ZNDP 009 – Demystifying Cisco’s SD-Access (SDA): Cisco TrustSec with Mike McPhee

Welcome back Nerds, Geeks, and Ziglets for another episode of the Zigbits Network Design Podcast (ZNDP), where Zigabytes are faster than Gigabytes. As always, our goal is to provide you with real world context around technology. I’m Michael Zsiga, also known as Zig, and I am your host. With today’s episode we start the process of demystifying Cisco’s SD-Access (SDA) with a show dedicated to Cisco TrustSec. Helping the Ziglets to accomplish this goal is my good friend Mike McPhee!

1. High level summary of technology solution

TrustSec is one of the longest-tenured campus software-defined network segmentation approaches in active use. Rather than relying on VXLAN or VLAN-based logical separation, TrustSec uses a large variety of attributes and intel gleaned from the authentication of the user and device to automatically assign each client to a Secure Group. These Secure Groups are generated, and their access restrictions articulated and managed, in a single place – graphically via Cisco Identity Services Engine (ISE). Policies and associations are then automatically updated on all of the participating network infrastructure devices – whether they be wired, wireless, or VPN.

While it is true that it was once Cisco proprietary, it was submitted by Cisco to the IETF and is supported on both Cisco and compatible 3rd party equipment. ISE is the only explicitly required element.
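
To make the classify-then-enforce model concrete, here is a small Python sketch added for this write-up (it is not Cisco's, ISE's, or the show's code). The group names, tag values, attribute checks and policy cells are all constructed; the point it shows is that the enforcement decision is keyed on the Secure Group of each side, not on the endpoint's IP address or VLAN, so a roaming endpoint keeps the same policy and a policy change happens in one matrix.

```python
from dataclasses import dataclass

# Constructed Secure Group names and tag values (illustrative, not real SGT numbers).
SGT = {"Employees": 4, "Contractors": 5, "IoT_Cameras": 10, "Servers": 20, "Unknown": 0}

# Constructed group-to-group policy matrix. A missing cell means deny, so the
# matrix is default-deny and only the permitted pairs need to be written down.
POLICY = {
    ("Employees", "Servers"): True,
    ("Employees", "Employees"): True,
    ("Contractors", "Servers"): True,
    ("IoT_Cameras", "Servers"): True,
}


@dataclass
class AuthResult:
    """Attributes a NAC head-end learns when an endpoint authenticates (constructed)."""
    user: str
    auth_method: str        # e.g. "dot1x" for 802.1X, "mab" for MAC auth bypass
    device_profile: str     # e.g. "Windows-Workstation", "IP-Camera"
    posture_compliant: bool


def classify(auth: AuthResult) -> str:
    """Map authentication/profiling attributes to a Secure Group.
    Stand-in for the central authorization policy; every rule here is made up."""
    if auth.auth_method == "mab" and auth.device_profile == "IP-Camera":
        return "IoT_Cameras"
    if auth.auth_method == "dot1x" and auth.posture_compliant:
        if auth.user.endswith("@contractor.example"):
            return "Contractors"
        return "Employees"
    return "Unknown"           # no match: least-privilege group, nothing permitted


def permitted(src_group: str, dst_group: str) -> bool:
    """Enforcement-point lookup: the decision uses only the two group tags."""
    return POLICY.get((src_group, dst_group), False)


def decide(auth: AuthResult, src_ip: str, dst_group: str) -> bool:
    """Full path for one flow. src_ip is accepted only to make the point that it
    plays no part in the verdict: the same endpoint on a new subnet gets the same answer."""
    return permitted(classify(auth), dst_group)
```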

2. High Level Business Requirements & Constraints (00:03:55)

  • Ease of use vs. segmentation overhead
    • Security advantages of segmentation
    • VLAN & ACL – based approach explodes in complexity
  • Highly dynamic endpoint mobility vs. risk
  • Profiling & Posture
    • Remediation flexibility
    • Performance and impact to end users
  • Integration with other security elements
  • Up-front installation/deployment
  • Support for growth and scale
    • Size of organization
    • Branches & datacenter topology
    • Split-brain or fail-to-local
  • IoT and BYOD
  • CAPEX and OPEX concerns
  • Brownfield Considerations
    • Pilot deployments
    • Augmenting existing VLAN & ACL -based approaches
  • Intent-based networking (SD-Access)

3. Full list of technical solutions that were compared (00:50:09)

VLAN-based approaches

  • L2 separation using VLANs, restrictions between segments enforced through L3 IP ACLs
    • Pros: Pretty universally supported on enterprise equipment, doesn’t necessarily need a NAC head-end
    • Cons: Scales poorly, labor-intensive and hard to keep current (managing VLAN, ACL, DHCP, routing, etc. for every segment). Can be a bear to troubleshoot.
    • Would be selected in older architectures, budget-first mentality, and in extensive multi-gen mixed vendor environments. Heaviest competing solution to TrustSec – often the 1st generation of segmentation that begets a move to TrustSec when it gets unruly.

VXLAN

  • Some newer approaches (mostly in the SDN space) attempt to manage segmentation using a combination of VXLAN and EVPN.
    • Pros: Can meld well with some DC segmentation approaches.
    • Cons: Extensive science project for partner and customer to orchestrate. Only a limited subset of equipment can support it, depending on implementation. Steep learning curve for operators without sufficient automation and abstraction.
    • Would be a good choice in greenfield deployments with experts on staff and where VXLAN is already preferred in the DC. Most likely too much for typical territory accounts – a bigger play in advanced enterprises, and even then unlikely to be the sole approach.

Virtual FW/EMM

  • Rather than leverage 802.1X or infrastructure enforcement, deploys an agent to act on behalf of the policy manager and enforce policies.
    • Pros: Couldn’t care less what the underlying infrastructure is – completely agnostic so long as a SPAN or tap architecture is in place.
    • Cons: Not all endpoints can support agents, and there are too many variables to contend with. Apprehension about yet another client. Assumes willing submission to install. Unable to counter aggressive network intrusions. Depending on deployment details, users can hamper or disable functionality.
    • Viable, easy-button option in single-site installs with homogeneous endpoint deployments, strict user privileges, and light security needs. Most financials find they need greater network-based protection, and healthcare and manufacturing need to accommodate a ton of Internet of Things devices, so this falls apart.

MPLS/VRF-Lite

  • Some use in larger enterprises; takes advantage of VRFs and potentially MPLS to provide segmentation.
    • Pros: Rock-solid and explicit. Can be a workhorse for multi-enclave environments when paired with IPsec.
    • Cons: Rock-solid and explicit 😉 Too static and inflexible for dynamic endpoint activities. Requires expertise and patience. Network devices must support it. Managing boundaries between WLAN and LAN can be interesting.
    • Would be a part of a solution for government or large institution networks where multi-tenancy is a big thing. Not really considered in smaller territory accounts like mine.

Hosted By: Michael “Zig” Zsiga

Guest Expert: Mike McPhee

Thank you for the podcast reviews!

  • Amr Abdulbari, a fellow Cisco Champion, from Saudi Arabia said: “I discovered this podcast as I was searching for anything regarding Cisco Live, and it has a lot of information and I really like it... there are not many podcasts about computer networking out there, but this is one of the best.”

Thank you for the iTunes reviews, as they sincerely motivate me to continue to give back to this community that I love. If you enjoy the podcast and the information I share, please feel free to write your own personalized review on iTunes!

Transparency:

This post may contain affiliate links to products or services where I may receive a level of compensation from your actions by following those links. This is seamless to you and does not add any additional cost to the products or services in question. In addition, I do not let any affiliate relationship cloud my judgement or my recommendation of a product or service. My recommendations will always be above reproach. This is my commitment to you, Ziglets!

Michael “Zig” Zsiga II, CCDE™ 2016::32, CCIE™ #44883, has been in the networking industry a little over 15 years. He is currently a Lead Technical Architect at ePlus in the New England region of the United States. Zig holds an active CCDE and two CCIE certifications, one in Routing and Switching and the second in Service Provider. Zig also holds a Bachelor of Science in Computer Science from Park University. Zig is a father, a husband, a United States Marine, a gamer, a nerd, a geek and a big soccer fan. Zig loves all technology and can usually be found in the lab learning and teaching others. Zig is a co-organizer of The Boston Network Operators Group (www.bosnog.org), runs multiple CCIE study groups, and is a newly published author. Zig lives in New Hampshire, USA with his wife, Julie, and their son, Gunnar.