Apply SGACL within same SGT group

pechew
Cisco Employee

Good day. I have a use case where there are 200 PCs connected and we don't want them to talk to each other.

Can we put all of them into the same SGT (group 10) and apply an SGACL that says Group 10 to Group 0, deny all?

Would this work, or are there other better options? Thank you.

Accepted Solution

Damien Miller
VIP Alumni

You can do this and it works very well. In your TrustSec matrix you will define a deny ip SGACL for the intersecting square of SGT 10 to/from SGT 10. An SGACL with deny ip on SGT 10<>10 would block all peer-to-peer traffic with that SGT. The usual use case I see for this is guest subnets.

SGT 0 is considered the unknown tag; for the use case you described you would be looking at 10 to 10 traffic and not 10 to 0.

There is also a default policy for the TrustSec matrix, but be careful with that. If, for example, you define it as a deny ip, any box not given an SGACL follows the default.


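As an added example that is not part of the thread, here is the equivalent local IOS-XE switch configuration for the 10<>10 deny cell described above, with the default cell explicitly kept at permit so that SGT pairs without their own cell are not silently dropped. In practice the matrix is usually defined in ISE and pushed to the switch; the RBACL names, the VLAN number and the fact that SGT 10 is assigned to the PCs are assumptions.

```cisco
! SGACL body for the peer-to-peer square: deny every IP flow it is applied to
ip access-list role-based DENY_ALL_P2P
 deny ip
!
! Permissive body used for the default cell (assumed name)
ip access-list role-based PERMIT_ALL
 permit ip
!
! Matrix cell: source SGT 10 -> destination SGT 10.
! SGT 0 is the unknown tag; a 10 -> 0 cell would not affect 10 -> 10 traffic.
cts role-based permissions from 10 to 10 DENY_ALL_P2P
!
! Default cell: applies to every SGT pair that has no explicit cell.
! Setting this to DENY_ALL_P2P instead would drop all such traffic.
cts role-based permissions default PERMIT_ALL
!
! Turn on SGACL enforcement globally and on the PC VLAN (VLAN 10 is assumed)
cts role-based enforcement
cts role-based enforcement vlan-list 10
!
! Verify the resulting cells; the 10 -> 10 entry should show DENY_ALL_P2P
! and the default entry PERMIT_ALL
do show cts role-based permissions
```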

Thank you, Damien