05-15-2020 10:46 AM
I want to isolate a device in a VN. Which means I want a policy SRC: SecurityGroup, DST: any, CONTRACT: deny. But as far as I can tell, there is no "any" group? How do you isolate an SG in DNAC?
05-15-2020 11:23 AM
I don't think there is a way to do that exactly. In fact, I don't think normal SGACLs support that, so it's not just a SD-Access question. Here are some other ideas:
The device could have its own VN. Then you wouldn't need a micro-segmented Group Based Policy. Not super scalable if you have lots of devices like that.
I suppose you already thought about selecting all of the VNs individually for the destination group and apply a deny policy. Unfortunately, that would require updating the policy anytime a new VN was added.
Change the default policy to deny and use policy to whitelist to permit the right traffic. (Note when I tried this in the lab, there is a helpful message to ask users to read through this to understand the impact: https://community.cisco.com/t5/networking-documents/whitelist-policy-considerations-for-sd-access/ta-p/4048032 )
05-16-2020 02:18 PM - edited 05-16-2020 02:22 PM
Totally agree with @Preston Chilcote. Another note on the multiple VN and scalability comment made:
Keep in mind when designing and rolling out new networks that you are going to rely on either microsegmentation via multiple SGTs in fewer VNs or multiple VNs with possibly fewer SGTs. Your workload is going to rely on CTS policy contracts or manual VN leaking if hosts in VNx need to reach hosts in VNy. My recommendation would be to find a happy medium. Meaning, group similar networks in the same VN if cross-talk is ever a possibility, and segregate other networks into other VNs that you know for sure will probably never need access to each other. Note that this obviously comes down to given requirements. Even if you went one route versus the other you could adjust as needed. My personal opinion would be to rely on whichever you feel most comfortable with managing. HTH!
05-19-2020 02:21 PM
Hi Guys
Thanks a lot for your answers. It looks like I have to manually deny traffic to all other SGTs and make sure that all new SGTs will be added to that policy.
Or maybe I can migrate from "blacklisting" to "whitelisting" which would be anyway more secure.
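A small model of the two approaches discussed in this thread, added as an illustration and not part of the thread, of DNA Center or of any Cisco API: a policy matrix keyed by (source SGT, destination SGT) with a default action, an "isolate by explicit deny rows" routine that has to be re-run whenever a new SGT appears, and a gap check that reports which pairs still permit traffic to or from the isolated group. Under a default-deny (whitelist) matrix the same check stays clean when a new group is added. All class, function and group names (PolicyMatrix, isolation_gaps, "IoT", "Guests", ...) are constructed for the example.

```python
"""Model of a group-based policy matrix: (src SGT, dst SGT) -> contract action.

Added illustration for the thread above. It is not Cisco DNA Center code and does
not talk to a controller; SGT names and helper names are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

PERMIT = "permit"
DENY = "deny"
Pair = Tuple[str, str]


@dataclass
class PolicyMatrix:
    # default_action applies to any (src, dst) pair without an explicit contract.
    # Default-permit models "blacklisting"; default-deny models a whitelist design.
    default_action: str = PERMIT
    entries: Dict[Pair, str] = field(default_factory=dict)

    def set_contract(self, src: str, dst: str, action: str) -> None:
        self.entries[(src, dst)] = action

    def resolve(self, src: str, dst: str) -> str:
        """Effective action for src -> dst: explicit contract, else the default."""
        return self.entries.get((src, dst), self.default_action)


def _pairs_with(isolated: str, others: Iterable[str]) -> List[Pair]:
    """Both directions between the isolated group and every other group."""
    pairs: List[Pair] = []
    for other in sorted(others):
        if other != isolated:
            pairs.extend([(isolated, other), (other, isolated)])
    return pairs


def isolation_gaps(matrix: PolicyMatrix, isolated: str, all_sgts: Iterable[str]) -> List[Pair]:
    """Pairs that still permit traffic between the isolated group and any other group.

    An empty list means the group is fully isolated from the groups given. Run this
    after every SGT addition: with a default-permit matrix a new group opens a gap.
    """
    return [p for p in _pairs_with(isolated, all_sgts) if matrix.resolve(*p) == PERMIT]


def add_isolation_denies(matrix: PolicyMatrix, isolated: str, all_sgts: Iterable[str]) -> int:
    """Blacklist approach: write an explicit deny, both directions, against every
    other group known right now. Returns the number of contracts written."""
    written = 0
    for pair in _pairs_with(isolated, all_sgts):
        if matrix.entries.get(pair) != DENY:
            matrix.set_contract(*pair, DENY)
            written += 1
    return written


if __name__ == "__main__":
    # Constructed group set; "IoT" is the group we want isolated.
    sgts = {"Employees", "Contractors", "IoT", "Printers"}

    blacklist = PolicyMatrix()  # DNA Center style default-permit
    print("gaps before:", isolation_gaps(blacklist, "IoT", sgts))
    print("denies written:", add_isolation_denies(blacklist, "IoT", sgts))
    print("gaps after:", isolation_gaps(blacklist, "IoT", sgts))

    sgts.add("Guests")  # a new SGT appears later; the deny rows do not cover it
    print("gaps after new SGT:", isolation_gaps(blacklist, "IoT", sgts))

    whitelist = PolicyMatrix(default_action=DENY)
    whitelist.set_contract("Employees", "Printers", PERMIT)
    print("whitelist gaps after new SGT:", isolation_gaps(whitelist, "IoT", sgts))
```

The gap check is the useful part operationally: under the explicit-deny approach it is the drift detector that tells you the policy needs updating after a new group is created, while under a default-deny matrix it stays empty unless someone explicitly permits a pair involving the isolated group.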