Segmentation
Cisco Group-Based Policy/TrustSec software-defined segmentation protects critical business assets by segmenting on a Security Group Tag (SGT) assigned to each endpoint at the point of access, instead of on the VLAN or IP subnet the endpoint happens to sit in. This is simpler to operate than VLAN-based segmentation and removes a whole class of errors that come from keeping address-based ACLs in step with the addressing plan.
Policy is expressed as a matrix of source and destination security groups. Cisco ISE serves as the segmentation controller: it holds the matrix and pushes the resulting Security Group ACLs (SGACLs) to switches, routers, wireless controllers, and firewalls, so enforcement points no longer carry hand-maintained per-subnet rules. The result is tighter, more consistent enforcement at lower operational cost than traditional segmentation.
A Forrester Consulting analysis found that operational costs were reduced by 80% and policy changes were 98% faster for customers who used Group-Based Policy/TrustSec segmentation. The SGT eXchange Protocol (SXP), which carries IP-to-SGT bindings between devices that cannot tag traffic inline, has been published to the IETF as an Internet-Draft, and the technology is supported on Cisco and third-party platforms, including an SXP implementation for OpenDaylight.
Segmentation is a key component of Software-Defined Access (SDA), which uses Cisco DNA Center together with Cisco Identity Services Engine (ISE) to automate network segmentation and group-based policy.
Identity-based policy and segmentation decouple the policy definition from VLANs and IP addresses: the SGT is assigned when an endpoint authenticates, so the policy follows the endpoint even when it moves to another subnet or site, and the address plan can change without the policy having to be rewritten.
The Software-Defined Access Design and Deployment Guides provide detailed information on configuring and deploying Group-Based Policy.
These guides can help organizations implement SDA and take advantage of the benefits of software-defined networking, including improved security, reduced complexity, and increased agility.
Cisco Identity Services Engine (ISE) can integrate with the Cisco Application Centric Infrastructure (ACI) controller, APIC, to extend segmentation from the campus into the data center. ISE creates and populates SGT-to-EPG translation tables that border devices use to map TrustSec SGTs to ACI endpoint groups (EPGs), and EPGs back to SGTs, as traffic passes between the two domains, so that a single group-based policy applies on both sides.
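The following is an added illustration, not Cisco code and not drawn from this page: a toy model of the two ideas above, policy keyed on security groups rather than addresses, and SGT/EPG translation at the campus-to-ACI border. The SGT numbers, IP-to-SGT bindings, policy matrix, EPG names and flows are all constructed sample data; in a real deployment the bindings come from ISE authorisation and SXP or inline tagging, and the matrix is the one ISE pushes as SGACLs. The default-deny for unlisted cells is a hardening choice made here, not ISE's out-of-the-box default.

```python
"""Toy model of group-based (SGT) segmentation. Added example, not Cisco code.

All bindings, tags, EPG names and policy cells below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Security Group Tags. Numbers are arbitrary sample values, not Cisco defaults.
SGT = {"Employees": 10, "Contractors": 20, "PCI_Servers": 30, "Printers": 40}
UNKNOWN_SGT = 0  # no binding known for the address

# IP-to-SGT bindings, as a switch or SXP peer would hold them (sample data).
bindings = {
    ip_address("10.1.10.5"): SGT["Employees"],
    ip_address("10.1.20.7"): SGT["Contractors"],
    ip_address("10.9.1.10"): SGT["PCI_Servers"],
    ip_address("10.1.30.3"): SGT["Printers"],
}

# Policy matrix: (source SGT, destination SGT) -> action. Cells not listed
# fall through to DEFAULT_ACTION. Sample policy only.
matrix = {
    (SGT["Employees"],   SGT["PCI_Servers"]): "permit",
    (SGT["Employees"],   SGT["Printers"]):    "permit",
    (SGT["Contractors"], SGT["Printers"]):    "permit",
    (SGT["Contractors"], SGT["PCI_Servers"]): "deny",
}
DEFAULT_ACTION = "deny"  # hardened default chosen for this example

# Border translation table between SGTs and ACI EPGs (hypothetical EPG names).
sgt_to_epg = {
    SGT["PCI_Servers"]: "tn-prod/ap-pci/epg-db",
    SGT["Employees"]:   "tn-prod/ap-users/epg-emp",
}
epg_to_sgt = {epg: sgt for sgt, epg in sgt_to_epg.items()}

# Contrast: a traditional subnet ACL that encodes the same intent as addresses.
ip_acl = [(ip_network("10.1.10.0/24"), ip_network("10.9.1.0/24"), "permit")]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str


def classify(ip: str) -> int:
    """Look up the SGT bound to an address; unknown addresses get SGT 0."""
    return bindings.get(ip_address(ip), UNKNOWN_SGT)


def decide(flow: Flow) -> str:
    """Group-based decision: classify both ends, then consult the matrix."""
    return matrix.get((classify(flow.src_ip), classify(flow.dst_ip)), DEFAULT_ACTION)


def decide_ip_acl(flow: Flow) -> str:
    """Address-based decision for comparison: first matching subnet pair wins."""
    src, dst = ip_address(flow.src_ip), ip_address(flow.dst_ip)
    for src_net, dst_net, action in ip_acl:
        if src in src_net and dst in dst_net:
            return action
    return DEFAULT_ACTION


def move_endpoint(old_ip: str, new_ip: str) -> None:
    """Endpoint re-addressed (moved VLAN/subnet): the binding follows it, the matrix is untouched."""
    bindings[ip_address(new_ip)] = bindings.pop(ip_address(old_ip))


def to_aci(sgt: int):
    """Campus -> data center: translate an SGT to its ACI EPG (None if unmapped)."""
    return sgt_to_epg.get(sgt)


def from_aci(epg: str) -> int:
    """Data center -> campus: translate an EPG to its SGT (unknown if unmapped)."""
    return epg_to_sgt.get(epg, UNKNOWN_SGT)


def decide_from_aci(src_epg: str, dst_ip: str) -> str:
    """Traffic arriving from ACI: translate the EPG, then apply the same matrix."""
    return matrix.get((from_aci(src_epg), classify(dst_ip)), DEFAULT_ACTION)


if __name__ == "__main__":
    emp_to_pci = Flow("10.1.10.5", "10.9.1.10")
    print("before move:", decide(emp_to_pci), decide_ip_acl(emp_to_pci))
    move_endpoint("10.1.10.5", "10.2.44.9")
    moved = Flow("10.2.44.9", "10.9.1.10")
    print("after move: ", decide(moved), decide_ip_acl(moved))
```

Run it and the group-based decision stays "permit" after the employee's machine is re-addressed, while the subnet ACL silently flips to "deny"; with the ACL written the other way round the failure would be an unintended permit, which is the case that matters for security. The unknown-SGT path is the one to watch in a real rollout: any address with no binding lands in the default cell, so audit which default the matrix actually carries before relying on it.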
TrustSec technology is supported by over 50 Cisco product families and can work with open-source and third-party products. ISE acts as the policy controller for routers, switches, wireless devices, and security products.
Licensing: TrustSec/Group-Based Policy on ISE requires an ISE Advantage (or Premier) license. Segmentation delivered through SDA additionally requires Cisco DNA Advantage or Cisco DNA Premier.