Microsegmentation in Cisco SD-Access Architecture: Enforcing End-to-End Security


Question

How is end-to-end microsegmentation enforced in a Cisco SD-Access architecture?

Answers

Explanations



C.

In a Cisco Software-Defined Access (SD-Access) architecture, end-to-end microsegmentation is enforced using Security Group Tags (SGTs) and Security Group Tag Access Control Lists (SGTACLs; Cisco's own documentation usually abbreviates these as SGACLs) to control access to various resources.

SGTs are assigned to network endpoints based on their identity and role, using attributes such as location, device type, or user identity. SGTs are propagated across the network using Cisco TrustSec technology, which is built on the IEEE 802.1AE MAC Security standard.

SGTACLs are then used to define policies that permit or deny traffic based on the SGT of the source and destination endpoints. SGTACLs can be applied at different points in the network, such as access switches, distribution switches, and border routers, to enforce policies at various levels of granularity.

Using SGTs and SGTACLs provides end-to-end microsegmentation that can be applied consistently across the network, regardless of the underlying infrastructure. This approach enables fine-grained control over network access and reduces the risk of lateral movement by attackers.

In contrast, VLANs are a Layer 2 segmentation technology that can be used to separate traffic within a single network, but they do not provide end-to-end microsegmentation. 5-tuples and ACLs can be used to permit or deny traffic based on various criteria, but they do not provide the identity-based access control provided by SGTs and SGTACLs. VRFs can be used to segment traffic at Layer 3, but they do not provide the identity-based access control or end-to-end segmentation provided by SGTs and SGTACLs.
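To make the enforcement model in the explanation concrete, here is an added, simplified simulation of how an enforcement point evaluates a flow against an SGT-to-SGT policy matrix. It is illustrative code written for this page, not Cisco software; the SGT names, IP-to-SGT bindings, policy cells, default action and the `rebind` helper are all constructed assumptions.

```python
# Constructed model of SGT/SGACL enforcement (illustration only, not Cisco code).
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp", "udp" or "icmp"
    dst_port: int   # 0 where the protocol has no port

# IP-to-SGT bindings as the enforcement point would learn them when an
# endpoint authenticates (constructed sample values, not real addresses).
IP_SGT_BINDINGS: Dict[str, str] = {
    "10.1.10.25": "Employees",
    "10.1.10.26": "Contractors",
    "10.2.20.10": "Finance_Servers",
    "10.3.30.5": "IoT_Camera",
    "10.3.30.6": "IoT_Camera",
}
UNKNOWN_SGT = "Unknown"

# Policy matrix keyed by (source SGT, destination SGT). Each cell is an
# ordered list of (proto, dst_port, action) entries; port 0 means any port.
# A cell that exists but matches nothing denies, like an SGACL ending in
# "deny ip". Pairs with no cell fall back to DEFAULT_ACTION (constructed).
SGACL_MATRIX: Dict[Tuple[str, str], List[Tuple[str, int, str]]] = {
    ("Employees", "Finance_Servers"): [("tcp", 443, "permit")],
    ("Contractors", "Finance_Servers"): [],               # deny everything
    ("IoT_Camera", "IoT_Camera"): [("icmp", 0, "permit")],  # no east-west but ping
}
DEFAULT_ACTION = "deny"

def lookup_sgt(ip: str) -> str:
    return IP_SGT_BINDINGS.get(ip, UNKNOWN_SGT)

def enforce(flow: Flow) -> Tuple[str, str, str]:
    """Return (action, src_sgt, dst_sgt). The decision depends only on the
    two tags, not on the VLAN or subnet the addresses happen to sit in."""
    src_sgt, dst_sgt = lookup_sgt(flow.src_ip), lookup_sgt(flow.dst_ip)
    cell = SGACL_MATRIX.get((src_sgt, dst_sgt))
    if cell is None:
        return DEFAULT_ACTION, src_sgt, dst_sgt
    for proto, port, action in cell:
        if proto == flow.proto and port in (0, flow.dst_port):
            return action, src_sgt, dst_sgt
    return "deny", src_sgt, dst_sgt

def rebind(ip: str, sgt: str) -> None:
    """Model a re-authentication that changes the identity behind an address;
    the policy outcome follows the new tag, not the unchanged IP."""
    IP_SGT_BINDINGS[ip] = sgt
```

Running `enforce` on the same Employee-to-Finance flow before and after `rebind` of the source address to the Contractors tag shows the permit turning into a deny while the 5-tuple stays identical, which is the identity-based property the explanation contrasts with VLANs and plain ACLs.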