01-05-2022 09:18 AM
Hello,
Is there a means to deny traffic between endpoints belonging to the same Scalable Group? This is for the obvious reason of preventing lateral movement between SG members. I am looking for the equivalent of ACI's 'Intra EPG isolation'.
01-05-2022 09:55 AM
Hi
Don't think so. The permit or deny actually happens on the Access Contract which is associated to a Scalable Group. I mean, in order to differentiate devices, you'll need to differentiate Scalable Groups.
01-05-2022 10:43 AM
Hi Jan,
Yes, this has been fully-supported since Day 1. It is a very common strategy in guest networks where you don't want guest endpoints talking to each other. It's simply a matter of creating a deny policy using the same SGT for source and destination.
I hope that helps.
Roddie
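Added example (not from the original thread): the switch-level form of the policy Roddie describes, i.e. a deny SGACL bound to the same SGT as source and destination. In an SD-Access fabric you would normally author this cell in the DNA Center policy matrix and let ISE push it to the fabric edge nodes; this shows what lands on an IOS-XE switch and how to verify it. The SGT value 10 and the ACL name DENY_INTRA_GUEST are assumptions for illustration.

```cisco
! Added example, not from the thread. Assumed: guest endpoints carry SGT 10,
! and the deny ACL is named DENY_INTRA_GUEST.

! 1. A role-based ACL that drops everything.
ip access-list role-based DENY_INTRA_GUEST
 deny ip

! 2. Bind it with the SAME tag as source (from) and destination (to).
!    This is the "deny any <SG> <SG>" cell from the policy matrix.
cts role-based permissions from 10 to 10 ipv4 DENY_INTRA_GUEST

! 3. SGACLs are only evaluated when enforcement is enabled
!    (globally here; some platforms also require it per VLAN).
cts role-based enforcement

! Verify: the 10 -> 10 cell should list the deny ACL, and the deny
! counters should increase when two guest endpoints try to talk.
! show cts role-based permissions
! show cts role-based counters
```

Enforcement happens on the egress edge node, so the SGT must actually be carried or resolved there (inline tagging or SXP); if `show cts role-based counters` stays at zero while the endpoints can still reach each other, check that the destination SGT is being learned before suspecting the policy itself.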
01-06-2022 07:55 AM
Tx, Roddie. This way of defining intra-SG isolation (by deny any <SG> <SG>, where SG is one and the same scalable group) sounds logical. I did not think enough 'out of the box' to find this solution by myself. This merits to be documented somewhere, no?
01-06-2022 09:14 AM
> This merits to be documented somewhere, no?
You're right, it should be - It's been a while since I looked at any of our guidance around policy, but I will do some digging to see if we have a CVD for it.
This strategy is definitely used widely.
Roddie