topic Re: How do you apply an SGACL to an SD-Access port? in Software-Defined Access (SD-Access)

How do you apply an SGACL to an SD-Access port?

bmcgahan — Thu, 22 Feb 2024 13:42:23 GMT

I'm trying to apply SGACLs to do micro-segmentation in SD-Access.

Right now I have 2 ports with statically assigned SGTs, one is "Employees" and one is "Guests", both in the same VN (subnet).

I have a Policy created in DNA-C that says SGT "Guests" to "Employees" should be denied and logged.

ISE learns this from the DNA Center (see attached), but I don't see anywhere to actually apply the ACL to the switches themselves.

What is the final step in the configuration for this? If I'm not doing dot1x, does ISE have no way to trigger the download of the ACL?

Thanks!

Re: How do you apply an SGACL to an SD-Access port?

Roddie Hasan — Thu, 22 Feb 2024 14:28:03 GMT

The Fabric Edge should automatically request any relevant SGACLs whenever a host is onboarded with SGTs or a static SGT port comes up. You shouldn't have to do anything to trigger this as the provisioning process will add the Fabric Edge as a CTS client.

You can verify this on the Fabric Edge with this command:

show cts role-based permissions

I hope that helps!

Roddie

Re: How do you apply an SGACL to an SD-Access port?

Preston Chilcote — Thu, 22 Feb 2024 17:30:24 GMT

@bmcgahan How did you define the ACL rules? I think they need to be defined as Subnet-SGT mappings for this scenario.

Re: How do you apply an SGACL to an SD-Access port?

jedolphi — Thu, 22 Feb 2024 23:10:56 GMT

Guessing based on experiences with other users: after changing Group-Based Policies don't forget to "deploy" from either from the Catalyst Center UI or ISE UI.

Re: How do you apply an SGACL to an SD-Access port?

YDOT1Q — Wed, 15 Apr 2026 11:50:43 GMT

This is what the AI gave regarding this question--- Edge devices uses RADIUS to download from ISE

n Cisco SD-Access, SGTs and SGACLs are downloaded from Cisco ISE to switches via RADIUS during client authentication or device onboarding. Catalyst Center (DNAC) orchestrates the policy, while ISE pushes environment data and SGACLs to switches, enabled by the cts role based enforcement command for enforcement.

Cisco +3

Key SGT and SGACL Download Mechanism:

Centralized Policy Creation: Policies are created in Cisco Catalyst Center and pushed to Cisco ISE using REST APIs, where ISE serves as the authoritative policy engine.
Authentication Flow: When a user/device joins the network, the edge node authenticates it with ISE.
Dynamic Download: ISE dynamically sends the SGT (metadata) and the relevant SGACLs to the switch through RADIUS during this process.
Role-Based Enforcement: The cts role based enforcement command must be enabled on the switch to enforce these downloaded policies.
Environment Data: Switches download environment data from ISE, which includes the SGT list.

Now, the other related question I have is: Does this work in CISCO ACI in the data center? from where the Cisco SD Access is inherited, how does EPGs and Contracts are downloaded to the Fabric Edge? what protocol is being used by APIC and Leaf and what about the COOP protocol ???? Sorry lots of questions, but related and interesting

Re: How do you apply an SGACL to an SD-Access port?

Andrii Oliinyk — Wed, 15 Apr 2026 13:28:42 GMT

ACI doesnt use Trustsec/SGT approach. EPGs&Contracts are pushed to switches with leverage of Infrastructure Fabric Messaging (secure, internal management protocol over the infra tenant) by APIC. Data Management Engine on the switch receives validated model & programs it in HW.

Re: How do you apply an SGACL to an SD-Access port?

YDOT1Q — Wed, 15 Apr 2026 14:37:22 GMT

Thank you for the response.

So, VXLAN header does not have any role in carrying SGT in the ACI fabric?

In the case of SD Access, the SGT is carried in the VXLAN header.

Re: How do you apply an SGACL to an SD-Access port?

Andrii Oliinyk — Wed, 15 Apr 2026 14:49:46 GMT

"So, VXLAN header does not have any role in carrying SGT in the ACI fabric? "
No