SGT Tag vs VxLAN tag

illusion_rox (Level 1)

Dear Experts,

We are working with a customer who requires security group tags or an equivalent tagging mechanism to be implemented in the campus. One of the vendors (not naming it) claimed they don't support SGT, but they can do the tagging and traffic segmentation using VxLAN tags that will be forwarded by their NAC solution.

As per my understanding, VxLAN can't be equivalent or an alternative to SGT? Am I right?

Accepted Solution

Hello @illusion_rox

Just the mere fact that a vendor is encapsulating the data plane in a VXLAN packet does not mean that they are doing TrustSec. VXLAN is a generic encapsulation method, and it depends on what the vendor is putting in that header. Cisco will put two things in VXLAN headers that make the magic of SDA - a VNID (Virtual Network ID) and an SGT (Scalable Group Tag). The VNID tells the receiving device which VRF/VN the data traffic is for (macro-segmentation), and the SGT tells us how to treat the data WITHIN the VN (micro-segmentation). VXLAN is the magic that allows customers to finally implement SGT in a network where perhaps it was challenging to do inline SGT tagging, or where it became tricky to send the mapping information via SXP all over the place. It doesn't scale well. VXLAN hides all that mess.


3 Replies

Hi,

VxLAN is different from SGT. VxLAN is equivalent to VLAN segmentation. It segments the network at layer two/three, similar to what VLANs/VRFs do. The segregation will be based on routing/switching rather than policies.

SGT is another tag which is used to enforce security policies at different devices such as switches, firewalls, routers, etc. They are equivalent to ACLs.

You can combine both, as they serve different purposes, which is done for example in an ACI deployment with FTD or SDA with FTD.

***** please remember to rate useful posts

Thank you. So if the customer's compliance requirement asks for SGT or an equivalent tag, would the vendor providing VxLAN tagging comply?
