Dolevha
Beginner

Enforcing external SDA fabric traffic

Hey all,

I'm learning how to enforce a network with TrustSec. I understand how to enforce within the fabric, but I don't fully understand enforcing outside the fabric.

My goal is to deny a certain SGT from communicating with anything outside the fabric (towards the internet for example) while allowing other SGTs to do so.

Currently, I'm denying certain services to the internet with my dACL enforcement, using "deny ip any any" at the end.

Is it possible to do this with TrustSec? Do I have to configure this on my perimeter firewall?

Thanks!

Dolev

2 REPLIES
Mike.Cifelli
VIP Advocate

Take a look at the CTS allow-list model (default deny IP) with SDA: Cisco ISE TrustSec Allow-List Model (Default Deny IP) With SDA - Cisco

HTH!

That's a serious world of hurt I wouldn't wish on anyone. 

