SDA – Policy Plane (Cisco TrustSec)

Microsegmentation – the ability to isolate hosts in the same subnet and prevent them from communicating with each other. Resolved in SDA by the use of Scalable Groups (SG).

Macrosegmentation – the ability to prevent customers connected to the same network from communicating with each other, as in a Service Provider network. Resolved by the use of VRFs in a traditional SP network. Resolved in SDA by the use of Virtual Networks (VN).

Separation policies must be carried through the entire SDA fabric. To make this possible, the VXLAN VNID is used to identify the Virtual Network, and extensions to the VXLAN specification (VXLAN-GPO), proprietary to Cisco, allow a Scalable Group Tag (SGT) to be passed across as well.

When a packet arrives at a switch, the switch assigns the packet to a Virtual Network and a Scalable Group based on policy. The packet is then encapsulated: the Virtual Network is mapped to a VNID and the Scalable Group is mapped to an SGT. The packet is sent across the fabric, decoded by the switch at the destination and acted upon according to policy – i.e. is the sending host permitted to talk to the receiving host, etc.

It is important to note that traffic is tagged on ingress but policy is enforced on egress, which means traffic will traverse the network even if it will ultimately be denied.
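The ingress-tag / egress-enforce flow described above, as an added worked example that is not part of the original post and not Cisco code. It packs and parses the 8-byte VXLAN-GPO header (layout from the draft-smith-vxlan-group-policy specification: G and I flag bits, a 16-bit Group Policy ID carrying the SGT, a 24-bit VNI) and then simulates an edge node pair. The port-to-VN table, host-to-SGT table, SGACL matrix, VNI values and IP addresses are all constructed for the example and stand in for what DNA Center and ISE would push to real switches.

```python
import struct

# VXLAN-GPO header (draft-smith-vxlan-group-policy), 8 bytes in front of the inner frame:
#   byte 0 flags: G (0x80) = Group Policy ID present, I (0x08) = VNI valid
#   byte 1 flags: D (0x40) = don't learn source,     A (0x10) = policy already applied
#   bytes 2-3   : Group Policy ID, the field used to carry the SGT
#   bytes 4-6   : 24-bit VNI (identifies the Virtual Network)
#   byte 7      : reserved
FLAG_G, FLAG_I, FLAG_A = 0x80, 0x08, 0x10


def build_vxlan_gpo_header(vni: int, sgt: int, policy_applied: bool = False) -> bytes:
    """Encapsulate: VN -> VNI field and SG -> Group Policy ID (SGT) field."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits")
    flags1 = FLAG_A if policy_applied else 0
    # "!BBHI": flags0, flags1, group policy id, then VNI<<8 (3 bytes VNI + 1 reserved byte)
    return struct.pack("!BBHI", FLAG_G | FLAG_I, flags1, sgt, vni << 8)


def parse_vxlan_gpo_header(hdr: bytes) -> dict:
    """Decode at the destination switch; reject headers without a valid VNI."""
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    flags0, flags1, gpid, vni_res = struct.unpack("!BBHI", hdr[:8])
    if not flags0 & FLAG_I:
        raise ValueError("I bit clear: VNI not valid")
    return {
        "vni": vni_res >> 8,
        "sgt": gpid if flags0 & FLAG_G else None,  # no G bit -> frame is untagged
        "policy_applied": bool(flags1 & FLAG_A),
    }


# ---- constructed sample policy (hypothetical values, not from any real deployment) ----
# Access port -> Virtual Network VNI (macrosegmentation). 5001 = CAMPUS, 5002 = IOT.
VN_BY_PORT = {"Gi1/0/1": 5001, "Gi1/0/2": 5001, "Gi1/0/3": 5002}
# Host -> Scalable Group Tag (microsegmentation). 10 = Employees, 20 = Contractors, 30 = Cameras.
SGT_BY_HOST = {"10.1.1.10": 10, "10.1.1.20": 20, "10.2.1.30": 30}
# SGACL matrix (src_sgt, dst_sgt) -> permit. Any pair not listed is denied.
SGACL = {(10, 10): True, (10, 20): True, (20, 20): True, (10, 30): True}


def ingress_tag(port: str, src_ip: str, payload: bytes) -> bytes:
    """Edge node on ingress: classify into VN and SG, then encapsulate. No policy decision here."""
    vni = VN_BY_PORT[port]
    sgt = SGT_BY_HOST.get(src_ip, 0)  # 0 = unknown host, carries no group membership
    return build_vxlan_gpo_header(vni, sgt) + payload


def egress_enforce(frame: bytes, out_port: str, dst_ip: str) -> dict:
    """Edge node on egress: decapsulate and decide. VN mismatch or SGACL deny drops the packet."""
    hdr = parse_vxlan_gpo_header(frame[:8])
    if hdr["vni"] != VN_BY_PORT[out_port]:
        return {"permitted": False, "reason": "VN mismatch (macrosegmentation)", **hdr}
    dst_sgt = SGT_BY_HOST.get(dst_ip, 0)
    if not SGACL.get((hdr["sgt"], dst_sgt), False):
        return {"permitted": False, "reason": f"SGACL deny {hdr['sgt']}->{dst_sgt}", **hdr}
    return {"permitted": True, "reason": "SGACL permit", **hdr}


def fabric_forward(in_port: str, src_ip: str, out_port: str, dst_ip: str, payload: bytes = b"ping") -> dict:
    """Simulate one packet: it always crosses the fabric; enforcement only happens at egress."""
    frame = ingress_tag(in_port, src_ip, payload)
    result = egress_enforce(frame, out_port, dst_ip)
    result["bytes_crossed_fabric"] = len(frame)  # non-zero even when the result is a drop
    return result


if __name__ == "__main__":
    print(fabric_forward("Gi1/0/1", "10.1.1.10", "Gi1/0/2", "10.1.1.20"))  # employee -> contractor: permit
    print(fabric_forward("Gi1/0/2", "10.1.1.20", "Gi1/0/1", "10.1.1.10"))  # contractor -> employee: deny at egress
    print(fabric_forward("Gi1/0/3", "10.2.1.30", "Gi1/0/1", "10.1.1.10"))  # IOT VN -> CAMPUS VN: VN mismatch
```

The second call is the point of the note above: the contractor's frame is built, tagged with SGT 20 and carried across the fabric before the destination edge node consults the SGACL and drops it. The third shows macrosegmentation taking precedence over the SGT matrix: the VNI check fails before any SGT lookup, so the Employees-to-Cameras permit never applies across Virtual Networks.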

Policy is defined in DNA Center and passed on to Cisco ISE to enforce.

and sent across the network.
