
SGT - Extend to VMware

Aileron88 (Level 1)

Hi,

What options are there for enforcing SGT policy as close to the virtual machine/application as possible in a VMware environment? I know previously we could have used the Nexus 1000V, but with that no longer being sold, is there a solution for this?

Many thanks

Accepted Solution

Damien Miller (VIP Alumni)

You've run across a limitation that exists with TrustSec. As you pointed out, this used to be possible with the 1000v, but that isn't viable anymore. TrustSec shines in the facility/LAN/edge, but it's really not a DC technology.

Adam already brought up Secure Workload, and it's probably the most viable solution at the moment. The solution would leverage Cisco Secure Workload (Tetration) agents on the application servers, integrate ISE and Secure Workload, then write application scopes with facility/endpoint SGTs. This moves the enforcement point to the application server's native firewall. This does have its own scale considerations because firewall policy is written on IP and not SGT; Secure Workload is doing that translation based on the ISE session context it receives.

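The scale point in the accepted answer is easiest to see by doing the translation by hand: a host firewall matches on IP, not SGT, so an agent on the server has to expand each SGT pair in the matrix into one rule per (source IP, service), using the IP-to-SGT mapping that ISE sessions provide. The script below is an added illustration of that expansion and is not Cisco Secure Workload's or ISE's code; the session table, the policy matrix, the rule rendering and the function names are all assumptions constructed for the example.

```python
"""
Illustrative SGT -> IP expansion for a host firewall (added example).
Everything here is constructed: the ISE session context, the SGT matrix and
the iptables rendering are stand-ins, not Secure Workload's real data model.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

Session = Tuple[str, str]                            # (endpoint IP, SGT name)
Service = Tuple[str, int]                            # (protocol, destination port)
PolicyMatrix = Dict[Tuple[str, str], List[Service]]  # (src SGT, dst SGT) -> allowed services

# Constructed ISE session context. In a deployment this would be learned from
# ISE (e.g. the pxGrid session feed); these addresses and groups are made up.
ISE_SESSIONS: List[Session] = [
    ("10.1.10.21", "Employees"),
    ("10.1.10.22", "Employees"),
    ("10.1.20.5", "Contractors"),
    ("10.2.30.7", "App_Web"),
    ("10.2.40.9", "App_DB"),
]

# Constructed SGT matrix. Pairs not listed are denied, as in a default-deny
# TrustSec policy matrix.
SGT_POLICY: PolicyMatrix = {
    ("Employees", "App_Web"): [("tcp", 443)],
    ("Contractors", "App_Web"): [("tcp", 443)],
    ("App_Web", "App_DB"): [("tcp", 5432)],
}


@dataclass(frozen=True)
class HostRule:
    """One IP-based allow rule as a host firewall would have to express it."""
    src_ip: str
    dst_ip: str
    proto: str
    dport: int

    def as_iptables(self) -> str:
        # Hypothetical rendering; a real agent drives its own rule engine.
        return (f"iptables -A INPUT -s {self.src_ip} -d {self.dst_ip} "
                f"-p {self.proto} --dport {self.dport} -j ACCEPT")


def sessions_by_sgt(sessions: List[Session]) -> Dict[str, List[str]]:
    """Index the session table by SGT so each SGT maps to its member IPs."""
    index: Dict[str, List[str]] = {}
    for ip, sgt in sessions:
        ip_address(ip)  # reject malformed context before it becomes a rule
        index.setdefault(sgt, []).append(ip)
    return index


def sgt_for_ip(sessions: List[Session], host_ip: str) -> Optional[str]:
    """Look up the SGT ISE has assigned to this server, if any."""
    for ip, sgt in sessions:
        if ip == host_ip:
            return sgt
    return None


def expand_policy_for_host(host_ip: str, sessions: List[Session],
                           policy: PolicyMatrix) -> List[HostRule]:
    """Expand the SGT matrix into inbound IP rules for one server.

    Rule count = sum over allowed source SGTs of (member IPs x services), which
    is why IP-based host policy grows much faster than the SGT matrix itself.
    """
    host_sgt = sgt_for_ip(sessions, host_ip)
    if host_sgt is None:
        return []  # no session context for this host: nothing is allowed in
    by_sgt = sessions_by_sgt(sessions)
    rules: List[HostRule] = []
    for (src_sgt, dst_sgt), services in policy.items():
        if dst_sgt != host_sgt:
            continue
        for src_ip in by_sgt.get(src_sgt, []):
            for proto, port in services:
                rules.append(HostRule(src_ip, host_ip, proto, port))
    return rules


def render_host_firewall(host_ip: str, sessions: List[Session],
                         policy: PolicyMatrix) -> List[str]:
    """Default-deny inbound policy followed by the expanded allow rules."""
    lines = ["iptables -P INPUT DROP"]
    lines += [r.as_iptables() for r in expand_policy_for_host(host_ip, sessions, policy)]
    return lines


def with_session_update(sessions: List[Session], ip: str, new_sgt: str) -> List[Session]:
    """Return a new session table after ISE reassigns (or adds) an endpoint's SGT.

    Every host whose policy references the old or new SGT must be re-expanded;
    the SGT matrix itself did not change, only the IP-to-SGT context.
    """
    updated = [(s_ip, new_sgt if s_ip == ip else sgt) for s_ip, sgt in sessions]
    if ip not in {s_ip for s_ip, _ in sessions}:
        updated.append((ip, new_sgt))
    return updated


if __name__ == "__main__":
    for line in render_host_firewall("10.2.30.7", ISE_SESSIONS, SGT_POLICY):
        print(line)
```

Running it for the App_Web server yields a drop policy plus three allow lines (two Employees addresses and one Contractors address on tcp/443), while the App_DB server gets a single rule from the one App_Web address. Moving an endpoint to a different SGT, or ISE learning a new endpoint, changes nothing in the matrix but forces the affected hosts' rule sets to be regenerated and pushed, which is the operational cost the answer alludes to.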

3 Replies

Aileron88 (Level 1)

Thank you both for the answers!