Trustsec best practices

maladi17
Level 1

Hi,

Are there any best practices for TrustSec? When should I replace a TrustSec password (it is an unsafe environment)?

Thank you

Accepted Solution

Damien Miller
VIP Alumni

Most of the ISE best practices also apply when deploying TrustSec, since the majority is authentication/authorization.

Beyond the link already provided:

One thing to keep in mind is how you will carry the SGTs across the WAN (if required). I can tell you first-hand that scaling SXP can be a challenge; it works great until it just doesn't. If you can, inline tagging is the way to go. The only problem there is that Cisco SD-WAN (Viptela) doesn't support inline tagging yet, only DMVPN/IWAN. This isn't a problem in small environments, but as tag counts and site counts increase you eventually just run into scaling limitations.

Another piece I would recommend is configuration validation. If doing inline tagging in the LAN, then you will be implementing cts manual on the uplinks. Since carrying the SGT involves adding data to the header, the MTU is adjusted in the background. If you apply cts manual on only one side of a link, you will start dropping packets short of the 1500-byte default MTU. Have implementation engineers confirm that pings of 1500 bytes still pass; it catches some high-impact issues before they move on from a site.

I've dealt with some teething issues with TrustSec; here are some software versions that work well for me. Testing/piloting is a must, since everyone uses different features that all interact differently.

ISR4K: 16.3.6+

ISR2K/3K: 15.5.3+

Cat3K: 3.7.5 (or 16.6.4, but it has a fragmented UDP issue with DHCP snooping)

Cat9K: 16.6.4
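One way to script the 1500-byte ping validation recommended above, run from a Linux host on each side of an uplink, as an added example that is not code from the original post. It assumes iputils ping (where -M do sets the DF bit and -s is the ICMP payload size); the peer addresses are constructed placeholders.

```python
"""Check that full-size (1500-byte IP) packets still cross a link after
'cts manual' is enabled. A DF-bit ping that fails on an otherwise healthy
link is the symptom of the SGT header being added on only one side."""
import re
import subprocess

IP_HEADER = 20    # bytes, IPv4 header without options
ICMP_HEADER = 8   # bytes, ICMP echo header


def icmp_payload(ip_mtu: int = 1500) -> int:
    """ICMP payload size that produces an IP packet of exactly ip_mtu bytes."""
    return ip_mtu - IP_HEADER - ICMP_HEADER


def parse_ping_summary(output: str) -> tuple:
    """Return (transmitted, received) from a ping summary line.
    Accepts both 'N received' (iputils) and 'N packets received' (BSD)."""
    m = re.search(r"(\d+) packets transmitted, (\d+) (?:packets )?received", output)
    if not m:
        raise ValueError("no ping summary found in output")
    return int(m.group(1)), int(m.group(2))


def link_verdict(transmitted: int, received: int) -> str:
    """PASS when every DF-bit probe arrived; FAIL when full-size frames are
    being dropped; ERROR when nothing was sent at all."""
    if transmitted == 0:
        return "ERROR"
    return "PASS" if received == transmitted else "FAIL"


def probe_link(peer: str, ip_mtu: int = 1500, count: int = 3) -> str:
    """Send `count` DF-bit pings sized to ip_mtu at `peer` and classify the result.
    Assumes iputils ping: '-M do' forbids fragmentation, '-s' sets the payload."""
    cmd = ["ping", "-c", str(count), "-M", "do", "-s", str(icmp_payload(ip_mtu)), peer]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    try:
        return link_verdict(*parse_ping_summary(proc.stdout))
    except ValueError:
        return "ERROR"   # e.g. name resolution failure, no summary printed


if __name__ == "__main__":
    # Constructed placeholder addresses for the far side of each uplink.
    for peer in ["192.0.2.2", "192.0.2.6"]:
        print(f"{peer}: {probe_link(peer)}")
```

Run it from both ends of every link where cts manual was applied; a FAIL on a link that passes smaller pings points at the one-sided configuration described above.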


hslai
Cisco Employee

Please check out the available guides at Cisco TrustSec.

When dealing with different security zones, we should use different sets of passwords, but still try to secure access to the control planes as much as possible.
