Re: TrustSec deployment in large environment

I'm not sure I'm following you completely, still digging into the technology a bit. To clarify, currently I have a similar setup in a lab to what you described, in that I have ISE configured to be a speaker to a Nexus switch that is then a speaker to the access-layer 9300 switches. The Nexus learns the dynamic mappings from the auth sessions via SXP, and then the 9300 learns the static IP->SGT mappings via SXP from the Nexus reflector(s), in addition to the local dynamic mappings. What I am trying to do in the short term is keep most of the SGT configuration on the 9300s rather than the 4K routers, since they technically will be replaced with SD-WAN devices; I don't want any dependencies on the WAN routers that drive the code version I deploy on the SD-WAN boxes, at least not initially.


Re: TrustSec deployment in large environment

The only reason I suggested leveraging the WAN edge was because it would mean fewer SXP connections than going to each access switch, which can be a scaling issue. Total mapping support on the Cat 9Ks is also quite limited: they can only handle 10,000 IP-SGT mappings, whereas an ISR can support 125,000+. It sounds like you have a fairly large environment, so 10k mappings could easily be a scale issue.

I would want to inline tag everything in the LAN to enable east-west enforcement anyway. You would be dealing with fewer connections and no inline tagging work to add in for the future state. When (if) SD-WAN ever supports native SGT inline tagging, you would still need inline tagging in the LAN up to the router; you would just be dropping the SXP connections on the router when moving to SD-WAN inline tagging. I have not spun up the SD-WAN code on an ISR, but I know the commands are there for inline tagging; not sure if SXP is still in there. I would want to go this route if possible. I haven't tested it on SD-WAN code, but after this discussion I think I will when I get time in the next couple of weeks.

Your understanding of the mapping flow sounds correct: ISE will speak all static mappings you manually create as well as dynamic mappings created during authorization. It is a single point of truth for all IP-SGT mappings regardless of how they are generated, unless manually tagged on NADs.
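As an added illustration of the mapping flow both posts describe (not code from the thread, from Cisco or from ISE), the constructed Python model below propagates IP-SGT bindings from ISE through a Nexus reflector to Cat 9300 listeners and flags any listener whose merged table exceeds the 10,000-mapping limit quoted above; the node names, addresses and the local-over-SXP precedence rule are assumptions.

```python
"""Constructed model of the SXP mapping flow from the thread: ISE speaks to a
Nexus reflector, which speaks to Cat 9300 access switches. Caps are the figures
quoted above (10,000 on Cat 9K, 125,000 on ISR). Added planning aid, not Cisco code."""
from dataclasses import dataclass, field

# Mapping-table limits quoted in the thread; platforms not listed are unchecked.
PLATFORM_LIMITS = {"cat9k": 10_000, "isr": 125_000}

@dataclass
class SxpNode:
    name: str
    platform: str
    local: dict[str, int] = field(default_factory=dict)    # IP -> SGT, local/dynamic
    learned: dict[str, int] = field(default_factory=dict)  # IP -> SGT, received via SXP
    listeners: list["SxpNode"] = field(default_factory=list)

    def bindings(self) -> dict[str, int]:
        # Assumed precedence: a locally learned binding wins over an SXP one for the same IP.
        merged = dict(self.learned)
        merged.update(self.local)
        return merged

    def capacity_ok(self) -> bool:
        limit = PLATFORM_LIMITS.get(self.platform)
        return limit is None or len(self.bindings()) <= limit

def propagate(speaker: SxpNode) -> None:
    # A speaker sends its whole table to each listener; a reflector passes it on again.
    for listener in speaker.listeners:
        listener.learned.update(speaker.bindings())
        propagate(listener)

def build_scenario(static_count: int, dynamic_per_switch: int, switches: int = 2):
    # Constructed topology and addresses; the counts are inputs so the cap can be probed.
    ise = SxpNode("ISE", "ise")
    for i in range(static_count):
        ise.local[f"10.{i // 65536}.{(i // 256) % 256}.{i % 256}"] = 100
    nexus = SxpNode("nexus-reflector", "nexus")
    ise.listeners.append(nexus)
    access = []
    for s in range(switches):
        sw = SxpNode(f"cat9300-{s}", "cat9k")
        for d in range(dynamic_per_switch):        # auth-session bindings on this switch
            sw.local[f"172.16.{s}.{d}"] = 200
        nexus.listeners.append(sw)
        access.append(sw)
    propagate(ise)
    return ise, nexus, access
```

Raising `static_count` past roughly 9,800 with 200 local sessions per switch shows the access switches tipping over the quoted Cat 9K limit while the reflector, which is not capped in this model, still reports fine.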