10-10-2020 03:09 AM - edited 10-10-2020 03:10 AM
Hi All,
Just wanted your advice on the TrustSec configuration of switches when doing SDA with DNAC and Cisco ISE.
The issue I have seen in the field is this: Cisco DNA Center discovers the switch and later pushes the config for it to take part in SDA. DNA Center creates the NAD in Cisco ISE and provisions all configuration and settings under that NAD, including the RADIUS/TACACS shared secret and TrustSec.
The TrustSec ID and password are set to the switch serial number. The same logic applies when the switch is part of a stack: whichever switch is the Master/Active in the stack, its serial is used for the TrustSec configuration.
So now to the problem: if the switches are not provisioned with the stack member priority set, the Master/Active switch changes, and it appears as if the switch locally changes its ID and password, thus preventing the SGT pull from ISE as the credentials are wrong.
Of course, even once the switch has been configured properly for the stack, there is still a chance for issues. Let's say I have two or more switches in a stack, the Master/Active is the first switch, and I have two P2P L3 uplinks to switches 1 and 2. Switch 1 dies and the entire stack is rebooted, so switch 2 becomes the Master/Active switch for the stack. This still leaves me with a TrustSec and ISE problem, as the credentials would have changed.
I know that technically I have bigger issues to worry about, as I have a dead switch, but this is why we have multiple switches and uplinks: they are put in place to provide redundancy if one of my distribution/core devices dies, so that I have a redundant path to provide connectivity to the edge. It is also why switches are in a stack, so that one dead switch does not mean I have 100% user impact on the edge. Yes, I might have 48 endpoints with no connectivity, but with a maximum of 8 switches in a stack on the 9k series, I could potentially have another 336 endpoints working properly.
So what is the deal with TrustSec? Do I provision the switches with DNA Center and then change the CTS credentials to something other than the serial number of the switch? How do I prevent the CTS credentials from changing if another switch takes over the Master/Active role and the switch stack gets rebooted? Or am I not aware of something about how the CTS credentials are updated during the boot of the switch?
BTW: CTS credentials do not appear in the running config, similarly to how you do not see switch stack member priorities in the running config. From some other posts I see that they are saved in an "environment variable".

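As an added example (not part of the original post, and not DNA Center's own provisioning template), here is the IOS-XE CLI sequence I would use to verify and pin the two things the post says are not visible in the running config: the stack member priorities and the CTS device credentials. The command names are real IOS-XE commands; the device ID, password and member numbers are placeholders, and whether DNA Center re-pushes serial-derived credentials on a later re-provision is not established by this post and has to be checked in your own environment before relying on the pinned values.

```text
! 1. Check which member is active and what priority each member carries.
!    Priorities are stored in ROMMON, not in the running config, so this
!    is the only place to see them.
Switch# show switch

! 2. Check the CTS device ID the stack currently presents to ISE. The
!    credentials are held in the keystore, not in the running config.
Switch# show cts credentials
Switch# show cts environment-data

! 3. Pin the active role: the highest priority (1-15) wins on reboot,
!    so a reload after a member failure no longer changes who is active.
Switch# switch 1 priority 15
Switch# switch 2 priority 14

! 4. Replace the serial-derived credentials with a stable device ID that
!    does not depend on which member is active (placeholder values).
Switch# cts credentials id EDGE-SW01 password <cts-shared-secret>

! 5. The matching ISE NAD entry (Advanced TrustSec Settings) must carry
!    the same Device ID and password; if it does not, step 6 fails with
!    an authentication error instead of an environment-data refresh.

! 6. Force a fresh environment-data download and confirm SGTs arrive.
Switch# cts refresh environment-data
Switch# show cts environment-data
```

The check worth automating is the comparison between the device ID shown by `show cts credentials` on the stack and the Device ID on the NAD in ISE: after any stack failover or reload, those two values must still match, and a mismatch is the first thing to look for when SGT/environment data stops downloading.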