03-23-2021 05:35 AM - edited 03-23-2021 05:39 AM
Dears,
I am working on OOB Management design for connectivity of management of various categories of Data Center traffic such as DMZ (e.g. Internet routers), Servers, Network, Application, Security (KMS, HSM, etc.) and PCI.
I looked for Cisco best practices recommendations for physical connectivity or switching design of OOB but no luck.
1: Please provide useful and supporting link that can be used as a reference and can guide on OOB connectivity/switching and Firewall design for various categories of MGT traffic.
2: Please also providing recommendations and opinions on the options mentioned in the attached diagram.
Thanks.
04-26-2021 02:44 AM
any opinion from experts?
04-26-2021 04:46 AM
I don't there is an reference guide for your exact scenario, but it seems like TrustSec segementation would be a good fit.
Use an FTD pair between the Core and Agg as in your diagrams, the connecting endpoints requiring segmentation would be connected to the same switch stack and just use the SGT to permit/deny communication between the endpoints using an SGACL. You'd need ISE to classify the endpoints, assign an SGT and manage the SGACL - although you could manually configure on the switch, but not really advised nor scalable.
Any communication to/from the SOC block/monitoring systems could be routed via the FTD and controlled according to the FTD Access Control Policies.
TrustSec reference materials:-
https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html#~features
https://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/index.html
HTH
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide