04-18-2022 08:38 AM
Hello all,
I understand that Cisco ISE is a network access/admission control product that is deployed for enterprise campus wired & wireless networks. Although nodes are typically located in the data center, I was wondering if CTS using ISE can be used for data center hosts to implement microsegmentation? I'm sure it may depend on what hardware your servers/VMs are connected to, but let's assume you are running supported hardware. I also understand that SGTs typically consist of a username and AD group, so with that in mind, if this can be done in the data center, could we simply use computer name and AD group to form the SGT?
I'm sure someone may suggest going ACI but I'm not sure how much more complex that would be from a config and management standpoint in addition to the purchase of 3 APICs and potential spine/leaf nodes. Just trying to find every possible option.
Thanks!
04-18-2022 09:10 AM
To start, this is an interesting question since this could be rather complex and have several options so I am interested in seeing what others share. ACI is a beast in itself and it seems that you are already aware of that as an option. So I am going to hit on this with one option: I was wondering if CTS using ISE can be used for Data Center hosts to implement microsegmentation?
-Not sure what your environment looks like or consists of, but in theory you have the ability to publish IP-to-SGT mappings via SXP. In this type of scenario you would enable cts role-based enforcement on the device that perhaps has all of your L3 SVIs for all of your data center (DC) VLANs. This process looks like this from a high level: you will enable cts enforcement per DC VLAN, set up SXP on the DC core, then in ISE create a CTS SXP peer, create IP-to-SGT static mappings (individual hosts or by subnets), and publish those along with your cts role-based policy to the DC core. HTH & good luck!
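To make the mechanics of the approach above concrete, here is an added example (not Cisco's code and not from the reply above) that models what the DC core does once ISE has pushed the static IP-to-SGT mappings and the role-based policy to it: it resolves each endpoint IP to an SGT by longest-prefix match over the published bindings, then looks up the (source SGT, destination SGT) cell in a policy matrix and falls through to a default action for unlisted pairs. The subnets, SGT numbers, tag names and policy cells are constructed for illustration; on real hardware the default SGACL behaviour and the exact matching rules are platform-specific, so treat this as a model of the decision, not a reproduction of a particular switch.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

# Constructed sample data: static IP-to-SGT bindings of the kind an ISE admin
# would create and publish over SXP. Tag numbers and names are made up.
SGT_NAMES = {10: "Web", 20: "App", 30: "DB", 40: "Mgmt"}

STATIC_MAPPINGS: List[Tuple[str, int]] = [
    ("10.10.0.0/24", 10),  # web tier subnet -> Web
    ("10.20.0.0/24", 20),  # app tier subnet -> App
    ("10.30.0.0/24", 30),  # db tier subnet  -> DB
    ("10.30.0.5/32", 40),  # one host inside the DB subnet carved out as Mgmt
]

# Constructed role-based policy keyed by (source SGT, destination SGT).
# A cell is either "permit", "deny", or a list of allowed (proto, port) pairs.
# Pairs with no cell fall through to DEFAULT_ACTION (deny-by-default posture).
Rule = Union[str, List[Tuple[str, int]]]
POLICY: dict = {
    (10, 20): [("tcp", 8080)],   # Web may reach App only on 8080/tcp
    (20, 30): [("tcp", 5432)],   # App may reach DB only on 5432/tcp
    (40, 30): "permit",          # Mgmt may reach DB on anything
    (40, 10): [("tcp", 22)],     # Mgmt may SSH to Web
    (40, 20): [("tcp", 22)],     # Mgmt may SSH to App
}
DEFAULT_ACTION = "deny"


def resolve_sgt(ip: str, mappings=STATIC_MAPPINGS) -> Optional[int]:
    """Return the SGT bound to ip via longest-prefix match, or None if unbound.

    A /32 host binding therefore overrides the /24 it sits inside, which is
    how a single box in a shared subnet can be given its own tag.
    """
    addr = ipaddress.ip_address(ip)
    best_sgt, best_len = None, -1
    for prefix, sgt in mappings:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and net.prefixlen > best_len:
            best_sgt, best_len = sgt, net.prefixlen
    return best_sgt


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
    """Decide permit/deny for one flow and explain which cell decided it."""
    src, dst = resolve_sgt(src_ip), resolve_sgt(dst_ip)
    if src is None or dst is None:
        return "deny", "no SGT binding for source or destination"
    rule: Optional[Rule] = POLICY.get((src, dst))
    label = f"{SGT_NAMES[src]}->{SGT_NAMES[dst]}"
    if rule is None:
        return DEFAULT_ACTION, f"{label}: no cell, default {DEFAULT_ACTION}"
    if isinstance(rule, str):
        return rule, f"{label}: cell says {rule}"
    if (proto, port) in rule:
        return "permit", f"{label}: {proto}/{port} listed"
    return "deny", f"{label}: {proto}/{port} not in cell"


if __name__ == "__main__":
    # Constructed flows: the last one shows the host carve-out changing the
    # destination tag, so the App->DB cell no longer applies.
    flows = [
        ("10.10.0.4", "10.20.0.7", "tcp", 8080),
        ("10.10.0.4", "10.30.0.7", "tcp", 5432),
        ("10.30.0.5", "10.30.0.7", "tcp", 5432),
        ("10.20.0.1", "10.30.0.5", "tcp", 5432),
        ("192.168.1.1", "10.30.0.7", "tcp", 5432),
    ]
    for f in flows:
        action, why = evaluate(*f)
        print(f"{f[0]:>12} -> {f[1]:<12} {f[2]}/{f[3]:<5} {action:6} ({why})")
```

The carve-out case is the one worth noticing when planning static mappings: adding a /32 binding for a host changes which policy cell governs every flow to and from it, so a host that used to be reachable as "DB" silently stops matching the App->DB cell unless the matrix is updated for the new tag.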
04-18-2022 12:18 PM
I see it as technically possible. Perhaps, for a virtualized environment, ACI is much superior as it has some integration with virtualization vendors, but thinking about physical devices, it is possible. However, you probably still want to use Nexus and that can be a problem. If I am not wrong, only Nexus 7K is supported for DNAC and this can narrow your possibilities.
If I were to develop a project on this, for sure I'd go deeper into the ACI world just to perform a fair comparison, as I am considering here only the segmentation point of view.
And just to add something more, it was told to me by Cisco in the past that the final solution will be SGT and EPG as one thing and all managed by DNAC. It seems that ACI, SDA and SDWAN will become one somewhere in the future.