topic Re: Cisco SDA Trustsec Concept in Software-Defined Access (SD-Access)

Cisco SDA Trustsec Concept

Newbie..9109 — Sat, 22 Mar 2025 11:33:01 GMT

Hi, Lets say i have ISE, DNAC, edge, intermediate, border and fusion firewall non cisco. Outside all of this doesnt support trustsec. 1. Where policy SGACL enforcement should be applied? Please tell me the most common practice 2. When packet return from outside fabric entering to fabric, should the packet tagged again? Which device should tag it?

Re: Cisco SDA Trustsec Concept

balaji.bandi — Sat, 22 Mar 2025 12:52:52 GMT

check the design guide :

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-design-guide.html

Re: Cisco SDA Trustsec Concept

Andrii Oliinyk — Sat, 22 Mar 2025 22:55:52 GMT

everyhing non cisco & quering for trusysec make 0 sense

make align to what u need

Re: Cisco SDA Trustsec Concept

Newbie..9109 — Sun, 23 Mar 2025 03:01:28 GMT

I mean only firewall is non cisco. The others like edge, intermediate, border is cisco. Please help to answer my two questions

Re: Cisco SDA Trustsec Concept

jedolphi — Mon, 24 Mar 2025 10:56:04 GMT

Microsegmentation policy is applied on Edge Nodes toward wired and fabric wireless endpoints, this is automatically enabled by the SDA automation, you don't need to do anything to make this work. For traffic from fabric towards external networks you can choose to manually enable policy enforcement on the Border Node. If you do this then you will need to map external networks to SGTs on the Border Nodes.

If a packet is returning from the external network without a tag then a tag can be added by the Border Node before VXLAN encapsulation. Again this would require external networks to be mapped to SGTs on the Border Node.

If you map networks to SGTs on BN via SXP then you should note the IP:SGT binding limits on the BN switching platform.