11-22-2019 08:54 AM
I would like to enable SGT-based policy between Virtual Networks. The fusion device is a 9300 switch, and I understand I have two options:
1. SXP between the fusion device and ISE to receive IP-to-SGT mappings, plus enforcement of the policy on the fusion device by downloading the TrustSec policy from ISE.
2. Per-VRF SXP between the borders and ISE, which allows re-inserting the SGT tag into the VXLAN header (it is lost when the packet routes via the fusion device), so the policy can be enforced at the egress edge node as usual.
Both of these solutions work, but I would like to understand the caveats of each, especially regarding the scalability of these options.
Option 1 means that all the rules plus the SGT mappings for all sources and destinations are going to be stored in the fusion device's memory.
Option 2 means that each border will have to run a per-VRF SXP session, but it wouldn't need to download all the rules because those would be enforced at egress.
If any of the statements I made here are incorrect, please let me know.
Thanks
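As an added illustrative example (not part of the original post and not taken from Cisco documentation), here is how the two options above could look as IOS-XE configuration on the fusion switch and on a fabric border. Every address, VRF name, device name and secret is an assumption, and the exact command syntax should be checked against the command reference for your release.

```ios
! --- Option 1: enforce the inter-VN policy on the fusion switch (Catalyst 9300) ---
! Assumed values: ISE PSN 10.10.10.10, fusion SXP source 10.10.20.1,
! VLANs 100 and 200 carrying the hairpinned inter-VN traffic.
aaa new-model
aaa group server radius ISE-GROUP
 server name ISE-PSN
aaa authorization network CTS-LIST group ISE-GROUP
radius server ISE-PSN
 address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
 pac key RADIUS-SECRET
 key RADIUS-SECRET
!
! Policy (SGACL matrix) is downloaded from ISE via this authorization list.
cts authorization list CTS-LIST
! The device ID/password must match the network device entry in ISE (exec command):
!   cts credentials id FUSION-9300 password DEVICE-SECRET
!
! IP-to-SGT bindings arrive from ISE over SXP; the fusion switch is the listener.
cts sxp enable
cts sxp default source-ip 10.10.20.1
cts sxp default password SXP-SECRET
cts sxp connection peer 10.10.10.10 password default mode local listener
!
! Enforce SGACLs globally and on the VLANs that carry inter-VN traffic.
! Every binding and every policy cell now lives in this box (10k bindings on a
! 9300 per the thread), which is the scaling concern raised above.
cts role-based enforcement
cts role-based enforcement vlan-list 100,200
!
! --- Option 2: per-VRF SXP on the fabric border, enforcement stays on the edges ---
! Assumed VN/VRF names CAMPUS_VN and IOT_VN with per-VRF border source addresses.
cts sxp enable
cts sxp default password SXP-SECRET
cts sxp connection peer 10.10.10.10 source 10.20.1.1 password default mode local listener vrf CAMPUS_VN
cts sxp connection peer 10.10.10.10 source 10.20.2.1 password default mode local listener vrf IOT_VN
! No "cts role-based enforcement" on the border: the source SGT is looked up in
! the per-VRF IP-SGT table for traffic returning from the fusion device and is
! carried in the VXLAN header to the egress edge, which enforces the policy.
!
! --- Verification (either platform) ---
!   show cts sxp connections            (each peer, per VRF, must show state "On")
!   show cts role-based sgt-map all     (count learned bindings against the platform limit)
!   show cts role-based permissions     (policy downloaded from ISE; Option 1 only)
!   show cts role-based counters        (permit/deny hits per SGT pair; Option 1 only)
```

The practical check for either option is the binding count from `show cts role-based sgt-map all`: if the number of endpoints whose mappings must be present (all sources and destinations for Option 1, the sources in each VN for Option 2) approaches the platform limit, the design should move enforcement to a larger device.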
11-22-2019 10:45 AM
11-22-2019 11:25 AM
Thanks Mike,
Route leaking, or the lack of it, is just connectivity ON and OFF, which doesn't solve the problem. I don't want to rely on any prefix lists in SD-Access, because the main advantage of it is abstracting IP addresses from the endpoint.
I suspect that in the future the traffic between VNs won't have to traverse the fusion device but will be sorted out by the border itself. Unfortunately, right now it has to go via the fusion device, hence we lose the VXLAN header and the SGT with it.
I solved the problem in two different ways; I'm just not sure which one is more common or recommended in a scenario where you don't have a fusion firewall but a standard switch.
11-26-2019 10:47 AM
11-26-2019 11:01 AM
Thanks Mike
Well, I avoid route leaking in my setup because traffic out of the fabric routes to the legacy core by following the default route, and if the destination is in the fabric but in a different VN, it simply hairpins back. Route leaking would allow it to stay within the fusion device, but as we are getting ready for the firewall I didn't bother configuring it at this stage.
I found some documentation which says that a 9500 switch, for example, can hold 40k IP-SGT mappings while a 9300 switch can do 10k, so depending on the number of endpoints it is possible to enforce the policy on the fusion or border with SXP, and I think I will leave it on the bigger box for now, until we get an inter-VN firewall like Firepower that can take 1M IP-SGT mappings.
Thanks