05-17-2025 03:26 AM
Hi, everyone.
I've recently begun studying SD-Access, and my book mentions the following regarding the policy plane (TrustSec).
■ Scalable group: A scalable group is a group of endpoints with similar policies. The SD-Access policy plane assigns every endpoint (host) to a scalable group using TrustSec SGT tags. Assignment to a scalable group can be either static per fabric edge port or using dynamic authentication through AAA or RADIUS using Cisco ISE. The same scalable group is configured on all fabric edge and border nodes. Scalable groups can be defined in Cisco DNA Center and/or Cisco ISE and are advertised through Cisco TrustSec.
As for scalable groups, it says that a scalable group is a group of endpoints that have the same policies and that the group is assigned using tags. So if I assign a tag like "IT-DEPARTMENT" to some devices, will they all be in the same scalable group? Can I, on the other hand, assign them to different scalable groups and apply policies even if they are on the same subnet, without the need to deploy VACLs, MAC ACLs, etc.?
Thank you.
David
05-17-2025 04:24 AM
"So if I assign a tag like “IT-DEPARTMENT” to some devices, will they all be in the same scalable group?"
Yes, they will be in the same SG.
"Can I, on the other hand, assign them to different scalable groups and apply policies even if they are on the same subnet without the need of deploying VACLs, MAC ACLs, etc?"
You can assign an endpoint whatever SG you choose, but at any time an endpoint may belong to a single SG only. You don't need VACLs/MACLs/etc. as long as you properly map your filtering intent to the egress policy, where both the source and destination SGTs must be available to the policing device (egress switch, router, or FW).
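To make the accepted answer concrete, here is a small simulation I added for this thread; it is my own simplified model, not code from the original poster, the answerer, or Cisco. It models the two points above: an endpoint carries exactly one SGT at a time (reassignment replaces the old tag), and enforcement happens per (source SGT, destination SGT) cell of an egress policy matrix, so two hosts on the same subnet can be filtered against each other without VACLs or MAC ACLs. It also shows the caveat in the answer: if the enforcement point has no IP-to-SGT binding for one side of the flow, that side falls back to SGT 0 ("unknown") and the intended cell is never matched. The SGT numbers, host addresses, port names and the policy rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

UNKNOWN_SGT = 0  # SGT 0 is reserved for "unknown" in TrustSec

# Assumed SGT values for this example; in a real fabric they are defined in ISE / DNA Center.
SGT = {"IT-DEPARTMENT": 10, "FINANCE": 20}


@dataclass
class Endpoint:
    ip: str
    edge_port: str              # fabric edge port the host sits on, e.g. "Gi1/0/5" (constructed)
    sgt: int = UNKNOWN_SGT      # an endpoint carries exactly one SGT at any time


class FabricEdge:
    """Simplified model of an enforcement point: IP-to-SGT bindings plus an egress
    policy matrix keyed by (source SGT, destination SGT). Not Cisco's implementation."""

    def __init__(self, subnet: str):
        self.subnet = ip_network(subnet)
        self.bindings: dict[str, int] = {}          # IP -> SGT known to this node
        # (src_sgt, dst_sgt) -> ordered rules of (action, "proto/port" or "any")
        self.matrix: dict[tuple[int, int], list[tuple[str, str]]] = {}
        self.default_action = "permit"              # cell absent from the matrix

    def assign(self, ep: Endpoint, group: str) -> int:
        """Static (per edge port) and dynamic (ISE/RADIUS) assignment end the same way:
        the endpoint's single SGT is (re)set and its IP binding is updated."""
        if ip_address(ep.ip) not in self.subnet:
            raise ValueError(f"{ep.ip} is not in {self.subnet}")
        ep.sgt = SGT[group]                          # replaces any previous SGT
        self.bindings[ep.ip] = ep.sgt
        return ep.sgt

    def add_policy(self, src_group: str, dst_group: str, rules) -> None:
        self.matrix[(SGT[src_group], SGT[dst_group])] = list(rules)

    def enforce(self, src_ip: str, dst_ip: str, proto: str, port: int) -> str:
        """Egress decision: both SGTs must be resolvable here, or the lookup
        lands in an "unknown" cell instead of the one the operator intended."""
        src_sgt = self.bindings.get(src_ip, UNKNOWN_SGT)
        dst_sgt = self.bindings.get(dst_ip, UNKNOWN_SGT)
        rules = self.matrix.get((src_sgt, dst_sgt))
        if rules is None:
            return self.default_action
        for action, match in rules:                  # first matching rule wins
            if match == "any" or match == f"{proto}/{port}":
                return action
        return self.default_action


def demo() -> dict[str, object]:
    """Constructed scenario: two hosts on one subnet in different scalable groups."""
    edge = FabricEdge("10.1.1.0/24")
    it_host = Endpoint("10.1.1.10", "Gi1/0/5")
    fin_host = Endpoint("10.1.1.20", "Gi1/0/6")
    edge.assign(it_host, "IT-DEPARTMENT")   # e.g. static per edge port
    edge.assign(fin_host, "FINANCE")        # e.g. dynamic, from an ISE authorization result
    # Intent: IT may reach FINANCE over HTTPS but not SSH.
    edge.add_policy("IT-DEPARTMENT", "FINANCE", [("deny", "tcp/22"), ("permit", "any")])
    results: dict[str, object] = {
        "it_to_fin_ssh": edge.enforce("10.1.1.10", "10.1.1.20", "tcp", 22),
        "it_to_fin_https": edge.enforce("10.1.1.10", "10.1.1.20", "tcp", 443),
        # No binding for 10.1.1.99 at this node -> source SGT 0 -> policy cell not matched
        "unknown_to_fin_ssh": edge.enforce("10.1.1.99", "10.1.1.20", "tcp", 22),
    }
    # Moving the IT host into FINANCE replaces its SGT; it is never in two groups at once.
    edge.assign(it_host, "FINANCE")
    results["after_move_sgt"] = it_host.sgt
    results["same_group_ssh"] = edge.enforce("10.1.1.10", "10.1.1.20", "tcp", 22)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "unknown_to_fin_ssh" case is the practical takeaway: the SSH deny only applies when the policing device knows both tags, which in a real deployment means the source SGT arrives inline or via SXP and the destination binding exists locally.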