These are self-study crib notes and may not be 100% accurate.
Security in SDA leans heavily on Cisco TrustSec.
Microsegmentation – the ability to impose security policy at (or very near) the endpoint level, for example preventing two hosts in the same subnet from communicating with each other. In SDA this is handled by Scalable Groups (SGs, formerly called Security Groups).
Macrosegmentation – usually seen in Service Provider networks where multiple customers connected to the same equipment need to be kept separate. Done with VRFs in traditional networks. In SDA this is handled by Virtual Networks (VNs), each of which maps to its own VRF.
Because SDA lets hosts that are logically adjacent (same broadcast domain) sit physically anywhere on the fabric, these policies have to be enforceable all the way across the SDA fabric. The VNID and SG tag (SGT) carried in the VXLAN-GPO header of every encapsulated packet make this possible: the VNID identifies the VN the packet belongs to and the SGT identifies the sender’s scalable group.
When a packet arrives at an edge switch from an endpoint, the switch classifies it into a virtual network (VN) and a scalable group (SG), using the classification the endpoint received when it joined (typically from ISE at authentication, or a static assignment). When the packet is put on to the SDA fabric, the switch maps the VN to a VNID and the SG to an SGT in the VXLAN-GPO header.
The receiving (egress) edge switch decodes the header: the VNID tells it which VN to look the destination up in, and the source SGT together with the destination endpoint’s own SG selects the SGACL that decides whether the packet may be delivered.
Packets are tagged as they enter the switch closest to the sending endpoint but policy is enforced at the switch closest to the destination, i.e. on egress, because that is where the destination’s SGT is known. This means traffic traverses the fabric whether or not it will be dropped at the far end. It also means the enforcing switch trusts the SGT that arrives in the header, so the fabric must only accept tagged traffic from trusted fabric nodes.
Policy is defined in Cisco DNA Center, which passes it to ISE; ISE distributes the resulting SGACLs to the fabric switches, which do the actual enforcement.
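The tag-at-ingress, enforce-at-egress flow above, written out as a small Python model. This is an added illustration, not Cisco code: the VXLAN-GPO header layout follows draft-smith-vxlan-group-policy (G/I/D/A flag bits, 16-bit Group Policy ID carrying the SGT, 24-bit VNI), while the VN names, VNIDs, SGT values, endpoint bindings and SGACL matrix are constructed sample data. It shows that a packet between two hosts in the same subnet and VN can still be dropped (microsegmentation), that an overlapping IP in another VN is simply unreachable (macrosegmentation), and that every packet reaches the far edge before any verdict is made.

```python
"""Toy model of SD-Access segmentation: classify and tag at the ingress edge,
enforce the SGACL at the egress edge. Added example, not Cisco code.
Header layout per draft-smith-vxlan-group-policy; all fabric data is constructed."""
import struct
from typing import NamedTuple, Optional

# Flag bits, first byte of the 8-byte VXLAN-GPO header.
FLAG_G = 0x80  # group-policy extension present (Group Policy ID field is meaningful)
FLAG_I = 0x08  # VNI field is valid
# Flag bits, second byte.
FLAG_D = 0x40  # Don't Learn: egress must not learn the source MAC from this packet
FLAG_A = 0x08  # Policy Applied: an upstream node already enforced policy


class Tag(NamedTuple):
    vnid: int            # 24-bit VXLAN Network Identifier (the VN)
    sgt: int             # 16-bit Scalable Group Tag (source group)
    applied: bool = False


def encode_gpo(tag: Tag) -> bytes:
    """Build the VXLAN-GPO header the ingress edge node prepends."""
    if not 0 <= tag.vnid < (1 << 24) or not 0 <= tag.sgt < (1 << 16):
        raise ValueError("VNI is 24 bits, SGT is 16 bits")
    flags1 = FLAG_G | FLAG_I
    flags2 = FLAG_A if tag.applied else 0
    # byte0 flags, byte1 flags, 16-bit Group Policy ID, 24-bit VNI + 8 reserved bits
    return struct.pack(">BBHI", flags1, flags2, tag.sgt, tag.vnid << 8)


def decode_gpo(hdr: bytes) -> Tag:
    """Parse the header at the egress edge; refuse headers that carry no tag."""
    if len(hdr) != 8:
        raise ValueError("VXLAN-GPO header is 8 bytes")
    flags1, flags2, sgt, vni_reserved = struct.unpack(">BBHI", hdr)
    if not flags1 & FLAG_I:
        raise ValueError("I bit clear: VNI not valid")
    if not flags1 & FLAG_G:
        raise ValueError("G bit clear: no Group Policy ID, cannot enforce an SGACL")
    return Tag(vnid=vni_reserved >> 8, sgt=sgt, applied=bool(flags2 & FLAG_A))


# ---- constructed fabric data (hypothetical values) --------------------------
VNID = {"Campus": 4097, "IoT": 4098}                       # VN name -> VNID
SGT = {"Employees": 4, "Contractors": 5, "Printers": 6, "Cameras": 7}
SGT_NAME = {v: k for k, v in SGT.items()}

# Endpoint bindings the edge nodes hold once each host is authorised:
# (VN, IP) -> scalable group. 10.1.1.10 exists in both VNs; the VNID keeps
# them apart. Inside Campus all hosts share one subnet, so only the SGACL
# separates them.
BINDINGS = {
    ("Campus", "10.1.1.10"): "Employees",
    ("Campus", "10.1.1.11"): "Employees",
    ("Campus", "10.1.1.20"): "Contractors",
    ("Campus", "10.1.1.50"): "Printers",
    ("IoT", "10.1.1.10"): "Cameras",
}

# SGACL matrix, (source SGT, destination SGT) -> permit. Cells not listed fall
# through to the catch-all, which is permit unless you change it.
SGACL = {
    (SGT["Employees"], SGT["Employees"]): False,   # no lateral host-to-host
    (SGT["Employees"], SGT["Printers"]): True,
    (SGT["Contractors"], SGT["Employees"]): False,
    (SGT["Contractors"], SGT["Printers"]): True,
    (SGT["Cameras"], SGT["Cameras"]): False,
}
DEFAULT_PERMIT = True


class Result(NamedTuple):
    header: bytes        # what the ingress node put on the wire
    reached_egress: bool
    action: str


def ingress_edge(vn: str, src_ip: str) -> bytes:
    """Switch nearest the sender: classify the endpoint and encapsulate. No SGACL check."""
    group = BINDINGS[(vn, src_ip)]
    return encode_gpo(Tag(vnid=VNID[vn], sgt=SGT[group]))


def egress_edge(hdr: bytes, dst_ip: str) -> str:
    """Switch nearest the destination: decode VNID/SGT, resolve the destination's
    group from its own binding table, then apply the SGACL."""
    tag = decode_gpo(hdr)
    vn: Optional[str] = next((n for n, v in VNID.items() if v == tag.vnid), None)
    if vn is None:
        return "drop: unknown VNID %d" % tag.vnid
    dst_group = BINDINGS.get((vn, dst_ip))
    if dst_group is None:
        return "drop: no binding for %s in VN %s" % (dst_ip, vn)
    if SGACL.get((tag.sgt, SGT[dst_group]), DEFAULT_PERMIT):
        return "permit"
    return "drop: SGACL %s -> %s" % (SGT_NAME[tag.sgt], dst_group)


def send(vn: str, src_ip: str, dst_ip: str) -> Result:
    """End-to-end path. The fabric in between forwards on VNID and destination
    only; nothing inspects the SGT, so the packet always reaches the far edge."""
    hdr = ingress_edge(vn, src_ip)
    return Result(hdr, True, egress_edge(hdr, dst_ip))


if __name__ == "__main__":
    for vn, s, d in [("Campus", "10.1.1.10", "10.1.1.11"), ("Campus", "10.1.1.10", "10.1.1.50"),
                     ("Campus", "10.1.1.20", "10.1.1.10"), ("IoT", "10.1.1.10", "10.1.1.50")]:
        r = send(vn, s, d)
        print(vn, s, "->", d, r.header.hex(), r.action)
```

The `decode_gpo` checks are the part worth copying: an egress node that accepts a header with the G bit clear has no SGT to enforce on, and whatever it does next (drop, or fall through to the default cell) should be a deliberate choice rather than an accident of the parser.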