https://community.cisco.com/t5/network-access-control/enforcing-external-sda-fabric-traffic/m-p/4391697#M566832 <P>Take a look at the CTS allow-list model (default deny IP) with SDA:&nbsp;<A href="https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/dna-center/215516-trustsec-whitelist-model-with-sda.html#anc0" target="_blank">Cisco ISE TrustSec Allow-List Model (Default Deny IP) With SDA - Cisco</A></P> <P>HTH!</P> Thu, 22 Apr 2021 17:20:45 GMT Mike.Cifelli 2021-04-22T17:20:45Z https://community.cisco.com/t5/network-access-control/enforcing-external-sda-fabric-traffic/m-p/4315427#M566503 <P>Hey all,</P><P>I'm learning how to enforce a network with Trustsec. I understand how to enforce within the fabric, but I don't fully understand enforcing outside the fabric.</P><P>My goal is to deny a certain SGT from communicating with anything outside the fabric (towards the internet for example) while allowing other SGTs to do so.</P><P>Currently, I'm denying certain services to the internet with my dACL enforcement, using "deny ip any any" at the end.</P><P>Is this possible to do this with Trustsec? Do I have to configure this on my perimeter firewall?</P><P>Thanks!</P><P>Dolev</P> Mon, 29 Mar 2021 12:40:35 GMT https://community.cisco.com/t5/network-access-control/enforcing-external-sda-fabric-traffic/m-p/4315427#M566503 Dolevha 2021-03-29T12:40:35Z https://community.cisco.com/t5/network-access-control/enforcing-external-sda-fabric-traffic/m-p/4391697#M566832 <P>Take a look at the CTS allow-list model (default deny IP) with SDA:&nbsp;<A href="https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/dna-center/215516-trustsec-whitelist-model-with-sda.html#anc0" target="_blank">Cisco ISE TrustSec Allow-List Model (Default Deny IP) With SDA - Cisco</A></P> <P>HTH!</P> Thu, 22 Apr 2021 17:20:45 GMT https://community.cisco.com/t5/network-access-control/enforcing-external-sda-fabric-traffic/m-p/4391697#M566832 Mike.Cifelli 2021-04-22T17:20:45Z https://community.cisco.com/t5/network-access-control/enforcing-external-sda-fabric-traffic/m-p/4391705#M566833 <P>That's a serious world of hurt I wouldn't wish on anyone.&nbsp;<BR /><BR /><BR /></P> Thu, 22 Apr 2021 17:29:10 GMT https://community.cisco.com/t5/network-access-control/enforcing-external-sda-fabric-traffic/m-p/4391705#M566833 Damien Miller 2021-04-22T17:29:10Z