Segmentation
2.1.c i Macro-level segmentation using VNs
// Graphic missing - Coming soon //
Virtual Network
General information on “SDA Macro-level segmentation using VNs”:
- Configured/Done under Policy -> Virtual Network
- Each VN is instantiated as a VRF on the fabric nodes; each IP pool placed in the VN is mapped to a VLAN (with its SVI) on the edge nodes
- Allows for complete isolation of devices at the network layer
- Useful when there should be absolutely zero communication between different groups of devices
- Default VNs created by DNAC:
- DEFAULT_VN: A regular “User VN” provided by default
- INFRA_VN: Only used for Access Points and Extended Nodes; it maps to the Global Routing Table rather than to a dedicated VRF, because these devices must reach the underlay (and the WLC)
- After a VN is created, it must be added to each fabric node
- Fabric underlay devices (e.g. routers/switches/…) forward in the Global Routing Table (GRT); the GRT is not modelled as a VN in DNAC, so the underlay stays separate from the overlay VRFs
- When routes must be leaked between VNs (aka Inter-VN communication, e.g. for offering shared services such as DHCP/DNS/… to every VN) a so-called “Fusion Router” is needed, attached to the fabric border node(s) with one VRF-lite handoff (sub-interface + BGP session) per VN
- A “Fusion Router” works like the Extranet (route leaking) function of MPLS L3VPN and uses the same commands (route-target import/export); only the shared-services routes should be imported into the user VNs, otherwise the macro-level segmentation is silently undone
- Configuration of the “Fusion Router” needs to be done manually (as of DNAC 1.3); DNAC only provisions the border-node side of the handoff
- If traffic inspection for Inter-VN traffic is needed, a Fusion Firewall can be used instead; a Fusion Router only leaks routes and cannot filter or inspect the traffic
- Each Fabric Edge Node hosts the same L3 Anycast Gateway (identical IP + MAC address) for every IP pool (subnet) of a VN; the gateway resides in the VN’s overlay routing table (VRF), so a host keeps its default gateway when it roams between edge nodes
- Examples for the usage of VNs:
- Electrical Power Industry: Complete isolation between the corporate network (e.g. operations, finance, …) and the electrical power gear (e.g. generators, transmitters, …)
- Airport: Complete isolation between the guest network, the corporate network and mission-critical systems
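Worked example of the Fusion Router route leaking described above (added here; this is not DNAC-generated configuration). Two user VNs (CORP_VN, OT_VN) both need the DHCP/DNS servers kept in a local SHARED_SERVICES VRF, but must stay isolated from each other. All names, AS numbers (65001 fusion, 65000 border), RDs/RTs and addresses are assumptions; the platform is assumed to be IOS-XE with the border handoff already provisioned by DNAC.

```ios
! Fusion router (IOS-XE) - assumed names, ASNs, RDs/RTs and addressing
!
! One VRF per fabric VN. Each user VN imports only the shared-services RT,
! never the RT of the other user VN, so CORP_VN and OT_VN cannot reach each other.
vrf definition CORP_VN
 rd 65001:100
 address-family ipv4
  route-target export 65001:100
  route-target import 65001:100
  route-target import 65001:900
 exit-address-family
!
vrf definition OT_VN
 rd 65001:200
 address-family ipv4
  route-target export 65001:200
  route-target import 65001:200
  route-target import 65001:900
 exit-address-family
!
! Shared services import both user VNs so the DHCP/DNS replies have a return path.
! Routes imported here keep their original RT (65001:100 / 65001:200), so they are
! not re-exported with 65001:900 and the shared VRF does not become a transit path.
vrf definition SHARED_SERVICES
 rd 65001:900
 address-family ipv4
  route-target export 65001:900
  route-target import 65001:900
  route-target import 65001:100
  route-target import 65001:200
 exit-address-family
!
! VRF-lite handoff towards the fabric border: one 802.1Q sub-interface per VN
interface GigabitEthernet0/0/0.100
 encapsulation dot1Q 100
 vrf forwarding CORP_VN
 ip address 10.255.100.2 255.255.255.252
!
interface GigabitEthernet0/0/0.200
 encapsulation dot1Q 200
 vrf forwarding OT_VN
 ip address 10.255.200.2 255.255.255.252
!
! DHCP/DNS servers sit behind this interface
interface GigabitEthernet0/0/1
 vrf forwarding SHARED_SERVICES
 ip address 10.10.10.1 255.255.255.0
!
! BGP does the actual RT import/export; one eBGP session per VN to the border node
router bgp 65001
 bgp log-neighbor-changes
 address-family ipv4 vrf CORP_VN
  neighbor 10.255.100.1 remote-as 65000
  neighbor 10.255.100.1 activate
 exit-address-family
 address-family ipv4 vrf OT_VN
  neighbor 10.255.200.1 remote-as 65000
  neighbor 10.255.200.1 activate
 exit-address-family
 address-family ipv4 vrf SHARED_SERVICES
  redistribute connected
 exit-address-family
!
! Checks after deployment:
!   show ip route vrf CORP_VN   -> must contain 10.10.10.0/24 (B), must NOT contain OT_VN prefixes
!   show ip route vrf OT_VN     -> must contain 10.10.10.0/24 (B), must NOT contain CORP_VN prefixes
!   show bgp vpnv4 unicast all  -> every prefix shows only the RTs configured above
```

The security-relevant detail is the asymmetric import: the shared VRF imports every user VN, but no user VN imports another user VN. A "convenient" fusion router that imports all RTs into every VRF turns the VNs back into one flat network without any warning from DNAC, so the `show ip route vrf` checks belong in the acceptance test of every VN added later.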
2.1.c ii Micro-level segmentation using SGTs (using Cisco ISE)
// Graphic missing - Coming soon //
Scalable Group Tag
General information on “SDA Micro-level segmentation using SGTs (using Cisco ISE)”:
- Configured/Done under Policy -> Group-Based Access Control -> Scalable Groups
- Used for further segmentation within a VN
- A SGT is a logical group of users/devices/… (eg. Employees, Contractors, …)
- Everything done under DNAC (creating groups, contracts, policies) is automatically replicated to the ISE integrated with DNAC; ISE then distributes the resulting SGACLs to the fabric nodes
- SGTs get assigned to end devices/users (e.g. as part of the ISE authorization result) and not to the ports themselves
- Policies (SGACLs) get enforced at the egress interface, i.e. on the fabric edge node that connects the destination; the source SGT is carried in the VXLAN header to get there
- As of today, access control is based on pre-defined contracts (stateless SGACLs matching protocol/port) and no stateful packet inspection is possible; return traffic must therefore be permitted explicitly in the opposite cell of the matrix
- Examples for the usage of SGTs:
- University: Different user groups require different access levels (e.g. employees and students can access printers but only employees can access personal data)
- Company: Employees are split up into different departments which need to (partly) access shared resources (e.g. printers, department-specific servers, global servers such as the intranet, …)
Configuration steps for micro-level segmentation:
- Create Scalable Groups + Deploy
- Create Access Contracts + Deploy
- Create Policies + Deploy
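Worked example of what the three steps above produce on a fabric edge node, using the university case (added here; in a real fabric these lines are pushed by DNAC/ISE, not typed by hand, and are shown statically so the result can be read and verified). SGT numbers and names (10 Employees, 20 Students, 30 Printers, 40 Personal_Data servers), VLAN IDs, subnets and contract names are assumptions; the platform is assumed to be IOS-XE.

```ios
! Fabric edge node (IOS-XE) - assumed SGTs, VLANs, subnets and contract names
!
! Step 1 equivalent: groups are just numeric tags. Users get theirs from ISE at
! authentication time; servers are not 802.1X clients, so bind them by subnet.
cts role-based sgt-map 10.30.0.0/24 sgt 30
cts role-based sgt-map 10.40.0.0/24 sgt 40
!
! Enforcement happens on egress, on the user VLANs of this edge node
cts role-based enforcement
cts role-based enforcement vlan-list 1021-1024
!
! Step 2 equivalent: contracts are role-based ACLs. They carry no IP addresses
! (the SGTs supply the endpoints) and no state (every direction is its own cell).
ip access-list role-based PRINT_ONLY
 permit tcp dst eq 9100
 permit tcp dst eq 631
 deny ip
!
! Return traffic of the print sessions: needed because SGACLs are stateless
ip access-list role-based PRINT_RETURN
 permit tcp src eq 9100
 permit tcp src eq 631
 deny ip
!
ip access-list role-based PERMIT_IP
 permit ip
!
ip access-list role-based DENY_IP
 deny ip
!
! Step 3 equivalent: the policy matrix, one line per (source SGT, destination SGT) cell
! Employees (10) and Students (20) -> Printers (30): print protocols only
cts role-based permissions from 10 to 30 ipv4 PRINT_ONLY
cts role-based permissions from 20 to 30 ipv4 PRINT_ONLY
cts role-based permissions from 30 to 10 ipv4 PRINT_RETURN
cts role-based permissions from 30 to 20 ipv4 PRINT_RETURN
! Only Employees may reach the Personal_Data servers (40), both directions
cts role-based permissions from 10 to 40 ipv4 PERMIT_IP
cts role-based permissions from 40 to 10 ipv4 PERMIT_IP
cts role-based permissions from 20 to 40 ipv4 DENY_IP
!
! Every cell not listed above (including anything with an unknown tag, SGT 0)
! uses the default; keep it permit until all infrastructure flows are mapped
cts role-based permissions default ipv4 PERMIT_IP
!
! Checks:
!   show cts role-based permissions      -> the matrix above
!   show cts role-based sgt-map all      -> session-learned and static IP-to-SGT bindings
!   show cts role-based counters         -> per-cell permit/deny hit counts
```

Two things are easy to get wrong here and both follow from the notes above: a cell only filters traffic arriving on this edge node for a destination it owns, so a contract that works for Employees -> Printers says nothing about Printers -> Employees; and because the ACLs are stateless, tightening the default to `DENY_IP` silently breaks every flow whose return cell was never written, including traffic from endpoints that received no tag at all.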