Cisco SDA Trustsec Concept

Newbie..9109
Level 1

Hi, let's say I have ISE, DNAC, edge, intermediate, border and a non-Cisco fusion firewall. Outside all of this doesn't support TrustSec.

1. Where should SGACL policy enforcement be applied? Please tell me the most common practice.
2. When a packet returns from outside the fabric and enters the fabric, should the packet be tagged again? Which device should tag it?

Accepted Solution

jedolphi
Cisco Employee

Microsegmentation policy is applied on Edge Nodes toward wired and fabric wireless endpoints; this is automatically enabled by the SDA automation, so you don't need to do anything to make this work. For traffic from the fabric towards external networks you can choose to manually enable policy enforcement on the Border Node. If you do this, then you will need to map external networks to SGTs on the Border Nodes.

If a packet is returning from the external network without a tag, then a tag can be added by the Border Node before VXLAN encapsulation. Again, this would require external networks to be mapped to SGTs on the Border Node.

If you map networks to SGTs on the BN via SXP, then you should note the IP:SGT binding limits on the BN switching platform.


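As an added example (not from this thread or from jedolphi), the Border Node side of what the accepted solution describes, written as IOS-XE CLI for a Catalyst 9000 BN: static IP-to-SGT mappings for the non-TrustSec side so returning traffic gets a tag before VXLAN encapsulation, the SXP listener alternative, the optional enforcement toggle, and the show commands used to check the binding count against the platform limit. Prefixes, SGT numbers, peer addresses and the password are placeholders; on a DNA Center managed border, check what the controller already pushes before adding any of this by hand.

```ios
! Border Node (Catalyst 9000, IOS-XE). All addresses and SGT values are placeholders.
!
! 1. Classify traffic returning from the non-TrustSec firewall side:
!    static IP:SGT mappings so the BN adds the tag before VXLAN encapsulation.
cts role-based sgt-map 203.0.113.0/24 sgt 1000
cts role-based sgt-map 198.51.100.0/24 sgt 1001
!
! 2. Alternatively, learn the bindings from ISE over SXP (BN as listener).
!    These consume the same IP:SGT binding table, so they count toward the limit.
cts sxp enable
cts sxp default source-ip 10.0.0.1
cts sxp default password <sxp-password-placeholder>
cts sxp connection peer 10.0.0.10 password default mode local listener
!
! 3. Optional: enforce SGACLs on the BN for fabric -> external traffic.
!    Edge Node enforcement toward endpoints is already handled by the SDA automation.
cts role-based enforcement
!
! Verification: bindings present, total binding count versus platform limit,
! SXP peer state, and the SGACL matrix actually installed on this node.
show cts role-based sgt-map all
show cts role-based sgt-map summary
show cts sxp connections brief
show cts role-based permissions
show cts role-based counters
```
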
4 Replies

balaji.bandi
Hall of Fame

Everything non-Cisco & querying for TrustSec makes 0 sense.

Make it align to what you need.

Hi

I mean only the firewall is non-Cisco. The others, like edge, intermediate and border, are Cisco. Please help to answer my two questions.
