Kevin Regan
Cisco Employee
For customers who use Forescout for visibility but want to leverage our most effective segmentation functions in SDA, we can use Forescout-ISE integration capabilities to enable SGT-based policy enforcement, with Forescout providing the endpoint classifications.
 
This is intended to remove obstacles to SDA deployments within Forescout customers and result in faster SDA rollouts.
 
This approach allows customers to continue to operate visibility and classification functions in Forescout, but also allows customers to migrate to using ISE in a phased manner.
The SGT definitions and policies, which are infrequently changed, need to be managed in DNAC or ISE, with Forescout using pxGrid functions to assign endpoints to them.
 
Forescout do have other functions that can assign SGTs to endpoints, but in an SDA deployment ISE with pxGrid licensing is present, so the attached is our recommended approach to avoid Forescout interacting directly with DNAC-managed devices. 
Comments
Chris Cao
Level 1

Thank you Kevin for your explanation.

I notice Forescout NAC is in passive monitoring mode in your PowerPoint.

Do you mean all SD-Access VXLAN encapsulated packets have to be spanned to Forescout NAC? Or just do it at the fabric border once?

Considering the distributed gateway in SD-Access, should I configure ERSPAN on every fabric edge? My concern is that if I don't do this, Forescout NAC may not be able to control intra fabric edge traffic.