
Cisco SD-Access Fabric Policy Plane Based on Cisco TrustSec


The Cisco Software-Defined Access (SD-Access) fabric policy plane is based on Cisco TrustSec.

1. Control plane based on LISP

2. Data plane based on VXLAN

3. Policy plane based on Cisco TrustSec


The VXLAN header carries the VRF and SGT fields that are used for network segmentation and security policies. In this topic, you will see how SGTs work with Cisco TrustSec and Cisco Identity Services Engine (ISE).

While the Cisco SD-Access control plane is based on LISP and the data plane is based on VXLAN, the Cisco SD-Access policy plane is based on Cisco TrustSec.

Role of Cisco TrustSec in Campus Fabric

TrustSec has a couple of key features that are essential to the secure and scalable Cisco SD-Access solution. Traffic is segmented based on a classification group, called a scalable group, and not based on topology (VLAN or IP subnet). Based on endpoint classification, Scalable Group Tags (SGTs) are assigned to enforce access policies for users, applications, and devices.


The traditional approach to security in the enterprise network creates several limitations and complexities. Security policies that are based on IP addresses within subnets and VLANs tend to be complex and difficult to manage. Enforcing and managing these policies throughout the network is an administrative task that requires considerable skill, as access lists tend to grow with the organization. Another drawback of this approach is the static nature of access lists. As networks become more dynamic, constant changes to network policy become difficult.

Cisco TrustSec provides software-defined segmentation that dynamically organizes endpoints into logical groups called security groups. Security groups, also known as scalable groups, are assigned based on business decisions using a richer context than an IP address. Unlike access control mechanisms that are based on network topology, Cisco TrustSec policies use logical groupings. Decoupling access entitlements from IP addresses and VLANs simplifies security policy maintenance tasks, lowers operational costs, and allows common access policies to be consistently applied to wired, wireless, and VPN access. By classifying traffic according to the contextual identity of the endpoint instead of its IP address, the Cisco TrustSec solution enables more flexible access controls for dynamic networking environments and data centers.

The ultimate goal of Cisco TrustSec technology is to assign a tag (known as a Scalable Group Tag, or SGT) to the user’s or device’s traffic at the ingress (inbound into the network), and then enforce the access policy based on the tag elsewhere in the infrastructure (for example, data center). Switches, routers, and firewalls use the SGT to make forwarding decisions. For instance, an SGT may be assigned to a Guest user, so that the Guest traffic may be isolated from non-Guest traffic throughout the infrastructure.

The Cisco Identity Services Engine (ISE) acts as a controller for software-defined segmentation groups and policies, providing a layer of policy abstraction and centralized administration. Cisco ISE allows segmentation policies to be applied to networks of any size using a simple and clear policy matrix.
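As an added example (not code from the original article), the following Python decodes the VXLAN-GPO header that the SD-Access data plane uses to carry both fields mentioned above: the SGT travels in the 16-bit Group Policy ID and the VRF is identified by the 24-bit VNI. It then looks the source/destination SGT pair up in a policy matrix the way an enforcement point would. The field layout follows the VXLAN-GPO draft; the SGT numbers, VNI and matrix entries are constructed for the example.

```python
import struct
from typing import Dict, Optional, Tuple

# VXLAN-GPO flag bits in the first 16 bits of the header (draft-smith-vxlan-group-policy).
FLAG_G = 0x8000  # Group Based Policy extension present: Group Policy ID is valid
FLAG_I = 0x0800  # VNI field is valid
FLAG_D = 0x0040  # Don't Learn the inner source address
FLAG_A = 0x0008  # Policy already applied by an earlier hop


def parse_vxlan_gpo(hdr: bytes) -> Dict[str, Optional[object]]:
    """Decode the 8-byte VXLAN-GPO header into flags, SGT and VNI."""
    if len(hdr) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, group_policy_id, vni_and_reserved = struct.unpack("!HHI", hdr[:8])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: header carries no valid VNI")
    return {
        "gbp": bool(flags & FLAG_G),
        "applied": bool(flags & FLAG_A),
        # The Group Policy ID is only meaningful when the G flag is set.
        "sgt": group_policy_id if flags & FLAG_G else None,
        "vni": vni_and_reserved >> 8,  # upper 24 bits; the low byte is reserved
    }


def build_vxlan_gpo(sgt: int, vni: int, applied: bool = False) -> bytes:
    """Encode an SGT and VNI into a VXLAN-GPO header (G and I flags set)."""
    flags = FLAG_G | FLAG_I | (FLAG_A if applied else 0)
    return struct.pack("!HHI", flags, sgt & 0xFFFF, (vni & 0xFFFFFF) << 8)


# Constructed SGT policy matrix: (source SGT, destination SGT) -> action.
# Pairs not listed fall through to DEFAULT_ACTION, as in an ISE matrix.
POLICY_MATRIX: Dict[Tuple[int, int], str] = {
    (10, 20): "permit",  # Employees (10) -> Servers (20)
    (30, 20): "deny",    # Guests (30) -> Servers (20)
    (30, 30): "deny",    # Guest-to-Guest isolation
}
DEFAULT_ACTION = "permit"


def enforce(hdr: bytes, dst_sgt: int) -> str:
    """Return the matrix action for a packet, using the SGT carried in its header."""
    fields = parse_vxlan_gpo(hdr)
    if fields["sgt"] is None:
        return "deny"  # untagged traffic has unknown classification: fail closed
    return POLICY_MATRIX.get((fields["sgt"], dst_sgt), DEFAULT_ACTION)
```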

Although the CCIE exam has not fully reopened due to the coronavirus, the latest news points out that the exam desktop environment and the exam interface have changed. The exam will open the devices in the form of a web page, and multiple windows can be opened at the same time.

In general, the new test method, the new test content, and the popularization of EI technology are the focus of the certification test reform, and we must fully adapt to the new test method.


IELAB EI CCIE’s dumps update will be faster and more timely. The discount is still in progress, so don’t miss the opportunity; contact our sales to get the discount.

IE-LAB provides valid materials (accurate dumps) to help you pass your CCIE. For the written exam, we have valid workbooks that cover all real exam questions; you can easily pass the exam, and usually 7 days’ preparation is enough. For the Lab exam, we offer valid workbooks (real exam), a rack that is the same as the real exam, one-to-one support, a professional tutor, and timely updates.

This article is exclusively published by James from IELAB.NETWORK and cannot be reproduced without permission.

Please follow us if you like our articles.

visit us: http://ielab.network

WhatsApp: +8617782638871
