08-18-2019 09:58 PM
I'm playing around with TrustSec a little bit and wondering if segmentation inside the same VLAN on the same switch is possible. Let's say I have 2 clients assigned SGT 5 by 802.1X in the same broadcast domain on the same switch. In ISE I blocked the client-to-client (5 to 5) traffic and configured enforcement in the VLAN. Should the clients then be prevented from talking to each other?
I read in the configuration guide that the enforcement is also done for switched traffic if it is enforced on the VLAN, but I'm not sure if it's working on the same switch. In my lab, enforcement works between VLANs but not inside the same VLAN.
Thanks in advance
08-19-2019 08:14 AM
06-04-2024 07:46 PM - edited 06-07-2024 12:38 PM
Traffic from one client to another within the same VLAN will never be restricted, as both of them are in the same broadcast domain. SG-ACLs are applied at the layer 3 level, not at layer 2. To restrict clients in a broadcast domain there is a need for layer 2 VLAN ACLs.
06-04-2024 08:36 PM
First of all, it is not ideal to post a reply to a 4+-year-old post, as technology constantly evolves and feature enhancements often bring new capabilities. If you have a new comment/question, it is better to start a new conversation.
Secondly, @Damien Miller is 100% accurate in his response. It is (and always has been) possible to enforce SG-ACLs for endpoints on the same Layer 2 VLAN. This is one of the salient points of software-based segmentation and Group Based Policy.
Inline SGTs are carried in the CMD (Cisco MetaData) field in the Ethernet header and SG-ACLs are enforced in hardware at the egress of the switchport. For more details on TrustSec, see this Cisco Live presentation on "Advanced Security Group Tags (SGT) - The Detailed Walk Through" from 2020. While the session is old, the content is still completely valid and relevant.
There are additional resources for TrustSec information here:
https://community.cisco.com/t5/security-knowledge-base/ise-berg/ta-p/5041171#TrustSec
06-05-2024 09:15 AM - edited 06-07-2024 12:38 PM
SGACLs are layer 3 ACLs that are applied on egress at the layer 3 gateways, not on the switch ports. They differ from DACLs, which are applied directly to the interface itself. When SGACLs are applied on the gateway, they only restrict endpoints from going out of the subnet to which they belong and cannot restrict traffic within the layer 2 broadcast domain.
Now, it seems like there's some confusion between SD-Access and the traditional deployment of TrustSec. After carefully reviewing the customer's notes, it's clear that they are exploring TrustSec only, not SD-Access. It's important to note that true micro-segmentation (intra-VLAN) is only possible in SD-Access, not in a traditional TrustSec deployment.
06-05-2024 07:57 PM - edited 06-05-2024 07:57 PM
SD Access is mainly the use of VXLAN and LISP overlays as a fabric over the physical campus infrastructure. With SDA, the SGT is propagated within the VXLAN header, making the SGT propagation easier. SDA does not fundamentally change the way SGACLs work and are enforced.
It is entirely possible to restrict traffic between endpoints on the same VLAN using SGACLs. This is a concept that has existed since the inception of TrustSec 10+ years ago, and is possible for both legacy TrustSec and SDA environments.
As stated in this How-to Guide for Campus and Branch Segmentation (page 12), published in 2014:
"In intra-campus segmentation you have two users connected to the Layer 2 switch (Figure 5). These users can be connected to the same VLAN or to different ones. You can use SGTs to tag each user and use SGACLs, rather than ACLs, to enforce traffic between them (Figure 5)."
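For anyone reproducing the lab from the original question, here is what local SGACL enforcement for that scenario looks like on a Catalyst switch. This is an added example, not configuration from this thread or from Cisco's guide; VLAN 10, the ACL name and the SGT numbers are assumed, and in a real deployment the SGACL and the SGT assignments would normally be pushed from ISE rather than typed locally.

```text
! Added example (not from the thread): two clients in VLAN 10, both
! classified as SGT 5 by 802.1X, with SGT 5 -> SGT 5 traffic denied.
! VLAN number, ACL name and SGT values are assumed for illustration.

! 1. Enable SGACL enforcement globally and on the VLAN holding both clients.
!    Without the vlan-list entry, intra-VLAN (switched) traffic is not enforced.
cts role-based enforcement
cts role-based enforcement vlan-list 10

! 2. Role-based ACL: no source/destination, since the SGT pair selects it.
!    (Defined locally here; in production this is downloaded from ISE.)
ip access-list role-based DENY_INTRA_SGT5
 deny ip

! 3. Bind the ACL to the source SGT / destination SGT pair.
cts role-based permissions from 5 to 5 DENY_INTRA_SGT5

! 4. Checks. Enforcement at the egress port needs an IP-to-SGT binding for
!    the destination host, which the switch learns from the 802.1X session
!    and IP device tracking. If a client is missing from the sgt-map, the
!    switch cannot derive the destination SGT and the SGACL will not match.
show cts role-based sgt-map all
show cts role-based permissions
show cts role-based counters
```

If the 5-to-5 row of the counters stays at zero while the clients can still reach each other, check the sgt-map output first, since a missing binding is the usual reason intra-VLAN enforcement appears not to work.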
06-13-2024 02:30 PM
SGACLs are actually like PACLs but superior since they don't consume that much TCAM space.
So isolation of devices is perfectly possible even if they're on the same VLAN/Broadcast domain.
I have successfully implemented that on Cat3k, Cat4k, Cat6k and Cat9k.
That is how it has always been...
09-25-2024 08:59 PM
I have a client who is trying to roll this out using ISE; the goal is simply to block same-VLAN communication. This works fine as a POC, limited to a manual deployment using user authentication.
When trying to scale, I'm having issues with pushing this out via Microsoft GPO to Windows workstations; surely this should work some way or another.
In the long term, when deploying Cisco TrustSec / micro-segmentation at large scale, which tool is best?
I have read that Tetration / Workload Center may be a better fit with user auth; looking to hear feedback.