https://community.cisco.com/t5/network-access-control/sgt-extend-to-vmware/m-p/4664526#M576569 <P>You've run across a limitation that exists with TrustSec. As you pointed out, this used to be possible with the 1000v, but that isn't viable anymore. TrustSec shines in the facility/LAN/edge, but it's really not a DC technology.&nbsp;<BR /><BR />Adam already brought up Secure Workload and it's probably the most viable solution at the moment. The solution would leverage Cisco Secure Workload (Tetration) agents on the application servers, integrate ISE and Secure Workload, then write application scopes with facility/endpoint SGTs. This moves the enforcement point to the application servers native firewall. This does have its own scale considerations because firewall policy is written on IP and not SGT, Secure Workload is doing that translation based on the ISE sessions context it receives.&nbsp;</P> Fri, 05 Aug 2022 17:48:01 GMT Damien Miller 2022-08-05T17:48:01Z https://community.cisco.com/t5/network-access-control/sgt-extend-to-vmware/m-p/4664490#M576567 <P>Hi,</P> <P>What options are there for enforcing SGT policy as close to the Virtual machine/application as possible in a VMware environment? I know previously we could have used the Nexus 1000V but with that no longer being solved, is there a solution for this?</P> <P>Many thanks</P> Fri, 05 Aug 2022 15:57:22 GMT https://community.cisco.com/t5/network-access-control/sgt-extend-to-vmware/m-p/4664490#M576567 Aileron88 2022-08-05T15:57:22Z https://community.cisco.com/t5/network-access-control/sgt-extend-to-vmware/m-p/4664521#M576568 <P>Cisco Secure Workload:&nbsp;<A href="https://www.cisco.com/c/en/us/products/security/tetration/index.html" target="_blank">https://www.cisco.com/c/en/us/products/security/tetration/index.html</A></P> <P>Or integration ISE with ACI and ACI into VM-Ware.&nbsp; Not sure if there is a newer integration doc than this:&nbsp;<A href="https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-16-7/sec-usr-cts-xe-16-7-book/cts-aci-intgn.html.xml" target="_blank">https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-16-7/sec-usr-cts-xe-16-7-book/cts-aci-intgn.html.xml</A></P> Fri, 05 Aug 2022 17:24:15 GMT https://community.cisco.com/t5/network-access-control/sgt-extend-to-vmware/m-p/4664521#M576568 ahollifield 2022-08-05T17:24:15Z https://community.cisco.com/t5/network-access-control/sgt-extend-to-vmware/m-p/4664526#M576569 <P>You've run across a limitation that exists with TrustSec. As you pointed out, this used to be possible with the 1000v, but that isn't viable anymore. TrustSec shines in the facility/LAN/edge, but it's really not a DC technology.&nbsp;<BR /><BR />Adam already brought up Secure Workload and it's probably the most viable solution at the moment. The solution would leverage Cisco Secure Workload (Tetration) agents on the application servers, integrate ISE and Secure Workload, then write application scopes with facility/endpoint SGTs. This moves the enforcement point to the application servers native firewall. This does have its own scale considerations because firewall policy is written on IP and not SGT, Secure Workload is doing that translation based on the ISE sessions context it receives.&nbsp;</P> Fri, 05 Aug 2022 17:48:01 GMT https://community.cisco.com/t5/network-access-control/sgt-extend-to-vmware/m-p/4664526#M576569 Damien Miller 2022-08-05T17:48:01Z https://community.cisco.com/t5/network-access-control/sgt-extend-to-vmware/m-p/4665587#M576588 <P>Thank you both for the answers!</P> Mon, 08 Aug 2022 08:19:15 GMT https://community.cisco.com/t5/network-access-control/sgt-extend-to-vmware/m-p/4665587#M576588 Aileron88 2022-08-08T08:19:15Z