Migrating from Default Permit to Default Deny in Trustsec Policies

kaachary
Cisco Employee

Hi Team,

One of my customers with an existing SDA deployment has asked us to help them move from "Default permit" to "Default Deny" in the Trustsec policies. Since this is a brownfield deployment, we are a little skeptical about doing this without getting the information on "what all to allow".

We have received the information about all destinations that each specific SGT needs to access. The question is mostly about traffic that is not known and not tagged at this time, e.g. Control Plane and Management traffic from the switches.

We would like to know the best approach to handle this without impacting the production. I can think of a couple of approaches, but need to know the additional details:

1: Putting the default deny in Trust Matrix in "Monitor" mode with log keyword in SGACL. This way we can monitor what all is hitting the deny rule, and then open accordingly.

2: Allowing all traffic to and from "Trustsec_Devices" SGT to "Unknown" SGT to cater to the control plane and management traffic.

The first one seems time-consuming and will probably require us to go through a huge chunk of logs. The second approach has security issues. I was unable to find any documentation which provides a list of all control plane and management services that need to be opened in these scenarios. We would like to know how other customers have handled this.

Please provide your valuable inputs.
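One way to digest the logs that the first approach (logged deny in monitor mode) generates, as an added example that is not part of the original thread: a small Python script that aggregates SGACL-hit syslog messages per source/destination SGT pair and drafts a candidate SGACL for one cell of the matrix. It assumes the key='value' layout of the %RBM-6-SGACLHIT message shown in the constructed sample lines below; verify the field names against your own switch output before relying on it.

```python
import re
from collections import Counter, defaultdict

# Matches key='value' pairs such as sgt='10' or dest-port='443'.
# Field names follow the %RBM-6-SGACLHIT layout as assumed here (check your platform).
FIELD_RE = re.compile(r"(\w[\w-]*)='([^']*)'")

# Constructed sample syslog lines (not real customer data).
SAMPLE_LOG = [
    "Jan 10 10:00:01 sw1 %RBM-6-SGACLHIT: ingress_interface='Gi1/0/1' sgacl_name='Deny_Log' action='Deny' protocol='tcp' src-ip='10.1.1.5' src-port='51000' dest-ip='10.9.0.10' dest-port='443' sgt='10' dgt='20' logging_interval_hits='3'",
    "Jan 10 10:00:07 sw1 %RBM-6-SGACLHIT: ingress_interface='Gi1/0/2' sgacl_name='Deny_Log' action='Deny' protocol='tcp' src-ip='10.1.1.6' src-port='51002' dest-ip='10.9.0.10' dest-port='443' sgt='10' dgt='20' logging_interval_hits='2'",
    "Jan 10 10:00:09 sw1 %RBM-6-SGACLHIT: ingress_interface='Gi1/0/1' sgacl_name='Deny_Log' action='Deny' protocol='udp' src-ip='10.1.1.5' src-port='40000' dest-ip='10.9.0.11' dest-port='161' sgt='10' dgt='20' logging_interval_hits='1'",
    "Jan 10 10:00:12 sw1 %RBM-6-SGACLHIT: ingress_interface='Gi1/0/24' sgacl_name='Deny_Log' action='Deny' protocol='tcp' src-ip='10.0.0.2' src-port='33000' dest-ip='10.0.0.1' dest-port='22' sgt='2' dgt='0' logging_interval_hits='5'",
    "Jan 10 10:00:15 sw1 %RBM-6-SGACLHIT: ingress_interface='Gi1/0/3' sgacl_name='Permit_Web' action='Permit' protocol='tcp' src-ip='10.1.1.7' src-port='51010' dest-ip='10.9.0.12' dest-port='80' sgt='10' dgt='30' logging_interval_hits='9'",
    "Jan 10 10:00:20 sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

def parse_sgacl_hit(line):
    """Return the key/value fields of one SGACL-hit line, or None if it is not one."""
    if "%RBM-6-SGACLHIT:" not in line:
        return None
    return dict(FIELD_RE.findall(line.split("%RBM-6-SGACLHIT:", 1)[1]))

def summarize_hits(lines, action="Deny"):
    """Aggregate hits by (sgt, dgt) -> Counter of (protocol, dest-port) -> hit count.
    Only lines with the requested action (default: Deny) are counted, so the result
    is the list of flows that would break once the matrix moves to default deny."""
    summary = defaultdict(Counter)
    for line in lines:
        f = parse_sgacl_hit(line)
        if not f or f.get("action") != action:
            continue
        hits = int(f.get("logging_interval_hits", "1"))
        cell = (f.get("sgt", "?"), f.get("dgt", "?"))
        summary[cell][(f.get("protocol", "?"), f.get("dest-port", "-"))] += hits
    return summary

def candidate_sgacl(summary, sgt, dgt):
    """Draft an explicit SGACL for one matrix cell from the observed flows.
    Each observed protocol/port becomes a permit; the cell still ends in a logged deny
    so anything not yet reviewed keeps showing up in the logs."""
    entries = []
    for (proto, dport), _hits in sorted(summary.get((sgt, dgt), {}).items()):
        entries.append(f"permit {proto}" if dport in ("-", "?", "") else f"permit {proto} dst eq {dport}")
    entries.append("deny ip log")
    return entries

if __name__ == "__main__":
    s = summarize_hits(SAMPLE_LOG)
    for cell, flows in sorted(s.items()):
        print(f"SGT {cell[0]} -> DGT {cell[1]}: {dict(flows)}")
    print("\n".join(candidate_sgacl(s, "10", "20")))
```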
