Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2912
Views
2
Helpful
6
Replies

Trustsec intra-vlan segmentation

Is101008
Level 4
Level 4

‎08-18-2019 09:58 PM

i´m playing around with trustsec a little bit and wondering if segmentation inside the same VLAN on the same switch is possible. Lets say i have 2 clients assigned SGT5 by 802.1x in the same boardcast domain on the same switch. In ISE i blocked the client-to-client (5 to 5) traffic and configured enforcement in the vlan. Should then the clients be prevented to talk to each other ? 

 

I read in the configuration guide that the enforcement is also done for switched traffic if it is enforced on the VLAN but I´m not sure if its working on the same switch. In my lab enforcement works between VLANs but not inside the same VLAN

 

Thanks in advance

Labels:
0 Helpful
6 Replies 6

Damien Miller
VIP Alumni
VIP Alumni

‎08-19-2019 08:14 AM

Yes this is possible and should be working assuming you are on the correct platform with the configuration for it. TrustSec is of course vlan/subnet independent, all that matters is the SGT to IP binding and the SGACL that would apply between the tag/tags. So your policy should be working if everything else is up to it.

When you are being enforced across VLANs, is that also on the same switch, just different vlans, or different switches?

If we cover the basics when you are trying same vlan enforcement, does it meet some basic criteria,
1. Is the switch model capable of SGACL enforcement
2. Is the vlan included in the "cts role-based enforcement vlan-list" of the switch(s)
3. Do the SGACL's show up in "sh cts role-based permissions"
4. Do both endpoints display their "local" mappings in "sh cts role-based sgt-map all"
0 Helpful

Z23
Level 1
Level 1
In response to Damien Miller

‎06-04-2024 07:46 PM - edited ‎06-07-2024 12:38 PM

Traffic from one client to another within the same VLAN will never be restricted as both of them are in the same broadcast domain. SG-ACLs are applied on the layer 3 level not on layer 2. To restrict clients in a broadcast domain there is a need for layer 2 VLAN ACLs. 

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee
In response to Z23

‎06-04-2024 08:36 PM

First of all, it is not ideal posting a reply to a 4+ year old post as technology constantly evolves and feature enhancements often bring new capabilities. If you have a new comment/question, it is better to start a new conversation.

Secondly, @Damien Miller is 100% accurate on his response. It is (and always has been) possible to enforce SG-ACLs for endpoints on the same Layer 2 VLAN. This is one of the salient points of software-based segmentation and Group Based Policy.

Inline SGTs are carried in the CMD (Cisco MetaData) field in the Ethernet header and SG-ACLs are enforced in hardware at the egress of the switchport. For more details on TrustSec, see this Cisco Live presentation on "Advanced Security Group Tags (SGT) - The Detailed Walk Through" from 2020. While the session is old, the content is still completely valid and relevant.

There are additional resources for TrustSec information here:
https://community.cisco.com/t5/security-knowledge-base/ise-berg/ta-p/5041171#TrustSec

 

Z23
Level 1
Level 1
In response to Greg Gibbs

‎06-05-2024 09:15 AM - edited ‎06-07-2024 12:38 PM

SGACLs are layer 3 ACLs that are applied on egress at the layer 3 gateways, not on the switch ports. They differ from DACLs, which are applied directly to the interface itself. When SGACLs are applied on the gateway, they only restrict endpoints from going out of the subnet to which they belong and cannot restrict traffic within the layer 2 broadcast domain.

 

Now, it seems like there's some confusion between SD-Access and the traditional deployment of TrustSec. After carefully reviewing the customer's notes, it's clear that they are exploring TrustSec only, not SD-Access. It's important to note that true micro-segmentation (intra-VLAN) is only possible in SD-Access, not in a traditional TrustSec deployment.

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee
In response to Z23

‎06-05-2024 07:57 PM - edited ‎06-05-2024 07:57 PM

SD Access is mainly the use of VXLAN and LISP overlays as a fabric over the physical campus infrastructure. With SDA, the SGT is propagated within the VXLAN header, making the SGT propagation easier. SDA does not fundamentally change the way SGACLs work and are enforced.

It is entirely possible to restrict traffic between endpoints on the same VLAN using SGACLs. This is a concept that has existed since the inception of TrustSec 10+ years ago, and is possible for both legacy TrustSec and SDA environments.
As stated in this How-to Guide for Campus and Branch Segmentation guide (page 12) published in 2014:

"In intra-campus segmentation you have two users connected to the Layer 2 switch (Figure 5). These users can be connected to the same VLAN or to different ones. You can use SGTs to tag each user and use SGACLs, rather than ACLs, to enforce traffic between them (Figure 5)."

0 Helpful

forthehorde97
Level 1
Level 1
In response to Z23

‎06-13-2024 02:30 PM

SGACLs are actually like PACLs but superior since they don't consume that much TCAM space.
So isolation of devices is perfectly possible even if they're on the same VLAN/Broadcast domain.
I have successfully implemented that on Cat3k, Cat4k, Cat6k and Cat9k.
That is how it always been...

0 Helpful
Customers Also Viewed These Support Documents