RS0126 - SDA Access Policy with TrustSec (Part 2)
Category:
Routing & Switching
The video shows you how to configure network segmentation using Policy on Cisco DNA Center (DNAC). We will go through different segmentation scenarios, both for traffic within a Virtual Network and for traffic between Virtual Networks, all of which leverage the underlying technology of Cisco TrustSec and the Scalable Group Tag (SGT). We will also demonstrate how to continue to use SGT to enforce security beyond the SDA fabric.
Part 2 of this video covers inter-VN segmentation.
Topic:
- SGT Static Assignment
- SGT Dynamic Assignment
- Intra-VN Segmentation
- Inter-VN Segmentation
- SGT Static Mapping
- SGT to Cisco FTD
Confused
1. Since SGTs are stateless and you have to specify a high port range, does this not defeat the purpose of micro-segmentation? Just thinking the CIFS rule would inadvertently allow RDP and VNC comms, for example.
2. When applying the RDP SGT rule, it is only port TCP/3389; would the return ports not also be random high ports, similar to CIFS?
3. Are SGTs applied on egress traffic? When trying the ICMP and CIFS protocols, why does the fabric route it to the fusion and not drop it already on inspection at the ingress port?
Confused
1. No, because the ACL for the return traffic would have the TCP/UDP port flipped, so allowed traffic should not be initiated in the other direction.
2. It would for the destination port; the source port remains either RDP or CIFS.
3. SGACL is always enforced at the egress switch. Traffic only needs to be routed to the fusion if it needs to cross VNs.
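The port-flipping point made in the reply above, shown as the switch-side CLI that a DNAC/ISE policy ultimately results in. This is an added example written for this page, not configuration taken from the lab or its video; the SGT values (10 for an assumed client group, 20 for an assumed server group), the SGACL names and the 10.1.20.0/24 prefix are illustrative assumptions. The first SGACL is the weak form that the first question worries about; the pair below it is the corrected form, where each direction matches the well-known port on the side where it is fixed.

```text
! Added example, not from the lab or its video. SGT 10 (client), SGT 20
! (server), the SGACL names and the prefix are assumptions for illustration.

! Weak variant: permitting a high port range for server-to-client traffic
! also lets the server open new sessions toward any high-port service on
! the client (VNC on 5900, for example), because SGACLs are stateless.
ip access-list role-based SERVER_TO_CLIENT_WEAK
 permit tcp dst range 1024 65535
 deny ip log

! Corrected variant: client-to-server packets carry 445 (CIFS) or 3389
! (RDP) as their destination port; the return packets carry the same
! value as their source port. Mirroring the match on each side admits the
! reply traffic without allowing the server to initiate anything.
ip access-list role-based CLIENT_TO_SERVER
 permit tcp dst eq 445
 permit tcp dst eq 3389
 deny ip log
ip access-list role-based SERVER_TO_CLIENT
 permit tcp src eq 445
 permit tcp src eq 3389
 deny ip log

! Bind each SGACL to its matrix cell (source SGT -> destination SGT).
cts role-based permissions from 10 to 20 ipv4 CLIENT_TO_SERVER
cts role-based permissions from 20 to 10 ipv4 SERVER_TO_CLIENT

! Static IP-to-SGT mapping for a server subnet that never authenticates
! (the "SGT Static Mapping" topic); assumed prefix.
cts role-based sgt-map 10.1.20.0/24 sgt 20

! Enforcement happens on the switch behind which the destination SGT
! sits, so enable it there.
cts role-based enforcement

! Verification commands (read-only):
! show cts role-based permissions
! show cts role-based counters
```

The `deny ip log` at the end of each SGACL makes the rejected session attempts visible in the `show cts role-based counters` output on the egress switch, which is the place to look when a flow such as the ICMP or CIFS test in the third question is dropped.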