10-20-2018 07:24 AM
Hi,
Are there any best practices for TrustSec? When should I replace the TrustSec password (it is an unsafe environment)?
Thank you
10-20-2018 01:14 PM
Most of the ISE best practices also apply when deploying TrustSec, since the majority is authentication/authorization.
Beyond the link already provided...
One thing to keep in mind is how you will carry the SGTs across the WAN (if required). I can tell you first hand that scaling SXP can be a challenge: it works great until it just doesn't. If you can, inline tagging is the way to go; the only problem there is that Cisco SD-WAN (Viptela) doesn't support inline tagging yet, only DMVPN/IWAN. This isn't a problem in small environments, but as tag counts and site counts increase you eventually just run into scaling limitations.
Another piece I would recommend is configuration validation. If doing inline tagging in the LAN then you will be implementing cts manual on the uplinks. Since carrying the SGT involves adding data to the header, the MTU is adjusted in the background. If you apply cts manual on only one side of a link you will start dropping packets short of the 1500 default MTU. Have implementation engineers confirm pings of 1500 bytes still pass; it catches some high-impact issues before they move on from a site.
I've dealt with some teething issues with TrustSec; here are some software versions that work well for me. Testing/piloting is a must since everyone uses different features that all interact differently.
ISR4k 16.3.6+
ISR2/3k 15.5.3+
Cat3k 3.7.5 (or 16.6.4, but it has a fragmented UDP issue with DHCP snooping)
Cat9k 16.6.4
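One way to automate the 1500-byte validation the reply above recommends, as an added example that is not part of this thread: a small Python probe that searches for the largest DF-marked ping size that still passes, so a one-sided cts manual uplink shows up as a measured MTU deficit rather than as vague intermittent drops. The `ping -M do` invocation assumes an iputils ping on a Linux host at the site; the simulated link and its 8-byte inline-tag overhead are constructed for the offline run and are an assumption, not a value taken from the thread.

```python
import subprocess
from typing import Callable, Dict

EXPECTED_MTU = 1500          # default IP MTU the reply says must still pass end to end
ICMP_IP_OVERHEAD = 28        # 20-byte IPv4 header + 8-byte ICMP header

def linux_ping_probe(host: str, mtu: int) -> bool:
    """Send one DF-marked ICMP echo whose IP packet is exactly `mtu` bytes.
    Assumes iputils ping on Linux: -M do sets DF, -s is the ICMP payload size."""
    payload = mtu - ICMP_IP_OVERHEAD
    result = subprocess.run(
        ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host],
        capture_output=True,
    )
    return result.returncode == 0

def largest_passing_mtu(probe: Callable[[int], bool], lo: int = 1000,
                        hi: int = EXPECTED_MTU) -> int:
    """Binary-search the largest IP packet size in [lo, hi] that the probe confirms.
    Returns lo - 1 if even `lo` fails (link is broken outright, not an MTU mismatch)."""
    if probe(hi):
        return hi
    if not probe(lo):
        return lo - 1
    while hi - lo > 1:            # invariant: probe(lo) passes, probe(hi) fails
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo

def validate_link(probe: Callable[[int], bool], expected: int = EXPECTED_MTU) -> Dict[str, int]:
    """Report whether the expected MTU passes and, if not, by how many bytes it falls short."""
    best = largest_passing_mtu(probe, hi=expected)
    return {"passes_expected": best == expected,
            "largest_passing": best,
            "deficit": expected - best}

# Constructed link model (assumption): one uplink adds the inline SGT header,
# taken here as 8 bytes, while its peer was never configured, so IP packets
# larger than 1492 bytes no longer fit and are dropped.
def simulated_one_sided_cts(mtu: int) -> bool:
    return mtu <= EXPECTED_MTU - 8

if __name__ == "__main__":
    print(validate_link(simulated_one_sided_cts))
```

Against a real site, pass `lambda m: linux_ping_probe("<far-end address>", m)` as the probe and treat any non-zero deficit as a reason to compare the cts manual configuration on both ends of the link.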
10-20-2018 12:31 PM
Please check out the available guides at Cisco TrustSec.
In case of dealing with different security zones, we should use different sets of passwords but still try to secure the access to the control planes as much as possible.