06-09-2020 10:21 AM
Hi experts,
I have one scenario and need your expertise to understand more about Cisco Tetration, described below:
Let's say I have VM1-Web ---> VM2-App. Both are running Linux and have software agents installed, and both are already successfully managed by Cisco Tetration (full visibility and enforcement are ready).
Can I create a policy in Cisco Tetration like this: if a user from the Web team logs in to VM1-Web with the account username web1, then VM1-Web can ping/access VM2-App. But if another user with the account username web2 logs in to the same server (VM1-Web), then VM1-Web CAN NOT ping/access VM2-App anymore? Can Cisco Tetration do that?
In summary: username web1 logs in to VM1-Web ==> VM1-Web can ping VM2-App; after that, user web1 logs out of VM1-Web.
Username web2 logs in to VM1-Web ==> VM1-Web CAN NOT ping VM2-App.
Thank you very much
06-11-2020 07:24 AM - edited 06-11-2020 07:33 AM
Hello Trandinh,
Tetration telemetry does not look at the payload data inside a packet. Tetration collects the following fields (at a high level): Src IP, Dst IP, Src Port, Dst Port and Protocol.
For the scenario you mentioned,
We can do the following,
If the Web team is assigned a subnet, or if we can identify the IP addresses that the web team uses, we can create a rule:
w.x.y.z/28 can talk to VM1-Web on Port abc.
For your second criterion, you can write a rule:
VM1-Web <--> VM1-APP PING
VM1-Web <--> VM1-APP Access port.
Bottom line is Tetration cannot look into the user credentials with which the user is attempting to login.
I hope that helps.
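To make the point of this answer concrete, here is an added example (not Tetration's own code or policy format, and not part of the original thread) that models an enforcement policy the way a 5-tuple telemetry engine sees it: rules over source network, destination network, protocol and port, evaluated default-deny. The addresses (VM1-Web 10.0.1.10, VM2-App 10.0.2.20, Web team subnet 10.0.100.0/28) and the port numbers are constructed for the example. It shows the two rules proposed above working, and then shows why a login username cannot be a match criterion: the flows generated by web1's session and by web2's session from the same host carry the identical 5-tuple, so any rule that allows one necessarily allows the other.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """The fields a flow-telemetry engine records: the 5-tuple only."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str  # "tcp", "udp" or "icmp"


@dataclass(frozen=True)
class Rule:
    """An allow rule over the same fields; dport=None means 'any port' (used for ICMP)."""
    src_net: str
    dst_net: str
    proto: str
    dport: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        return (
            ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_net)
            and flow.proto == self.proto
            and (self.dport is None or flow.dport == self.dport)
        )


def evaluate(rules, flow: Flow) -> str:
    """Default-deny: the flow is allowed only if some allow rule matches it."""
    for rule in rules:
        if rule.matches(flow):
            return "ALLOW"
    return "DENY"


# Constructed addresses for the example (hypothetical, not from the thread).
VM1_WEB = "10.0.1.10"
VM2_APP = "10.0.2.20"
WEB_TEAM_NET = "10.0.100.0/28"   # the "w.x.y.z/28" of the answer

# The two rules the answer proposes, expressed over the 5-tuple.
RULES = [
    Rule(WEB_TEAM_NET, VM1_WEB + "/32", "tcp", 443),   # web team -> VM1-Web on "port abc"
    Rule(VM1_WEB + "/32", VM2_APP + "/32", "icmp"),    # VM1-Web <--> VM2-App PING
    Rule(VM2_APP + "/32", VM1_WEB + "/32", "icmp"),
    Rule(VM1_WEB + "/32", VM2_APP + "/32", "tcp", 8080),  # VM1-Web -> VM2-App access port
]


def web_team_verdicts():
    """Subnet rule: an address inside the /28 is allowed, one outside it is denied."""
    inside = Flow("10.0.100.5", VM1_WEB, 51000, 443, "tcp")
    outside = Flow("10.0.100.20", VM1_WEB, 51000, 443, "tcp")  # .20 is outside a /28
    return evaluate(RULES, inside), evaluate(RULES, outside)


def verdicts_by_user():
    """The username is session metadata on the host; it is not in the flow record.
    Both sessions emit the same 5-tuple, so the policy cannot tell them apart."""
    ping = Flow(VM1_WEB, VM2_APP, 0, 0, "icmp")
    sessions = {"web1": ping, "web2": ping}   # same tuple regardless of who is logged in
    return {user: evaluate(RULES, flow) for user, flow in sessions.items()}


if __name__ == "__main__":
    print("web team subnet rule:", web_team_verdicts())
    print("ping VM1-Web -> VM2-App per logged-in user:", verdicts_by_user())
```

The only way to get different verdicts for web1 and web2 in this model is to make them produce different 5-tuples, for instance by having each user's traffic originate from a different source address, which is exactly the subnet-based approach the answer suggests.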
08-19-2020 08:23 AM
You can write policy on AD-integrated ISE and AnyConnect agents. You can create a filter based on their primary AD group and use that filter in the policy.