https://community.cisco.com/t5/software-defined-access-sd-access/isolation-inside-dna-scalable-group/m-p/4527043#M1687 <P>Hi</P><P>&nbsp; Dont think so.&nbsp; The permit or deny happens actually on the Access Contract which is associated to a Scalable Grupo. I mean, in order do differentiate devices, you´ll need differentiate Scalable Grupo.</P><P>&nbsp;</P> Wed, 05 Jan 2022 17:55:09 GMT Flavio Miranda 2022-01-05T17:55:09Z https://community.cisco.com/t5/software-defined-access-sd-access/isolation-inside-dna-scalable-group/m-p/4527016#M1686 <P>Hello,&nbsp;</P><P>Is there a means to deny traffic between endpoints belonging to the same Scalable Group?&nbsp; This for the obvious reason to prevent lateral movement between SG members.&nbsp; I am looking for the lookalike of ACI's 'Intra EPG isolation'.&nbsp;&nbsp;</P> Wed, 05 Jan 2022 17:18:42 GMT https://community.cisco.com/t5/software-defined-access-sd-access/isolation-inside-dna-scalable-group/m-p/4527016#M1686 JAN DEVOS 2022-01-05T17:18:42Z https://community.cisco.com/t5/software-defined-access-sd-access/isolation-inside-dna-scalable-group/m-p/4527043#M1687 <P>Hi</P><P>&nbsp; Dont think so.&nbsp; The permit or deny happens actually on the Access Contract which is associated to a Scalable Grupo. I mean, in order do differentiate devices, you´ll need differentiate Scalable Grupo.</P><P>&nbsp;</P> Wed, 05 Jan 2022 17:55:09 GMT https://community.cisco.com/t5/software-defined-access-sd-access/isolation-inside-dna-scalable-group/m-p/4527043#M1687 Flavio Miranda 2022-01-05T17:55:09Z https://community.cisco.com/t5/software-defined-access-sd-access/isolation-inside-dna-scalable-group/m-p/4527068#M1688 <P>Hi Jan,</P> <P>Yes, this has been fully-supported since Day 1.&nbsp; It is a very common strategy in guest networks where you don't want guest endpoints talking to each other.&nbsp; It's simply a matter of creating a deny policy using the same SGT for source and destination.</P> <P>I hope that helps.</P> <P>Roddie</P> Wed, 05 Jan 2022 18:43:05 GMT https://community.cisco.com/t5/software-defined-access-sd-access/isolation-inside-dna-scalable-group/m-p/4527068#M1688 Roddie Hasan 2022-01-05T18:43:05Z https://community.cisco.com/t5/software-defined-access-sd-access/isolation-inside-dna-scalable-group/m-p/4527497#M1689 <P>Tx, Roddie. This way of defining intra-SG-isolation (by deny any &lt;SG&gt; &lt;SG&gt;, where SG is one and the same scalable group) sounds logic. I did not think enough 'out of the box'., to find this solution by myself&nbsp; This merits to be documented somewhere, no?</P> Thu, 06 Jan 2022 15:55:43 GMT https://community.cisco.com/t5/software-defined-access-sd-access/isolation-inside-dna-scalable-group/m-p/4527497#M1689 JAN DEVOS 2022-01-06T15:55:43Z https://community.cisco.com/t5/software-defined-access-sd-access/isolation-inside-dna-scalable-group/m-p/4527540#M1690 <P>&gt;&nbsp;<SPAN>This merits to be documented somewhere, no?</SPAN></P> <P><SPAN>You're right, it should be - It's been a while since I looked at any of our guidance around policy, but I will do some digging to see if we have a CVD for it.</SPAN></P> <P><SPAN>This strategy is definitely used widely.</SPAN></P> <P><SPAN>Roddie</SPAN></P> Thu, 06 Jan 2022 17:14:35 GMT https://community.cisco.com/t5/software-defined-access-sd-access/isolation-inside-dna-scalable-group/m-p/4527540#M1690 Roddie Hasan 2022-01-06T17:14:35Z