Isolate a Security Group

Cedric Metzger
Level 1

I want to isolate a device in a VN. That means I want a policy SRC: SecurityGroup DST: any CONTRACT: deny. But as far as I can tell, there is no "any" group? How do you isolate a SG in DNAC?

3 Replies

Preston Chilcote
Cisco Employee

I don't think there is a way to do that exactly.  In fact, I don't think normal SGACLs support that, so it's not just a SD-Access question.  Here are some other ideas:

The device could have its own VN.  Then you wouldn't need a micro-segmented Group Based Policy.  Not super scalable if you have lots of devices like that.

I suppose you already thought about selecting all of the VNs individually for the destination group and applying a deny policy.    Unfortunately, that would require updating the policy anytime a new VN was added.

Change the default policy to deny and use policy to whitelist to permit the right traffic.  (Note when I tried this in the lab, there is a helpful message to ask users to read through this to understand the impact: https://community.cisco.com/t5/networking-documents/whitelist-policy-considerations-for-sd-access/ta-p/4048032 )

Mike.Cifelli
VIP Alumni

Totally agree with @Preston Chilcote .  Another note on the multiple VN and scalability comment made:

Keep in mind when designing and rolling out new networks that you are going to rely on either microsegmentation via multiple SGTs in less VNs or multiple VNs with possibly less SGTs.  Your workload is going to rely on CTS policy contracts or manual VN leaking if hosts in VNx need to reach hosts in VNy.  My recommendation would be to find a happy medium.  Meaning, group similar networks in same VN if cross-talk is ever a possibility, and segregate other networks into other VNs that you know for sure will probably never need access to each other.  Note that this obviously comes down to given requirements.  Even if you went one route versus the other you could adjust as needed.  My personal opinion would be to rely on whichever you feel most comfortable with managing.  HTH!

Hi Guys

Thanks a lot for your answers. It looks like I have to manually deny traffic to all other SGTs and make sure that all new SGTs will be added to that policy.

Or maybe I can migrate from "blacklisting" to "whitelisting", which would be more secure anyway.
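The two options discussed in this thread (per-SGT denies under a default-permit policy versus a default-deny "whitelist" policy) can be compared with a small model of the group-based policy matrix. The following is an added example written for this thread; it is not DNA Center or Cisco code and does not use any DNA Center API. The SGT names (`Employees`, `Printers`, `Cameras`, `Quarantine`, `BuildingMgmt`) are constructed, and the matrix is a plain dictionary keyed by (source SGT, destination SGT). The point it shows is the maintenance gap from the thread: under default-permit, an SGT created after the deny rules were written can reach the isolated group until someone updates the policy, while under default-deny the new SGT is blocked without any change.

```python
"""
Model of a source-SGT x destination-SGT policy matrix with a default contract,
used to compare 'blacklist' (default permit) and 'whitelist' (default deny)
operation when one group must be isolated. Illustrative model for this thread;
not DNA Center code. All SGT names below are constructed examples.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Contract = str  # "permit" or "deny"


@dataclass
class GroupPolicy:
    """Policy matrix plus the default contract used when no rule matches.

    default="permit" models the usual blacklist operation (explicit denies).
    default="deny" models the whitelist mode mentioned in the thread.
    """
    default: Contract
    rules: Dict[Tuple[str, str], Contract] = field(default_factory=dict)

    def set_contract(self, src: str, dst: str, contract: Contract) -> None:
        self.rules[(src, dst)] = contract

    def evaluate(self, src: str, dst: str) -> Contract:
        """Return the contract applied to a src -> dst flow."""
        return self.rules.get((src, dst), self.default)


def isolate_group(policy: GroupPolicy, isolated: str, all_groups: Set[str]) -> None:
    """Emulate 'SRC: isolated, DST: any, deny' with one rule per known SGT.

    Because there is no 'any' destination group, each SGT known at the time
    gets an explicit deny in both directions. SGTs created later are not
    covered; find_uncovered_groups() reports them.
    """
    for other in all_groups:
        if other == isolated:
            continue
        policy.set_contract(isolated, other, "deny")
        policy.set_contract(other, isolated, "deny")


def find_uncovered_groups(policy: GroupPolicy, isolated: str, all_groups: Set[str]) -> Set[str]:
    """Return SGTs that can still exchange traffic with the isolated group.

    Run this against the current SGT inventory after any SGT is added; a
    non-empty result means the isolation policy needs updating.
    """
    leaks: Set[str] = set()
    for other in all_groups:
        if other == isolated:
            continue
        if (policy.evaluate(isolated, other) == "permit"
                or policy.evaluate(other, isolated) == "permit"):
            leaks.add(other)
    return leaks


def demo() -> Tuple[Set[str], Set[str]]:
    """Compare both modes after a new SGT appears. Constructed SGT names."""
    groups = {"Employees", "Printers", "Cameras", "Quarantine"}

    # Blacklist mode: default permit, explicit denies around the isolated SGT.
    blacklist = GroupPolicy(default="permit")
    isolate_group(blacklist, "Quarantine", groups)

    # An SGT is created in the fabric after the denies were written.
    groups_later = groups | {"BuildingMgmt"}
    leaks_blacklist = find_uncovered_groups(blacklist, "Quarantine", groups_later)

    # Whitelist mode: default deny; only explicitly permitted flows pass,
    # so the isolated SGT needs no rules of its own.
    whitelist = GroupPolicy(default="deny")
    whitelist.set_contract("Employees", "Printers", "permit")
    leaks_whitelist = find_uncovered_groups(whitelist, "Quarantine", groups_later)

    return leaks_blacklist, leaks_whitelist


if __name__ == "__main__":
    blacklist_leaks, whitelist_leaks = demo()
    print("Blacklist mode, SGTs still reaching Quarantine:", sorted(blacklist_leaks))  # ['BuildingMgmt']
    print("Whitelist mode, SGTs still reaching Quarantine:", sorted(whitelist_leaks))  # []
```

The `find_uncovered_groups` check is the part worth keeping if the per-SGT deny approach is chosen: fed with the current list of SGTs, it flags any group that the isolation rules do not yet cover. Whether the default policy can be switched to deny in a given fabric depends on the considerations in the whitelist document Preston linked above, which this model does not capture.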
