
Trustsec / VXLAN / ISE Question

carl_townshend
Spotlight

Hi All

I have a few questions around SD Access.


1. If I want to have certain users access certain places, I believe I can use TrustSec, which uses SGTs to identify the user. The question is, do I need a firewall to enforce the policy between networks, or does the SGT also apply on the same VLAN, so I can block host 1 in VLAN 1 from host 2 in VLAN 1, etc.?


2. For the above to work, does VXLAN come into the equation anywhere? If so how would it work?


3. Do you need to have all Cisco switches for the above to work?

1 Reply

Scott Hodgdon
Cisco Employee

Carl,

1. Cisco SD-Access uses the concept of Virtual Networks (VNs) that are instantiated as VRFs to segment the network. Users / devices are assigned to VLANs at the port level based on user / device auth with ISE, and these VLANs are tied to SVIs that are in the respective VNs. SGTs are also assigned based on the auth, so one VN could have multiple SGTs assigned within it. As you indicate, it is possible to block traffic within the VN between two users that are either assigned different SGTs or the same SGT. This does not require a firewall, but some firewalls do allow for SGT-based enforcement and so could be used for this. If two users assigned different SGTs are in different VNs (VRFs), then a firewall or some other mechanism (VRF route leaking, for example) would be used to determine if the users can talk from one VN to another.

2. VXLAN carries the SGT as part of its header as it traverses the Cisco SD-Access fabric site.

3. For Cisco SD-Access fabric, the Fabric Edge Nodes, Fabric Control Plane Nodes and Fabric Border Nodes need to be Cisco. Given the VXLAN header is just an L3 header, once it is applied it can be routed by any platform that supports the underlay routing protocol being used for the fabric site.

I recommend you view the session BRKCRS-2810 in the On-Demand Library at ciscolive.com. This is the beginning session in a series of Cisco SD-Access related sessions and goes through the details of the various fabric constructs and operations. If you want a deeper dive, you can also view BRKCRS-3810. The On-Demand Library is a free resource, and you do not have to have ever attended Cisco Live to access it.

Cheers,

Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking Group
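The reply above makes two points that are easy to see in code: the SGT rides inside the VXLAN header (the Group Policy ID field of the VXLAN-GPO draft, draft-smith-vxlan-group-policy), and enforcement inside a VN is a lookup on the (source SGT, destination SGT) pair, so it can block two hosts in the same VLAN. The following Python is an added example, not code from the post or from Cisco; the header bit layout follows the draft, while the VNI, the SGT numbers, their names and the SGACL matrix are constructed for illustration.

```python
import struct

# Flag bits from the VXLAN Group Policy Option draft (draft-smith-vxlan-group-policy),
# which is how an SGT is carried inside the VXLAN header.
FLAG_G = 0x80   # first byte: Group Policy ID field is valid
FLAG_I = 0x08   # first byte: VNI field is valid (plain VXLAN, RFC 7348)
FLAG_D = 0x40   # second byte: Don't Learn source address
FLAG_A = 0x08   # second byte: policy already Applied by the ingress node

def build_vxlan_gpo(vni: int, sgt: int) -> bytes:
    """Construct an 8-byte VXLAN-GPO header carrying an SGT (sample data, not a capture)."""
    return struct.pack("!BBHL", FLAG_G | FLAG_I, 0, sgt & 0xFFFF, (vni & 0xFFFFFF) << 8)

def parse_vxlan_gpo(header: bytes) -> dict:
    """Decode the VXLAN header; the SGT is the 16-bit Group Policy ID when the G bit is set."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, flags2, gpid, vni_res = struct.unpack("!BBHL", header[:8])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: VNI field not valid")
    return {
        "vni": vni_res >> 8,                       # 24-bit VNI, low byte is reserved
        "sgt": gpid if flags & FLAG_G else None,   # no G bit: no SGT in this packet
        "policy_applied": bool(flags2 & FLAG_A),
        "dont_learn": bool(flags2 & FLAG_D),
    }

# Constructed SGACL matrix: (source SGT, destination SGT) -> action. The SGT numbers and
# names are assumptions for this example, not values from any real deployment.
SGACL = {
    (10, 20): "permit",   # Employees -> Servers
    (10, 10): "deny",     # Employees -> Employees: east-west block, same VN, even same VLAN
    (30, 20): "deny",     # Guests -> Servers
}

def egress_decision(header: bytes, dst_sgt: int, default: str = "permit") -> str:
    """Policy check an egress Fabric Edge would make: source SGT from the VXLAN header,
    destination SGT from its local binding (dst_sgt here), then the SGACL cell."""
    meta = parse_vxlan_gpo(header)
    if meta["policy_applied"]:
        return "permit"          # assumption: A bit set means ingress already enforced
    if meta["sgt"] is None:
        return default           # untagged traffic falls to the configured default policy
    return SGACL.get((meta["sgt"], dst_sgt), default)

if __name__ == "__main__":
    pkt = build_vxlan_gpo(vni=8188, sgt=10)
    print(egress_decision(pkt, dst_sgt=10))  # deny
    print(egress_decision(pkt, dst_sgt=20))  # permit
```

Note that the VLAN never enters the decision: the same two hosts are denied or permitted purely on their SGT pair, which is the point of question 1.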
