8 Replies Latest reply: Jun 13, 2018 11:49 AM by csolder RSS

SD-Access without TrustSec

jose.tamayo.segarra

Hi everyone,

 

For SD-Access, the nice cool feature is having a software policy-based LAN segmentation. This needs, of source, a TrustSec-ready ISE, a TrustSec security policy and all.

 

How will SD-Access behave without TrustSec? Does it make sense to propose SD-Access without TrustSec?

  • 1. Re: SD-Access without TrustSec
    csolder

    Hi Jose

    In the current implementation of SD-Access, ISE is a mandatory element in the solution. We use ISE to not only authenticate and authorize the on-boarding of hosts into the SD-Access fabric, but also to push policy to the fabric edge nodes that is eventually carried in users data packets as they traverse the fabric. While policy is defined in the DNA-C UI, the actual policy is stored in ISE. Net-Net you will need to include ISE in any SD-Access deployments that you plan.

  • 2. Re: SD-Access without TrustSec
    tlj0062000

    This is not accurate in DNAC 1.1, you can deploy SDA without ISE/TrustSec. You just won't be able to do any end point segmentation (SGT's). But you would gain endpoint mobillity and macro-segmentation benefits(VRF), as well as several other benefits.  You could use another product for 802.1X, it just couldn't be used with SDA unless their is PxGrid support and it is interoperable with DNAC.

  • 3. Re: SD-Access without TrustSec
    csolder

    That was my point. SD-Access by definition is about providing both macro and micro segmentation. Without ISE then you do not really have SD-Access. You just have a fabric and VN.

  • 4. Re: SD-Access without TrustSec
    tlj0062000

    Your statement was that "ISE is a mandatory element in the solution". That is inaccurate, since it implies you cannot do SDA without ISE. And not sure where you got your definition of SDA but it provides much more then just micro and macro seg. A fabric and a VN (along with LISP/VXLAN) is indeed SDA if it is being managed with DNAC.

     

    Although I agree you do lose most of the value of SDA (dot1x, CTS, contextual data in assurance) without it. And I cannot figure out why an organization wouldn't use ISE since the licensing is included with the SDA license (DNA Advantage).

     

    Just disagree with your broad statements.

     

    I think we both see the value of SDA, as a complete solution we just need to be careful mixing facts with opinions and causing more confusion.

  • 5. Re: SD-Access without TrustSec
    csolder

    Good question on where I get my definition of SDA   I currently own technical strategy for SDA here at Cisco, and I am also one of the original engineering team members who brought SDA to life here at Cisco. From it’s inception, policy has been both fundamental and a foundational element for SDA. You are right that DNAC can create a fabric and create VNs etc without ISE, and you can get many benefits but by our original definition and vision of SDA it is not SDA without policy. Sorry to be pedantic.

  • 6. Re: SD-Access without TrustSec
    tlj0062000

    i Guess we will agree to disagree on definition. Foundational and fundamental is different then required. Given your role at Cisco  and how you define SDA, advise developers to remove the optional DNA-C ISE integration

  • 7. Re: SD-Access without TrustSec
    csolder

    Respectfully we should not agree to disagree. I would ask that you help us by aligning to our common definition of SDA.  The definition you are using is incorrect sorry and is not aligned to what our teams are telling the many customers we meet with. If there are inconsistencies in our documentation then I can have our teams correct this. Do let me know where you see those and we can have them fixed.

     

    Also note note your earlier statement about using another device (not ISE) to do 802.1x is supported  but still requires ISE to be a proxy to that external authentication device. This might change in the future but is the way it works even with the recently released 1.2 version.

  • 8. Re: SD-Access without TrustSec
    csolder

    I should also add I confirmed with our engineering team that we have not validated running SDA “without” ISE and as such if a customer were to run this and hit a problem they would likely not be supported by TAC. Hence again I would respectfully ask that you let your peers and customers know that SDA 1.0, 1.1 and 1.2 does require ISE.

     

    Thank you