Showing results for 
Search instead for 
Did you mean: 

Cisco Tetration micro-segmentation based on user/group AD ?


Hi experts,


I have one scenario need your expertise to understand more about Cisco Tetration below: 


Let say I have  VM1-Web  ---> VM2-App. Both are running with Linux OS and installed software agents and already successfully managed by Cisco Tetration ( full visibility and enforcement are ready )


Can I create policy in Cisco Tetration  like :  if  user from Web team  login to VM1-Web with account  username web1,  then VM1-Web can ping /access VM2-App. But if with another user with account username web2 login to the same server (VM1-Web), the server VM1-Web now CAN NOT ping/ access VM2-App anymore  ? Can Cisco Tetration can do that ? 


In summary,  username web1 login VM1-Web  ==> VM1-Web can ping VM2-App , after that user web1 log out of VM1-Web

                    username web2 login VM1-Web  ==> VM1-Web CAN NOT ping VM2-App 


Thank you  very much


2 Replies 2

Satya Narra
Cisco Employee
Cisco Employee

Hello Trandinh,


Tetration telemetry does not look at the payload data inside a packet. Tetration collects that following fields (at a high level), Src IP, DST IP, SRC Port, DST Port and Protocol.


For the scenario you mentioned,


We can do the following,

If the Web team is assigned a subnet or if we can identify the IP address that the web team use, we can create a rule

w.x.y.z/28  can talk to VM1-Web on Port abc.

For your second criteria,yuo can write a rule

VM1-Web  <-->VM1-APP PING

VM1-Web <-->VM1-APP Access port.


Bottom line is Tetration cannot look into the user credentials with which the user is attempting to login.


I hope that helps.


You can write policy on AD integrated ISE and Anyconnect agents. You can create a filter based on their primary AD group and use that filter in the policy. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers