Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1290
Views
0
Helpful
2
Replies

Enforcing external SDA fabric traffic

Dolevha
Beginner
Beginner

‎03-29-2021 05:40 AM

Hey all,

I'm learning how to enforce a network with Trustsec. I understand how to enforce within the fabric, but I don't fully understand enforcing outside the fabric.

My goal is to deny a certain SGT from communicating with anything outside the fabric (towards the internet for example) while allowing other SGTs to do so.

Currently, I'm denying certain services to the internet with my dACL enforcement, using "deny ip any any" at the end.

Is this possible to do this with Trustsec? Do I have to configure this on my perimeter firewall?

Thanks!

Dolev

0 Helpful
2 Replies 2

Mike.Cifelli
Advisor
Advisor

‎04-22-2021 10:20 AM

Take a look at the CTS allow-list model (default deny IP) with SDA: Cisco ISE TrustSec Allow-List Model (Default Deny IP) With SDA - Cisco

HTH!

0 Helpful

Damien Miller
VIP Advisor VIP Advisor
VIP Advisor
In response to Mike.Cifelli

‎04-22-2021 10:29 AM

That's a serious world of hurt I wouldn't wish on anyone. 


0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents