Segmentation - How have people achieved it on Brownfield sites

Frequent Contributor

Hi Guys

We are looking at implementing segmentation on our Network.

Typically, most people define segmentation as devices on different VLANs, maybe behind firewalls that separate L3 networks, etc.

We would like to use our switches to do the segmentation, possibly using TrustSec and SGACLs, etc.

My question is, have many people done this on brownfield sites, i.e. implementing it on an existing network?

We have a mix of Cat 9k switches, as well as older 2960X/S, etc.

We want to start with segmenting OT from IT, then see where we go from there. We have a NAC solution (Forescout) that has a segmentation module, but apparently, due to the number of dynamic ACLs it would need to deploy, it would have issues, so we are struggling. Would TrustSec get around this?

How is everyone else doing it? Has anyone done it with third-party solutions successfully? I have seen lots of presentations and talk about it, but not seen anyone actually do it successfully.

I could do with some ideas.

Many thanks guys



Cisco Employee

Hey @carl_townshend!

If your intention is to have segmentation using SGTs with Cisco TrustSec, you have two options that I know of:

1- Moving to an SD-Access architecture: you can leverage the benefits of automation and segmentation. You would need to integrate ISE and DNA Center, as they are a must in this architecture. Here you may find a lot of information regarding SDA:

2- You can do the segmentation manually: TBH this can be difficult to configure in a mid-to-large environment, as it requires many configurations. Hope the following document helps:


Orlando González.
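As an added illustration of the "manual" option above (not from the original thread or from Cisco's documentation), here is a minimal static TrustSec/SGACL configuration in Catalyst 9000 IOS-XE syntax for the OT-from-IT starting point the question describes. The subnets, SGT numbers and ACL names are made up for the example; classification comes from static IP-to-SGT mappings on the switch rather than from ISE, which is the simplest way to start on a brownfield site without touching endpoints.

```cisco
! Assumed example values: OT on 10.10.0.0/16 (SGT 10), IT on 10.20.0.0/16 (SGT 20).
! Static subnet-to-SGT mappings classify traffic without ISE or 802.1X.
cts role-based sgt-map 10.10.0.0/16 sgt 10
cts role-based sgt-map 10.20.0.0/16 sgt 20

! SGACLs carry no addresses; source/destination are the SGT pair they are bound to.
! OT -> IT: only the historian upload (TCP/443 to IT) is allowed, everything else is dropped and logged.
ip access-list role-based OT_TO_IT
 permit tcp dst eq 443
 deny ip log

! IT -> OT: allow engineering access on SSH only, drop and log the rest.
ip access-list role-based IT_TO_OT
 permit tcp dst eq 22
 deny ip log

! Bind the SGACLs to the SGT pairs (source SGT -> destination SGT).
cts role-based permissions from 10 to 20 OT_TO_IT
cts role-based permissions from 20 to 10 IT_TO_OT

! Enforcement is applied only on the VLANs being segmented first, so the rest of the
! brownfield network keeps its existing behaviour while the OT/IT policy is validated.
cts role-based enforcement vlan-list 110,120

! Verification commands for the rollout:
!   show cts role-based sgt-map all      - confirm the static classifications
!   show cts role-based permissions      - confirm the SGT pair to SGACL bindings
!   show cts role-based counters         - watch permit/deny hit counts before widening scope
```

Enforcement of SGACLs is a platform-dependent feature, so confirm support for the older 2960X/S models in the TrustSec compatibility matrix before relying on them as enforcement points; those switches may only be able to carry SGT information rather than enforce policy.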
