TrustSec SGT tags and Scalable Groups

Mitrixsen — Sat, 17 May 2025 10:26:00 GMT

Hi, everyone.

I've recently began studying SD-Access and my book mentions the following regarding the policy plane (TrustSec).

■ Scalable group: A scalable group is a group of endpoints with similar policies. The
SD-Access policy plane assigns every endpoint (host) to a scalable group using
TrustSec SGT tags. Assignment to a scalable group can be either static per fabric edge
port or using dynamic authentication through AAA or RADIUS using Cisco ISE. The
same scalable group is configured on all fabric edge and border nodes. Scalable groups
can be defined in Cisco DNA Center and/or Cisco ISE and are advertised through
Cisco TrustSec.

As for the scalable groups. It says that it’s a group of endpoints that have the same policies and that the group is assigned using tags. So if I assign a tag like “IT-DEPARTMENT” to some devices, will they all be in the same scalable group? Can I, on the other hand, assign them to different scalable groups and apply policies even if they are on the same subnet without the need of deploying VACLs, MAC ACLs, etc?

Thank you.
David

Re: TrustSec SGT tags and Scalable Groups

Andrii Oliinyk — Sat, 17 May 2025 11:24:13 GMT

"So if I assign a tag like “IT-DEPARTMENT” to some devices, will they all be in the same scalable group?"
yes they will be in the same SG
"Can I, on the other hand, assign them to different scalable groups and apply policies even if they are on the same subnet without the need of deploying VACLs, MAC ACLs, etc?"
u can assign endpoint whatever SG of your choice. but any time endpoint may belong to single SG only. u dont need VACL/MACL/etc as soon as you properly map you filtering intent to egress policy where both SRC & DST SGTs must be available for policing device (egress switch|router|FW)

topic Re: TrustSec SGT tags and Scalable Groups in Software-Defined Access (SD-Access)

TrustSec SGT tags and Scalable Groups

Re: TrustSec SGT tags and Scalable Groups