cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3023
Views
0
Helpful
2
Replies

Cisco Tetration micro-segmentation based on user/group AD ?

trandinh
Level 1
Level 1

Hi experts,

 

I have one scenario need your expertise to understand more about Cisco Tetration below: 

 

Let say I have  VM1-Web  ---> VM2-App. Both are running with Linux OS and installed software agents and already successfully managed by Cisco Tetration ( full visibility and enforcement are ready )

 

Can I create policy in Cisco Tetration  like :  if  user from Web team  login to VM1-Web with account  username web1,  then VM1-Web can ping /access VM2-App. But if with another user with account username web2 login to the same server (VM1-Web), the server VM1-Web now CAN NOT ping/ access VM2-App anymore  ? Can Cisco Tetration can do that ? 

 

In summary,  username web1 login VM1-Web  ==> VM1-Web can ping VM2-App , after that user web1 log out of VM1-Web

                    username web2 login VM1-Web  ==> VM1-Web CAN NOT ping VM2-App 

 

Thank you  very much

 

2 Replies 2

Satya Narra
Cisco Employee
Cisco Employee

Hello Trandinh,

 

Tetration telemetry does not look at the payload data inside a packet. Tetration collects that following fields (at a high level), Src IP, DST IP, SRC Port, DST Port and Protocol.

 

For the scenario you mentioned,

 

We can do the following,

If the Web team is assigned a subnet or if we can identify the IP address that the web team use, we can create a rule

w.x.y.z/28  can talk to VM1-Web on Port abc.

For your second criteria,yuo can write a rule

VM1-Web  <-->VM1-APP PING

VM1-Web <-->VM1-APP Access port.

 

Bottom line is Tetration cannot look into the user credentials with which the user is attempting to login.

 

I hope that helps.

bmoorewiz
Level 4
Level 4

You can write policy on AD integrated ISE and Anyconnect agents. You can create a filter based on their primary AD group and use that filter in the policy. 

Review Cisco Networking for a $25 gift card