How Are TrustSec Policies Managed over the WAN

jeramiah1945
Level 1

If I have deployed TrustSec and I have a user at a remote site who wants to access a resource, normally the switch will get the policy for that user from ISE located at the data center over the WAN. What happens if the WAN connection fails? Do I need an ISE at every location to protect from this? If the switch can't get a policy, what happens to my user's access request?

Accepted Solution

howon
Cisco Employee

You can use Critical authentication in case none of the ISE nodes are available to the network device:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-sy/sec-cts-15-sy-book/cts-critical-auth.html


7 Replies

Thank you, very useful

Ezy200044
Level 1

What are you guys using for CE to CE connections?  SXP over MPLS?

SXP is a valid method of spanning TrustSec domains across paths that don't support inline tagging. In large-scale deployments it requires proper planning to ensure that it scales appropriately. The total IP-SGT mapping count or the number of remote-site SXP connections will greatly influence the decisions made.

Another alternative is to set up a DMVPN overlay and leverage native inline tagging. In a perfect world you would have IWAN at all your sites and leverage inline tagging with DMVPN.

Appreciate the quick response. So over the WAN, inline tagging is not an option unless we use an overlay (ESP). We would build SXP peers between all the sites, and you are saying to make sure it's planned properly when it comes to IP-to-SGT mappings. I'm sure the routers would be some sort of ASR.

Thanks

Yes, you would need an overlay that is TrustSec SGT aware to accommodate inline tagging across the WAN. From an overlay perspective IPsec accommodates this, DMVPN just makes it easier to manage, and IWAN leverages both. I'm not aware of any carrier-provided transport that will support CTS inline, but I have not looked into it.

The ISE and TrustSec BU have been working on scaling with SXP recently, and ISE v2.4 brought enhancements in this area. In some environments you may be able to use ISE nodes as the central SXP connection point.

One method of scaling SXP in large environments is to leverage dedicated ASRs as your central collection point. You would place these ASRs in the data center(s) and then feed mappings from the reflectors to other remote sites/enforcement points.

SXP scaling numbers with ISE 2.4

ISE Performance & Scale

The end of this document also explores SXP and IP-SGT mapping scaling from a theoretical point of view. I have found that a lot of it comes down to how equipment is being utilized vs. how scale testing is performed. Total IP-SGT mappings in combination with total SXP connection count will impact scale.

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-system-bulletin.pdf

If you are going down a path of TrustSec enforcement in a large environment I would recommend engaging the TrustSec BU before starting.
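A sketch of the reflector design described in the reply above, added here as an example and not taken from the thread or from any Cisco document. The addresses, SGT value and server prefix are constructed, the SXP password is a placeholder, and the ISE side of the SXP connection is assumed to be configured in the ISE GUI. A data-center ASR listens to ISE and re-advertises the learned IP-SGT mappings to each remote-site enforcement switch, so the remote switch never needs its own SXP session to ISE:

```ios
! ---- Data-center ASR acting as the SXP reflector (constructed addresses) ----
cts sxp enable
cts sxp default source-ip 10.0.0.1
cts sxp default password EXAMPLE-SXP-PASSWORD
! Learn IP-SGT mappings from ISE (ISE is the speaker; assumed at 10.0.0.10)
cts sxp connection peer 10.0.0.10 password default mode local listener
! Re-advertise everything learned to the remote-site enforcement switches
cts sxp connection peer 10.1.1.1 password default mode local speaker
cts sxp connection peer 10.1.2.1 password default mode local speaker
! Optional static mapping for a data-center server subnet with no ISE session
cts role-based sgt-map 10.10.20.0/24 sgt 10
!
! ---- Remote-site enforcement switch (listener only, constructed addresses) ----
cts sxp enable
cts sxp default source-ip 10.1.1.1
cts sxp default password EXAMPLE-SXP-PASSWORD
! Single SXP session to the data-center reflector instead of one per ISE node
cts sxp connection peer 10.0.0.1 password default mode local listener
cts role-based enforcement
!
! ---- Verification on either device ----
show cts sxp connections brief
show cts role-based sgt-map all
```

Every mapping the reflector holds counts against the listener's IP-SGT capacity, so the per-platform mapping limits in the bulletin linked above apply to the remote switches as much as to the ASR.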

Thanks Damien.  Makes perfect sense.