Cisco SDA & VXLAN
Dear CheckMates,
I have a customer who is going to use Cisco SDA with VXLAN for deployment of new greenfield sites (this is already decided).
They wish to use the SGT provided in the VXLAN headers to be able to create policies in their R81.20 Security Gateways.
We are currently investigating how to get this working by trying to install the Check Point Identity Collector and integrating it with the Cisco ISE. This is proving to be harder than expected. I will open a dedicated topic on that subject if our latest attempts fail.
In the meantime, I was wondering if there was any way to use the VXLAN capabilities of the R81.20 SG directly without having to get an IDC involved?
All ideas/suggestions are welcomed.
Andrew
Labels: Identity Awareness
I do not think SGT/TrustSec works without the IDC.
You need the IDC to learn the SGTs mapped to the IP address.
You need CloudGuard to learn what SGTs are configured on the ISE (via SmartConsole DataCenter Object).
Then you can create Access Roles based on the SGT and use it in the Policy.
About the Cisco SDA+VXLAN part: funnily enough, I also have something like this in mind to connect specific sites to the HQ via VXLAN.
Short explanation:
New Site connected via MPLS to the HQ.
Main Objective: minimize hardware usage on the site.
Idea: create a VXLAN between the site switch (Cisco Catalyst 9500) and the HQ Check Point. The VXLAN terminates on the HQ Check Point and, based on the SGTs, the site's devices are allowed to access the HQ LAN.
I do not know if this is even possible.
What is the specific objective of your customer?
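For reference on what "the SGT provided in the VXLAN headers" actually looks like on the wire: Cisco SDA encapsulates with VXLAN-GPO (draft-smith-vxlan-group-policy), where the 16-bit Group Policy ID field carries the SGT when the G flag is set, and the inner frame carries the endpoint IP that the SGT applies to. The parser below is an added example written for this thread, not code from the original posts or from Check Point or Cisco; the packets, VNI 8188, SGT 10 and the addresses are constructed inline and arbitrary. It shows the IP-to-SGT pairing a gateway terminating the VXLAN could read directly from each packet, which is the same mapping the IDC otherwise learns from ISE, and it also shows the failure mode where the sender does not set the G bit and no SGT is available at all.

```python
"""Extract the SGT (Group Policy ID) and inner endpoint IPs from a VXLAN-GPO packet.

VXLAN-GPO header, 8 bytes after the outer UDP header (draft-smith-vxlan-group-policy):
  byte 0   : flags, G = 0x80 (Group Policy ID present), I = 0x08 (VNI valid)
  byte 1   : GPO flags (D = 0x40 "don't learn", A = 0x08 "policy applied")
  bytes 2-3: Group Policy ID, i.e. the SGT (only meaningful when G is set)
  bytes 4-6: VNI, 24 bits
  byte 7   : reserved
"""
import struct
from dataclasses import dataclass
from typing import Optional

VXLAN_UDP_PORT = 4789
FLAG_G = 0x80
FLAG_I = 0x08
ETHERTYPE_IPV4 = 0x0800


@dataclass
class VxlanInfo:
    vni: int
    sgt: Optional[int]          # None when the sender did not set the G bit
    inner_src: Optional[str]    # inner IPv4 addresses, None if inner frame is not IPv4
    inner_dst: Optional[str]


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_vxlan_payload(payload: bytes) -> VxlanInfo:
    """payload is the UDP payload: VXLAN(-GPO) header followed by the inner Ethernet frame."""
    if len(payload) < 8:
        raise ValueError("VXLAN header truncated")
    flags, _gpo_flags, gpid = struct.unpack("!BBH", payload[:4])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: not a valid VXLAN header")
    vni = int.from_bytes(payload[4:7], "big")
    # Without the G bit, bytes 2-3 are reserved and must not be read as an SGT.
    sgt = gpid if flags & FLAG_G else None
    inner_src = inner_dst = None
    inner = payload[8:]
    if len(inner) >= 14 + 20 and struct.unpack("!H", inner[12:14])[0] == ETHERTYPE_IPV4:
        ip = inner[14:]
        inner_src, inner_dst = _ipv4(ip[12:16]), _ipv4(ip[16:20])
    return VxlanInfo(vni, sgt, inner_src, inner_dst)


def parse_outer_ipv4(packet: bytes) -> VxlanInfo:
    """Walk the outer IPv4 + UDP headers, accept only UDP/4789, then parse the VXLAN payload."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("outer packet is not IPv4/UDP")
    _sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP dst port {dport} is not VXLAN")
    return parse_vxlan_payload(packet[ihl + 8:ihl + ulen])   # ulen includes the 8-byte UDP header


# --- constructed sample packets (not captured traffic) ---------------------------------

def build_vxlan_gpo(vni: int, sgt: Optional[int], inner: bytes) -> bytes:
    """VXLAN header, with the GPO extension when an SGT is given, followed by the inner frame."""
    flags = FLAG_I | (FLAG_G if sgt is not None else 0)
    hdr = struct.pack("!BBH", flags, 0, sgt or 0) + vni.to_bytes(3, "big") + b"\x00"
    return hdr + inner


def build_inner_frame(src: str, dst: str) -> bytes:
    """Minimal inner Ethernet + IPv4 header (addresses only, no transport payload)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 20, 0, 0, 64, 6, 0)
    ip += bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
    return eth + ip


def build_outer(payload: bytes, src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """Outer IPv4 + UDP/4789 around a VXLAN payload (checksums left zero for the sample)."""
    udp = struct.pack("!HHHH", 50000, VXLAN_UDP_PORT, 8 + len(payload), 0)
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 20 + len(udp) + len(payload), 0, 0, 64, 17, 0)
    ip += bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
    return ip + udp + payload


INNER = build_inner_frame("10.20.1.50", "172.16.0.10")
# Fabric edge tagging the host with SGT 10 on VNI 8188 (values are arbitrary).
SAMPLE_WITH_SGT = build_outer(build_vxlan_gpo(8188, 10, INNER))
# Same flow from a VTEP that does not set the G bit: the gateway learns no SGT from the packet.
SAMPLE_NO_SGT = build_outer(build_vxlan_gpo(8188, None, INNER))

if __name__ == "__main__":
    for name, pkt in (("gpo", SAMPLE_WITH_SGT), ("plain", SAMPLE_NO_SGT)):
        print(name, parse_outer_ipv4(pkt))
```

Whether an R81.20 gateway exposes the Group Policy ID of a terminated VXLAN tunnel to the policy is the open question of this thread; the parser only makes explicit that the SGT is present per packet and only when the encapsulating device sets the G bit, whereas the IDC/ISE path supplies the IP-to-SGT mapping independently of the encapsulation.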
My customer is looking to deploy a greenfield site using all the fancy SDA possibilities provided by the Cisco SDA solution, and the network(s) will be routed through the Check Point R81.20 SG to the WAN.
Very simple network:
Rest of the World ---WAN -- CKP SG -- DMZ -- SDA network
So all the SDA elements are behind the DMZ interface and the only other interface in use is a Management interface (at this time). The future plan is to run this in ClusterXL mode.
I think maybe simple network diagram with objectives would help us, for sure.
Andy