10-17-2019 03:52 AM
Hi All
I have a few questions around SD Access.
1. If I want to have certain users access certain places, I believe I can use TrustSec, and this uses SGTs to identify the user. The question is: do I need a firewall to enforce the policy between networks, or does the SGT also apply on the same VLAN, so I can block host 1 in VLAN 1 to host 2 in VLAN 1 etc.?
2. For the above to work, does VXLAN come into the equation anywhere? If so how would it work?
3. Do you need to have all Cisco switches for the above to work?
10-17-2019 01:41 PM
Carl,
1. Cisco SD-Access uses the concept of Virtual Networks (VNs) that are instantiated as VRFs to segment the network. Users / devices are assigned to VLANs at the port level based on user / device auth with ISE, and these VLANs are tied to SVIs that are in the respective VNs. SGTs are also assigned based on the auth, so one VN could have multiple SGTs assigned within it. As you indicate, it is possible to block traffic within the VN between two users that are either assigned different SGTs or the same SGT. This does not require a firewall, but some firewalls do allow for SGT-based enforcement and so could be used for this. If two users assigned different SGTs are in different VNs (VRFs), then a firewall or some other mechanism (VRF route leaking, for example) would be used to determine if the users can talk from one VN to another.
2. VXLAN carries the SGT as part of its header as it traverses the Cisco SD-Access fabric site.
3. For Cisco SD-Access fabric, the Fabric Edge Nodes, Fabric Control Plane Nodes and Fabric Border Nodes need to be Cisco. Given the VXLAN header is just an L3 header, once it is applied it can be routed by any platform that supports the underlay routing protocol being used for the fabric site.
I recommend you view the session BRKCRS-2810 in the On-Demand Library at ciscolive.com. This is the beginning session in a series of Cisco SD-Access related sessions and goes through the details of the various fabric constructs and operations. If you want a deeper dive, you can also view BRKCRS-3810. The On-Demand Library is a free resource, and you do not have to have ever attended Cisco Live to access it.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking Group
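To make the three points above concrete, here is an added example (not code from the thread or from Cisco) that decodes the VXLAN header the fabric uses to carry the source SGT and then applies a small SGACL at the egress edge. The header layout is assumed from the IETF draft-smith-vxlan-group-policy format (G bit in the first flags byte, 16-bit Group Policy ID holding the SGT, 24-bit VNI); the VNI-to-VN mapping, the IP-to-SGT bindings, the SGACL matrix and the sample packets are all constructed for illustration. It shows the two cases from the answer: hosts in the same VN and even the same VLAN are filtered purely by SGT pair with no firewall, while a destination in a different VN never reaches the SGACL and has to go through a border, firewall or route leak.

```python
"""Decode a VXLAN-GPO header and apply an SGT-pair (SGACL) decision at the egress edge.

Added example, not from the original post. Header layout assumed from
draft-smith-vxlan-group-policy; all tables and packets below are constructed.
"""
import struct
from typing import Optional

# Assumed VXLAN-GPO layout (8 bytes):
#   byte 0: flags, bit 0 (MSB) = G (group policy present), bit 4 = I (VNI valid)
#   byte 1: further flags (D, A bits), not used here
#   bytes 2-3: Group Policy ID, which SD-Access uses for the source SGT
#   bytes 4-6: VNI, byte 7 reserved
G_BIT = 0x80
I_BIT = 0x08


def build_vxlan_gpo(vni: int, sgt: Optional[int] = None) -> bytes:
    """Encode the header; sets the G bit and Group Policy ID only when an SGT is given."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    gpid = sgt if sgt is not None else 0
    if not 0 <= gpid < (1 << 16):
        raise ValueError("SGT / Group Policy ID is a 16-bit field")
    flags = I_BIT | (G_BIT if sgt is not None else 0)
    return struct.pack("!BBHI", flags, 0, gpid, vni << 8)


def parse_vxlan_gpo(header: bytes) -> dict:
    """Decode the header; returns the VNI and the source SGT (None if the G bit is clear)."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, _flags2, gpid, vni_word = struct.unpack("!BBHI", header[:8])
    if not flags & I_BIT:
        raise ValueError("I bit clear: VNI field is not valid")
    return {"vni": vni_word >> 8, "sgt": gpid if flags & G_BIT else None}


# Constructed: L3 VNI -> Virtual Network (VRF) name.
VNI_TO_VN = {4097: "CAMPUS", 4098: "GUEST"}

# Constructed: IP -> (VN, SGT) bindings the egress edge holds for its attached hosts.
# 10.1.10.20/.30/.40 sit on the same VLAN inside the CAMPUS VN.
HOST_BINDINGS = {
    "10.1.10.20": ("CAMPUS", 10),  # Employee
    "10.1.10.30": ("CAMPUS", 20),  # Contractor
    "10.1.10.40": ("CAMPUS", 10),  # Employee
    "10.2.20.5": ("GUEST", 30),    # Guest
}

# Constructed SGACL matrix: (source SGT, destination SGT) -> action; unlisted pairs use the default.
SGACL = {
    (10, 10): "permit",  # Employee -> Employee
    (10, 20): "permit",  # Employee -> Contractor
    (20, 10): "deny",    # Contractor -> Employee
    (20, 20): "deny",    # Contractor -> Contractor: same VLAN, same SGT, still blocked
}
SGACL_DEFAULT = "deny"


def enforce(header: bytes, dst_ip: str) -> dict:
    """Egress decision: check the VN first, then look up the SGACL for (src SGT, dst SGT)."""
    parsed = parse_vxlan_gpo(header)
    src_vn = VNI_TO_VN.get(parsed["vni"])
    if src_vn is None:
        return {"action": "deny", "reason": "unknown VNI %d" % parsed["vni"]}
    binding = HOST_BINDINGS.get(dst_ip)
    if binding is None:
        return {"action": "deny", "reason": "no binding for %s" % dst_ip}
    dst_vn, dst_sgt = binding
    if dst_vn != src_vn:
        # Different VRFs: the edge SGACL never applies; only a border node,
        # a firewall or explicit route leaking can join the two VNs.
        return {"action": "inter-vn", "reason": "%s -> %s crosses VNs" % (src_vn, dst_vn)}
    src_sgt = parsed["sgt"]
    if src_sgt is None:
        return {"action": SGACL_DEFAULT, "reason": "no SGT in header"}
    action = SGACL.get((src_sgt, dst_sgt), SGACL_DEFAULT)
    return {"action": action, "reason": "SGACL (%d -> %d)" % (src_sgt, dst_sgt)}


if __name__ == "__main__":
    cases = [
        (build_vxlan_gpo(4097, 10), "10.1.10.40"),  # Employee -> Employee, same VLAN
        (build_vxlan_gpo(4097, 20), "10.1.10.20"),  # Contractor -> Employee, same VLAN
        (build_vxlan_gpo(4097, 20), "10.1.10.30"),  # Contractor -> Contractor, same SGT
        (build_vxlan_gpo(4097, 10), "10.2.20.5"),   # CAMPUS -> GUEST, different VN
        (build_vxlan_gpo(4097), "10.1.10.20"),      # G bit clear, no SGT carried
    ]
    for hdr, dst in cases:
        print(hdr.hex(), dst, enforce(hdr, dst))
```

The enforcement point matters: the ingress edge stamps the source SGT into the header, but the destination SGT is only known at the egress edge from its own IP-to-SGT bindings, so the SGACL is evaluated there. That is also why a packet with the G bit clear (no SGT) falls to the default action rather than being matched to a real group.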