0 Replies. Latest reply: Dec 6, 2017 5:47 AM by jose.tamayo.segarra

SD-Access, the hidden TrustSec requirement

jose.tamayo.segarra

Hi everyone,


I have been reading about DNA-Center for some days now, and I guess that TrustSec is a strong requirement to use the Policy feature, and I did not find it clearly stated. Without this, DNA-Center just creates an insecure, flat single-VLAN LAN.


In DNA-Center, the Policy app makes sense only on an SD-Access LAN, correct me if not. From what I see, Policy definitions need ISE to be fully integrated and fully configured to the TrustSec level (groups created, SGT tags). So I can see 4 cases, please correct me if I missed something:

  • If the LAN is legacy, no TrustSec, then the only thing DNA-Center will do is put all SW access ports into the site VLAN, and that is it. Not even a default ACL on ports, or 802.1X authentication on SW ports.
  • If the traditional (not SD-Access) LAN is TrustSec-ready, then I will have an ISE properly prepared and DNA-Center will ease the task of creating the policies, but I can already do this without DNA-Center. Will DNA-Center also import the defined policies from ISE, or only the group definitions?
  • In the case of an SD-Access LAN, if there is no TrustSec-prepared ISE (policies, groups, pxGrid, etc.), then my LAN cannot have any policies, so back to a single-VLAN LAN.
  • Only in the case of SD-Access with a fully powered, TrustSec-ready ISE can the LAN enforce the security policies.


I know, lots of questions... but not having DNA-Center to play with, and relying only on videos/presentations/marketing material... I sincerely felt I had to work out the guts of DNA-Center from a bunch of marketing talk.


I would like to have this clear to make a solid business case (a real one, with design, architecture and process behind it) that will choose the correct elements and appliances for the specific client's needs. Perhaps SD-Access makes sense only for companies using, or willing to fully integrate, ISE and TrustSec (DNA-Center has its own benefits alone, of course).


Sorry for the long post.