Microsegmentation – the ability to isolate hosts in the same subnet and prevent communication. Resolved in SDA by use of Scalable Groups (SG).
Macrosegmentation – the ability to prevent customers connected to the same network communicating with each other in a Service Provider network. Resolved by use of VRFs in a traditional SP network. Resolved in SDA by use of Virtual Networks (VN).
Separation policies must be carried through the entire SDA fabric. To make this possible, the VXLAN VNID is used to identify the Virtual Network, and extensions to the VXLAN specification (VXLAN-GPO), proprietary to Cisco, allow a Scalable Group Tag (SGT) to be carried across the fabric as well.
When a packet arrives at a switch, the switch assigns the packet to a virtual network and a scalable group based on policy. The packet is then encapsulated: the virtual network is mapped to a VNID and the Scalable Group is mapped to an SGT. The packet is sent across the fabric, decoded by the switch at the destination and acted upon according to policy, i.e. whether the sending host is permitted to talk to the receiving host.
Important to note that traffic is tagged on ingress but policy is enforced on egress, which means traffic will traverse the network even if it will ultimately be denied.
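As an added example (not from the original notes and not Cisco's code), the header layout from the VXLAN-GPO IETF draft (draft-smith-vxlan-group-policy) packed and parsed in Python, with a constructed SGT matrix applied at egress the way the notes describe; the VNID values and policy entries are made up for illustration.

```python
import struct

# Flag bits in the first header byte, per draft-smith-vxlan-group-policy.
FLAG_G = 0x80  # Group Policy ID (SGT) field is valid
FLAG_I = 0x08  # VNI field is valid (standard VXLAN)

def build_vxlan_gpo(vni: int, sgt: int) -> bytes:
    """Build the 8-byte VXLAN-GPO header: flags, 16-bit SGT, 24-bit VNI, reserved byte."""
    if not 0 <= vni < (1 << 24) or not 0 <= sgt < (1 << 16):
        raise ValueError("VNI is 24 bits, SGT is 16 bits")
    # byte 0: G and I flags; byte 1: D/A policy bits (left clear); then SGT; then VNI<<8
    return struct.pack("!BBHI", FLAG_G | FLAG_I, 0, sgt, vni << 8)

def parse_vxlan_gpo(header: bytes) -> dict:
    """Decode the header; the SGT is only meaningful when the G flag is set."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags0, _flags1, gpid, vni_res = struct.unpack("!BBHI", header[:8])
    if not flags0 & FLAG_I:
        raise ValueError("I flag not set: no valid VNI")
    return {"vni": vni_res >> 8, "sgt": gpid if flags0 & FLAG_G else None}

# Constructed egress policy: (source SGT, destination SGT) -> permit. Pairs not
# listed are denied. These values are invented for the example, not Cisco defaults.
SGT_POLICY = {(10, 20): True, (20, 10): False}

def egress_decision(header: bytes, dst_sgt: int, dst_vnid: int) -> bool:
    """Egress switch check: same Virtual Network (macro) and SGT matrix permit (micro)."""
    pkt = parse_vxlan_gpo(header)
    if pkt["vni"] != dst_vnid:
        return False  # macrosegmentation: packet belongs to a different VN
    if pkt["sgt"] is None:
        return False  # no SGT carried: deny by default (assumption for this example)
    return SGT_POLICY.get((pkt["sgt"], dst_sgt), False)
```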
Policy is defined in DNA Center and passed on to Cisco ISE to enforce.
and sent across the network.