topic Re: Segmentation and SGT in Software-Defined Access (SD-Access)

Segmentation and SGT

jakobhoeghmikkelsen — Wed, 10 Nov 2021 12:52:44 GMT

Hi all,

I have been reading this article https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html - and I need help for someone to explain me the illustrion.: 1.7.2 "How does Segmentation works"

I have attached the picture. Can someone please exlain the picture for me?

Re: Segmentation and SGT

balaji.bandi — Wed, 10 Nov 2021 13:03:49 GMT

SGT Security Group Tag) or (Scalable Group Tag) - this will be allocated to user or device.

Based on the SGT and matrix you see on your picture, what resource the SGT can access (it can be allow or deny)

That is very good feature of ISE being a identity engine.

Your diagram show high level (it required bit integration) between Enterprise Lan and DC environment.)

Re: Segmentation and SGT

jakobhoeghmikkelsen — Wed, 10 Nov 2021 13:12:02 GMT

Thanks for responding! But, does this mean that because employee has TAG nr 5 - he can't access the production and application serveres, because they have a different tag? Or does it mean that he can access the appl server because he has Permit all, and cannot acces prod_serv becaue he has deny_all?

Re: Segmentation and SGT

jakobhoeghmikkelsen — Wed, 10 Nov 2021 13:18:40 GMT

Thanks for responding! But, does this mean that because employee has TAG nr 5 - he can't access the production and application serveres, because they have a different tag (7 and 8)? Or does it mean that employee can access the appl server because he has Permit all, and cannot acces prod_serv becaue he has deny_all?

Re: Segmentation and SGT

balaji.bandi — Wed, 10 Nov 2021 13:28:23 GMT

as per the diagram employee only get App_Serv access ( rest all deny)