06-03-2020 08:53 AM
Hello,
Does ISE TrustSec replace regular internal L3/L4 ASA Firewalls? These firewalls could be protecting two subnets from talking to each other or protecting the DMZ from internal/external traffic. I'm trying to understand if I deploy TrustSec, will I throw out my L3/L4 Firewalls?
Thanks
06-03-2020 12:15 PM
Hi,
The enforcement point can either be a firewall, router or switch. However, a firewall is the best device to act as an enforcement point; that's what it is designed to do.
A switch or router is fine (to an extent) to protect resources within the DC from users on the access layer, but you definitely want to be using a firewall on the perimeter to protect your network from outside threats.
With an FTD NGFW you get the L7 features that a switch or router acting as enforcement point do not have.
HTH
06-03-2020 12:40 PM
06-03-2020 12:50 PM
06-04-2020 02:14 PM
We have Cat 9300s over but at the same time we have 500 sites and around 25K endpoints.
Are you saying 9300 aren't capable of handling ip-to-sgt mappings for 25K endpoints?
06-04-2020 02:35 PM
You should check out the TrustSec matrix to confirm scalability for your devices.
The Catalyst 9300 supports a maximum of 10,000 IP SGT Bindings. You wouldn't expect to have all IP SGT bindings for the entire network on an access layer switch, normally just IP SGT bindings that have been dynamically assigned to devices authenticating to a port on the switch.
What is your intended TrustSec design?
What type of traffic are you attempting to filter? Lateral movement on the same switch, Access layer to DC?
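The capacity point made above (a Catalyst 9300 holds at most 10,000 IP-SGT bindings, and an access switch normally only carries the bindings learned from its own authenticated ports) is easy to check on a live switch. The following Python script is an added example, not code from the thread or from Cisco: it tallies the bindings in the output of `show cts role-based sgt-map all` by source, compares the total against the platform limit, and answers the poster's question of whether every endpoint in the network would need a binding on one switch. The sample output is constructed here, the exact column and summary layout is assumed from memory of that command, and the `PLATFORM_LIMITS` table contains only the 9300 figure quoted in the reply.

```python
"""Tally IP-to-SGT bindings from 'show cts role-based sgt-map all' output and
compare them against a platform's binding limit.

Added example for this thread; the sample output below is constructed, the
table layout is an assumption about the command's format, and the only limit
in PLATFORM_LIMITS is the 10,000-binding figure for the Catalyst 9300 quoted
in the reply above.
"""
import re
from collections import Counter

# Binding limit per platform (placeholder: fill from the TrustSec
# scalability matrix for your own hardware).
PLATFORM_LIMITS = {"C9300": 10_000}

# Constructed sample in the shape of 'show cts role-based sgt-map all' output.
# LOCAL = learned from 802.1X/MAB sessions on this switch's own ports,
# CLI = static binding, SXP = received from a peer over SXP.
SAMPLE_OUTPUT = """\
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
10.10.20.11             5       LOCAL
10.10.20.12             5       LOCAL
10.10.20.13             17      LOCAL
10.10.30.0/24           10      CLI
10.200.1.0/24           20      SXP
10.200.2.0/24           20      SXP

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 1
Total number of LOCAL    bindings = 3
Total number of SXP      bindings = 2
Total number of active   bindings = 6
"""

# One binding row: IPv4 host or prefix, numeric SGT, source keyword.
BINDING_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s+(\d+)\s+([A-Z_]+)\s*$"
)
# One summary row: "Total number of <SOURCE> bindings = <n>".
SUMMARY_RE = re.compile(r"Total number of (\w+)\s+bindings\s*=\s*(\d+)")


def parse_bindings(text):
    """Return (ip_or_prefix, sgt, source) tuples from the bindings table."""
    bindings = []
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            bindings.append((m.group(1), int(m.group(2)), m.group(3)))
    return bindings


def parse_summary(text):
    """Return the switch's own per-source totals from the summary block."""
    return {src: int(n) for src, n in SUMMARY_RE.findall(text)}


def bindings_by_source(bindings):
    """Count bindings per source keyword (LOCAL, CLI, SXP, ...)."""
    return Counter(src for _, _, src in bindings)


def summary_matches(text):
    """Cross-check our parsed counts against the switch's own summary lines."""
    parsed = bindings_by_source(parse_bindings(text))
    reported = parse_summary(text)
    return all(parsed.get(src, 0) == n for src, n in reported.items()
               if src != "active") and reported.get("active") == sum(parsed.values())


def capacity_report(bindings, platform, warn_ratio=0.8):
    """Compare the binding count on one switch against its platform limit."""
    limit = PLATFORM_LIMITS[platform]
    total = len(bindings)
    dynamic = sum(1 for _, _, src in bindings if src == "LOCAL")
    status = "ok"
    if total > limit:
        status = "over"
    elif total >= limit * warn_ratio:
        status = "warn"
    return {"platform": platform, "total": total, "dynamic_local": dynamic,
            "limit": limit, "utilization": total / limit, "status": status}


def whole_network_fits_on_one_switch(endpoint_count, platform):
    """The thread's question: could one access switch hold a binding for
    every endpoint in the network? (It doesn't need to; see the reply.)"""
    return endpoint_count <= PLATFORM_LIMITS[platform]


if __name__ == "__main__":
    found = parse_bindings(SAMPLE_OUTPUT)
    print(bindings_by_source(found))
    print(capacity_report(found, "C9300"))
    print("summary consistent:", summary_matches(SAMPLE_OUTPUT))
    print("25K endpoints on one C9300:", whole_network_fits_on_one_switch(25_000, "C9300"))
```

Run it against the real command output of each access switch (paste it in place of `SAMPLE_OUTPUT`) and watch the `dynamic_local` figure: that is the number that grows with the endpoints physically attached to that switch, and it is the one to keep well under the platform limit. The `summary_matches` check guards against a mis-parsed or truncated paste, since the switch prints its own totals at the bottom.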