Friday, November 19, 2021

Vendor-Independent SD Access/Access Layer Microsegmentation

We have a project going on to implement "personalized networking" -- essentially, microsegmentation at the access layer. The focus right now is on 802.1X, ISE, and TrustSec. There have been discussions about pushing DACLs after determining device type, but that's pretty well been rejected; the biggest objection is the platform limit on ACE entries (regardless of platform, but think Cisco and Juniper). Goals are to provide device classification, limit east/west traffic, and eliminate VLAN changes (our current NAC uses that, and what a nightmare).

What are people doing out there for vendor-independent microsegmentation-type solutions? I know EVPN has Group-Based Policies that can carry SGT information, and I've read that, theoretically, Cisco can advertise SGTs through GBP, but getting a unified picture of what's possible and what's out there these days is kind of nebulous. Cisco would want us to do -- ACI, I think? -- and Juniper would want us to do Mist.

This is a large hospital/medical environment, 100K access ports out in the network, so this is a large undertaking. Catalyst 9300 is our typical access switch, we've got some Juniper EX4300s out there, and we're waiting for more information/test gear of the EX4400. That said, we're open to the idea of third party/white box switching, so don't focus solely on Cisco/Juniper.

Whatever we do, we've worked hard to get rid of proprietary protocols over the last several years and want to minimize the dive back into them as much as possible. Pretty certain SGTs are in our future, but using GBP instead of SXP is a plus. VXLAN/EVPN control plane instead of VXLAN/LISP is a plus. Etc.
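As an added example (not from the original post), here is the wire-level encoding that a vendor-independent SGT transport over VXLAN relies on: the VXLAN-GBP header from the IETF draft-smith-vxlan-group-policy, which carries a 16-bit Group Policy ID alongside the VNI, plus the egress-side group-matrix lookup that replaces per-IP ACEs. The header layout follows that draft; the VNI, group numbers and permit matrix are constructed values, and the function names are my own.

```python
import struct

# Flag bits in the first two bytes of the VXLAN-GBP header
# (layout per draft-smith-vxlan-group-policy; bit positions assumed from it).
FLAG_G = 0x80  # byte 0: Group Based Policy extension present
FLAG_I = 0x08  # byte 0: VNI field is valid (standard RFC 7348 flag)
FLAG_D = 0x40  # byte 1: Don't Learn the source address
FLAG_A = 0x08  # byte 1: policy already applied upstream

def build_vxlan_gbp(vni: int, group_id: int, applied: bool = False, dont_learn: bool = False) -> bytes:
    """Build the 8-byte VXLAN header with the GBP extension carrying group_id (e.g. an SGT)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= group_id < (1 << 16):
        raise ValueError("Group Policy ID must fit in 16 bits")
    b0 = FLAG_G | FLAG_I
    b1 = (FLAG_D if dont_learn else 0) | (FLAG_A if applied else 0)
    # bytes 0-3: flags + Group Policy ID; bytes 4-6: VNI; byte 7: reserved (zero)
    return struct.pack("!BBH", b0, b1, group_id) + (vni << 8).to_bytes(4, "big")

def parse_vxlan_gbp(hdr: bytes) -> dict:
    """Decode the header; group_id is None when the G bit is clear (plain VXLAN, no tag)."""
    if len(hdr) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    b0, b1, gid = struct.unpack("!BBH", hdr[:4])
    if not b0 & FLAG_I:
        raise ValueError("I flag clear: VNI not valid")
    gbp = bool(b0 & FLAG_G)
    return {
        "vni": int.from_bytes(hdr[4:7], "big"),
        "group_id": gid if gbp else None,
        "policy_applied": bool(b1 & FLAG_A) if gbp else False,
        "dont_learn": bool(b1 & FLAG_D) if gbp else False,
    }

# Constructed (source group, destination group) permit matrix, default deny.
# Entry count grows with the number of groups, not endpoints, which is why
# tag-based enforcement sidesteps the per-IP ACE limit.
PERMIT = {(2003, 2010), (2003, 2003)}

def egress_permitted(hdr: bytes, dst_group: int) -> bool:
    """Egress VTEP decision: permit only if (src tag from header, dst group) is in the matrix."""
    src = parse_vxlan_gbp(hdr)["group_id"]
    return src is not None and (src, dst_group) in PERMIT

# Constructed sample: VNI 10100 carrying SGT 2003 from the ingress VTEP.
SAMPLE = build_vxlan_gbp(vni=10100, group_id=2003)
```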
