technology.

I think what you are referring to is how you'll be able to propagate tags from branch to headquarters and vice versa.

Propagation of tags can be via the data plane, like you mentioned, over VPN: DMVPN, GETVPN, etc.

If propagation via the data plane is not possible, then SXP allows you to achieve propagation in the control plane by sending the mappings over a separate protocol.
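
A sketch of the SXP option mentioned in the answer above, added here as an example and not taken from the original post or from Cisco's guide: a branch device acts as SXP speaker and a headquarters device as listener, so the IP-to-SGT mappings cross the WAN over a TCP session between the two customer-managed devices. The addresses, SGT number and password are constructed placeholders, and the IOS/IOS-XE syntax shown is an assumption that should be checked against the platform and release in use.

```cisco
! Constructed example: addresses, SGT value and password are placeholders.

! --- Branch device (SXP speaker) ---
! Advertises its IP-to-SGT mappings to headquarters.
cts sxp enable
cts sxp default source-ip 10.10.0.1
cts sxp default password <SXP-PASSWORD>
cts sxp connection peer 10.0.0.1 password default mode local speaker
! Static mapping, standing in for tags that ISE would assign at login
cts role-based sgt-map 10.10.20.0/24 sgt 20

! --- Headquarters device (SXP listener) ---
! Receives the mappings and enforces policy on the learned tags.
cts sxp enable
cts sxp default source-ip 10.0.0.1
cts sxp default password <SXP-PASSWORD>
cts sxp connection peer 10.10.0.1 password default mode local listener
cts role-based enforcement

! --- Verification, on either side ---
show cts sxp connections brief
show cts role-based sgt-map all
```

The connection should show as "On" in the `show cts sxp connections brief` output once both sides agree on the peer address and password; a mismatch in either leaves the session down and no mappings are learned.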
