Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1780
Views
0
Helpful
2
Replies

Enforcing external SDA fabric traffic

Dolevha
Level 1
Level 1

‎03-29-2021 05:40 AM

Hey all,

I'm learning how to enforce a network with Trustsec. I understand how to enforce within the fabric, but I don't fully understand enforcing outside the fabric.

My goal is to deny a certain SGT from communicating with anything outside the fabric (towards the internet for example) while allowing other SGTs to do so.

Currently, I'm denying certain services to the internet with my dACL enforcement, using "deny ip any any" at the end.

Is this possible to do this with Trustsec? Do I have to configure this on my perimeter firewall?

Thanks!

Dolev

0 Helpful
2 Replies 2

Mike.Cifelli
VIP Alumni
VIP Alumni

‎04-22-2021 10:20 AM

Take a look at the CTS allow-list model (default deny IP) with SDA: Cisco ISE TrustSec Allow-List Model (Default Deny IP) With SDA - Cisco

HTH!

0 Helpful

Damien Miller
VIP Alumni
VIP Alumni
In response to Mike.Cifelli

‎04-22-2021 10:29 AM

That's a serious world of hurt I wouldn't wish on anyone. 


0 Helpful
Customers Also Viewed These Support Documents